Gnutls error 15 an unexpected tls packet was received

Moderator: Project members


dryuk94

504 Command not implemented
Posts: 6
Joined: 2020-01-10 15:42
First name: Davide
Last name: Russo

[Solved] GnuTLS error -15: An unexpected TLS packet was received

#1


by dryuk94 » 2020-01-14 11:13


Status:	Connecting to 3x.xxx.xxx.91:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Logged in
Status:	Retrieving directory listing...
Status:	Server sent passive reply with unroutable address. Using server address instead.
Command:	MLSD
Error:	GnuTLS error -15: An unexpected TLS packet was received.
Error:	The data connection could not be established: ECONNABORTED - Connection aborted

Hello everyone!
Let me explain the problem: I have a Western Digital NAS where I have activated the FTP protocol. If I use a plain TLS connection (without explicit and implicit TLS) I can connect to the server both locally (192.168.1.5) and remotely (3x.xxx.xxx.91). The moment I activate explicit TLS, it connects without problems locally, while remotely I have this error. I have also attached the settings of the WD NAS and the ports open in the modem. What could be the problem?

Attachments
Modem Setting.PNG (15.04 KiB)
NAS Setting-4.PNG (30.37 KiB)
NAS Setting-3.PNG (25.24 KiB)
NAS Setting-2.PNG (22.82 KiB)
NAS Setting-1.PNG (21.92 KiB)

Last edited by dryuk94 on 2020-01-15 17:48, edited 4 times in total.



dryuk94

504 Command not implemented
Posts: 6
Joined: 2020-01-10 15:42
First name: Davide
Last name: Russo

Re: GnuTLS error -15: An unexpected TLS packet was received

#3


by dryuk94 » 2020-01-14 13:05

boco wrote: ↑

2020-01-14 11:56


Does it work if you select the «Report external IP in PASV mode»?

Did you configure the router correctly? Network Configuration

I have selected the «Report external IP in PASV mode» and entered as the IP address «3x.xxx.xxx.91» (the public IPv4 address of the router). This is the result:


Status:	Connecting to 3x.xxx.xxx.91:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Server does not support non-ASCII characters.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (3x,xxx,xxx,91,234,34)
Command:	MLSD
Error:	GnuTLS error -15: An unexpected TLS packet was received.
Error:	The data connection could not be established: ECONNABORTED - Connection aborted

I have attached the settings of the router, NAS and FileZilla Client.

Attachments
FileZilla-3.PNG (6.86 KiB)
FileZilla-1.PNG (13.51 KiB)
NAS Settings.PNG (54.45 KiB)
Modem Setting-6.PNG (16.93 KiB)
Modem Setting-5.PNG (40.89 KiB)
Modem Setting-4.PNG (23.04 KiB)
Modem Setting-3.PNG (62.58 KiB)
Modem Setting-2.PNG (43.29 KiB)
Modem Setting-1.PNG (41.94 KiB)



boco

Contributor
Posts: 26451
Joined: 2006-05-01 03:28
Location: Germany

Re: GnuTLS error -15: An unexpected TLS packet was received

#4


by boco » 2020-01-14 14:17

The bottom port forwarding in your router is wrong (the 49153-65534).

«Public door» 49153-65534 is correct, but the local port isn’t. If you cannot enter the same port range as in «Public door», but only a single port, enter the first port of the range (49153) and the router will figure out the rest.

Test again. Note that we have a test facility: https://ftptest.net

### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###


dryuk94

504 Command not implemented
Posts: 6
Joined: 2020-01-10 15:42
First name: Davide
Last name: Russo

Re: GnuTLS error -15: An unexpected TLS packet was received

#5


by dryuk94 » 2020-01-14 14:34

boco wrote: ↑

2020-01-14 14:17


The bottom port forwarding in your router is wrong (the 49153-65534).

«Public door» 49153-65534 is correct, but the local port isn’t. If you cannot enter the same port range as in «Public door», but only a single port, enter the first port of the range (49153) and the router will figure out the rest.

Test again. Note that we have a test facility: https://ftptest.net

I changed the port setting:
— local port 49153
— public door 49153-65534

Now I have this error:


Status:	Connecting to 3x.xxx.xxx.91:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Server does not support non-ASCII characters.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (3x,xxx,xxx,91,213,167)
Command:	MLSD
Error:	The data connection could not be established: ECONNREFUSED - Connection refused by server

Instead, from the test facility https://ftptest.net:


Status: Resolving address of 3x.xxx.xxx.91
Status: Connecting to 3x.xxx.xxx.91
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Reply: 220-You are user number 3 of 10 allowed.
Reply: 220-Local time is now 15:27. Server port: 21.
Reply: 220-IPv6 connections are also welcome on this server.
Reply: 220 You will be disconnected after 10 minutes of inactivity.
Command: CLNT https://ftptest.net on behalf of 3x.xxx.xxx.91
Reply: 530 You aren't logged in
Command: AUTH TLS
Reply: 234 AUTH TLS OK.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 1 certificates from server.
Status: cert[0]: subject='CN=192.168.1.5' issuer='CN=192.168.1.5'
Command: USER xxxx
Reply: 331 User xxxx OK. Password required
Command: PASS ***********
Reply: 230 OK. Current restricted directory is /
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Extensions supported:
Reply: EPRT
Reply: IDLE
Reply: MDTM
Reply: SIZE
Reply: REST STREAM
Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Reply: MLSD
Reply: ESTP
Reply: PASV
Reply: EPSV
Reply: SPSV
Reply: ESTA
Reply: AUTH TLS
Reply: PBSZ
Error: Carriage return without line feed received

Results
Error: Carriage return without line feed received
— The replies sent by your server are violating the FTP specifications.
— You have to upgrade to a proper server.


dryuk94

504 Command not implemented
Posts: 6
Joined: 2020-01-10 15:42
First name: Davide
Last name: Russo

Re: GnuTLS error -15: An unexpected TLS packet was received

#6


by dryuk94 » 2020-01-15 11:45

I tried using Cyberduck instead of FileZilla, and was able to connect remotely with Active mode. But I can’t download the files. The moment I try to download a file it gives me an error: 500 — I won’t open a connection to xxx.xxx.xx.xxx (only to 3x.xxx.xxx.91). Why does Cyberduck connect while FileZilla doesn’t? I can only see the folders and files, but I can’t download them (remotely).


dryuk94

504 Command not implemented
Posts: 6
Joined: 2020-01-10 15:42
First name: Davide
Last name: Russo

Re: GnuTLS error -15: An unexpected TLS packet was received

#7


by dryuk94 » 2020-01-15 16:15

I decreased the public port range to 65523-65534. Now I can access the folders remotely from FileZilla, but as soon as I try to download a file it gives me this error:


Status:	Connecting to 3x.xxx.xxx.91:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Server does not support non-ASCII characters.
Status:	Logged in
Status:	Retrieving directory listing...
Status:	Directory listing of "/" successful
Status:	Disconnected from server
Status:	Connecting to 3x.xxx.xxx.91:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Server does not support non-ASCII characters.
Status:	Logged in
Status:	Starting download of /D-Russo/Desktop/stampa.bollettino.pagamento_rotated.pdf
Command:	CWD /D-Russo/Desktop
Response:	250 OK. Current directory is /D-Russo/Desktop
Command:	PWD
Response:	257 "/D-Russo/Desktop" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (3x,xxx,xxx,91,255,249)
Command:	RETR stampa.bollettino.pagamento_rotated.pdf
Error:	The data connection could not be established: ECONNREFUSED - Connection refused by server
Error:	Connection timed out after 20 seconds of inactivity
Error:	File transfer failed

Instead, with WinSCP I have this error:


Failed to get the folder list
I won't open a connection to 192.168.1.8 (only to 3x.xxx.xxx.91)


dryuk94

504 Command not implemented
Posts: 6
Joined: 2020-01-10 15:42
First name: Davide
Last name: Russo

Re: GnuTLS error -15: An unexpected TLS packet was received

#8


by dryuk94 » 2020-01-15 17:48

Problem solved!
I had to assign a number of ports equal to the number of users that can be connected (10). Also I created port forwarding in the router for each port and not an interval. The connection is in passive mode and I can also download the files.



botg

Site Admin
Posts: 34744
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: [Solved] GnuTLS error -15: An unexpected TLS packet was received

#9


by botg » 2020-01-16 08:40

As a rule of thumb you need at least as many ports as transfers that can possibly be done in 4 minutes.
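
A way to check the PASV replies in client logs like the ones in this thread against the router's forwarded port range, as an added example that is not part of the original posts. The function names are hypothetical, the log lines are constructed, and 203.0.113.91 is a documentation placeholder for the public address.

```python
import re

# Constructed log lines in the shape of the FileZilla output quoted in this
# thread; 203.0.113.91 is a documentation placeholder for the public address.
SAMPLE_LOG = """\
Response:\t227 Entering Passive Mode (203,0,113,91,234,34)
Response:\t227 Entering Passive Mode (203,0,113,91,213,167)
Response:\t227 Entering Passive Mode (192,168,1,5,255,249)
Response:\t200 TYPE is now 8-bit binary
"""

PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    match = PASV_RE.search(line)
    if not match:
        return None
    h1, h2, h3, h4, p_hi, p_lo = (int(n) for n in match.group(1).split(","))
    if max(h1, h2, h3, h4, p_hi, p_lo) > 255:
        return None
    # The data port is sent as two bytes, high byte first.
    return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo


def is_private(host):
    """RFC 1918 check: such an address is unreachable from outside the LAN."""
    a, b = (int(x) for x in host.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def audit_pasv(log, forwarded):
    """Check every PASV reply in `log` against the router's forwarded ranges.

    `forwarded` is a list of inclusive (first_port, last_port) tuples.
    Returns a list of (host, port, problems) tuples.
    """
    results = []
    for line in log.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        problems = []
        if is_private(host):
            problems.append("server announces a private address")
        if not any(lo <= port <= hi for lo, hi in forwarded):
            problems.append("data port is not forwarded")
        results.append((host, port, problems))
    return results


if __name__ == "__main__":
    # Forwarded range taken from post #7 of the thread.
    for host, port, problems in audit_pasv(SAMPLE_LOG, [(65523, 65534)]):
        print(f"{host}:{port}", "; ".join(problems) or "ok")
```

A port flagged as not forwarded means the server's passive port range is wider than what the router maps to it, so the two ranges have to be brought into agreement.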


TL;DR: Configuring vsftpd is difficult, and we run into all sorts of errors along the way. In this post, I am going to introduce one possible solution to the error «GnuTLS error -15: An unexpected TLS packet was received.» when you are using vsftpd.

After finishing the configuration of vsftpd, we try to connect to the FTP server, and an error like the following appears:

Status:         Connection established, waiting for welcome message...
Status:         Initializing TLS...
Status:         Verifying certificate...
Status:         TLS connection established.
Command:    USER my_ftp_user
Response:   331 Please specify the password.
Command:    PASS ************
Error:          GnuTLS error -15: An unexpected TLS packet was received.
Error:          Could not connect to server
Status:         Waiting to retry...

It looks like an SSL/TLS error, but sometimes it isn’t.

First, check the SSL/TLS configuration.

Here is a sample of my configuration; check your own against it and make sure your SSL configuration is correct.

Then temporarily comment out the SSL lines and try to connect again.

In my case, the error message changed to the following:

Command:    USER my_ftp_user
Response:   331 Please specify the password.
Command:    PASS ************
Response:   500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Error:          Critical error: Could not connect to server

It is pretty easy to find a solution here, which is adding another line:

allow_writeable_chroot=YES

somewhere in the configuration.

Actually, my aim here is just to offer a debugging approach: if you hit an error similar to «GnuTLS error -15: An unexpected TLS packet was received.», it may simply mean that an unexpected message (always an error message) arrived instead of a normal TLS packet. Temporarily disabling SSL may make everything easy.
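
Why a plaintext reply surfaces as a TLS error, shown as an added example that is not code from the original post. It assumes the server writes its error line to the socket unencrypted while the client expects a TLS record; the function names are hypothetical and both byte strings are constructed.

```python
# Constructed byte strings: a TLS 1.2 handshake record (header plus a short
# body), and the plaintext vsftpd error quoted in the post.
TLS_SAMPLE = bytes([0x16, 0x03, 0x03, 0x00, 0x04]) + b"\x0e\x00\x00\x00"
PLAINTEXT_SAMPLE = (
    b"500 OOPS: vsftpd: refusing to run with writable root inside chroot()\r\n"
)

CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
MAX_RECORD_LEN = 2 ** 14 + 2048  # upper bound for a TLS 1.2 ciphertext record


def read_record_header(data):
    """Read the 5-byte TLS record header the way a TLS library would.

    Returns (content_type, (major, minor), length), or None if too short.
    """
    if len(data) < 5:
        return None
    return data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")


def classify(data):
    """Tell a real TLS record apart from a plaintext FTP reply."""
    header = read_record_header(data)
    if header is None:
        return ("incomplete", "")
    ctype, (major, minor), length = header
    if (ctype in CONTENT_TYPES and major == 3 and minor <= 4
            and length <= MAX_RECORD_LEN):
        return ("tls_record", CONTENT_TYPES[ctype])
    # An FTP reply starts with three digits followed by a space or a hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("plaintext_ftp_reply", first_line)
    return ("unknown", data[:5].hex())


if __name__ == "__main__":
    for sample in (TLS_SAMPLE, PLAINTEXT_SAMPLE):
        # For the plaintext line, "500 O" is read as content type 53 and
        # version 48.48, which no TLS stack accepts.
        print(read_record_header(sample), classify(sample))
```

Run over the first bytes of a packet capture of the failing connection, this shows the server's real error message without having to turn SSL off.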

---- Updated ----

According to this QA, you may need to update the configuration file as follows if you are using Ubuntu…

pam_service_name=ftp


Yu

Ideals are like the stars: we never reach them, but like the mariners of the sea, we chart our course by them.

Hello,

Lots of googling with no solutions to this problem unfortunately and after at least a solid 12 hours trying to solve this I’m losing it a bit!

Problem already exists here however none of the provided solutions helped and noticed it was already solved after I necrobumped (oops). Also went through at least first 2 pages of search results on google so can’t say I haven’t tried with this one!

As the title describes I am trying to enable SSL on my VSFTPD. I get different errors on different FTP clients however on FileZilla I get the most helpful one:

GnuTLS error -15: An unexpected TLS packet was received

Attempting to mount the FTP server with curlftpfs gives the following error:

Error connecting to ftp: error:1408F10B:SSL routines:ssl3_get_record:wrong version number


A lot of sites have suggested that SSL is hiding the actual issue however everything works fine when SSL is disabled.

Here is my vsftpd.conf file:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
#chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

# Set own PAM service name to detect authentication settings specified
# for vsftpd by the system package.
pam_service_name=vsftpd

ssl_enable=YES

# if you accept anonymous connections, you may want to enable this setting
allow_anon_ssl=NO

# by default all non-anonymous logins are forced to use SSL to send and receive password and data, set to NO to allow non-secure connections
force_local_logins_ssl=NO
force_local_data_ssl=NO

# TLS v1 protocol connections are preferred and this mode is enabled by default while SSL v2 and v3 are disabled
# the settings below are the default ones and do not need to be changed unless you specifically need SSL
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# provide the path of your certificate and of your private key
# note that both can be contained in the same file or in different files
rsa_cert_file=/etc/ssl/certs/vsftpdCertificate.pem
rsa_private_key_file=/etc/ssl/certs/vsftpdServerkey.pem

# this setting is set to YES by default and requires all data connections exhibit session reuse which proves they know the secret of the control channel.
# this is more secure but is not supported by many FTP clients, set to NO for better compatibility
require_ssl_reuse=NO

#ssl_ciphers=AES128-SHA256
ssl_ciphers=HIGH

#pasv_enable=YES
#pasv_min_port=6000
#pasv_max_port=7000
#pasv_address=127.0.0.1

#debug_ssl=YES

In addition the full trace of FileZilla in debug mode:

Trace:	CRealControlSocket::DoClose(66)
Trace:	CControlSocket::DoClose(66)
Trace:	CControlSocket::DoClose(66)
Trace:	CControlSocket::SendNextCommand()
Trace:	CFtpLogonOpData::Send() in state 0
Status:	Connecting to 127.0.0.1:21...
Status:	Connection established, waiting for welcome message...
Trace:	CFtpControlSocket::OnReceive()
Response:	220 (vsFTPd 3.0.3)
Trace:	CFtpLogonOpData::ParseResponse() in state 1
Trace:	CControlSocket::SendNextCommand()
Trace:	CFtpLogonOpData::Send() in state 2
Command:	AUTH TLS
Trace:	CFtpControlSocket::OnReceive()
Response:	234 Proceed with negotiation.
Trace:	CFtpLogonOpData::ParseResponse() in state 2
Status:	Initializing TLS...
Trace:	tls_layer_impl::client_handshake()
Trace:	tls_layer_impl::continue_handshake()
Trace:	TLS handshake: About to send CLIENT HELLO
Trace:	TLS handshake: Sent CLIENT HELLO
Trace:	tls_layer_impl::on_send()
Trace:	tls_layer_impl::continue_handshake()
Trace:	tls_layer_impl::on_read()
Trace:	tls_layer_impl::continue_handshake()
Trace:	tls_layer_impl::on_read()
Trace:	tls_layer_impl::continue_handshake()
Trace:	tls_layer_impl::failure(-15)
Error:	GnuTLS error -15: An unexpected TLS packet was received.
Status:	Connection attempt failed with "ECONNABORTED - Connection aborted".
Trace:	CRealControlSocket::OnSocketError(103)
Trace:	CRealControlSocket::DoClose(66)
Trace:	CControlSocket::DoClose(66)
Trace:	CFtpControlSocket::ResetOperation(66)
Trace:	CControlSocket::ResetOperation(66)
Trace:	CFtpLogonOpData::Reset(66) in state 4
Error:	Could not connect to server
Trace:	CFileZillaEnginePrivate::ResetOperation(66)

Any advice on how to fix this would be greatly appreciated!

Many Thanks

Last edited by doctorzeus (2019-09-27 03:29:24)
