Knowledge Search


[WX] FTPS and SSL acceleration error message E47 SslV3GetHdrFields: CCF: invalid version-3=0x303

  [KB21111] Show KB Properties

  [KB21111] Hide KB Properties

Knowledge Base ID: KB21111
Last Updated: 09 Aug 2011
Version: 1.0

FTPS and SSL acceleration log messages that may help you determine if the version of SSL is supported.

Implicit ssl

FTPS client=filezilla 3.4.0

FTP server= Global space EFT 6.3 ftps server

ftps client>>>wx>>>wan>>>wx>>>>>ftps server

Problem or Goal:
WXC 590
WXOS version of code 5.7.7

We had a customer who wanted to use SSL acceleration, on the WXC 590 version 5.7.7 with the Filezilla FTPS client; but continually got the following message in the logs, and soft quits in the flow diagnostics:

In the display system log of the client side WX the following message is seen:
2011-05-23 12:52:37 126BDBF8 E47 SslV3GetHdrFields: CCF: invalid version-3=0x303 f=1:
2011-05-23 12:52:37 126BDBF8 I47 SoftQuitParse: CCF: reason=NOT_OPTIMISED_CHK_RMT_WX f=1:
The flow diags on the server side WX showed:
soft quit reason= SESSION_CACHE_MISS
Cipher suite= TLS_RSA_WITH_AES_256_CBC_SHA
We never get the SSL acceleration for this FTPS transfer.

The following is the reason for the SSL acceleration not working:
E47 SslV3GetHdrFields: CCF: invalid version-3=0x303 f=1:

This particular SSL version corresponds to value 0x303 in the header. From the code, we do support sslv3, but only up to SSL v3.2 which is TLS v1.1. This value represents TLS 1.2, which is SSL 3.3 and we do not support it.

If you see the above message in the logs for your SSL accelerated flow, that is the reason. We have noted in support, that when using certain FTPS clients, Filezilla for one, that the client sends a SSL client hello with TLS 1.2 and SSL 3.3. This flow is going to soft quit as we do not support it.

We have also noted that CuteFTP sends a SSL client hello on version TLS 1.0 SSL version 3.0, these connections are supported and are accelerated. 

Tested versions are:
  • Failed -Filezilla 3.5.0,Filezilla 2.2.7
  • Working -CuteFTP home 8.3, CuteFTP pro 8.3

The WX should not be soft quitting the Filezilla SSL client 'hellos'. The WX should be waiting for the SSL server hello, as this is what is going to determine the eligibility of the flow to be accelerated. But currently, the WX is incorrectly soft quitting the flow based upon the SSL client hello. 

Workaround: Use CuteFtp Pro or Home instead of Filezilla.


Related Links:

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.