Looking for help with FTPS TLS

tsrCharles
Guest

Version of WinSCP: 5.19.6 (Build 12002 2022-02-22)
New problem – has never worked
Windows 10 Pro 64-bit
FTPS
No scripting
Error is:
SSL3 alert read: fatal: handshake failure
TLS connect: error in error
Can't establish TLS connection
Disconnected from server
Connection failed.
Let me give you some background. I am not a TLS newbie. I teach certificate classes.
I can connect with WinSCP to this host if I use an FTP server without SSL/TLS.
If I try to connect with TLS (min 1.1, max 1.3) it fails with the indicated error.
I can connect to this host with SSL/TLS using WS_FTP, so we can assume the certificate chain is there.
What should I try? What should I be looking for? Thanks,
Charles

tsrCharles
Posts: 5
Location: California

Server error

I have control of the server so if you want some change there I may be able to do it.
FWIW the server error is SSL protocol or certificate type is not supported. [Not terribly useful]
Recall I am using the same certificate chain successfully with WS_FTP.

tsrCharles

Thank you for your reply. Sorry for the slow response; one or two things going on :-)

I would prefer not to post the connection instructions. (1) for the obvious reason; and (2) it would be more complex than you may be picturing because the certificate is signed by an internal CA, not a public CA, so you would need the CA certificate as well.

I previously had it limited to 1.1 to 1.3; I just changed that to 1.1 to 1.2 and it fails the same way.

Also, I was not familiar with the terms implicit and explicit TLS. I tested both ways. I think what I am used to is what you call explicit TLS: that is, the connection is established in the clear and then the client sends AUTH TLS (and if the client does not do so, the server prohibits all other commands).

As I indicated I am something of a TLS expert but not at all an expert in Windows certificate management. Where do you expect the CA cert to be installed, and are there any special considerations?

tsrCharles

Let me try to summarize the way things behave.
            | WinSCP | WS_FTP
------------+--------+---------------
No SSL/TLS  | Works  | Works
------------+--------+---------------
TLS 1.1/1.2 | Fails  | Works
------------+--------+---------------
TLS 1.3     | *      | Not supported

* This is how I am hoping to use WinSCP.

tsrCharles

Thanks, you can close this ticket

I have it working with FileZilla client so I will not be pursuing WinSCP any further.

Speaking as a friend, I think you have an issue here. WS_FTP and FileZilla worked right out of the box. Literally. I downloaded FileZilla, fired it up, and a transfer ran (TLSv1.2, and with some work on the server end, TLSv1.3). Now it may be that what they are doing is wrong and what you are doing is right, or that what you are doing is better, but if that is the case you need to document what you need in the way of certificates, trust, etc. because it appears to be a non-typical requirement.

Thanks for your consideration.

martin
Site Admin
Posts: 41,517
Location: Prague, Czechia

tsrCharles wrote:

I would prefer not to post the connection instructions. (1) for the obvious reason; and (2) it would be more complex than you may be picturing because the certificate is signed by an internal CA, not a public CA, so you would need the CA certificate as well.
Would you be willing to post (just) the host name privately? I do not think the problem is about certificates, so internal CA should not prevent me from testing this.
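
Added example (not from any poster in this thread and not WinSCP code): a small Python probe for the explicit-TLS sequence described above that reports whether a failure happens at the FTP banner, at AUTH TLS, in the TLS handshake itself (protocol version, cipher, fatal alert), or in certificate verification. The function names, the stage labels, and the use of a PEM file for the internal CA are assumptions made for this illustration.

```python
import socket
import ssl
import sys

def _final(buf):
    # True when the last complete line is the final line of an FTP reply.
    last = buf.splitlines()[-1]
    return last[:3].isdigit() and last[3:4] in (b" ", b"")

def read_reply(sock):
    """Read one FTP reply; a multi-line reply ends at a 'NNN ' line."""
    buf = b""
    while not buf.endswith(b"\r\n") or not _final(buf):
        ch = sock.recv(1)  # byte-wise, so no TLS bytes are ever consumed
        if not ch:
            raise ConnectionError("server closed the control connection")
        buf += ch
    return buf.splitlines()[-1].decode("ascii", "replace")

def probe_explicit_ftps(host, port=21, cafile=None,
                        version=ssl.TLSVersion.TLSv1_2, timeout=10):
    """Return (stage, detail) naming the step where the connection stopped."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: internal CA (PEM)
    ctx.minimum_version = ctx.maximum_version = version  # pin a single version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_reply(sock)
        if not banner.startswith("220"):
            return ("banner", banner)
        sock.sendall(b"AUTH TLS\r\n")  # explicit TLS: upgrade after cleartext
        reply = read_reply(sock)
        if not reply.startswith("234"):
            return ("auth", reply)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", f"{tls.version()} {tls.cipher()[0]}")
        except ssl.SSLCertVerificationError as exc:  # trust or name mismatch
            return ("certificate", exc.verify_message)
        except ssl.SSLError as exc:  # version/cipher mismatch or fatal alert
            return ("handshake", exc.reason or str(exc))

# Usage: python probe.py HOST [CA.pem]
if __name__ == "__main__" and len(sys.argv) >= 2:
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, probe_explicit_ftps(sys.argv[1], cafile=ca, version=v))
```

A "handshake" result with the certificate never evaluated points at protocol or cipher negotiation rather than at the CA, while a "certificate" result points at the trust store or the host name in the certificate.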