Moderator: Project members
-
arvobowen
- 500 Syntax error
- Posts: 17
- Joined: 2015-07-24 14:22
- First name: Arvo
- Last name: Bowen
GnuTLS error -8: A packet with illegal or unsupported version was received.
#1
Post
by arvobowen » 2021-11-18 21:06
I have two VMs set up using the same version of FileZilla Server (0.9.13b). On ServerA I seem to have no issues when connecting with TLS. On ServerB (a new one I have created) I have an issue connecting using the same client with the same settings…
GnuTLS error -8: A packet with illegal or unsupported version was received.
Is there something I need to do on the server itself to support other TLS versions like TLS 1.2?
-
botg
- Site Admin
- Posts: 34744
- Joined: 2004-02-23 20:49
- First name: Tim
- Last name: Kosse
- Contact:
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#2
Post
by botg » 2021-11-18 22:48
You absolutely must update those servers. Cheesus fucking crust that’s antique….
-
arvobowen
- 500 Syntax error
- Posts: 17
- Joined: 2015-07-24 14:22
- First name: Arvo
- Last name: Bowen
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#3
Post
by arvobowen » 2021-11-19 00:25
LOL I’m trying to but there were features taking out of the newer versions that are no longer available to me in the newer versions. I would love to update so bad. But as old as that version is and as much as I would like to update it, the issue I’m experiencing is not related to the age of the version of Filezilla server I’m running. Like I said, it works fine with no issues on another server. I’m just trying to figure out what is different on the Windows Server 2019 boxes that would allow one to use TLS 1.2 and one to only use TLS 1.0.
-
arvobowen
- 500 Syntax error
- Posts: 17
- Joined: 2015-07-24 14:22
- First name: Arvo
- Last name: Bowen
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#4
Post
by arvobowen » 2021-11-19 15:27
To ask a more pointed question…
FileZilla Server 0.9.13b beta does support TLS 1.2 correct?
-
arvobowen
- 500 Syntax error
- Posts: 17
- Joined: 2015-07-24 14:22
- First name: Arvo
- Last name: Bowen
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#6
Post
by arvobowen » 2021-11-19 16:27
Thanks boco! Then at this point I’m really confused. LOL
I have 0.9.13b beta running on a server and I have the latest version of FileZilla Client running with minimum version of TLS 1.2 required. It connects with no issues. How is that possible?
On the left is FileZilla Client FTP log (with detailed info) and on the right is the settings from FileZilla Client.
Running these same settings connecting to the second FTP server that should be 100% identical to the first (production and working as seen above) with the exception that the second (non-working) server is on a domain.
-
boco
- Contributor
- Posts: 26451
- Joined: 2006-05-01 03:28
- Location: Germany
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#7
Post
by boco » 2021-11-20 03:42
That old version does not officially and properly support TLS 1.2. However, I guess it makes no attempt to limit the upper TLS version, if the underlying OpenSSL library supports it (even if only experimental). Therefore, it negotiates whatever is supported by OpenSSL.
However, that doesn’t mean it will support any of the security features of TLS 1.2 properly. Plus, it comes with a truckload of security vulnerabilities that will make grown men cry.
Official, proper TLS 1.2 awareness came with 0.9.43.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###
-
arvobowen
- 500 Syntax error
- Posts: 17
- Joined: 2015-07-24 14:22
- First name: Arvo
- Last name: Bowen
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#8
Post
by arvobowen » 2021-11-29 16:03
Unfortunately it looks like it might be time for me to move on from FileZilla Server. There was a small feature that is available in that «old version» (0.9.13b beta) that we have to have. In later versions the feature is now being actively blocked (for now reason other than it was not considered to ever be used by botg in the past). I have requested that this feature not be blocked and allowed but have not really heard any type of acknowledgement that it would be allowed again in the current version.
Anyway, as much as I love the FileZilla dev team and the product because of this I’m having to look for other solutions free/paid that will work for me. Thanks guys!
-
drmca
- 550 Permission denied
- Posts: 28
- Joined: 2019-10-25 20:16
- First name: Drm
- Last name: Ca
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#9
Post
by drmca » 2022-08-11 17:22
I realize that this is an ancient topic but I am seeing these errors in the log of the latest version:
Code: Select all
GnuTLS error -8: A packet with illegal or unsupported version was received.
