FTPS problem: "A TLS packet with unexpected length was received."
I'm trying to connect to an FTPS server (not SFTP). I am connecting from a Linux system, so I have tried lftp, ftp-ssl, and even using PHP's ftp_ssl_connect, but none of them work. (I have been able to connect to other FTPS servers using all or at least some of the above methods).
The most descriptive error I have is from lftp with debug all the way up to 11:
$ lftp
lftp :~> open -u my-username ftps://server.net
Password:
lftp my-username@server.net:~> debug 99999999999
lftp my-username@server.net:~> ls
FileCopy(0x717bf0) enters state INITIAL
FileCopy(0x717bf0) enters state DO_COPY
---- dns cache hit
---- Connecting to server.net (IP ADDRESS) port 990
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_ARCFOUR_MD5
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
GNUTLS: EXT[acfbb0]: Sending extension CERT_TYPE
GNUTLS: HSK[acfbb0]: CLIENT HELLO was send [88 bytes]
GNUTLS: REC[acfbb0]: Sending Packet[0] Handshake(22) with length: 88
GNUTLS: ASSERT: gnutls_cipher.c:205
GNUTLS: REC[acfbb0]: Sent Packet[1] Handshake(22) with length: 93
GNUTLS: ASSERT: gnutls_buffers.c:638
GNUTLS: ASSERT: gnutls_record.c:909
GNUTLS: ASSERT: gnutls_buffers.c:1152
GNUTLS: ASSERT: gnutls_handshake.c:1032
GNUTLS: ASSERT: gnutls_handshake.c:2331
**** gnutls_handshake: A TLS packet with unexpected length was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: A TLS packet with unexpected length was received.
With PHP I get the following:
Warning: ftp_login(): SSL/TLS handshake failed in /home/user/ftp.php on line 7
Warning: ftp_login(): SSL enabled start the negotiation in /home/user/ftp.php on line 7
cannot login
Line 6: $connect = ftp_ssl_connect("server.net") or die("cannot connect");
line 7: $result = ftp_login($connect,"my-username","my-password") or die("cannot login");
With ftp-ssl:
$ ftp-ssl -d -z debug server.net
SSL_DEBUG_FLAG on
Connected to server.net.
220-Security Notice
220-All activities may be monitored. System use indicates consent to
220 monitoring. Information may be given to law enforcement.
ftp: setsockopt: Bad file descriptor
Name (server.net:user): my-username
---> AUTH SSL
234 SSL enabled start the negotiation
write to 0x68c190 (102 bytes => 102 (66))
0000 - 80 64 01 03 01 00 4b 00-00 00 10 00 00 39 00 00 .d....K......9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 e9 28-25 ed ea 2d e4 d2 f2 25 .......(%..-...%
0060 - 80 e1 2e f1 c3 71 .....q
read from 0x68c190 (7 bytes => -1 (FFFFFFFFFFFFFFFF))
ftp: SSL_connect error error:00000000:lib(0):func(0):reason(0) : Connection reset by peer
Sorry if this post is long, but I've been googling for days with no answer in sight. Just hoping some debug info I missed could be of use to someone.
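Decoding the 102 bytes that ftp-ssl wrote just before the reset shows what the client actually offered to the server. This is an added example, not part of the original post; it treats the dump as an SSLv2-format CLIENT-HELLO, which the 0x80 length header indicates, and the WEAK_TLS set is a hand-picked list of the export-grade and single-DES suite IDs that occur in this offer.

```python
import re
import struct

# Hex dump copied from the ftp-ssl "write to ... (102 bytes ...)" output above.
DUMP = """\
0000 - 80 64 01 03 01 00 4b 00-00 00 10 00 00 39 00 00 .d....K......9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 e9 28-25 ed ea 2d e4 d2 f2 25 .......(%..-...%
0060 - 80 e1 2e f1 c3 71 .....q
"""

# TLS suite IDs in this offer that are export-grade or single-DES.
WEAK_TLS = {0x03, 0x06, 0x08, 0x09, 0x11, 0x12, 0x14, 0x15}

def dump_to_bytes(dump):
    """Rebuild the raw bytes, ignoring offsets and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        rest = line.partition(" - ")[2]
        run = re.match(r"(?:[0-9a-f]{2}[ -])+", rest)
        if run:
            out += bytes.fromhex(run.group(0).replace("-", " "))
    return bytes(out)

def parse_v2_client_hello(rec):
    """Decode an SSLv2-format CLIENT-HELLO (2-byte record header)."""
    if len(rec) < 11 or not rec[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = ((rec[0] & 0x7F) << 8) | rec[1]
    msg, major, minor, cs_len, sid_len, ch_len = struct.unpack_from(">BBBHHH", rec, 2)
    if msg != 1 or length != len(rec) - 2 or cs_len % 3 \
            or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("malformed CLIENT-HELLO")
    specs = [rec[i:i + 3] for i in range(11, 11 + cs_len, 3)]
    tls = [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0]
    return {
        "offered_version": (major, minor),            # (3, 1) means TLS 1.0
        "v2_only": [s.hex() for s in specs if s[0]],  # SSLv2 cipher kinds
        "tls_suites": tls,
        "weak_tls": sorted(set(tls) & WEAK_TLS),
        "challenge_len": ch_len,
    }

HELLO = parse_v2_client_hello(dump_to_bytes(DUMP))
```

The client wrapped a TLS 1.0 offer in the SSLv2 hello format and listed SSLv2-only and export-grade ciphers alongside the AES suites, which is worth comparing against a packet capture of a client that connects successfully.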
On Debian, when experiencing the same error:
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
First I had to upgrade the ssl-cert package on Debian:
$ sudo apt-get upgrade ssl-cert
Then I had to use open ftp:// not open ftps://:
lftp :~> open ftp://xxx.xxx.xxx.xxx:21
lftp :~> user foo bar
Then the error changed to:
lftp foo@xxx.xxx.xxx.xxxx:~> ls
ls: Fatal error: Certificate verification: Not trusted (XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX)
This option removed the error and allowed access:
lftp foo@xxx.xxx.xxx.xxxx:~> set ssl:verify-certificate no
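The ftp:// versus ftps:// difference above is explicit versus implicit FTPS: in explicit mode the server speaks plaintext first, and a client that expects a TLS record misreads that greeting. The following added example (not from the original answer) classifies the first reply received from a port and shows how a banner looks to a record parser; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# TLS record content types defined by the protocol.
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def as_tls_header(data):
    """Read the first 5 bytes the way a TLS record parser would."""
    ctype, major, minor, length = struct.unpack_from(">BBBH", data)
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_first_reply(data):
    """Classify the first bytes received from an FTP(S) port."""
    if len(data) < 5:
        return "too-short"
    hdr = as_tls_header(data)
    # A real record has a known content type, major version 3 and a
    # length within the 2^14 limit plus the allowed expansion.
    if (hdr["type"] in TLS_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= 2**14 + 2048):
        return "tls-record"
    # FTP replies start with three ASCII digits, then a space or '-'.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "ftp-plaintext"
    return "unknown"

# Constructed samples: the banner text is the one shown in the question;
# the TLS bytes are a made-up handshake record header plus filler.
BANNER = b"220-Security Notice\r\n"
TLS_REPLY = bytes.fromhex("160301004a") + b"\x02" * 8

def demo():
    """Return the verdicts and the banner as a record parser sees it."""
    return (classify_first_reply(BANNER),
            classify_first_reply(TLS_REPLY),
            as_tls_header(BANNER))
```

Read as a record header, the banner yields content type 0x32, version bytes 0x32 0x30 and a length of 11603, none of which a TLS stack can accept.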
It looks like the server uses an incompatible or invalid key exchange algorithm. Try using Wireshark to capture packets between your client and server; that will probably shed some light on the issue. Also, you can try to enable/disable some key exchange algorithms.