Question:
I get the following error when trying to connect to a particular FTP server on port 990.
Using Implicit SSL
ImplicitSsl: 1
AuthTls: 0
AuthSsl: 0
ftpConnect:
  Hostname: ftps.xyz.com
  Port: 990
  Connecting via SSL/TLS
  IdleTimeoutMs: 10000
  socket2Connect:
    connect2:
      connectImplicitSsl:
        clientHandshake:
          clientHandshake2:
            readHandshakeMessages:
              sockRecv: Socket operation timeout.
              Failed to read TLS record (2)
              tlsRec_msg: 155
              msgLen: 8226
              nReadNBytes: 155
              status: 0
            --readHandshakeMessages
          --clientHandshake2
        --clientHandshake
        Client handshake failed. (3)
      --connectImplicitSsl
      ConnectFailReason: 103
    --connect2
  --socket2Connect
  ConnectFailReason: 103
--ftpConnect
Failed to connect to FTP server.
This was caused by the FTP server being configured for explicit SSL/TLS on port 990.
Port 990 is customarily the implicit SSL/TLS port for FTP. With implicit SSL/TLS, the TLS handshake begins immediately after the TCP connection is made. Both sides, client and server, must be expecting this to occur. Otherwise one side would be "talking" the TLS handshake while the other was not (and a timeout would occur).
Explicit SSL/TLS is different. The TCP connection is made initially, and then later, via an FTP command, the TLS handshake occurs to convert the connection to a secure channel.
Programmers often get confused by the Ftp2.Ssl and Ftp2.AuthTls properties and set them incorrectly. The Ssl property indicates implicit SSL/TLS, whereas the AuthTls property indicates explicit SSL/TLS. The AutoFix property, turned on by default, automatically fixes the problem when the programmer sets AuthTls = true for port 990. However, if an FTP administrator who is not aware of the standard conventions for particular port numbers configures the FTP server so that port 990 is for explicit TLS, then AutoFix = true will cause a problem. The solution is to set AutoFix = false and then set AuthTls = true for port 990 (but only for the case where the FTP administrator, in my opinion, made the very poor choice of using port 990 with explicit TLS).
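One way to check which mode a server actually expects before choosing the settings, as an added example (not Chilkat code and not part of the original answer): an explicit-TLS server sends its plaintext FTP greeting as soon as the TCP connection opens, while an implicit-TLS server stays silent waiting for the client's handshake. The function names and the local test listener are constructed for illustration; the returned dictionary only names the Ftp2 properties discussed above and calls no library.

```python
import socket
import threading

def probe_ftp_tls_mode(host, port, wait=1.0):
    """Classify a port as 'explicit' (plaintext FTP greeting arrives first),
    'implicit' (server stays silent, waiting for a TLS handshake) or 'unknown'."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        sock.settimeout(wait)
        try:
            first = sock.recv(256)
        except socket.timeout:
            return "implicit"  # heuristic: a very slow server looks the same
    # FTP replies start with a three-digit code followed by a space or hyphen.
    if first[:3].isdigit() and first[3:4] in (b" ", b"-"):
        return "explicit"
    return "unknown"

def ftp2_settings(mode):
    """Map the probe result to the Ftp2 properties named in the text above."""
    if mode == "explicit":
        # AutoFix must be off on port 990, or AuthTls is switched back to implicit.
        return {"AutoFix": False, "AuthTls": True, "Ssl": False}
    if mode == "implicit":
        return {"AuthTls": False, "Ssl": True}
    raise ValueError("server did not behave like FTP or FTPS: " + mode)

def start_constructed_server(greeting):
    """Constructed local listener for the demo: sends `greeting` (bytes), or
    stays silent when greeting is None. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if greeting:
                conn.sendall(greeting)
            conn.settimeout(5.0)
            try:
                conn.recv(1)  # hold the connection until the client closes it
            except OSError:
                pass
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for greeting in (b"220 FTP server ready\r\n", None):
        mode = probe_ftp_tls_mode("127.0.0.1", start_constructed_server(greeting))
        print(mode, ftp2_settings(mode))
```

A silent port is only a hint of implicit TLS, so use a wait long enough for the server's normal greeting delay before trusting that result.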