EldoS | Feel safer!

Software components for data protection, secure storage and transfer

FTPS, ERROR_SSL_BAD_RECORD_MAC, 75778

#16473
Posted: 05/18/2011 08:00:46
by Jesse Terrell (Standard support level)
Joined: 05/29/2007
Posts: 24

I'm attempting to use the Simple FTPS .NET control version 9 (tried version 8.x too) to connect to an FTPS server. We've been connecting to the server at this address for months until recently. The server certificate has been modified and we can no longer connect. We need help resolving an error ERROR_SSL_BAD_RECORD_MAC, 75778. Any suggestions would be appreciated. Below are the log events from both the Simple FTPS Demo client and two other third-party clients.

Here is the certificate information from the host server. This has recently changed.

Valid From: 4/6/2011
Valid To: 4/5/2014
Serial Number: 00
Public key algorithm: RSA with 2048 bits
Fingerprint (MD5): a8:bunch more stuff here
Fingerprint(SHA-1): 95:bunch more stuff here
Cipher: AES-128-CBC
MAC: SHA1

Here are the log events from the FTPS Demo Client that can’t connect no matter what combination of settings I attempt:

Connecting to ftps.welldynerx.com:990
Fatal Remote Error 75778
If you are getting error 75778, this can mean the remote server doesn’t support the specified SSL/TLS version
Server cannot perform SSL/TLS negotiation

Here are the log events from IPSwitch WS_FTP Pro v12 client after a successful connection:

Finding Host ftps.welldynerx.com ...
[2011.05.18 07:45:54.129] Connecting to 216.139.196.217:990
[2011.05.18 07:45:54.176] Connected to 216.139.196.217:990 in 0.046874 seconds, Waiting for Server Response
[2011.05.18 07:45:54.176] Initializing SSL Session ...
[2011.05.18 07:45:54.192] SSL session NOT set for reuse
[2011.05.18 07:45:54.363] SSL Session Started.

[2011.05.18 07:45:54.598] 220-This is a private site. If you do not have permission to use
[2011.05.18 07:45:54.598] 220 this site, disconnect now.
[2011.05.18 07:45:54.598] Host type (1): AUTO
[2011.05.18 07:45:54.598] USER webtpa
[2011.05.18 07:45:54.957] 331 User webtpa, password please
[2011.05.18 07:45:54.957] PASS (hidden)
[2011.05.18 07:45:55.301] 230 Password Ok, User logged in
[2011.05.18 07:45:55.301] SYST
[2011.05.18 07:45:55.348] 215 UNIX Type: L8
[2011.05.18 07:45:55.348] Host type (2): Unix (Standard)
[2011.05.18 07:45:55.348] PBSZ 0
[2011.05.18 07:45:55.442] 200 PBSZ=0
[2011.05.18 07:45:55.442] PROT P
[2011.05.18 07:45:55.629] 200 PROT P OK, data channel will be secured
[2011.05.18 07:45:55.629] CLNT WS_FTP_Professional 12
[2011.05.18 07:45:55.817] 200 Command okay
[2011.05.18 07:45:55.817] PWD
[2011.05.18 07:45:55.942] 257 "/" is the current directory
/ loaded from [Directory Listing Cache]DIR100B.tmp

Here are the log events from Filezilla version 3.3.4.1 after a successful connection:

07:56:25 Status: Resolving address of ftps.welldynerx.com
07:56:25 Status: Connecting to 216.139.196.217:990...
07:56:25 Status: Connection established, initializing TLS...
07:56:25 Status: Verifying certificate...
08:00:07 Status: TLS/SSL connection established, waiting for welcome message...
08:00:07 Response: 220-This is a private site. If you do not have permission to use
08:00:07 Response: 220 this site, disconnect now.

08:00:07 Command: USER webtpa
08:00:07 Error: Connection closed by server
08:00:07 Error: Could not connect to server

08:00:07 Status: Waiting to retry...
08:00:12 Status: Resolving address of ftps.welldynerx.com
08:00:12 Status: Connecting to 216.139.196.217:990...
08:00:12 Status: Connection established, initializing TLS...
08:00:12 Status: Verifying certificate...
08:00:12 Status: TLS/SSL connection established, waiting for welcome message...
08:00:12 Response: 220-This is a private site. If you do not have permission to use
08:00:12 Response: 220 this site, disconnect now.

08:00:12 Command: USER webtpa
08:00:12 Response: 331 User webtpa, password please
08:00:12 Command: PASS *******
08:00:13 Response: 230 Password Ok, User logged in
08:00:13 Command: SYST
08:00:13 Response: 215 UNIX Type: L8
08:00:13 Command: FEAT
08:00:13 Response: 211- Additional features supported include:
08:00:13 Response: MDTM
08:00:13 Response: MFCT
08:00:13 Response: MFMT
08:00:13 Response: SIZE
08:00:13 Response: REST STREAM
08:00:13 Response: AUTH TLS
08:00:13 Response: AUTH SSL
08:00:13 Response: PBSZ
08:00:13 Response: EPRT
08:00:13 Response: EPSV
08:00:13 Response: XCRC
08:00:13 Response: XSHA1
08:00:13 Response: XSHA256
08:00:13 Response: XSHA512
08:00:13 Response: XMD5
08:00:13 Response: PROT
08:00:13 Response: LANG EN*
08:00:13 Response: SITE PSWD
08:00:13 Response: SITE ZONE
08:00:13 Response: SITE UTIME
08:00:13 Response: MLST Type*;Size*;Modify*;Create*;
08:00:13 Response: CLNT
08:00:13 Response: CSID
08:00:13 Response: RMDA
08:00:13 Response: UTF8
08:00:13 Response: 211 End

08:00:13 Command: CLNT FileZilla
08:00:13 Response: 200 Command okay
08:00:13 Command: OPTS UTF8 ON
08:00:13 Response: 220 UTF8 support on
08:00:13 Command: PBSZ 0
08:00:13 Response: 200 PBSZ=0
08:00:13 Command: PROT P
08:00:13 Response: 200 PROT P OK, data channel will be secured
08:00:13 Status: Connected
08:00:13 Status: Retrieving directory listing...
08:00:13 Command: PWD
08:00:13 Response: 257 "/" is the current directory
08:00:13 Command: TYPE I
08:00:13 Response: 200 Type Binary
08:00:13 Command: PASV
08:00:13 Response: 227 Entering Passive Mode (216,139,196,217,12,172)
08:00:13 Command: MLSD
08:00:13 Response: 150 Opening data connection
08:00:14 Response: 226 Transfer complete

08:00:14 Status: Directory listing successful


#16474
Posted: 05/18/2011 09:18:38
by Jesse Terrell (Standard support level)
Joined: 05/29/2007
Posts: 24

Well, after more thought I decided to trap the cipher being used by the FTPS Demo client in the Client_OnCertificateValidate event to see if the wrong cipher suite was being auto-detected. The auto-detected cipher suite being attempted was SB_SUITE_RSA_RC4_SHA so I disabled it and let the next auto-detected cipher suite have a go. And wouldn't you know the next one (SB_SUITE_DHE_RSA_AES256_SHA) works. For other users having trouble with error code 75778 in the Simple FTPS client, I suggest trapping the cipher suite number in the Client_OnCertificateValidate event and disabling them one at a time until you are confident the auto detected cipher suite is not the issue.

Here's the line of code to disable a cipher suite in C#. Put it before you call Client.Open, of course.

// Disable the RC4-SHA suite so the next auto-detected suite is negotiated instead
Client.set_CipherSuites(SBConstants.__Global.SB_SUITE_RSA_RC4_SHA, false);
#16475
Posted: 05/18/2011 09:48:50
by Ken Ivanov (EldoS Corp.)

Thank you for the detailed explanation. It seems that your problem has been caused by incorrect handling of the RC4 algorithm by the server. In either case, the steps you performed to localize the issue are perfectly correct and indeed can be used in similar situations to track down the problem.
#16476
Posted: 05/18/2011 09:52:23
by Eugene Mayevski (EldoS Corp.)

Thank you for posting a solution. An error with this code is given when some buggy server doesn't understand one of the algorithms or protocol versions passed by the client. A correctly written server should ignore the value, but some servers close the connection with this error code. Usually it's TLS 1.1 or 1.2 that causes the problems, and it's the first time a cipher suite caused it. So your report is also valuable as it tells us about such a possibility. I am wondering what the server software is.


Sincerely yours
Eugene Mayevski
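The following is an added example, not code from EldoS or the SecureBlackbox library, written in Python so it runs stand-alone rather than against the .NET control. It serves two passages: Eugene's explanation of what error 75778 (bad_record_mac) reports, shown as the TLS 1.0/1.1 record MAC that a CBC suite with SHA1 (the AES-128-CBC/SHA1 suite listed for the server above) verifies on every record, and Jesse's procedure from post #16474, shown as a generic elimination loop that disables the negotiated suite after each failure and retries. The suite names and the "server" are constructed stand-ins: `simulated_server` models a server that negotiates a suite and then mishandles it, and `connect` stands for "set the enabled suites, call Open, read the CipherSuite property"; none of these names exist in the library.

```python
import hashlib
import hmac
import struct
from typing import Callable, List, Optional, Sequence, Tuple

# ---- 1. The TLS 1.0/1.1 record MAC (RFC 2246 / RFC 4346, section 6.2.3.1) ----
# Under a CBC suite with a SHA1 MAC, each record carries HMAC-SHA1 over
# seq_num(8) || type(1) || version(2) || length(2) || fragment.
# A receiver that cannot reproduce the MAC sends the bad_record_mac alert.

TLS1_0 = (3, 1)            # ProtocolVersion {major, minor}; TLS 1.0 is 0x0301
CT_APPLICATION_DATA = 23   # ContentType application_data


def record_mac(mac_key: bytes, seq_num: int, content_type: int,
               version: Tuple[int, int], fragment: bytes) -> bytes:
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  version: Tuple[int, int], fragment: bytes, mac: bytes) -> bool:
    """Receiver-side check; a mismatch here is what a bad_record_mac alert reports."""
    expected = record_mac(mac_key, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, mac)


def mac_demo() -> dict:
    """Constructed key and record; shows which conditions the MAC check rejects."""
    key = hashlib.sha1(b"constructed mac_write_secret").digest()   # 20 bytes, as for SHA1
    seq, frag = 0, b"220 constructed greeting\r\n"
    mac = record_mac(key, seq, CT_APPLICATION_DATA, TLS1_0, frag)
    tampered = bytes([frag[0] ^ 0x01]) + frag[1:]
    check = lambda k, s, f: verify_record(k, s, CT_APPLICATION_DATA, TLS1_0, f, mac)
    return {
        "correct": check(key, seq, frag),                 # the only case that passes
        "tampered_fragment": check(key, seq, tampered),   # data changed in transit
        "wrong_key": check(b"\x00" * 20, seq, frag),      # peers derived different keys
        "sequence_desync": check(key, seq + 1, frag),     # record counters disagree
    }


# ---- 2. The elimination procedure from post #16474 ---------------------------
# connect(enabled) -> (succeeded, negotiated_suite_or_None). In the real client
# the suite is read from the CipherSuite property inside the event handler.

Connect = Callable[[Sequence[str]], Tuple[bool, Optional[str]]]

# Constructed names mirroring the SB_SUITE_* constants named in the thread.
SUITES = ["RSA_RC4_SHA", "DHE_RSA_AES256_SHA", "RSA_AES128_SHA"]


def simulated_server(preference: Sequence[str], broken: Sequence[str]) -> Connect:
    """Constructed stand-in for a buggy server: it negotiates the first of its
    preferred suites that the client offers, then aborts if it mishandles it."""
    def connect(enabled: Sequence[str]) -> Tuple[bool, Optional[str]]:
        for suite in preference:
            if suite in enabled:
                return (suite not in broken, suite)
        return (False, None)   # no suite in common
    return connect


def eliminate_suites(candidates: Sequence[str], connect: Connect) -> dict:
    """Disable the negotiated suite after each failure and retry.
    Copes with more than one broken suite, since each round removes one."""
    enabled, disabled = list(candidates), []   # type: List[str], List[str]
    while enabled:
        ok, negotiated = connect(enabled)
        if ok:
            return {"working": negotiated, "disabled": disabled}
        if negotiated is None or negotiated not in enabled:
            break   # failed before a suite was observable: not a suite problem
        enabled.remove(negotiated)
        disabled.append(negotiated)
    return {"working": None, "disabled": disabled}


if __name__ == "__main__":
    print(mac_demo())
    server = simulated_server(preference=SUITES, broken=["RSA_RC4_SHA"])
    print(eliminate_suites(SUITES, server))
```

The MAC demo makes Ken's later point concrete: a bad MAC is raised whenever the two sides disagree on keys, cipher or record sequence, not only when a suite is unsupported, so the same error can come from a protocol-version mismatch. The elimination loop stops as soon as a connect fails without a negotiated suite, which is the signal that disabling suites will not help and the protocol version or the call stack (as Ken suggests below) should be examined instead.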
#18124
Posted: 11/09/2011 10:52:55
by Thomas Kraemer (Standard support level)
Joined: 11/09/2011
Posts: 1

How do I go about trapping the cipher suite number?
#18125
Posted: 11/09/2011 11:01:56
by Ken Ivanov (EldoS Corp.)

Use the CipherSuite property to get the number of the cipher suite negotiated by a client and a server.
#26993
Posted: 10/24/2013 16:59:51
by David Serrano (Basic support level)
Joined: 11/16/2012
Posts: 19

Hi, I am having the same problem!! But I have the latest version of the EldoS DLLs. So, what can I do to get the cipher suite number that I have to quit? I'm using the CipherSuite property and it is 0!!!
Thanks.
#26994
Posted: 10/24/2013 17:09:18
by Ken Ivanov (EldoS Corp.)

Hello David,

The ERROR_SSL_BAD_RECORD_MAC error might be returned in a variety of circumstances, so your problem might not be related directly to ciphersuites. First of all please try to switch off the TLS 1.1 and TLS 1.2 protocol versions and check if it helps. If it doesn't, could you please put a breakpoint inside the OnError event handler and capture the call stack of the error?
#26995
Posted: 10/24/2013 17:22:04
by David Serrano (Basic support level)
Joined: 11/16/2012
Posts: 19

Mmm, well, I added an OnSSlError handler and it is not called at any moment. And the only exception detail I have is: Server cannot perform SSL/TLS negotiation. That exception is fired when I call the Open method.
#26996
Posted: 10/24/2013 17:29:59
by David Serrano (Basic support level)
Joined: 11/16/2012
Posts: 19

The server that I am using is Complete FTP from EnterpriseDT, so the connection is FTPS implicit, and if I use the FileZilla client it works fine. I am trying to use your client demo and the different versions of TLS but I always get the same error.