Posts Tagged ‘FTPS’

FTP TLS encrypted data connections fail (EMS)

Wednesday, October 16th, 2019

Problem

After the installation of the October 8, 2019 — KB4517389 or KB4520003 or KB4519998 or KB4519990 update (depending on OS version), all TLS encrypted data connections to the affected FTP servers fail.

Error you may see is: “TLS session of data connection has not resumed or the session does not match the control connection”

Detailed explanation

In FTP protocol, data connection does not directly authenticate the client.

Client uses control connection to authenticate, then it established data connection using PASV command followed by the STOR (upload) or RETR (download) command.

The server opens a port and waits for the client to connect to it and upload/download files.

An attacker could figure out the port the server listens to, connect to it before the client, and upload a piece of malware.

TLS session resumption prevents this. It acts as a form of authentication. If the TLS session of the data connection matches the session of the control connection, both the client and the server have the guarantee, that the data connection is genuine. Any mismatch in sessions indicates a potential attack.

Ftp.dll library uses .NET’s SslStream that relies on Schannel (Microsoft Secure Channel – a security package that facilitates the use of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS))

Cause

The KB4517389 addresses the following issue:

“Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don’t support Extended Master Secret (EMS) RFC 7627 to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don’t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.”

It looks like Schannel stared enforcing EMS. If the server runs a TLS stack which is not compatible with this change, the FTP data connection fails.

OpenSSL, which is used by most servers, supports EMS since version 1.1.0 (released 25th August 2016).

Affected Servers

  • All FTP servers using OpenSSL older than version 1.1.0
  • FileZilla Server (all versions). The latest version uses an insecure/outdated OpenSSL version 1.0.2.11 from 2017.

Solution

Contact the server administrator, explain the situation and and request an upgrade of the FTP server software and of the installed OpenSSL version.

As a temporary workaround, the KB4517389 (or equivalent for non-Windows 10 machines) can be uninstalled.

As a temporary workaround on FileZilla server you can go to “FileZilla Server Interface/Edit/Settings/Ftp over TLS setting” and uncheck “Require TLS resumption on data connection when using FTP over TLS”:

FTP Active vs Passive

Wednesday, October 19th, 2011

Ftp.dll .NET FTP component supports both Active and Passive mode FTP transfers.

In Active mode client waits for incomming data connections, in Passive mode client establishes data connections.

Passive mode is default. You can switch to Active mode using Mode property:

// C#

using (Ftp client = new Ftp())
{
    client.Mode = FtpMode.Active;

    client.Connect("ftp.example.com");
    client.Login("user", "password");

    // ...

    client.Close();
}

' VB.NET

Using client As New Ftp()
    client.Mode = FtpMode.Active

    client.Connect("ftp.example.com")
    client.Login("user", "password")

    ' ...

    client.Close()
End Using

Specify different port for FTP

Wednesday, October 19th, 2011

With Ftp.dll .NET FTP component establishing connection using default port is easy:

// C#

client.Connect("ftp.example.com");
' VB.NET

client.Connect("ftp.example.com")

If you need to specify different port just use overloaded version of Connect method:

// C#

client.Connect("ftp.example.com", 999);
// -or-
client.Connect("ftp.example.com", 999, false);
' VB.NET

client.Connect("ftp.example.com", 999)
' -or-
client.Connect("ftp.example.com", 999, False)

If you are using SSL:

// C#

client.ConnectSSL("ftp.example.com", 999);
// -or-
client.Connect("ftp.example.com", 999, true);
' VB.NET

client.ConnectSSL("ftp.example.com", 999)
' -or-
client.Connect("ftp.example.com", 999, True)

You can also specify the port range used in Active mode.

// C#

client.ActiveModePorts = new Range(1024, 1025);
' VB.NET

client.ActiveModePorts = New Range(1024, 1025)

You can set the IP address announced to the FTP server in Active mode data transfer.
By default, the value of this property is IPAddress.None which means that the address of the network interface is used instead.

// C#

client.ActiveModeAddress = IPAddress.Parse("ftp.example.com");
' VB.NET

client.ActiveModeAddress = IPAddress.Parse("ftp.example.com")

Verify file hash after FTP upload

Tuesday, November 16th, 2010

This blog post describes hot to check the file checksum (hash) after upload to FTP server. Ftp.dll .NET FTP component supports most popular hashing algorithms like CRC, MD5 and SHA1.

