Filezilla Server - AUTH TLS timeout and server sending unsorted certificate chain in violation of the TLS specification

I have Filezilla Server (0.9.6 beta) installed on a Windows 2008R2 server. It worked fine until recently, but lately we have been receiving reports of connection errors.

The two most common reports are
1. Connection timed out after the AUTH TLS command
2. Server sent unsorted certificate chain in violation of the TLS specification

When connecting with the Filezilla FTP client (3.45.1), I get the two errors at random. Sometimes the first one appears, sometimes the second.

Using https://ftptest.net, I am able to reproduce the errors consistently.

Via FTP with explicit TLS

Status: Connecting to xx.xx.xxx.xx  
Warning: The entered address does not resolve to an IPv6 address.  
Status: Connected, waiting for welcome message...  
Reply: 220 Welcome to FTP server.  
Command: CLNT https://ftptest.net on behalf of xx.xx.xxx.xx  
Reply: 200 Don't care  
Command: AUTH TLS  
Error: Connection timed out

Via FTP with implicit TLS

Status: Resolving address of ftp.xxxxxx.com  
Status: Connecting to xx.xx.xxx.xx  
Warning: The entered address does not resolve to an IPv6 address.  
Status: Connected, performing TLS handshake...  
Error: TLS handshake failed: An unexpected TLS packet was received. 

With fallback to plain FTP allowed

Status: Resolving address of ftp.xxxxxx.com  
Status: Connecting to xx.xx.xxx.xx  
Warning: The entered address does not resolve to an IPv6 address.  
Status: Connected, waiting for welcome message...  
Reply: 220 Welcome to FTP server.  
Command: CLNT https://ftptest.net on behalf of xx.xx.xxx.xx  
Reply: 200 Don't care  
Command: AUTH TLS  
Reply: 234 Using authentication type TLS  
Status: Performing TLS handshake...  
Status: TLS handshake successful, verifying certificate...  
Status: Received 4 certificates from server.  
Status: cert[0]: subject='OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.xxxxxx.com' issuer='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA'  
Status: cert[1]: subject='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'  
Status: cert[2]: subject='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'  
Status: cert[3]: subject='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA' issuer='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority'  
Error: Peer certificate chain received in wrong order. The TLS specifications require that each certificate in the chain must directly certify the one preceeding it.

When I try to connect with openssl, no certificate is sent at all:

openssl s_client -starttls ftp -connect ftp.xxxxxx.com:21
CONNECTED(000001A8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 43 bytes and written 329 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Questions

For plain FTP, I am struggling to read the certificate order to work out what is wrong. Even if I figure it out, there seems to be no way to change that order in Filezilla Server. What should I be looking at here?

For explicit TLS, I don't know why the AUTH TLS command keeps timing out. Could it be because of the certificate order?

The plain FTP connection shows the error but still goes on to list the directory. The explicit TLS connection, however, never gets past the AUTH TLS error. Would fixing the explicit TLS connection error also resolve the certificate ordering error?
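Added example, not part of the original question: a small Python script that parses the cert[n] lines from the ftptest.net log above, applies the ordering rule the client is enforcing (RFC 5246 section 7.4.2: each certificate must directly certify the one before it), and rebuilds the order the server should be sending. It only has the subject/issuer strings the client printed, so it compares DN strings literally; that is an assumption, since a real validator matches names on the DER encoding. The sample log embedded below is copied from the question (the x's are the poster's own redaction).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the "Status: cert[n]" lines from the ftptest.net
# log in the question, copied verbatim (the x's are the poster's redaction).
LOG = """\
Status: Received 4 certificates from server.
Status: cert[0]: subject='OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.xxxxxx.com' issuer='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA'
Status: cert[1]: subject='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: cert[2]: subject='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: cert[3]: subject='C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA' issuer='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority'
"""

Cert = Tuple[str, str]  # (subject DN, issuer DN) exactly as the client printed them

CERT_RE = re.compile(r"cert\[(\d+)\]: subject='([^']*)' issuer='([^']*)'")


def parse_chain(log: str) -> List[Cert]:
    """Extract (subject, issuer) pairs in the order the server sent them."""
    found = {int(i): (s, iss) for i, s, iss in CERT_RE.findall(log)}
    return [found[k] for k in sorted(found)]


def cn(dn: str) -> str:
    """Return just the CN of a DN string, for readable messages."""
    m = re.search(r"(?:^|,)CN=([^,]+)", dn)
    return m.group(1) if m else dn


def check_order(chain: List[Cert]) -> List[str]:
    """Apply the RFC 5246 s7.4.2 rule the client is complaining about: every
    certificate after the first must directly certify the one before it,
    i.e. cert[i].subject == cert[i-1].issuer.  Returns one message per
    violation; an empty list means the chain is in spec order.
    Assumption: DN strings are compared literally, which is all the log gives
    us; a real validator does X.501 name matching on the DER encoding."""
    problems = []
    for i in range(1, len(chain)):
        _, prev_issuer = chain[i - 1]
        cur_subject, _ = chain[i]
        if cur_subject != prev_issuer:
            problems.append(
                f"cert[{i}] ({cn(cur_subject)}) does not certify cert[{i - 1}], "
                f"whose issuer is {cn(prev_issuer)}"
            )
    return problems


def reorder(chain: List[Cert]) -> List[Cert]:
    """Rebuild the spec-order chain by walking issuer -> subject links from
    the leaf.  The leaf is the one certificate whose subject no other
    certificate names as its issuer; the walk stops at a self-signed root,
    at an issuer the server did not send, or before it would loop."""
    by_subject: Dict[str, Cert] = {s: (s, i) for s, i in chain}
    issuers = {i for _, i in chain}
    leaves = [c for c in chain if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered = [leaves[0]]
    seen = {leaves[0][0]}
    while True:
        subject, issuer = ordered[-1]
        if subject == issuer:  # self-signed root: the chain is complete
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt[0] in seen:  # issuer not sent, or a cycle
            break
        ordered.append(nxt)
        seen.add(nxt[0])
    return ordered


if __name__ == "__main__":
    sent = parse_chain(LOG)
    for p in check_order(sent):
        print("violation:", p)
    print("order the server should send:")
    for i, (subject, _) in enumerate(reorder(sent)):
        print(f"  cert[{i}]: {cn(subject)}")
```

Run against the log, it reports three violations: the server sends leaf, AddTrust root, USERTrust cross-certificate, Sectigo intermediate, so none of cert[1..3] certifies the one before it. Following the issuer links gives the order the specification wants: the *.xxxxxx.com leaf, then the Sectigo RSA DV CA, then USERTrust RSA CA, then the AddTrust External CA Root. The script says nothing about the AUTH TLS timeout, which is a separate symptom; it only makes the ordering complaint concrete.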