FTPS problem: "A TLS packet with unexpected length was received."
I'm trying to connect to an FTPS server (not SFTP). I am connecting from a linux system, so I have tried lftp, ftp-ssl, and even using php's ftp_ssl_connect, but none of them work. (I have been able to connect to other FTPS servers using all or at least some of the above methods).
The most descriptive error I have is from lftp with debug all the way up to 11:
$ lftp lftp :~> open -u my-username ftps://server.net Password: lftp [email protected]:~> debug 99999999999 lftp [email protected]:~> ls FileCopy(0x717bf0) enters state INITIAL FileCopy(0x717bf0) enters state DO_COPY ---- dns cache hit ---- Connecting to server.net (IP ADDRESS) port 990 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_ARCFOUR_MD5 GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 GNUTLS: EXT[acfbb0]: Sending extension CERT_TYPE GNUTLS: HSK[acfbb0]: CLIENT HELLO was send [88 bytes] GNUTLS: REC[acfbb0]: Sending Packet[0] Handshake(22) with length: 88 GNUTLS: ASSERT: gnutls_cipher.c:205 GNUTLS: REC[acfbb0]: Sent Packet[1] Handshake(22) with length: 93 GNUTLS: ASSERT: gnutls_buffers.c:638 GNUTLS: ASSERT: gnutls_record.c:909 GNUTLS: ASSERT: gnutls_buffers.c:1152 GNUTLS: ASSERT: gnutls_handshake.c:1032 GNUTLS: ASSERT: gnutls_handshake.c:2331 **** gnutls_handshake: A TLS packet with unexpected length was received. ---- Closing control socket ls: Fatal error: gnutls_handshake: A TLS packet with unexpected length was received.
With PHP I get the following:
Warning: ftp_login(): SSL/TLS handshake failed in /home/user/ftp.php on line 7 Warning: ftp_login(): SSL enabled start the negotiation in /home/user/ftp.php on line 7 cannot login
Line 6: $connect = ftp_ssl_connect("server.net") or die("cannot connect");
line 7: $result = ftp_login($connect,"my-username","my-password") or die("cannot login");
With ftp-ssl:
$ ftp-ssl -d -z debug server.net SSL_DEBUG_FLAG on Connected to server.net. 220-Security Notice 220-All activities may be monitored. System use indicates consent to 220 monitoring. Information may be given to law enforcement. ftp: setsockopt: Bad file descriptor Name (server.net:user): my-username ---> AUTH SSL 234 SSL enabled start the negotiation write to 0x68c190 (102 bytes => 102 (66)) 0000 - 80 64 01 03 01 00 4b 00-00 00 10 00 00 39 00 00 .d....K......9.. 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............ 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../....... 0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................ 0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @............... 0050 - 00 00 03 02 00 80 e9 28-25 ed ea 2d e4 d2 f2 25 .......(%..-...% 0060 - 80 e1 2e f1 c3 71 .....q read from 0x68c190 (7 bytes => -1 (FFFFFFFFFFFFFFFF)) ftp: SSL_connect error error:00000000:lib(0):func(0):reason(0) : Connection reset by peer
Sorry if this post is long, but I've been googling for days with no answer in sight. Just hoping some debug info I missed could be of use to someone.
Answer
On debian when experiencing the same error:
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
First I had to upgrade the ssl-cert package on debian:
$ sudo apt-get upgrade ssl-cert
Then I had to use open ftp:// not open ftps://:
lftp :~> open ftp://xxx.xxx.xxx.xxx:21
ltfp :~> user foo bar
Then the error changed to:
lftp [email protected]:~> ls
ls: Fatal error: Certificate verification: Not trusted (XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX)
This option removed the error and allowed access:
lftp [email protected]:~> set ssl:verify-certificate no