iterate-ch / cyberduck

Cyberduck is a libre FTP, SFTP, WebDAV, Amazon S3, Backblaze B2, Microsoft Azure & OneDrive and OpenStack Swift file transfer client for Mac and Windows.
https://cyberduck.io/
GNU General Public License v3.0

FTPS explicit TLS no longer works without client certificate #10468

Open cyberduck opened 5 years ago

cyberduck commented 5 years ago

569de3b created the issue

A few years ago I set up an FTP server for a client, and tested with multiple FTP client software; it works as expected with explicit TLS and passive transfers. Cyberduck has always been my favourite file transfer client and it worked just fine.

Server side is set up with vsftpd and with default settings for ssl_request_cert=YES and require_cert=NO. The latter means (according to man page): If set to yes, all SSL client connections are required to present a client certificate.

Cyberduck now asks me to point to a local certificate in my login keychain and wants to export it. Without completing this I'm no longer able to connect to the FTP server with Cyberduck. When I test this for my client with alternative tools like FileZilla and WinSCP I can still connect fine without configuring a client TLS cert.

This appears to be a bug; I think the use of a client cert should not be mandatory on the client unless the server requires it.

Best, Martinus

cyberduck commented 5 years ago

@dkocher commented

Ticket retargeted after milestone closed

cyberduck commented 5 years ago

@dkocher commented

http://vsftpd.beasts.org/vsftpd_conf.html

cyberduck commented 5 years ago

@dkocher commented

10671 closed as duplicate.

cyberduck commented 4 years ago

@dkocher commented

I can confirm this issue. As a workaround select any certificate in the bookmark settings.

cyberduck commented 4 years ago

@dkocher commented

Ticket retargeted after milestone closed

cyberduck commented 4 years ago

@dkocher commented

10875 closed as duplicate.

cyberduck commented 3 years ago

@dkocher commented

Milestone renamed

cyberduck commented 3 years ago

@dkocher commented

Ticket retargeted after milestone closed

cyberduck commented 3 years ago

@dkocher commented

Milestone renamed

cyberduck commented 2 years ago

@dkocher commented

Ticket retargeted after milestone closed

EugeneDae commented 4 months ago

I wish there was an option to ignore server's request for a certificate. It's simply not possible to configure this for Synology FTPS. So sad.

conor888 commented 3 months ago

This seems to be an issue still. I have been connecting fine to an FTP-SSL server for months, then recently set up an Apple Developer profile, and now Cyberduck refuses to let me connect to the FTP-SSL server without presenting my Apple Developer certificate--which I don't want to do.

psiberfunk commented 1 month ago

I couldn't quite figure out why Cyberduck won't let me connect to a Synology FTPS setup... but I suspect this is the reason. Sadly, Cyberduck just fails in this utterly useless way, which I now suspect is related to this thread. While this is kinda protocol related, suggesting that led me down the path of thinking the server was on an old TLS version. However, that was false. FileZilla works fine as you can see from the debug log below, and the server supports TLS 1.3. Despite the error message's indication that I should complain to the server admin (me), this really does seem to be a Cyberduck problem @dkocher

Screenshot 2024-06-30 at 12 26 50 AM

I turned on full debug w/ FileZilla (which works fine!) and dumped the logs here so you can see what's going on. Hopefully this is enough to pinpoint the issue... it does appear to represent a client certificate exchange:

FileZillaDebugLog.txt

Here's the Cyberduck log with debug turned on: cyberduck.log

psiberfunk commented 1 month ago

P.S. I think you once asked in a related thread what version of FTPD Synology used. I believe they currently use SmbFTPD Ver 2.7 with their own security/update patches applied (based on aless@DS220:~$ /usr/bin/ftpd -v).

However this old reliable server supports the latest in TLS protocols and is generally up to date.

EugeneDae commented 4 days ago

@conor888 #10671 #10875

I found a little trick to prevent Cyberduck from repeatedly asking for a client certificate on macOS. Simply add this piece to your exported bookmark and then re-add it back to Cyberduck:

    <key>Client Certificate</key>
    <string>0</string>

A more detailed guide in my blog.

@psiberfunk For the interoperability failure error we found it useful to switch to another profile called "FTP-SSL (Compatibility Mode)".
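The bookmark edit described in the last comment can be scripted. The following is an added example, not part of the original thread and not Cyberduck project code. It assumes the exported bookmark is an XML property list; the sample bookmark and every key name other than `Client Certificate` are constructed for illustration.

```python
import plistlib
import shutil
import sys
from pathlib import Path

CERT_KEY = "Client Certificate"  # key name as given in the comment above
NO_CERT = "0"                    # value as given in the comment above

# Constructed sample bookmark: keys other than CERT_KEY are assumptions.
SAMPLE_BOOKMARK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Hostname</key>
    <string>ftp.example.test</string>
    <key>Port</key>
    <string>21</string>
    <key>Protocol</key>
    <string>ftps</string>
</dict>
</plist>
"""


def set_no_client_cert(bookmark):
    """Return (patched plist bytes, previous value of CERT_KEY or None)."""
    data = plistlib.loads(bookmark)
    if not isinstance(data, dict):
        raise ValueError("bookmark is not a plist dictionary")
    previous = data.get(CERT_KEY)
    data[CERT_KEY] = NO_CERT
    # sort_keys=False keeps the existing key order; a new key is appended.
    patched = plistlib.dumps(data, fmt=plistlib.FMT_XML, sort_keys=False)
    return patched, previous


def patch_file(path):
    """Patch an exported bookmark in place, keeping a .bak copy first."""
    patched, previous = set_no_client_cert(path.read_bytes())
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_bytes(patched)
    return previous


if __name__ == "__main__":
    # Usage: python patch_bookmark.py exported-bookmark [more bookmarks ...]
    for arg in sys.argv[1:]:
        prev = patch_file(Path(arg))
        print(f"{arg}: {CERT_KEY} {prev!r} -> {NO_CERT!r}")
```

The previous value is reported so that a bookmark which already named a certificate from the keychain is noticed before it is overwritten.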