First add appropriate namespaces:

// C# version

using Limilabs.FTP.Client;
using Limilabs.FTP.Client.Hash;

' VB.NET version

Imports Limilabs.FTP.Client
Imports Limilabs.FTP.Client.Hash

Then upload the file, ask the server for hash of the uploaded file, compute the local hash and compare them:

// C# version

using (Ftp client = new Ftp())
{
    client.Connect("ftp.example.org");
    client.Login("user", "password");

    client.Upload("report.txt", @"c:\report.txt");

    byte[] serverHash = client.GetFileHash(
        "report.txt",
        FtpHashType.CRC);

    FileHash hash = new FileHash(FtpHashType.CRC);
    bool hashIsValid = hash.IsValid(@"c:\report.txt", serverHash);

    Console.WriteLine(hashIsValid);

    client.Close();
}
' VB.NET version

Using client As New Ftp()
	client.Connect("ftp.example.org")
	client.Login("user", "password")

	client.Upload("report.txt", "c:\report.txt")

	Dim serverHash As Byte() = client.GetFileHash( _
		"report.txt", _
		FtpHashType.CRC)

	Dim hash As New FileHash(FtpHashType.CRC)
	Dim hashIsValid As Boolean = hash.IsValid("c:\report.txt", serverHash)

	Console.WriteLine(hashIsValid)

	client.Close()
End Using

You can use CRC, MD5 and SHA1 algorithms for hash verification.

You can download Ftp.dll FTP/FTPS client for .NET here.

The handshake failed due to an unexpected packet format

Sunday, November 7th, 2010

Most likely your FTP server requires explicit SSL. So first try to connect without SSL:

// C#

client.Connect("ftp.example.org");
' VB.NET

client.Connect("ftp.example.org")

Then, before logging-in, start explicit SSL negotiation:

// C#

client.AuthSSL();
' VB.NET

client.AuthSSL()

Now, your connection is secured.

Remember that you can ignore SSL certificate errors using ServerCertificateValidate event:

// C# version

using (Ftp client = new Ftp())
{
    // Use this line to validate self-signed certificates:
    client.ServerCertificateValidate += ValidateCertificate;

    client.Connect("ftp.example.org");
    client.AuthSSL();
    client.Login("username", "password");

    foreach (FtpItem item in client.GetList())
    {
        if (item.IsFolder == true)
            Console.WriteLine("[{0}]", item.Name);
        else
            Console.WriteLine("{0}", item.Name);
    }
    client.Close();
}

private static void ValidateCertificate(
    object sender,
    ServerCertificateValidateEventArgs e)
{
    const SslPolicyErrors ignoredErrors =
        SslPolicyErrors.RemoteCertificateChainErrors |
        SslPolicyErrors.RemoteCertificateNameMismatch;

    if ((e.SslPolicyErrors & ~ignoredErrors) == SslPolicyErrors.None)
    {
        e.IsValid = true;
        return;
    }
    e.IsValid = false;
}
' VB.NET version

Using client As New Ftp()
    ' Use this line to validate self-signed certificates:
    AddHandler client.ServerCertificateValidate, AddressOf ValidateCerificate

    client.Connect("ftp.example.org")
    client.AuthSSL()
    client.Login("username", "password")

    For Each item As FtpItem In client.GetList()
        If item.IsFolder = True Then
            Console.WriteLine("[{0}]", item.Name)
        Else
            Console.WriteLine("{0}", item.Name)
        End If
    Next
    client.Close()
End Using

Private Sub ValidateCerificate( _
    ByVal sender As Object, _
    ByVal e As ServerCertificateValidateEventArgs)

    Const ignoredErrors As SslPolicyErrors = _
        SslPolicyErrors.RemoteCertificateChainErrors Or _
        SslPolicyErrors.RemoteCertificateNameMismatch

    If (e.SslPolicyErrors And Not ignoredErrors) = SslPolicyErrors.None Then
        e.IsValid = True
        Return
    End If
    e.IsValid = False
End Sub

You can download Ftp.dll FTP/FTPS client for .NET here.