FTPS problem: "A TLS packet with unexpected length was received."

Question

I'm trying to connect to an FTPS server (not SFTP). I am connecting from a linux system, so I have tried lftp, ftp-ssl, and even using php's ftp_ssl_connect, but none of them work. (I have been able to connect to other FTPS servers using all or at least some of the above methods).

The most descriptive error I have is from lftp with debug all the way up to 11:

$ lftp
lftp :~> open -u my-username ftps://server.net
Password: 
lftp [email protected]:~> debug 99999999999
lftp [email protected]:~> ls
FileCopy(0x717bf0) enters state INITIAL
FileCopy(0x717bf0) enters state DO_COPY
---- dns cache hit
---- Connecting to server.net (IP ADDRESS) port 990
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Keeping ciphersuite: RSA_ARCFOUR_MD5
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[acfbb0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
GNUTLS: EXT[acfbb0]: Sending extension CERT_TYPE
GNUTLS: HSK[acfbb0]: CLIENT HELLO was send [88 bytes]
GNUTLS: REC[acfbb0]: Sending Packet[0] Handshake(22) with length: 88
GNUTLS: ASSERT: gnutls_cipher.c:205
GNUTLS: REC[acfbb0]: Sent Packet[1] Handshake(22) with length: 93
GNUTLS: ASSERT: gnutls_buffers.c:638
GNUTLS: ASSERT: gnutls_record.c:909
GNUTLS: ASSERT: gnutls_buffers.c:1152
GNUTLS: ASSERT: gnutls_handshake.c:1032
GNUTLS: ASSERT: gnutls_handshake.c:2331
**** gnutls_handshake: A TLS packet with unexpected length was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: A TLS packet with unexpected length was received.

With PHP I get the following:

Warning: ftp_login(): SSL/TLS handshake failed in /home/user/ftp.php on line 7
Warning: ftp_login(): SSL enabled start the negotiation in /home/user/ftp.php on line 7
cannot login

Line 6: $connect = ftp_ssl_connect("server.net") or die("cannot connect");

line 7: $result = ftp_login($connect,"my-username","my-password") or die("cannot login");

With ftp-ssl:

$ ftp-ssl -d -z debug server.net
SSL_DEBUG_FLAG on
Connected to server.net.
220-Security Notice
220-All activities may be monitored.  System use indicates consent to
220 monitoring.  Information may be given to law enforcement.
ftp: setsockopt: Bad file descriptor
Name (server.net:user): my-username
---> AUTH SSL
234 SSL enabled start the negotiation
write to 0x68c190 (102 bytes => 102 (66))
0000 - 80 64 01 03 01 00 4b 00-00 00 10 00 00 39 00 00   .d....K......9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 e9 28-25 ed ea 2d e4 d2 f2 25   .......(%..-...%
0060 - 80 e1 2e f1 c3 71                                 .....q
read from 0x68c190 (7 bytes => -1 (FFFFFFFFFFFFFFFF))
ftp: SSL_connect error error:00000000:lib(0):func(0):reason(0)
: Connection reset by peer

Sorry if this post is long, but I've been googling for days with no answer in sight. Just hoping some debug info I missed could be of use to someone.

Answer 1

On debian when experiencing the same error:

---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.

First I had to upgrade the ssl-cert package on debian:

$ sudo apt-get upgrade ssl-cert

Then I had to use open ftp:// not open ftps://:

lftp :~> open ftp://xxx.xxx.xxx.xxx:21
ltfp :~> user foo bar

Then the error changed to:

lftp [email protected]:~> ls

ls: Fatal error: Certificate verification: Not trusted (XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX)

This option removed the error and allowed access:

lftp [email protected]:~> set ssl:verify-certificate no

Answer 2

It looks like server uses incompatible, or invalid key exchange algorithm. Try to use Wireshark to catch packets between your client and server, probably that will shed some light on issue. Also, you can try to enable/disable some key exchange algorithms.