
FlashFXP FTPES Client Certificate handshake failure


msg7086
12-20-2017, 03:23 PM
Yes, I know this post may be useless considering what has happened. But I still want to share this with you and, if possible, get some ideas from you.

I'm trying to set up an FTP server with client certificate authentication. I'm using ProFTPd 1.3.5b.

On the server my configuration reads:

TLSEngine on
TLSProtocol SSLv23 TLSv1 TLSv1.2
TLSECCertificateFile /etc/ssl/ssl.crt
TLSECCertificateKeyFile /etc/ssl/ssl.key
TLSRequired ctrl
TLSCACertificateFile /etc/ssl/ca.crt
TLSVerifyClient on
TLSOptions AllowDotLogin

Where ca.crt is a self-signed ECDSA-SHA256 CA with an EC-384 key.

Client keys are generated and signed by the CA.

When connecting to the FTPES server from FlashFXP 5.4, it is unable to complete the SSL handshake.

[15:12:35] [R] Connected to test ftp
[15:12:35] [R] 220 ProFTPD 1.3.5b Server (Debian) [::ffff:172.16.0.102]
[15:12:35] [R] AUTH TLS
[15:12:35] [R] 234 AUTH TLS successful
[15:12:35] [R] SSL error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[15:12:36] [R] Failed TLSv1 negotiation, disconnected
[15:12:36] [R] Connection failed (Connection closed by server)
[15:12:36] [R] Delaying for 10 seconds before reconnect attempt #1

I have tried explicitly specifying SSLv3, TLSv1, or TLSv1.2, and none of the three works.

However, a manual test using the openssl CLI shows that the server is working fine.

D:\>openssl s_client -connect <<removed>> -starttls ftp -cert <<removed>>-ftp.crt -key <<removed>>-ftp.key
CONNECTED(00000158)
depth=0 CN = <<removed>>.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = <<removed>>.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=<<removed>>.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgISBLTsG9cQFS5GIqfAG2EVLjbTMA0GCSqGSIb3DQEBCwUA
<<removed>>
VxhOxUBUHrvNvG1a/102TDGQu+LGDyBUe40=
-----END CERTIFICATE-----
subject=/CN=<<removed>>.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/CN=<<removed>>CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1556 bytes and written 1379 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: <<removed>>
Session-ID-ctx:
Master-Key: <<removed>>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1513797526
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 ProFTPD 1.3.5b Server (Debian) [::ffff:172.16.0.102]
user root
232 User root logged in
stat -al
211-Status of .:
211-<<removed>>
211 End of status
quit
221 Goodbye.
closed

Both RSA-2048 and EC-384 key pairs were tried, and results were the same.
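The openssl s_client output above already tells you what the server's CertificateRequest demands: the acceptable CA names, the client certificate types and the signature algorithms. The following Python script, added here as an example and not part of the post or of ProFTPD or FlashFXP, parses those three fields out of s_client output and checks a client certificate's issuer DN, key type and signature hash against them. The embedded s_client text is constructed to mirror the post, with the `<<removed>>` CA name replaced by the placeholder `/CN=ExampleCA`; the issuer comparison is a plain string match and assumes the same slash-separated DN formatting that s_client prints.

```python
"""Check a client certificate against the CertificateRequest a TLS server
advertises, using the fields `openssl s_client` prints during the handshake:
"Acceptable client certificate CA names", "Client Certificate Types" and
"Requested Signature Algorithms".

Added example for this thread, not code from the original post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the s_client output in the post.
# The real CA name was removed there; "/CN=ExampleCA" is a placeholder.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/CN=ExampleCA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA384
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
"""


@dataclass
class CertificateRequest:
    ca_names: list = field(default_factory=list)   # issuer DNs the server accepts
    cert_types: set = field(default_factory=set)   # e.g. "RSA sign", "ECDSA sign"
    sig_algs: set = field(default_factory=set)     # e.g. ("ECDSA", "SHA256")


def parse_certificate_request(text: str) -> CertificateRequest:
    """Extract the CertificateRequest parameters from s_client output."""
    req = CertificateRequest()
    in_ca_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Acceptable client certificate CA names":
            in_ca_block = True
            continue
        if in_ca_block:
            # CA names are one DN per line in slash form; the block ends at
            # the first line that is not a DN.
            if line.startswith("/"):
                req.ca_names.append(line)
                continue
            in_ca_block = False
        m = re.match(r"Client Certificate Types:\s*(.*)", line)
        if m:
            req.cert_types = {t.strip() for t in m.group(1).split(",")}
            continue
        # re.match anchors at line start, so the "Shared Requested ..." line
        # (the intersection with the client's own list) is not picked up here.
        m = re.match(r"Requested Signature Algorithms:\s*(.*)", line)
        if m:
            req.sig_algs = {
                tuple(pair.split("+", 1))
                for pair in m.group(1).split(":")
                if "+" in pair
            }
    return req


# Map an OpenSSL-style key type to the TLS client certificate type name and
# to the signature family used in the signature_algorithms list.
KEY_TYPE_TO_CERT_TYPE = {"RSA": "RSA sign", "DSA": "DSA sign", "EC": "ECDSA sign"}
KEY_TYPE_TO_SIG_FAMILY = {"RSA": "RSA", "DSA": "DSA", "EC": "ECDSA"}


def check_client_cert(req: CertificateRequest, issuer_dn: str,
                      key_type: str, hash_alg: str) -> list:
    """Return the reasons the certificate cannot satisfy the request.

    An empty list means the certificate matches every advertised constraint:
    issuer among the acceptable CAs, key type among the accepted certificate
    types, and the (family, hash) pair among the requested signature algorithms.
    """
    problems = []
    if req.ca_names and issuer_dn not in req.ca_names:
        problems.append(f"issuer {issuer_dn} not among acceptable CA names {req.ca_names}")
    cert_type = KEY_TYPE_TO_CERT_TYPE.get(key_type)
    if cert_type is None or cert_type not in req.cert_types:
        problems.append(f"key type {key_type} not among client certificate types "
                        f"{sorted(req.cert_types)}")
    family = KEY_TYPE_TO_SIG_FAMILY.get(key_type)
    if req.sig_algs and (family, hash_alg) not in req.sig_algs:
        problems.append(f"signature {family}+{hash_alg} not among requested signature algorithms")
    return problems


if __name__ == "__main__":
    request = parse_certificate_request(SAMPLE_S_CLIENT_OUTPUT)
    # The post's client certificate: issued by the self-signed CA, EC key,
    # signed with SHA-256.
    for reason in check_client_cert(request, "/CN=ExampleCA", "EC", "SHA256") or ["compatible"]:
        print(reason)
```

Feed it the real s_client output together with the issuer and key type from `openssl x509 -noout -issuer -text` on the client certificate. If the check passes and the cert authenticates through s_client, as in the post, the server's CertificateRequest is satisfiable and the remaining variable is the TLS implementation in the client application rather than the certificate or the CA configuration.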