LibCurl FTPS is attempting to use SSLv3 and failing connections

tomstephens89 · April 25, 2022 at 7:55 AM

I am trying to make an FTPS connection to a server of mine running filezilla server. Its set to require explicit FTPS (min TLS v1.2) and has a public wildcard certificate (issued by major public CA). This configuration is tested working from various FTPS clients at different locations. Should probably say that I'm a network/infrastructure guy and configure servers/networks/certificates all day long. The FTPS server is good.

However adding an FTPS connection within the Kodi interface does not work. It cannot make a connection. Upon investigation heres what the client kodi logs and the filezilla server logs show. IP's/Domains changed for privacy of course.

Code

KODI LOG:

2022-04-25 07:31:29.882 T:1002    DEBUG <general>: CurlFile::Open(0xff8e0700) ftps://USERNAME:[email protected]:21/
2022-04-25 07:31:29.882 T:1002    DEBUG <general>: easy_acquire - Created session to ftps://FTP.MYSERVERHERE.COM
2022-04-25 07:31:30.097 T:1002    DEBUG <general>: Curl::Debug - TEXT:   Trying 1.1.1.1:21...
2022-04-25 07:31:30.127 T:1002    DEBUG <general>: Curl::Debug - TEXT: Connected to FTP.MYSERVERHERE.COM (1.1.1.1) port 21 (#0)
2022-04-25 07:31:30.143 T:1002    DEBUG <general>: Curl::Debug - TEXT: successfully set certificate verify locations:
2022-04-25 07:31:30.143 T:1002    DEBUG <general>: Curl::Debug - TEXT:  CAfile: /run/libreelec/cacert.pem
2022-04-25 07:31:30.143 T:1002    DEBUG <general>: Curl::Debug - TEXT:  CApath: none
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - TEXT: TLSv1.3 (OUT), TLS handshake, Client hello (1):
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT: e▒▒▒▒@}
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT: ▒
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:
2022-04-25 07:31:30.144 T:1002     INFO <general>: Skipped 2 duplicate messages..
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:

2022-04-25 07:31:30.157 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_IN: 220-F
2022-04-25 07:31:30.157 T:1002    DEBUG <general>: Curl::Debug - TEXT: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022-04-25 07:31:30.157 T:1002    DEBUG <general>: Curl::Debug - TEXT: Closing connection 0
2022-04-25 07:31:30.159 T:1002    ERROR <general>: CCurlFile::FillBuffer - Failed: SSL connect error(35)
2022-04-25 07:31:30.159 T:1002    ERROR <general>: CCurlFile::Open failed with code 0 for ftps://USERNAME:[email protected]:21/:

2022-04-25 07:31:30.159 T:1002    ERROR <general>: GetDirectory - Error getting ftps://USERNAME:[email protected]:21/



SERVER LOG:

2022-04-25T06:36:26.058Z !! [FTP Session 1 5.5.5.5] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:26.058Z !! [FTP Server] Session 1 ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:31.789Z !! [FTP Session 2 5.5.5.5] Control channel closed with error from source 1. Reason: EINVAL - Invalid argument passed.
2022-04-25T06:36:31.790Z !! [FTP Server] Session 2 ended with error from source 0. Reason: EINVAL - Invalid argument passed.
2022-04-25T06:36:38.577Z !! [FTP Session 3 5.5.5.5] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:38.577Z !! [FTP Server] Session 3 ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:40.889Z !! [FTP Session 4 5.5.5.5] Control channel closed with error from source 1. Reason: EINVAL - Invalid argument passed.
2022-04-25T06:36:40.889Z !! [FTP Server] Session 4 ended with error from source 0. Reason: EINVAL - Invalid argument passed.

Display More

This is the line of concern:

Code

TEXT: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

From my research, it appears this Curl FTPS library is having a hard time dealing with TLS 1.2 or above and actually looks like its trying to use SSLv3, which of course will fail.

Any ideas?

tomstephens89 · April 25, 2022 at 9:04 AM

Sorry forgot to add, I am running kodi 19.4 under libreelec 10.0.2.

tomstephens89 · April 25, 2022 at 1:24 PM

Full log:

External Content pastebin.com

Content embedded from external sources will not be displayed without your consent.

Through the activation of external content, you agree that personal data may be transferred to third party platforms. We have provided more information on this in our privacy policy.

tomstephens89 · April 26, 2022 at 3:36 PM

Just stumbled across this.

https://everything.curl.dev/ftp/ftps

I wonder if this is what is happening. My FTP server is configured for Explicit TLS rather than Implicit (since its deprecated in filezilla server) and that CURL doc says the correct way to handle Explicit FTPS is to use ftp:// and NOT ftps://, but then to add the "--ssl-reqd" flag on the curl command.

I guess that flag can't be added to the URL in KODI? How about adding |AUTH=tls instead? So ftp://user:pass@http://ftp.myftp.com/Movies|AUTH=tls

tokul · April 26, 2022 at 4:13 PM

ftps:// is FTP over SSL and you are trying to connect to ftp server with starttls extension support.

if you select to use FTP with Starttls, nothing stops you from providing FTP over SSL to maximize client base. Those services do not conflict with each other.

If you want to secure and keep it simple, use SFTP. It needs just one port.

tomstephens89 · April 26, 2022 at 6:05 PM

Im not using FTP over SSH, FTPS is fine.

I have actually resolved the problem just this minute. FTPS:// is for implicit TLS, whereas FTP:// with an auth=tls flag at the end is for explicit TLS.

Please see here:

LibCurl FTPS is attempting to use SSLv3 and failing connections

tokul · April 27, 2022 at 3:32 PM

Quote from tomstephens89

LibCurl FTPS is attempting to use SSLv3 and failing connections

If you point TLS client at plain text service port or closed port, it will attempt to negotiate down to last version it is allowed to talk to. Fallback from TLSv1 is SSLv3.

User error is not a bug.