IndySecOpenSSL using OpenSSL 3.6.0 does not connect with "CompleteFTP Server"

[JPeterMugaas]

I'm having problems using IndySecOpenSSL with OpenSSL 3.6.0, TIdFTP, with a "Complete FTP" Server.

I get the following exception:

Project ftp.exe raised exception class EOpenSSLUnderlyingCryptoError with message 'Error connecting with SSL.
error:0A000126:SSL routines::unexpected eof while reading'.

The problem appears whenever using OpenSSL 3.x but funny enough, the program does work with OpenSSL 1.1.1w. The test program is below:

program ftp;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  Classes,
  IdExplicitTLSClientServerBase,
  IdFTP,
  IdFTPCommon,
  IdSecOpenSSL,
  IdSecOpenSSLAPI,
  IdSecOpenSSLOptions,
  System.SysUtils;


procedure TestLocalHostCompleteFTP;
var
  LSec : TIdSecIOHandlerSocketOpenSSL;
  LFTP : TIdFTP;
  LDir : TStrings;
  i : Integer;
begin
  LFTP := TIdFTP.Create(nil);
  try
    LSec :=  TIdSecIOHandlerSocketOpenSSL.Create(nil);
    try
      LSec.SSLOptions.SSLVersions := DEF_SSLVERSIONS;
      LSec.SSLOptions.Mode := sslmClient;
      LFTP.IOHandler := LSec;
      LFTP.UseTLS := utUseExplicitTLS;
      LFTP.Host := 'localhost';
      LFTP.Username := '****';
      LFTP.Password := '****';
      LFTP.DataPortProtection := ftpdpsPrivate;
      LFTP.Connect;
      try
        LDir := TStringList.Create;
        try
          LFTP.List(LDir);
          for i := 0 to LDir.Count -1 do
          begin
            WriteLn(LDir[i]);
          end;
        finally
          FreeAndNil(LDir);
        end;
      finally
        LFTP.Disconnect;
      end;
    finally
      FreeAndNil(LSec);
    end;
  finally
    FreeAndNil(LFTP);
  end;
end;

begin
  try
    { TODO -oUser -cConsole Main : Insert code here }
    if OpenSSL_Using_Dynamic_Library_Load then
    begin
      WriteLn('Use Dynamic loading');
    end;
    WriteLn(OpenSSLVersion);
    TestLocalHostCompleteFTP;
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
  ReadLn;
end.

Here is the packet capture from Wireshark:

indysec-openssl-completeftp.zip

Funny enough, this issue also appears with TaurusTLS.
TaurusTLS-Developers/TaurusTLS#131

[JPeterMugaas]

I have successfully tested the "CompleteFTP" server with Filezilla and WinSCP.

Just in case you were tempted to ask, I am attaching a Wireshark pcapng for the sample program above using OpenSSL 1.1.1w with success:

indysec-openssl-completeftp-openssl-1-1-1w.zip

[JPeterMugaas]

I have verified that the test program work with OpenSSL 3.4.3. It raises the same exception I use OpenSSL 3.5.0.

As I say, I suspect that this is the same issue I'm having with TaurusTLS.

[JPeterMugaas]

Using the openssl program to access CompleteFTP on my computer:

C:\msys64\home\***\TaurusTLS\Demos\TaurusFTPConsole\Win64\Debug>openssl --version
OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025)
C:\msys64\home\***\TaurusTLS\Demos\TaurusFTPConsole\Win64\Debug>openssl s_client -connect localhost:990 --servername localhost --showcerts
Connecting to ::1
CONNECTED(000001B4)
E44C0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:691:
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 0 bytes and written 1549 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

[JPeterMugaas]

The CompleteFTP Vendor has been contacted about this issue.

[dsk8311]

I am experiencing the same issue, albeit intermittently, when performing requests to MS GRAPH endpoints. According to openssl documentation this can be mitigated with option SSL_OP_IGNORE_UNEXPECTED_EOF
How to set it?