FTPS connection is not stable: Client handshake failed: -2146893018

iskokin
Junior Member
Posts: 4
Joined: 2021-07-31, 00:53 UTC

Post by *iskokin »

I am using version 10.00 to connect to our server using a P12 file. Sometimes I can connect at the first attempt, but often I receive this first:
----------
Using sChannel (Secur32.dll) for SSL/TLS connection.
220 ProFTPD Server (ProFTPd with TLS installation) [Server IP Address]
AUTH TLS
234 AUTH TLS successful
Using client certificate...
Client handshake failed: -2146893018
----------

Then I keep trying to connect, sometimes many times, until finally the connection goes like this:
----------
Using sChannel (Secur32.dll) for SSL/TLS connection.
220 ProFTPD Server (ProFTPd with TLS installation) [Server IP Address]
AUTH TLS
234 AUTH TLS successful
Using client certificate...
Method: TLSv1.2
Chain verification (2): OK
USER sNNNN
232 User sNNNN logged in
----------
and I can work without issues until Total Commander is restarted.
I am sure there is a setting that would allow me to connect in a stable way, not play this lottery.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *ghisler(Author) »

Error -2146893018 or in hexadecimal "0x80090326" is SEC_E_ILLEGAL_MESSAGE, see:
https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts

It means that the client received a message from the server which it could not understand.
It sounds like the server is using a handshake not yet supported by the sChannel library of your Windows installation.

I would try using OpenSSL dlls instead of the built-in sChannel library.

I'm providing self-compiled OpenSSL 1.0.2u here:
https://www.ghisler.com/openssl/

Total Commander 10 also supports OpenSSL 2, while Total Commander 10.50 supports OpenSSL 2 and 3 now.
Author of Total Commander
https://www.ghisler.com
iskokin
Junior Member
Posts: 4
Joined: 2021-07-31, 00:53 UTC

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *iskokin »

Therefore the text "Method: TLSv1.2" does not mean a different protocol but simply the next step after the handshake went through... I hoped to find a quick, easy solution here. I have a subfolder "64" (without quotes) with some DLLs; later I will check whether these are the same ones I see in the link.
But why does the connection finally get established? Sometimes I have to spend 15 minutes trying to connect, but I always prevail in the end. I had hoped to find out what goes right in that case.
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *Dalai »

Do you have access to the logs on the server? If so, I suggest checking them; they might give information on the culprit.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
iskokin
Junior Member
Posts: 4
Joined: 2021-07-31, 00:53 UTC

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *iskokin »

Sorry for such a long delay.
No, I do not have access to the server.

And due to the policy of my organization I could not get the OpenSSL DLLs recommended in this discussion.

After the discussion started, we migrated to next-generation Linux servers. For them I still have to try connecting several times, but on the new servers the connection attempts look different: after 8AM it takes between 1 and 5 attempts; before 7AM it takes so many attempts that I wrote a small piece of code to see how it goes. Today it took 260 tries to connect before Total Commander 10.00 finally established the FTPS connection.
With the code I do not have issues like earlier - the PC is a piece of metal and I let it do the job. For now the mystery stays unsolved for me...
Hacker
Moderator
Posts: 13052
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *Hacker »

A wild guess would be some kind of port mismatch.

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect you drop dead.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *ghisler(Author) »

Maybe they use a server cluster, and only one of the servers lets them in?
For example, the other servers may be configured to only accept TLS 1.3 connections. To make TLS 1.3 connections work, it may need to be enabled in control panel (control.exe) - Internet Options - Extended - Use TLS 1.3.
Author of Total Commander
https://www.ghisler.com
iskokin
Junior Member
Posts: 4
Joined: 2021-07-31, 00:53 UTC

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *iskokin »

Yes, we definitely have servers joined in a cluster; of them only two allow FTPS connections and I connect to those two (I tried the other ones, they do not understand what I want) - however, I give the exact server name when trying to connect. Speaking of enabling TLS 1.3 - I just found that our admins disabled this checkbox; it stays unchecked, saying "Use TLS 1.3 (experimental)". As I said, for now after every restart of the computer I let the program try many times to connect - and the piece of metal does the work beautifully. Thanks for your time!
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: FTPS connection is not stable: Client handshake failed: -2146893018

Post by *ghisler(Author) »

If you have a cluster, a DNS lookup may resolve to a different server each time. Maybe try with the IP address of one of the working servers instead?
Author of Total Commander
https://www.ghisler.com
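
An added diagnostic example for two suggestions in this thread (looking up the logged error code, and checking whether the host name resolves to several cluster nodes that behave differently); it is not code from any poster or from Total Commander. It assumes Python 3, a placeholder host name, and a client certificate exported from the P12 to PEM files.

```python
import socket
import ssl

def to_hresult(code):
    """Signed 32-bit code from the client log -> hex HRESULT for lookup."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def read_reply(stream):
    """Return the final line of an FTP reply, skipping 'NNN-' continuation lines."""
    while True:
        raw_line = stream.readline()
        if not raw_line:
            raise ConnectionError("server closed the control connection")
        line = raw_line.decode("latin-1").rstrip("\r\n")
        if line[:3].isdigit() and line[3:4] == " ":
            return line

def probe(ip, server_name, port=21, certfile=None, keyfile=None, timeout=10):
    """Explicit-FTPS handshake against one address; returns (status, detail)."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    if certfile:                                # client cert as PEM (assumption:
        ctx.load_cert_chain(certfile, keyfile)  # the P12 was exported to PEM)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw, \
                raw.makefile("rb") as ctl:
            read_reply(ctl)                     # 220 banner
            raw.sendall(b"AUTH TLS\r\n")
            reply = read_reply(ctl)
            if not reply.startswith("234"):
                return ("no-auth-tls", reply)
            # SNI and name check use the host name; the TCP peer is the fixed IP.
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return ("ok", tls.version())
    except ssl.SSLError as exc:
        return ("tls-fail", exc.reason or str(exc))
    except OSError as exc:
        return ("net-fail", str(exc))

def survey(host, port=21, **kw):
    """Probe every address the name resolves to, so one bad node stands out."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    return {ip: probe(ip, host, port, **kw) for ip in ips}

if __name__ == "__main__":
    print(to_hresult(-2146893018))              # code from the failing log
    # "ftps.example.internal" is a placeholder host name, not from the thread.
    for ip, result in survey("ftps.example.internal").items():
        print(ip, *result)
```

If the addresses return different results, connecting by the IP of a node that reports `ok` tests the cluster theory directly.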