Are they anything to be concerned of?
-
botg
- Site Admin
- Posts: 34744
- Joined: 2004-02-23 20:49
- First name: Tim
- Last name: Kosse
- Contact:
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#10
Post
by botg » 2022-08-12 07:03
It’s either antique clients or random garbage.
-
drmca
- 550 Permission denied
- Posts: 28
- Joined: 2019-10-25 20:16
- First name: Drm
- Last name: Ca
Re: GnuTLS error -8: A packet with illegal or unsupported version was received.
#11
Post
by drmca » 2022-08-12 12:11
No idea which clients they use but it is like 80-90% of all connections.
@elcallio I need your help with this please.
I suspect the problem (the EOF on the client instead of the correct error response) is that when the handshake encounters the GnuTLS error -8 (GNUTLS_E_UNSUPPORTED_VERSION_PACKET) besides returning the error code to the caller — which we turn into a throw — it probably also needs to write a response to the client that the version is unsupported.
I suspect that either we’re not waiting for this write before closing the connection (like in the problem you fixed a few years ago, scylladb/seastar@6c04862), or, alternatively, the gnu_tls code doesn’t actively write a response and we need to build it in our code. I’m not familiar with this code so I don’t know which is the right explanation.
Here is a working test for this (put it in test/cql-pytest, run with test/cql-pytest/run --ssl testname
). It is expected to fail, but look at the error message in the failure and see the «EOF occurred in violation of protocol» instead of the correct error message. If you don’t want to fix this now, maybe you can just give me hints on where the problem might be.
import pytest import ssl import cassandra.cluster # Test that TLS 1.2 is supported (because this is what "cqlsh --ssl" uses # by default), and that other TLS version are either supported or if # disallowed, result in the expected sort of failure. def test_tls_versions(cql): # To reduce code duplication, we let conftest.py set up 'cql', and then # learn from it whether SSL is supported in this run, and if so which # contact points, ports, and other parameters, we should use here. if not cql.cluster.ssl_context: pytest.skip("SSL-specific tests are skipped without the '--ssl' option") # TLS v1.2 must be supported, because this is the default version that # "cqlsh --ssl" uses. If this fact changes in the future, we may need # to reconsider this test. try_connect(cql.cluster, ssl.PROTOCOL_TLSv1_2) for ssl_version in [ssl.PROTOCOL_TLSv1_1]: try_connect(cql.cluster, ssl_version) def try_connect(orig_cluster, ssl_version): cluster = cassandra.cluster.Cluster( contact_points=orig_cluster.contact_points, port=orig_cluster.port, protocol_version=orig_cluster.protocol_version, auth_provider=orig_cluster.auth_provider, ssl_context=ssl.SSLContext(ssl_version)) cluster.connect() cluster.shutdown()
Sorry for being picky on this seemingly unimportant issue, but it may also be the tip of the iceberg of a bigger issue where all sort of SSL errors are not reported correctly to the client and instead they get mysterious EOF.
After I upgraded from Fedora 32 to Fedora 33 suddenly one of my VPNs started to refuse to work.
[root@localhost ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug -v
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to xxx.xxx.xxx.xxx
Failed to obtain WebVPN cookie
On another machine that was not updated Fedora 32 it worked
[root@nas4 ~]# openconnect --authenticate xxx.xxx.xxx.xxx:443 -status -msg -debug
MTU 0 too small
POST https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert pin-sha256:C0SdphdMszJEgY2qx29Jl7leJTPwt8Iyif+KB9tAkAk=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://xxx.xxx.xxx.xxx/+webvpn+/index.html
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx with ciphersuite (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
Please enter your username and password.
The I noticed in some release notes that in Fedora 33 several ciphers were completely removed.
Yes, I know we should not use unsecured ciphers but what can I do if the VPN server is not under my control and I am still forced to support a client that runs it.
The magic command is:
update-crypto-policies --set LEGACY
The above will make sure that the old deprecated ciphers are still allowed.