File upload fails in FTP 7.5, getting error 550

Question

User-117341026 posted

I have recently setup a FTP server using FTP for IIS 7.5. The server requires TLS connection. While creating new folders, renaming and deleting files are successful, uploading files result in Error "550 The supplied message is incomplete. The signature was not verified.". This is the first time I see this error and I have no idea how to fix it. What do I need to do to fix it?

Status:	Connection established, waiting for welcome message...
Response:	220 Microsoft FTP Service
Command:	AUTH TLS
Response:	234 AUTH command ok. Expecting TLS Negotiation.
Status:	Initializing TLS...
Status:	Verifying certificate...
Command:	USER XXXX
Status:	TLS/SSL connection established.
Response:	331 Password required for friend.
Command:	PASS ***************
Response:	230 User logged in.
Command:	OPTS UTF8 ON
Response:	200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command:	PBSZ 0
Response:	200 PBSZ command successful.
Command:	PROT P
Response:	200 PROT command successful.
Status:	Connected
Status:	Starting upload of C:\xxx\FileZilla_3.3.1_win32-setup.exe
Command:	CWD /
Response:	250 CWD command successful.
Command:	PWD
Response:	257 "/" is current directory.
Command:	TYPE I
Response:	200 Type set to I.
Command:	PASV
Response:	227 Entering Passive Mode.
Command:	STOR FileZilla_3.3.1_win32-setup.exe
Response:	125 Data connection already open; Transfer starting.
Response:	550 The supplied message is incomplete. The signature was not verified. 
Status:	Retrieving directory listing...
Command:	PASV
Response:	227 Entering Passive Mode.
Command:	LIST
Response:	150 Opening BINARY mode data connection.
Response:	226 Transfer complete.
Status:	Directory listing successful

Answer 1

User-117341026 posted

It seems that FileZilla (or some commands/connection methods used by FileZilla) is causing the problem, becuase the error does not occur with Core FTP LE.

Welcome to Core FTP, release ver 2.1, build 1637 (U) -- © 2003-2010
WinSock 2.0
Mem -- 4,183,628 KB, Virt -- 2,097,024 KB
Started on Sunday January 10, 2010 at 14:27:PM
Resolving DNS
Connect socket #932 to xxx.xxx.xxx.xxx, port 21...
220 Microsoft FTP Service  
AUTH TLS  
234 AUTH command ok. Expecting TLS Negotiation.  
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit
USER friend  
331 Password required for xxx.  
PASS **********  
230 User logged in.  
SYST  
215 Windows_NT  
Keep alive off...
PWD  
257 "/" is current directory.  
PBSZ 0  
200 PBSZ command successful.  
PROT P  
200 PROT command successful.  
PASV  
227 Entering Passive Mode.  
LIST  
Connect socket #964 to xxx.xxx.xxx.xxx, port 57507...
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit
150 Opening ASCII mode data connection.  
226 Transfer complete.  
Transferred 185 bytes in 0.011 seconds  
PWD  
257 "/" is current directory.  
TYPE I  
200 Type set to I.  
PASV  
227 Entering Passive Mode.  
STOR TurboBoostSetup.exe  
Connect socket #1076 to xxx.xxx.xxx.xxx, port 57585...
150 Opening BINARY mode data connection.  
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit
226 Transfer complete.  
TurboBoostSetup.exe - 19275432 bytes transferred  
MDTM 20100108045438 TurboBoostSetup.exe  
213 20100108045438  
Transfer time: 00:00:01  
QUIT  
221 Goodbye.

The FTP log also shows a non-0 Windows status for those 550 error:

2010-01-10 06:22:45 [c-ip] [cs-username] [s-ip] 56723 DataChannelOpened - - 0 0 e28d12a4-f0d7-4420-a66c-3a7c1497ea12 -
2010-01-10 06:22:45 [c-ip] [cs-username] [s-ip] 56723 DataChannelClosed - - 2148074264 0 e28d12a4-f0d7-4420-a66c-3a7c1497ea12 -
2010-01-10 06:22:45 [c-ip] [cs-username] [s-ip] 21 STOR FileZilla_3.3.1_win32-setup.exe 550 2148074264 0 e28d12a4-f0d7-4420-a66c-3a7c1497ea12 /FileZilla_3.3.1_win32-setup.exe

Answer 2

User1138193213 posted

The 2148074264 error is 0x80090318, which is the SSL Error code SEC_E_INCOMPLETE_MESSAGE, and the description for that is the error text that you are seeing: "The supplied message is incomplete. The signature was not verified."

That being said, I've used FileZilla with FTPS for some time now, so the problem isn't just FileZilla - it's some combination of factors in this scenario. With that in mind, what SSL certificate are you using? (e.g. Self-Signed, Verisign, etc.) Are there any servers between the FTP client and FTP server? (e.g. Are you locating your FTP server behind a firewire server like ISA server? Are you using the built-in Windows Firewall service on the FTP server?)

I would assume that you are not using some sort of firewall service on the client that might be trying to do stateful inspection of FTP traffic that's failing the data channel, otherwise you would not be seeing directory listings in FileZilla, but it's still a good thing to check to make sure that FileZilla has been configured to work through your client's firewall or any Internet security software.

Answer 3

User-117341026 posted

The built-in Windows Firewall service is protecting the FTP Server. The server is directly connected to the internet. The certificate is self-signed and generated by markcert.exe in Program Files\Microsoft SDKs\Windows\v6.0A\Bin. FileZilla is working with another non-IIS FTPS.

This combination was working in Windows 7 RC.

Answer 4

User-117341026 posted

The problem has been resolved, it is related to TLS 1.1 and/or TLS 1.2. After disabling TLS 1.1 and TLS 1.2, connection with FileZilla is now fine.

Answer 5

User936683659 posted

The problem still persists on my server. Disabling TLS 1.1 and TLS 1.2 is no good solution regarding to the BEAST attack. What else can be done?

 

Update:

I did the following to resolve the issue on IIS 7.5 and get protected against the BEAST attack:

• disable SSL 2.0
• enable TLS 1.1
• enable TLS 1.2
• set the cipher priority to prioritize RC4

Have a look at this: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

 

Answer 6

User-1672167363 posted

Hi,

Did you check the support links http://support.microsoft.com/kb/2643584 

and latest Security Bulletin http://technet.microsoft.com/en-us/security/bulletin/ms12-006 ?

Regards, 

Martin

 

Answer 7

User1247989282 posted

I did the following to resolve the issue on IIS 7.5 and get protected against the BEAST attack:

• disable SSL 2.0
• enable TLS 1.1
• enable TLS 1.2
• set the cipher priority to prioritize RC4

Have a look at this: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

Thanks bobbel78 !

I had the same problem, and your solution works perfectly, even with IIS 8 on Windows Server 2012.

A reboot is required after these modifications.

Answer 8

User-827746226 posted

Hi ther, Can you help me with this issue? Where will i disable the TLS 1.1/TLS 1.2 on the server or the FileZilla client?

TIA