SSL Error - invalid token!?!

I am trying to connect to AT&T worldnet, and I get the following:

AUTH SSL
234 AUTH SSL successful
Connected. Exchanging encryption keys...
SSL Error
The token supplied to the function is invalid

I am using Explicit SSL, and a user created certificate, with port 21. Can anyone help??

Frank

Interoperability problems with the SSL implementation of the FTP server.

What FTP server software is running on the server?
Can you post the full log (including welcome message)?

It could also be that the server requests your client cert to be signed by a valid/authorized CA (cert authority). The cert created by SmartFTP is self-signed.

Thanks.
-Mat

Here is the full script:

Resolving host name upload.att.net...
Connecting to (upload.att.net).
Connected to (upload.att.net) -> IP: 204.127.135.142 PORT: 21.
Socket connected waiting for login sequence.
220-
220-Welcome to the AT&T WorldNet (sm) Personal Web Pages FTP server 204.127.135.68
220-You are accessing it from host 24.237.89.14
220-at Mon Jan 6 19:22:50 2003 GMT
220-
220-This is the "Access from Anywhere" PWP FTP server, and is available
220-from the general internet. However, you MUST use an SSL enabled
220-FTP client. A list of such clients can be found at:
220-
220- http://home.att.net/ftp_anywhere.html
220-
220-For more tips on how to configure your FTP or Web Publishing
220-software to work with Personal Web Pages@att.net, please follow
220-the instructions on these web pages:
220-
220- http://www.wurd.com/eng/pwp/ftpindex.htm
220- or
220- http://www.wurd.com/eng/pwp/editors.htm
220-
220- ****IMPORTANT****
220-
220-Any access to and use of this FTP server, authorized or
220-unauthorized, is governed by and constitutes your acceptance of
220-the terms and conditions imposed on the following web page:
220-
220- http://home.att.net/pwp_gia_terms.html
220-
220-Use your EMAIL-ID at the login prompt (the portion before the "@").
220-Use your EMAIL PASSWORD at the password prompt.
220-
220-
220 PWPFTPD 2.02 (6feb2002) Server (AT&T WorldNet (sm) Personal Web Pages FTP GIA server) [204.127.135.68]
AUTH SSL
234 AUTH SSL successful
Connected. Exchanging encryption keys...
SSL Error
The token supplied to the function is invalid
Cannot login waiting to retry...


The AT&T website which describes Smart FTP ops (see the welcome message) has you set up a self-signed certificate. Thanks for your help.

Working fine here. But you need to create a client cert and enable the "Use Client Cert" checkbox in the Settings->Connection->SSL.
And make sure you have the correct certificate selected in the combobox.

[20:42:57] 220 PWPFTPD 2.02 (6feb2002) Server (AT&T WorldNet (sm) Personal Web Pages FTP GIA server) [204.127.135.68]
[20:42:57] AUTH SSL
[20:42:57] 234 AUTH SSL successful
[20:42:57] Connected. Exchanging encryption keys...
[20:42:58] SSL encrypted session established.
[20:42:58] PBSZ 0
[20:42:58] 200 PBSZ 0 successful
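
Added illustration, not part of any post in this thread and not SmartFTP code: the Python below reads the two client logs quoted above and reports the last explicit-FTPS stage each one reached, which shows that the failing session got past `AUTH SSL` and broke inside the TLS handshake itself. The function name `ftps_stage` and the stage names are hypothetical; the status-line wording is taken from the quoted logs.

```python
import re

# Constructed sample input: the two client logs quoted in this thread.
FAILING_LOG = """\
220 PWPFTPD 2.02 (6feb2002) Server (AT&T WorldNet (sm) Personal Web Pages FTP GIA server) [204.127.135.68]
AUTH SSL
234 AUTH SSL successful
Connected. Exchanging encryption keys...
SSL Error
The token supplied to the function is invalid
Cannot login waiting to retry...
"""
WORKING_LOG = """\
[20:42:57] 220 PWPFTPD 2.02 (6feb2002) Server (AT&T WorldNet (sm) Personal Web Pages FTP GIA server) [204.127.135.68]
[20:42:57] AUTH SSL
[20:42:57] 234 AUTH SSL successful
[20:42:57] Connected. Exchanging encryption keys...
[20:42:58] SSL encrypted session established.
[20:42:58] PBSZ 0
[20:42:58] 200 PBSZ 0 successful
"""
TIMESTAMP = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s*")
REPLY = re.compile(r"^(\d{3})([ -])")
# (server reply code, stage before it) -> stage after it
ON_REPLY = {("220", "connecting"): "banner", ("234", "auth_sent"): "auth_accepted",
            ("200", "pbsz_sent"): "pbsz_ok"}
# client-side log line prefix -> stage (wording as printed in the logs above)
ON_CLIENT = {"AUTH ": "auth_sent", "PBSZ ": "pbsz_sent",
             "SSL encrypted session established": "tls_established"}

def ftps_stage(log):
    """Return (last stage reached, error text or None) for an explicit-FTPS client log."""
    stage = "connecting"
    lines = [TIMESTAMP.sub("", raw.strip()) for raw in log.splitlines()]
    for i, line in enumerate(lines):
        reply = REPLY.match(line)
        if reply and reply.group(2) == "-":
            continue  # continuation line of a multi-line reply such as the 220- banner
        if reply and reply.group(1)[0] in "45":
            return stage, line  # server refused at the FTP level
        if reply:
            stage = ON_REPLY.get((reply.group(1), stage), stage)
        elif line == "SSL Error":  # the TLS library's message is on the next line
            return stage, (lines[i + 1] if i + 1 < len(lines) else line)
        else:
            for prefix, new_stage in ON_CLIENT.items():
                if line.startswith(prefix):
                    stage = new_stage
    return stage, None
```

A result of `auth_accepted` with an error means the FTP dialogue was fine and the fault lies in the TLS layer (certificate, cipher support, or the transport), while an error returned at `auth_sent` means the server rejected the `AUTH` command itself.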

I have the certificate set up (have the whole time). I've even deleted and redone the certificate (twice) and still get the same error message. Is there any other reason for this error? I only have the one certificate loaded, so it shouldn't be a matter of selecting that certificate (unless there's a different combo box that I'm not seeing?). Is there something unique about the certificate (I've entered all of the information)?

I downloaded the update, but I'm still getting the same error. I even tried entering the same certificate information as the automatically generated certificate from another program (Voyager FTP), but no luck. Any other suggestions?

Hello,
Was there any resolution to this problem? I have the same problem.
Thanks,
Frank

We don't see a problem on our side. Sorry.
We can successfully connect to the ftp server mentioned earlier.

-Mat

Hi folks, I have the same problem with SSL and AT&T's ftp and some diagnostic information.

I tried smart ftp with my AT&T webspace and get two different errors. I've checked and double checked that I followed AT&T's guidance exactly.

From an ME machine I get the bad token SSL error.
From a 2000 machine I get the following SSL error:
An established connection was aborted by the software in your host machine.

Both occur during the encryption key exchange.

I've been trying to get help from AT&T through their newsgroup. Another user (not sure what operating system) said it worked fine for him.

I tried another FTP product (a 30 day trial) and was able to successfully FTP on my ME machine.

So, it seems that there is some setting in Smart FTP that isn't consistent across platforms.

Any guidance would be greatly appreciated.

Yours,
Mark

Question for all users having a problem:

Do you have domestic or export encryption installed?

In MSIE, Help->About, look for "Cipher Strength". Domestic encryption is 128 bit.

Question for SmartFTP folks:

I'm assuming that you are using Windows security services for your encryption, since I can't find any OpenSSL identification strings in your DLLs nor exe files.

I have a theory that SmartFTP SSL may not work correctly with export grade encryption.

Suggestion for folks having a problem:

If you have only export grade encryption, upgrade your system (NT/2000) or MSIE (9x/ME) to domestic 128 bit encryption. I'm pretty sure that XP ships this way by default...

Henry, thanks for your input.
We're using schannel (the MS ssl/tls implementation)

I think that's exactly the problem. All users with the problem mentioned should install the 128bit update over http://www.windowsupdate.com.

-Mat

I like the idea. Unfortunately it's not the answer.

I have 128 bit cipher on my Win 2000 machine and still have the problem. Tonight I'll check my ME machine too.

It was so promising though . . . .

Yours,
Mark

Indeed, I also have 128 bit cipher on my Me machine (which is where I get the token error when trying to connect to upload.att.net using Smart FTP).

I also have some folks at AT&T looking into this. We have a thread on the newsgroup: worldnet.help.pwp.new-users

The thread is 534 Insecure Connection.

Hmm.

OK, then, the usual culprits. Did you install SP 3 on your Win2K machine?

Next, do you have a NAT/NAPT box or any other application firewall?

Lastly, does your entire network path to the server support MTU path discovery? You haven't installed any download accelerators, tweaked max/min MTU, or any such thing, have you?

Note that MS Schannel seems to return "bad token" messages on reconnect when the packets are truncated. This might also cause an application disconnect under win9x/ME. Similarly, the distant end will close the SSL session if there are too many packet retrans' because of broken MTU path discovery.

See:

http://groups.google.com/groups?hl=en&l ... &frame=off

for a supporting discussion.

I'm cross posting this on both the AT&T and the Smart FTP discussions.

Thanks Henry, but no luck. Win2K has SP3 and Me is up to date with v. 4.90.3

Both were updated within the last two weeks.

I wouldn't know an MTU if it bit me on the nose. The Me machine is stand alone at home (no local network or anything) with AT&T dsl and the Win2K is part of an office network hooked up to the Net via a commercial AT&T T-1.

Me is running a Norton Firewall, but I get the token error even with the Firewall off.

WS_FTP works to connect to AT&T's ftp upload.att.net even with the Firewall on (Me machine, haven't also tried WS_FTP on the Win2K).

As I understand that others have had this problem (as per the Smart FTP discussion), I would be glad to have a phone call with someone from Smart FTP or AT&T to walk through all the settings on one of my machines to try and find the culprit.

If anyone is interested, e-mail me directly at freedmanmf@att.net

Well, I never solved the SmartFTP problem, but thanks to information I found elsewhere with AT&T I have a workaround that lets me use Dreamweaver's built in FTP without SSL.

TLS-Wrap is a DOS program that apparently 'masks' my connection to look like SSL. I run that and then I can use normal non-SSL ftp.

Here is the information for doing this.

http://www.wurd.com/cl_ssl_tlswrapper.php