File upload fails in FTP 7.5, getting error 550
Question
Saturday, January 9, 2010 3:13 AM
I have recently setup a FTP server using FTP for IIS 7.5. The server requires TLS connection. While creating new folders, renaming and deleting files are successful, uploading files result in Error "550 The supplied message is incomplete. The signature was not verified.". This is the first time I see this error and I have no idea how to fix it. What do I need to do to fix it?
Status: Connection established, waiting for welcome message... Response: 220 Microsoft FTP Service Command: AUTH TLS Response: 234 AUTH command ok. Expecting TLS Negotiation. Status: Initializing TLS... Status: Verifying certificate... Command: USER XXXX Status: TLS/SSL connection established. Response: 331 Password required for friend. Command: PASS *************** Response: 230 User logged in. Command: OPTS UTF8 ON Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON. Command: PBSZ 0 Response: 200 PBSZ command successful. Command: PROT P Response: 200 PROT command successful. Status: Connected Status: Starting upload of C:\xxx\FileZilla_3.3.1_win32-setup.exe Command: CWD / Response: 250 CWD command successful. Command: PWD Response: 257 "/" is current directory. Command: TYPE I Response: 200 Type set to I. Command: PASV Response: 227 Entering Passive Mode. Command: STOR FileZilla_3.3.1_win32-setup.exe Response: 125 Data connection already open; Transfer starting. Response: 550 The supplied message is incomplete. The signature was not verified. Status: Retrieving directory listing... Command: PASV Response: 227 Entering Passive Mode. Command: LIST Response: 150 Opening BINARY mode data connection. Response: 226 Transfer complete. Status: Directory listing successful
All replies (8)
Saturday, January 23, 2010 12:07 PM ✅Answered
The problem has been resolved, it is related to TLS 1.1 and/or TLS 1.2. After disabling TLS 1.1 and TLS 1.2, connection with FileZilla is now fine.
Sunday, January 10, 2010 1:41 AM
It seems that FileZilla (or some commands/connection methods used by FileZilla) is causing the problem, becuase the error does not occur with Core FTP LE.
Welcome to Core FTP, release ver 2.1, build 1637 (U) -- © 2003-2010 WinSock 2.0 Mem -- 4,183,628 KB, Virt -- 2,097,024 KB Started on Sunday January 10, 2010 at 14:27:PM Resolving DNS Connect socket #932 to xxx.xxx.xxx.xxx, port 21... 220 Microsoft FTP Service AUTH TLS 234 AUTH command ok. Expecting TLS Negotiation. TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit USER friend 331 Password required for xxx. PASS ********** 230 User logged in. SYST 215 Windows_NT Keep alive off... PWD 257 "/" is current directory. PBSZ 0 200 PBSZ command successful. PROT P 200 PROT command successful. PASV 227 Entering Passive Mode. LIST Connect socket #964 to xxx.xxx.xxx.xxx, port 57507... TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit 150 Opening ASCII mode data connection. 226 Transfer complete. Transferred 185 bytes in 0.011 seconds PWD 257 "/" is current directory. TYPE I 200 Type set to I. PASV 227 Entering Passive Mode. STOR TurboBoostSetup.exe Connect socket #1076 to xxx.xxx.xxx.xxx, port 57585... 150 Opening BINARY mode data connection. TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit 226 Transfer complete. TurboBoostSetup.exe - 19275432 bytes transferred MDTM 20100108045438 TurboBoostSetup.exe 213 20100108045438 Transfer time: 00:00:01 QUIT 221 Goodbye.
The FTP log also shows a non-0 Windows status for those 550 error:
2010-01-10 06:22:45 [c-ip] [cs-username] [s-ip] 56723 DataChannelOpened - - 0 0 e28d12a4-f0d7-4420-a66c-3a7c1497ea12 - 2010-01-10 06:22:45 [c-ip] [cs-username] [s-ip] 56723 DataChannelClosed - - 2148074264 0 e28d12a4-f0d7-4420-a66c-3a7c1497ea12 - 2010-01-10 06:22:45 [c-ip] [cs-username] [s-ip] 21 STOR FileZilla_3.3.1_win32-setup.exe 550 2148074264 0 e28d12a4-f0d7-4420-a66c-3a7c1497ea12 /FileZilla_3.3.1_win32-setup.exe
Thursday, January 14, 2010 1:18 PM
The 2148074264 error is 0x80090318, which is the SSL Error code SEC_E_INCOMPLETE_MESSAGE, and the description for that is the error text that you are seeing: "The supplied message is incomplete. The signature was not verified."
That being said, I've used FileZilla with FTPS for some time now, so the problem isn't just FileZilla - it's some combination of factors in this scenario. With that in mind, what SSL certificate are you using? (e.g. Self-Signed, Verisign, etc.) Are there any servers between the FTP client and FTP server? (e.g. Are you locating your FTP server behind a firewire server like ISA server? Are you using the built-in Windows Firewall service on the FTP server?)
I would assume that you are not using some sort of firewall service on the client that might be trying to do stateful inspection of FTP traffic that's failing the data channel, otherwise you would not be seeing directory listings in FileZilla, but it's still a good thing to check to make sure that FileZilla has been configured to work through your client's firewall or any Internet security software.
Sunday, January 17, 2010 1:39 AM
The built-in Windows Firewall service is protecting the FTP Server. The server is directly connected to the internet. The certificate is self-signed and generated by markcert.exe in Program Files\Microsoft SDKs\Windows\v6.0A\Bin. FileZilla is working with another non-IIS FTPS.
This combination was working in Windows 7 RC.
Thursday, January 19, 2012 4:02 AM
The problem still persists on my server. Disabling TLS 1.1 and TLS 1.2 is no good solution regarding to the BEAST attack. What else can be done?
Update:
I did the following to resolve the issue on IIS 7.5 and get protected against the BEAST attack:
- disable SSL 2.0
- enable TLS 1.1
- enable TLS 1.2
- set the cipher priority to prioritize RC4
Have a look at this: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx
Thursday, January 19, 2012 8:50 AM
Hi,
Did you check the support links http://support.microsoft.com/kb/2643584
and latest Security Bulletin http://technet.microsoft.com/en-us/security/bulletin/ms12-006 ?
Regards,
Martin
Wednesday, April 24, 2013 2:19 PM
I did the following to resolve the issue on IIS 7.5 and get protected against the BEAST attack:
- disable SSL 2.0
- enable TLS 1.1
- enable TLS 1.2
- set the cipher priority to prioritize RC4
Have a look at this: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx
Thanks bobbel78 !
I had the same problem, and your solution works perfectly, even with IIS 8 on Windows Server 2012.
A reboot is required after these modifications.
Saturday, November 16, 2013 3:33 PM
Hi ther, Can you help me with this issue? Where will i disable the TLS 1.1/TLS 1.2 on the server or the FileZilla client?
TIA