I am trying to connect to an FTP server using System.Net.FtpWebResponse but I am running into TLS problems.

If I use this configuration:

 ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
 ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;
 FtpWebResponse response = (FtpWebResponse)request.GetResponse();

I get this error:

 "Authentication failed because the remote party has closed the transport stream."

For any other value of SecurityProtocolType (Tls12, Tls11, Tls) I get this error:

 "error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol"

What is the correct configuration?

UPDATE

I don't know if it is of any relevance, but I tried a tool to check the FTP server and I got this; I really don't know what any of this means:

Testing protocols via sockets except NPN+ALPN

 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 not offered
 TLS 1.1 not offered
 TLS 1.2 not offered
 TLS 1.3 not offered

 You should not proceed as no protocol was detected. If you still really really want to, say "YES" --> YES
 NPN/SPDY not offered
 ALPN/HTTP2 http/1.1 (offered)

Testing cipher categories

 NULL ciphers (no encryption) not offered (OK)
 Anonymous NULL Ciphers (no authentication) not offered (OK)
 Export ciphers (w/o ADH+NULL) not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK)
 Triple DES Ciphers / IDEA not offered
 Obsolete: SEED + 128+256 Bit CBC cipher not offered
 Strong encryption (AEAD ciphers) not offered

Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 Cipher mapping not available, doing a fallback to openssl

Local problem: You only have 1 PFS ciphers on the client side

Testing server preferences

 Has server cipher order? no (NOT ok)
 Negotiated protocol TLSv1.2
 Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) (limited sense as client will pick)
 Negotiated cipher per proto (limited sense as client will pick)
 (SSLv2: Local problem: /usr/bin/openssl doesn't support "s_client -ssl2")
 ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
 No further cipher order check has been done as order is determined by the client

Error setting TLSv1.3 ciphersuites 140630432556352:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:

Testing server defaults (Server Hello)

 TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support yes
 Session Resumption Tickets no, ID: yes
 TLS clock skew Random values, no fingerprinting possible

Client problem, shouldn't happen: Host certificate found but we can't continue with "server defaults".

Testing HTTP header response @ "/"

 HTTP Status Code 403 Forbidden
 HTTP clock skew 0 sec from localtime
 Strict Transport Security not offered
 Public Key Pinning --
 Server banner Apache
 Application banner --
 Cookie(s) (none issued at "/") -- maybe better try target URL of 30x
 Security headers --
 Reverse Proxy banner --

Testing vulnerabilities

 Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224) not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
 ROBOT
 Error setting TLSv1.3 ciphersuites 140275162178880:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140324905874752:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 139742720451904:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140133308515648:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140251683521856:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140392466134336:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140019500512576:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 139707582891328:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 139892042757440:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140262622430528:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 Error setting TLSv1.3 ciphersuites 140130529056064:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 not vulnerable (OK)
 Secure Renegotiation (RFC 5746) supported (OK)
 Secure Client-Initiated Renegotiation not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929) test failed (couldn't connect)
 BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507) test failed (couldn't connect)
 SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
 FREAK (CVE-2015-0204) not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
 make sure you don't use this certificate elsewhere with SSLv2 enabled services
 https://censys.io/ipv4?q=EB4B836B43825246B82235A5E6851DEE642977E8714EA8C7D9F28BF907928B9C could help you to find out
 LOGJAM (CVE-2015-4000), experimental
 Error setting TLSv1.3 ciphersuites 140009947899200:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental
 Error setting TLSv1.3 ciphersuites 140314971432256:error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match:../ssl/ssl_ciph.c:1294:
 potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808) Local problem: No RC4 Ciphers configured in /usr/bin/openssl

Testing all 1 locally available ciphers against the server, ordered by encryption strength

 Cipher mapping not available, doing a fallback to openssl

Hexcode Cipher Suite Name (IANA/RFC) KeyExch. Encryption Bits Cipher Suite Name (OpenSSL)

Local problem: couldn't find client simulation data in /home/user/etc/client-simulation.txt

The server is Microsoft FTP Service, at least that is what I am seeing when logging the connection – jmiguel77 Jun 23, 2020 at 22:10

I tried using FluentFTP but the same problem; this is the log of the connection

 # Connect()
 Status: Connecting to [ip]:21
 Response: 220-Microsoft FTP Service
 Response: 220 ************************************************************
 Status: Detected FTP server: WindowsServerIIS
 Command: AUTH TLS
 Response: 234 AUTH command ok. Expecting TLS Negotiation.

then nothing – jmiguel77 Jun 23, 2020 at 22:13

Either the server does not support TLS or you don't use the proper tool to check - since it does not find any TLS support. But it might simply be that the tool is not suitable for FTP+TLS in the first place. Apart from that please fix your formatting to make it more readable and don't just dump unformatted stuff into the question. – Steffen Ullrich Jun 24, 2020 at 4:07
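The FluentFTP log above shows explicit FTPS: the TLS handshake only begins after `AUTH TLS` is answered with 234 on the plain port-21 connection, so a check that starts TLS directly on the port does not exercise this path. The following is an added example, not code from the question or its commenters: it performs that exchange in Python and attempts one pinned TLS version per connection. The names `read_reply` and `probe` are chosen here, and the host is whatever the reader passes on the command line.

```python
import socket
import ssl
import sys

# Constructed sample: the server replies from the FluentFTP log above (banner shortened).
SAMPLE = (b"220-Microsoft FTP Service\r\n"
          b"220 ****\r\n"
          b"234 AUTH command ok. Expecting TLS Negotiation.\r\n")

VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
            "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}

def read_reply(stream):
    """Read one FTP reply, including the multi-line '220-...' form."""
    first = stream.readline().decode("latin-1").rstrip("\r\n")
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError(f"not an FTP reply: {first!r}")
    code, lines = first[:3], [first]
    # "NNN-" opens a multi-line reply; it ends at the first line starting "NNN ".
    while first[3:4] == "-" and lines[-1][:4] != code + " ":
        line = stream.readline()
        if not line:
            raise ValueError("connection closed inside a multi-line reply")
        lines.append(line.decode("latin-1").rstrip("\r\n"))
    return int(code), lines

def probe(host, version, port=21, timeout=10):
    """Plain connect, AUTH TLS, then a handshake pinned to one TLS version."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Protocol check only: nothing is sent after the handshake, so the
        # certificate is not validated, and the local OpenSSL security level
        # is lowered so that a TLS 1.0/1.1-only server can still be detected.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            stream = sock.makefile("rb")
            read_reply(stream)                       # 220 banner
            sock.sendall(b"AUTH TLS\r\n")
            code, lines = read_reply(stream)
            if code != 234:
                return f"AUTH TLS refused: {lines[-1]}"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok: {tls.version()} {tls.cipher()[0]}"
    except (OSError, ValueError) as exc:             # ssl.SSLError is an OSError
        return f"failed: {exc}"

if __name__ == "__main__":
    for name, version in VERSIONS.items():
        print(name, "->", probe(sys.argv[1], version))
```

A version that reports `failed` can also reflect a local OpenSSL build without that protocol, so compare results from more than one client machine before concluding anything about the server.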

Hexcode Cipher Suite Name (IANA/RFC) KeyExch. Encryption Bits Cipher Suite Name (OpenSSL)

In case you need to convert IANA names, OpenSSL names or hexadecimal codepoints:

There is a simple way to convert any OpenSSL (or GnuTLS, NSS, etc.) cipher name into IANA/standard/RFC cipher names by using the tls-map library in Ruby:

require 'tls_map'
tm = TLSmap::App.new
# OpenSSL -> IANA
tm.search(:openssl, 'AES128-SHA', :iana) #=> {:iana=>"TLS_RSA_WITH_AES_128_CBC_SHA"}
# Hexadecimal codepoint to all (including OpenSSL & IANA)
tm.search(:codepoint, '1303') #=> {:codepoint=>"1303", :iana=>"TLS_CHACHA20_POLY1305_SHA256", :openssl=>"TLS_CHACHA20_POLY1305_SHA256", :gnutls=>"CHACHA20_POLY1305_SHA256", :nss=>"TLS_CHACHA20_POLY1305_SHA256"}

It's also available as a CLI tool:

$ tls-map search openssl AES128-SHA -o iana
iana: TLS_RSA_WITH_AES_128_CBC_SHA
        
