FTPS not negotiating TLS with server

4 thoughts on “FTPS not negotiating TLS with server”

  1. Having managed to get the HE910 modem (firmware 12.00.224) to store the PEM file, I’m finding that opening the connection to the FTPS server is failing to complete TLS negotiation. Any ideas what I’m doing wrong, as I have followed the documentation? Here are the commands sent to the modem and received back:

    01/01/1970 00:00:36 Cmd: AT#FTPCFG=100,0,1
    01/01/1970 00:00:36 Resp 0: OK
    01/01/1970 00:00:36 Cmd: AT#FTPTO=600
    01/01/1970 00:00:36 Resp 0: OK
    01/01/1970 00:00:36 Cmd: AT#SSLSECCFG=1,0,1,1
    01/01/1970 00:00:36 Resp 0: OK
    01/01/1970 00:00:36 Cmd: AT#SSLSECDATA=1,1,1,1367
    01/01/1970 00:00:36 Resp 0: >
    01/01/1970 00:00:36 Cmd: -----BEGIN CERTIFICATE-----

    … not printed for security …
    -----END CERTIFICATE-----

    01/01/1970 00:00:38 Resp 0: OK
    01/01/1970 00:00:38 Cmd: AT+CMEE=2
    01/01/1970 00:00:38 Resp 0: OK
    01/01/1970 00:00:38 Cmd: AT#FTPOPEN="ipaddress:port","username","password",1
    01/01/1970 00:00:46 Resp 0: +CME ERROR: Bad or no response from server
    01/01/1970 00:00:46 301    Could not connect to FTP server

    This is what the server (vsftp) reports:

    Tue Apr  7 15:42:50 2015 [pid 12199] CONNECT: Client "ipaddress"
    Tue Apr  7 15:42:50 2015 [pid 12199] FTP response: Client "ipaddress", "220 Welcome to FTP service."
    Tue Apr  7 15:42:51 2015 [pid 12199] FTP command: Client "ipaddress", "AUTH TLS"
    Tue Apr  7 15:42:51 2015 [pid 12199] FTP response: Client "ipaddress", "234 Proceed with negotiation."

    There is no sign of negotiation from the modem. I had expected the TLS negotiation / handshake to be performed as part of the FTPOPEN command. Is there another command I’m missing that will do that?

    1. I can log in to the FTPS server using an FTP client in explicit FTPS mode, and there are no issues, so I don’t believe that the FTPS server is configured incorrectly. Would grabbing Wireshark logs help?

      1. Seems that the certificate had expired – my colleague had created one with a very short validity period! I have created a new certificate, used that PEM file and now it works.
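
The cause reported in the last comment was an expired certificate. As an added example (not from the thread or from the modem vendor's documentation), this shell function uses the OpenSSL command-line tool to check a PEM file's validity window before it is sent with AT#SSLSECDATA. The function names, the 30-day margin and the generated sample certificate are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: check a PEM certificate's validity window with the OpenSSL CLI
# before loading it into the modem. Names and the 30-day margin are assumptions.

# check_pem FILE [MIN_DAYS]
# returns 0 = valid beyond margin, 1 = already expired,
#         2 = expires within MIN_DAYS, 3 = not a parseable certificate
check_pem() {
    pem=$1
    min_days=${2:-30}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "$pem: not a parseable X.509 PEM certificate" >&2
        return 3
    fi
    # Show whose certificate this is and its notBefore/notAfter dates.
    openssl x509 -in "$pem" -noout -subject -startdate -enddate
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "$pem: certificate has already expired" >&2
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "$pem: certificate expires within $min_days days" >&2
        return 2
    fi
    echo "$pem: valid for more than $min_days days"
}

# make_sample_cert FILE DAYS: constructed sample input, a throwaway
# self-signed certificate valid for DAYS days (CN is a placeholder).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=ftps.example.test" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: a one-day certificate fails a 30-day margin check (exit status 2).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/short.pem" 1
check_pem "$demo_dir/short.pem" 30 || echo "check_pem exit status: $?"
rm -rf "$demo_dir"
```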