- Plesk for Linux
FTP connection over TLS failed with the following error in
CONFIG_TEXT: mod_tls/2.7: unable to accept TLS connection: received EOF that violates protocol
mod_tls/2.7: unable to accept TLS connection: usually this indicates an FTP-aware router, NAT, or firewall interfering with the TLS handshake
mod_tls/2.7: TLS/TLS-C negotiation failed on control channel
The FTPS connection can be established locally:
# lftp -u ftpuser 127.0.0.1
lftp firstname.lastname@example.org:~> set ftp:ssl-force true
lftp email@example.com:~> set ssl:verify-certificate no
lftp firstname.lastname@example.org:~> ls
drwxr-xr-x 2 ftpuser psacln 4096 Jul 13 2017 error_docs
drwxr-x--- 26 ftpuser psaserv 4096 May 8 08:45 httpdocs
drwx------ 2 ftpuser root 4096 Jul 3 03:43 logs
After, the following logs can be found in
CONFIG_TEXT: mod_tls/2.7: TLS/TLS-C requested, starting TLS handshake
mod_tls/2.7: client supports secure renegotiations
mod_tls/2.7: TLSv1.2 connection accepted, using cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
mod_tls/2.7: Protection set to Private
mod_tls/2.7: starting TLS negotiation on data connection
mod_tls/2.7: TLSv1.2 data connection accepted, using cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
This behavior is usually observed if the server is behind a router or firewall that inspects packets on the default port 21 (for example ISA does not support FTP with TLS).
Verify that FTPS connections are enabled in Tools & Settings > Security Policy > FTPS usage policy and that TLSEngine is enabled in
/etc/proftpd.conf config file.
There are two possible solutions:
Solution I. Disable filtering on the router/firewall/ISA server for 21 port.
Solution II. Change FTP port in
to another (for example to 2121):
Connect to the server via SSH
/etc/servicesusing any text editor and change the port for ftp to 2121 for both tcp/udp protocols.
# vi /etc/services
It should look like the following:
# cat /etc/services | grep 2121 | grep ftp
Restart xinetd service
# service xinetd restart
Check the FTP and FTPS connection using the new port.
Note: Port 2121 should be opened on the firewall: How to manage local firewall rules on a Plesk for Linux server