FTP connection failure

I've got an FTP connection that fails to connect. The connection properties are set to Secure TLS Explicit (AUTH TLS). When I try to connect I get an error message:

What might be the cause of this?

You probably need to toggle Passive mode. See the FTP FAQ.

Hi Leo!

Though I've been told that passive mode has to be set I tried to toggle it. It didn't help. Also, a successful connection has been made with another client in both passive and active mode.
The log contains:

What's the log look like for the other program?

The log from Total Commander:

[quote]

Connect to: (2012.06.20 3:42:10 PM)
hostname=!!!removed hostname!!!
username=!!!removed username!!!
startdir=
!!!removed hostname!!!=!!!removed ip!!!
220 Welcome!
AUTH TLS
234 Proceed with negotiation.
Cert subject: /C=HU/ST=Budapest/L=Budapest/O=IQSYS Zrt./OU=Public BO/CN=!!!removed hostname!!!
Cert issuer: /C=HU/ST=Budapest/L=Budapest/O=IQSYS Zrt./OU=Public BO/CN=!!!removed hostname!!!
USER !!!removed username!!!
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
UTF8
211 End
PBSZ 0
200 PBSZ set to 0.
PROT P
200 PROT now Private.
OPTS UTF8 ON
200 Always in UTF8 mode.
Connect ok!
PWD
257 "/"
Get directory
TYPE A
200 Switching to ASCII mode.
PORT !!!removed!!!
500 Illegal PORT command.
PASV
227 Entering Passive Mode (!!!removed!!!).
LIST
150 Here comes the directory listing.
Download
Waiting for server...
226 Directory send OK.[/quote]

I tried a few others and the funny thing is that Total Commander was the only one able to connect :open_mouth: Here's the log from CuteFTP:

[quote]
*** CuteFTP 8.3 - build May 19 2010 ***

STATUS:> [2012.06.20. 16:00:29] Getting listing ""...
STATUS:> [2012.06.20. 16:00:29] Resolving host name !!!removed hostname!!!...
STATUS:> [2012.06.20. 16:00:29] Host name !!!removed hostname!!! resolved: ip = !!!removed ip!!!.
STATUS:> [2012.06.20. 16:00:29] Connecting to FTP server... !!!removed hostname!!!:21 (ip = !!!removed ip!!!)...
STATUS:> [2012.06.20. 16:00:29] Socket connected. Waiting for welcome message...
[2012.06.20. 16:00:29] 220 Welcome!
STATUS:> [2012.06.20. 16:00:29] Connected. Authenticating...
COMMAND:> [2012.06.20. 16:00:29] AUTH TLS
[2012.06.20. 16:00:29] 234 Proceed with negotiation.
STATUS:> [2012.06.20. 16:00:29] Establishing SSL session...
STATUS:> [2012.06.20. 16:00:29] Connected. Exchanging encryption keys...
STATUS:> [2012.06.20. 16:00:29] SSL Connect time: 123 ms.
STATUS:> [2012.06.20. 16:00:29] SSL encrypted session established.
COMMAND:> [2012.06.20. 16:00:29] PBSZ 0
[2012.06.20. 16:00:30] 200 PBSZ set to 0.
COMMAND:> [2012.06.20. 16:00:30] USER !!!removed username!!!
[2012.06.20. 16:00:30] 331 Please specify the password.
COMMAND:> [2012.06.20. 16:00:30] PASS *****
[2012.06.20. 16:00:30] 230 Login successful.
STATUS:> [2012.06.20. 16:00:30] Login successful.
COMMAND:> [2012.06.20. 16:00:30] PWD
[2012.06.20. 16:00:30] 257 "/"
STATUS:> [2012.06.20. 16:00:30] Home directory: /
COMMAND:> [2012.06.20. 16:00:30] FEAT
[2012.06.20. 16:00:30] Informational Message Only:
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
UTF8
211 End
STATUS:> [2012.06.20. 16:00:30] This site supports features.
STATUS:> [2012.06.20. 16:00:30] This site supports SIZE.
STATUS:> [2012.06.20. 16:00:30] This site can resume broken downloads.
COMMAND:> [2012.06.20. 16:00:30] REST 0
[2012.06.20. 16:00:30] 350 Restart position accepted (0).
COMMAND:> [2012.06.20. 16:00:30] PBSZ 0
[2012.06.20. 16:00:30] 200 PBSZ set to 0.
COMMAND:> [2012.06.20. 16:00:30] PROT P
[2012.06.20. 16:00:30] 200 PROT now Private.
COMMAND:> [2012.06.20. 16:00:30] PASV
[2012.06.20. 16:00:30] 227 Entering Passive Mode (!!!removed!!!).
COMMAND:> [2012.06.20. 16:00:30] LIST
STATUS:> [2012.06.20. 16:00:30] Connecting FTP data socket... !!!removed ip!!!:31227...
[2012.06.20. 16:00:30] 150 Here comes the directory listing.
STATUS:> [2012.06.20. 16:00:30] Connected. Exchanging encryption keys...
STATUS:> [2012.06.20. 16:00:30] SSL Connect time: 110 ms.
STATUS:> [2012.06.20. 16:00:30] SSL encrypted session established.
[2012.06.20. 16:00:31] 522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page
ERROR:> [2012.06.20. 16:00:31] Permanent completion problem reply.[/quote]

Could it be a firewall issue, with most programs being blocked by default and only the one which works being allowed through?

Or maybe the site is just using an SSL feature that not many things support.

If you want to see if Opus and/or CuteFTP are able to connect to another SSL site, try this one:

Connection: Secure TLS Explicit (AUTH TLS)
Host address: ftp.secureftp-test.com
Port: 21
Login: test
Password: test

Additionally, check that all the programs are using the same port and SSL type (there are at least two modes of SSL, implicit and explicit, with one typically on port 21 and the other on port 990; usually only one of the two modes will work with an FTP-SSL site).

No, it does not work with firewall disabled either.

[quote="leo"]
If you want to see if Opus and/or CuteFTP are able to connect to another SSL site, try this one:

Connection: Secure TLS Explicit (AUTH TLS)
Host address: ftp.secureftp-test.com
Port: 21
Login: test
Password: test[/quote]
This one works.

Using port 990 instead of 21 makes it fail with "FD_CONNECT - WSAETIMEDOUT: Connection timed out".

Seems to be the case here. All the other FTP programs except Total Commander failed, even those claiming they're pro or whatever. It's quite frustrating :cry:

Have you got any ideas for a workaround?

I checked the doc of CuteFTP for 552 and I don't understand the error message. I haven't tried uploading anything. Actually, I didn't get anywhere near being able to do that since it fails before the connection is fully established.

Is there a way to make Opus log a bit more verbose?

You've looked up error 552 when it's error 522 in the log, which is why the docs for the error don't seem to fit the situation. :slight_smile:

If you do a web search on the error message, 522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page, it turns out to be a non-standard behaviour of the vsftpd server which causes problems with a lot of different FTP clients (as it is not part of the FTP-SSL specification) and can be turned off on the server side via the require_ssl_reuse option mentioned in the error message. (Only the server admin can do that.)

We might be able to make Opus support the vsftpd behaviour, although it could be difficult to test unless we can get access to a vsftpd server to test against. Apparently it is a security feature (though there seems to be some debate over that) so admins may be reluctant to turn it off. If you link your account we'll assign a higher priority to this.

What's strange is that vsftpd made this change back in 2009, mentioning that it works with FileZilla for example (although at least one person in the comments complained that it didn't work with FileZilla), but there are threads from this year with people complaining about it breaking FileZilla, WinSCP, and some others. Maybe something changed recently or was broken somewhere in vsftpd or one of the components it depends on.

(It's also possible that Opus and CuteFTP are failing to work with vsftpd for different reasons, as the logs aren't showing the same things.)
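The session-reuse requirement behind the 522 reply above, handled on the client side, as an added example that is not part of the original thread or of any client discussed in it: a Python `ftplib.FTP_TLS` subclass that resumes the control connection's TLS session on every data connection. The class and function names and the `cafile` parameter (for trusting a self-signed server certificate like the one in the Total Commander log) are assumptions for illustration.

```python
import ftplib
import ssl


class SessionReuseFTP_TLS(ftplib.FTP_TLS):
    """FTP_TLS client that resumes the control channel's TLS session on data sockets.

    Illustrative class, not part of ftplib. vsftpd with require_ssl_reuse enabled
    answers "522 SSL connection failed; session reuse required" when the data
    connection negotiates a brand-new TLS session instead of resuming.
    """

    def ntransfercmd(self, cmd, rest=None):
        # Open the plain data socket with the base FTP logic, bypassing
        # FTP_TLS.ntransfercmd, which would wrap it in a fresh TLS session.
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:  # True once prot_p() has sent PBSZ 0 / PROT P
            conn = self.context.wrap_socket(
                conn,
                server_hostname=self.host,
                session=self.sock.session,  # resume the control-channel session
            )
        return conn, size


def list_directory(host, user, password, path="/", cafile=None):
    """Explicit TLS login (AUTH TLS), protected data channel, return LIST lines.

    cafile: optional PEM file holding the CA, or the server's own self-signed
    certificate, to trust instead of switching certificate verification off.
    """
    context = ssl.create_default_context(cafile=cafile)
    ftps = SessionReuseFTP_TLS(context=context)
    ftps.connect(host, 21)
    ftps.login(user, password)  # FTP_TLS.login sends AUTH TLS before USER/PASS
    ftps.prot_p()               # PBSZ 0 followed by PROT P
    lines = []
    try:
        ftps.retrlines("LIST " + path, lines.append)
    finally:
        ftps.quit()
    return lines
```
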

[quote="leo"]You've looked up error 552 when it's error 522 in the log, which is why the docs for the error don't seem to fit the situation. :slight_smile:
[/quote]
True, my bad, sorry :blush: :laughing:

That would be great!

Sure, right away :wink:

[quote="leo"]
What's strange is that vsftpd made this change back in 2009, mentioning that it works with FileZilla for example (although at least one person in the comments complained that it didn't work with FileZilla), but there are threads from this year with people complaining about it breaking FileZilla, WinSCP, and some others. Maybe something changed recently or was broken somewhere in vsftpd or one of the components it depends on.

(It's also possible that Opus and CuteFTP are failing to work with vsftpd for different reasons, as the logs aren't showing the same things.)[/quote]
I've tried Directory Opus, CuteFTP Free (or was it Light?) and Pro, CoffeeCup Free FTP, GoFTP, FileZilla, Total Commander, WinSCP and several others (4 or 5) I can't remember the names of. Of those, only GoFTP and Total Commander were able to connect, so you must be right, something has been terribly broken there.

Thank you very much for your help, Leo. Have a nice day :slight_smile: