Receiving "Handshake message length exceeds the maximum" Error on FTPS Connection Attempt

Question

We connect to the FTP site of a large financial institution via FTPS, using an SSL certificate.  When we recently upgraded to version 12.1.1 of the edtFTPNetPRO library, we are now receiving the following error:

EnterpriseDT.BouncyCastle.Tls.TlsFatalAlert: internal_error(80); Handshake message length exceeds the maximum: certificate_request(13), 33962 > 32768

I tested against several versions of the library and the last version that works without any error is 11.1.1.  (I.e. the new behavior started in version 12.0.)  I was unable to find any information about this error through online searches or this site.  Are you aware of a reason for this error and/or a resolution for it?

Here are some additional logs:

DEBUG [CertificateStore] 22 Jul 2024 17:19:51.332 :  Valid PFX file
DEBUG [CertificateStore] 22 Jul 2024 17:19:51.338 :  Password valid - calling PFXImportCertStore
DEBUG [CertificateStore] 22 Jul 2024 17:19:51.362 :  Successfully imported the PFX file
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.239 :  Owner=[Redacted]
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.240 :  Expiry=[Redacted]
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.241 :  Flags: Flag 0=False;Flag 1=True;Flag 2=True;Flag 3=False;Flag 4=False;Flag 5=False;Flag 6=False;Flag 7=False;Flag 8=False;Flag 9=False;Flag 10=False;Flag 11=False
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.241 :  IsTrial=False,Product=EdtFTPnetPRO
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.242 :  Owner=[Redacted]
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.242 :  Licence expiry date: [Redacted]
DEBUG [LicenseProperties] 22 Jul 2024 17:19:57.242 :  Production license
DEBUG [SSLFTPClient] 22 Jul 2024 17:19:57.242 :  Connecting to [Redacted]:21
DEBUG [SSLFTPControlSocket] 22 Jul 2024 17:19:57.243 :  waitOnShutdownSSL=True
DEBUG [SecureSocket] 22 Jul 2024 17:19:57.250 :  ChangeSecurityProtocol: None
DEBUG [ExFTPControlSocket] 22 Jul 2024 17:19:57.251 :  Created control-socket: SocksContext=, ProxySettings=NoProxy, RemoteHost=[Redacted], controlPort=21, timeout=120000
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:57.252 :  StrictReturnCodes=False
DEBUG [HostNameResolver] 22 Jul 2024 17:19:57.253 :  Resolving [Redacted]
DEBUG [HostNameResolver] 22 Jul 2024 17:19:57.342 :  Obtained 2 addresses
DEBUG [HostNameResolver] 22 Jul 2024 17:19:57.342 :  IP address: [Redacted]
DEBUG [HostNameResolver] 22 Jul 2024 17:19:57.342 :  IP address: [Redacted]
DEBUG [HostNameResolver] 22 Jul 2024 17:19:57.342 :  [Redacted] resolved to [Redacted]
DEBUG [ExFTPControlSocket] 22 Jul 2024 17:19:57.342 :  Connecting directly to ftp-server [Redacted]:21
INFO [SSLFTPSocket] 22 Jul 2024 17:19:57.342 :  Connecting to [Redacted]:21 with timeout 120000 ms
DEBUG [SSLFTPSocket] 22 Jul 2024 17:19:57.421 :  Successfully connected to [Redacted]:21
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:57.421 :  Setting socket timeout=120000
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:57.422 :  SetSocketTimeout: 120000
INFO [FTPControlSocket] 22 Jul 2024 17:19:57.423 :  Command encoding=System.Text.SBCSCodePageEncoding
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:57.423 :  Setting socket buffer sizes=-1
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:57.423 :  SetSocketBuffers: -1
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:57.484 :  220 *** IT IS AN OFFENSE TO CONTINUE WITHOUT THE CORRECT AUTHORIZATION *** ready.
DEBUG [SSLFTPClient] 22 Jul 2024 17:19:58.357 :  SetSSLProtocol: min=DETECT, max=DETECT
DEBUG [SSLFTPClient] 22 Jul 2024 17:19:58.357 :  SetSSLProtocol=Tls1, Tls11, Tls12
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:58.358 :  ---> AUTH TLS
DEBUG [FTPControlSocket] 22 Jul 2024 17:19:58.426 :  234 SSLv23/TLSv1
DEBUG [SSLFTPControlSocket] 22 Jul 2024 17:19:58.427 :  Beginning Tls1, Tls11, Tls12 handshake.
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.427 :  ChangeSecurityProtocol: Tls1, Tls11, Tls12
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.435 :  Starting handshake
DEBUG [SocketController] 22 Jul 2024 17:19:58.437 :  Starting TLS client
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.459 :  Handshake started
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.459 :  Waiting for handshake completion
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.459 :  Waiting for handshake to complete (timeout=120000ms)
DEBUG [EdtTlsClient] 22 Jul 2024 17:19:58.643 : FTPClient.1 NotifyAlertRaised(level=2,desc=80,msg=Failed to read record)
ERROR [SocketController] 22 Jul 2024 17:19:58.644 : FTPClient.1 OnReceive - caught exception - closing
ERROR [SocketController] 22 Jul 2024 17:19:58.644 : FTPClient.1 EnterpriseDT.BouncyCastle.Tls.TlsFatalAlert: internal_error(80); Handshake message length exceeds the maximum: certificate_request(13), 33962 > 32768
ERROR [SocketController] 22 Jul 2024 17:19:58.644 : FTPClient.1    at EnterpriseDT.BouncyCastle.Tls.TlsProtocol.SafeReadRecord()
ERROR [SocketController] 22 Jul 2024 17:19:58.644 : FTPClient.1    at EnterpriseDT.BouncyCastle.Tls.TlsProtocol.OfferInput(Byte[] input, Int32 inputOff, Int32 inputLen)
ERROR [SocketController] 22 Jul 2024 17:19:58.644 : FTPClient.1    at EJXBPZg7K526wn0mw4nt.NyGAwWg7cutXms4TT42x.yfig7sJE42w(IAsyncResult  )
DEBUG [SocketController] 22 Jul 2024 17:19:58.650 : FTPClient.1 CloseConnection(e=internal_error(80); Handshake message length exceeds the maximum: certificate_request(13), 33962 > 32768)
DEBUG [SocketController] 22 Jul 2024 17:19:58.650 : FTPClient.1 Shut down socket
DEBUG [SocketController] 22 Jul 2024 17:19:58.650 : FTPClient.1 Closed socket
DEBUG [TransferBuffer] 22 Jul 2024 17:19:58.650 : FTPClient.1 Close() called when open
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.650 : FTPClient.1 OnHandshakeComplete(False,internal_error(80); Handshake message length exceeds the maximum: certificate_request(13), 33962 > 32768)
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.650 : FTPClient.1 OnHandshakeComplete - waiting for lock
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.650 : FTPClient.1 OnHandshakeComplete - in lock
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.650 : FTPClient.1 OnHandshakeComplete - exiting lock
DEBUG [SecureSocket] 22 Jul 2024 17:19:58.650 : FTPClient.1 OnHandshakeComplete - exit
ERROR [SecureSocket] 22 Jul 2024 17:19:58.650 :  Exception during handshake
ERROR [SecureSocket] 22 Jul 2024 17:19:58.650 :  EnterpriseDT.BouncyCastle.Tls.TlsFatalAlert: internal_error(80); Handshake message length exceeds the maximum: certificate_request(13), 33962 > 32768
ERROR [SecureSocket] 22 Jul 2024 17:19:58.650 :     at EnterpriseDT.BouncyCastle.Tls.TlsProtocol.SafeReadRecord()
ERROR [SecureSocket] 22 Jul 2024 17:19:58.650 :     at EnterpriseDT.BouncyCastle.Tls.TlsProtocol.OfferInput(Byte[] input, Int32 inputOff, Int32 inputLen)
ERROR [SecureSocket] 22 Jul 2024 17:19:58.650 :     at EJXBPZg7K526wn0mw4nt.NyGAwWg7cutXms4TT42x.yfig7sJE42w(IAsyncResult  )
DEBUG [SecureSocket] 22 Jul 2024 17:20:03.299 : FTPClient.1 Close()
DEBUG [SocketController] 22 Jul 2024 17:20:03.299 : FTPClient.1 Dispose()
DEBUG [SocketController] 22 Jul 2024 17:20:03.299 : FTPClient.1 CloseConnection(e=null)

Answer 1

In the TLS protocol implementation we are using, the default maximum length of a TLS handshake message is set to 32768. The specification does allow for a much bigger length (in fact, up to 16,777,215 bytes), but in practice messages are generally much smaller. I assume your certificate size is what's resulting in the longer than usual length - maybe the number of certificates in the chain. To remedy this we will increase the default maximum to 65,536. That will be more than enough for your situation (and likely most others). 

If you have a current support agreement, please open a ticket here and we will sort out getting you a patched version of 12.1.1 with the increased size. Otherwise, it will be in the next release.

Comments

Thank you for the quick response!  We do have an active support agreement.  I will put in a ticket, just to formally request the change, but we don't need a custom patch.  We can wait for a future version.