I have Filezilla Server (0.9.6 beta) installed on a Windows 2008R2 server. It worked fine until recently, but lately we have been getting reports of connection errors.
The two most common reports are:
1. Connection timed out after the AUTH TLS command
2. Server sent an unsorted certificate chain in violation of the TLS specifications
When connecting with the Filezilla FTP client (3.45.1) I get both errors at random. Sometimes it is the first error, sometimes the second.
Using https://ftptest.net I am able to reproduce these errors consistently.
FTP over explicit TLS:
Status: Connecting to xx.xx.xxx.xx
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220 Welcome to FTP server.
Command: CLNT https://ftptest.net on behalf of xx.xx.xxx.xx
Reply: 200 Don't care
Command: AUTH TLS
Error: Connection timed out
FTP over implicit TLS:
Status: Resolving address of ftp.xxxxxx.com
Status: Connecting to xx.xx.xxx.xx
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, performing TLS handshake...
Error: TLS handshake failed: An unexpected TLS packet was received.
FTP with fallback to plain FTP allowed:
Status: Resolving address of ftp.xxxxxx.com
Status: Connecting to xx.xx.xxx.xx
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220 Welcome to FTP server.
Command: CLNT https://ftptest.net on behalf of xx.xx.xxx.xx
Reply: 200 Don't care
Command: AUTH TLS
Reply: 234 Using authentication type TLS
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 4 certificates from server.
Status: cert[0]: subject='OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.xxxxxx.com' issuer='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA'
Status: cert[1]: subject='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: cert[2]: subject='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: cert[3]: subject='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA' issuer='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority'
Error: Peer certificate chain received in wrong order. The TLS specifications require that each certificate in the chain must directly certify the one preceeding it.
When I try to connect with openssl, no certificate is sent at all:
openssl s_client -starttls ftp -connect ftp.xxxxxx.com:21
CONNECTED(000001A8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 43 bytes and written 329 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Questions
For plain FTP, I am having a hard time reading the certificate order to figure out what is wrong. Even if I do figure it out, there does not seem to be any way to change that order in Filezilla Server. What should I be looking at here?
For explicit TLS, I do not know why the AUTH TLS command always times out. Could it be because of the certificate order?
The plain FTP connection shows the error but still goes on to list the directory. The explicit TLS connection, however, never gets past the AUTH TLS error. Would fixing the explicit TLS connection error also fix the certificate ordering error?
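As an added example (not part of the question or of Filezilla), the following Python script parses the `cert[n]` status lines that ftptest.net printed above, reports each position where the chain breaks the "each certificate directly certifies the one preceding it" rule, and computes the leaf-first order the server should be sending. It matches certificates by subject/issuer name only and does not verify signatures.

```python
import re

# Constructed sample input: the four "Status: cert[n]" lines exactly as ftptest.net
# printed them in the question (the server's actual send order).
FTPTEST_LOG = """
Status: cert[0]: subject='OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.xxxxxx.com' issuer='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA'
Status: cert[1]: subject='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: cert[2]: subject='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: cert[3]: subject='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA' issuer='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority'
"""

CERT_RE = re.compile(r"cert\[(\d+)\]: subject='([^']*)' issuer='([^']*)'")

def parse_chain(log):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    found = {int(m.group(1)): (m.group(2), m.group(3)) for m in CERT_RE.finditer(log)}
    return [found[i] for i in sorted(found)]

def cn(name):
    """Pull the CN attribute out of a comma-separated DN string for readable output."""
    m = re.search(r"(?:^|,)CN=([^,]+)", name)
    return m.group(1) if m else name

def chain_order_errors(chain):
    """Indexes i where cert[i+1] does not directly certify cert[i]: the rule that
    the TLS spec (RFC 5246 section 7.4.2) states and that ftptest.net enforces."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

def reorder_chain(chain):
    """Rebuild the chain leaf-first by following issuer -> subject links.
    Name matching only: this does not verify any signatures."""
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    issuers = {iss for _, iss in chain}
    leaves = [c for c in chain if c[0] not in issuers]  # nothing is issued by the leaf
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    ordered, seen = [leaves[0]], {leaves[0][0]}
    while True:
        nxt = by_subject.get(ordered[-1][1])
        if nxt is None or nxt[0] in seen:  # issuer not in bundle, or self-signed root reached
            break
        ordered.append(nxt)
        seen.add(nxt[0])
    return ordered

if __name__ == "__main__":
    sent = parse_chain(FTPTEST_LOG)
    for i in chain_order_errors(sent):
        print("break at cert[%d]: issued by %r but followed by %r"
              % (i, cn(sent[i][1]), cn(sent[i + 1][0])))
    print("leaf-first order:", " -> ".join(cn(c[0]) for c in reorder_chain(sent)))
```

On the log above it reports a break at every position and prints the order leaf, Sectigo RSA DV CA, USERTrust RSA CA, AddTrust External CA Root, which is the order in which the PEM blocks would need to be concatenated before checking the result again with ftptest.net.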