Pure-ftp error TLS renegotiation

Discussion in 'General' started by zapyahoo, Aug 19, 2019.

  1. zapyahoo

    zapyahoo Member

    Weird? Anyone else with this issue?
    I did all Ubuntu server 18 updates a few days ago and now clients can not connect via ftp to their sites using explicit TLS.
    Don't know if it was a pure-ftp update or openssl update but now the connections give:
    pure-ftp ERROR TLS renegotiation
    I used the tutorial available here to re-install pure-ftp, generate a new certificate and forced pure-ftp to use, only accept TLS. To no avail.
    Plain text works fine.

    OpenSSL test with port 21
    ****@PPPP:~# openssl s_client -connect ***.***.***.101:21
    CONNECTED(00000005)
    140346606842304:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 316 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
     
  2. ahrasis

    ahrasis Well-Known Member

    What is the status of pure-ftpd-mysql? Do run "service pure-ftpd-mysql status" to check.

    Do further checks based on the tutorial for Ubuntu 18.04 apache / nginx at the pureftpd parts. E.g. /etc/default/pure-ftpd-common, /etc/pure-ftpd/conf/TLS, /etc/ssl/private/.

    Check all the SSL certs for it, whether they have already expired.
     
  3. zapyahoo

    zapyahoo Member

    The SSL is new since I did the pure-ftp tutorial again. Even got the pop up to accept the new cert.

    # service pure-ftpd-mysql status
    ● pure-ftpd-mysql.service
    Loaded: loaded (/etc/init.d/pure-ftpd-mysql; generated)
    Active: active (running) since Tue 2019-08-20 09:03:54 WEST; 9min ago
    Docs: man:systemd-sysv-generator(8)
    Process: 1653 ExecStart=/etc/init.d/pure-ftpd-mysql start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4678)
    CGroup: /system.slice/pure-ftpd-mysql.service
    └─1666 pure-ftpd (SERVER)

    Aug 20 09:05:57 test.localhost pure-ftpd[8088]: ([email protected]***.***.56.1) [ERROR] TLS renegociation
    Aug 20 09:06:13 test.localhost pure-ftpd[23298]: ([email protected]***.***.56.1) [INFO] New connection from 192.168.56.1
    Aug 20 09:06:13 test.localhost pure-ftpd[23298]: ([email protected]***.***.56.1) [DEBUG] Command [auth] [TLS]
    Aug 20 09:06:13 test.localhost pure-ftpd[23298]: ([email protected]***.***.56.1) [ERROR] TLS renegociation
    Aug 20 09:06:51 test.localhost pure-ftpd[26810]: ([email protected]::1) [INFO] New connection from ::1
    Aug 20 09:06:51 test.localhost pure-ftpd[26810]: ([email protected]::1) [DEBUG] Command [quit] []
    Aug 20 09:06:51 test.localhost pure-ftpd[26810]: ([email protected]::1) [INFO] Logout.
    Aug 20 09:10:01 test.localhost pure-ftpd[27593]: ([email protected]::1) [INFO] New connection from ::1
    Aug 20 09:10:01 test.localhost pure-ftpd[27593]: ([email protected]::1) [DEBUG] Command [quit] []
    Aug 20 09:10:01 test.localhost pure-ftpd[27593]: ([email protected]::1) [INFO] Logout.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Try using a different FTP client, e.g. fireftp which is a Firefox plugin or use the FTP (not SFTP or SCP) mode of WinSCP.
     
  5. OsmDroid

    OsmDroid New Member

    @zapyahoo @till I am running into the exact same problem. It connects through plain text but doesn't connect over TLS. Maybe it's a problem with pure-ftpd-mysql. I'll try to remove that and install pure-ftpd (normal)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Don't do that, FTP will not work anymore then at all as users can't connect. pure-ftpd without mysql can not be used as it can not connect to mysql. Instead, try using a different FTP client like fireftp or winscp in ftp mode.
     
  7. OsmDroid

    OsmDroid New Member

    @till I just tested pure-ftpd on fresh Ubuntu 18.04 (which pureftp has 1.46) and fresh 19.04 (1.47) concluding that TLS works perfectly after following steps you mentioned in Ubuntu 18.04 perfect server on 1.47 but doesn't work on 1.46. I found one ppa (launchpad dot net/~joshuaspring9/+archive/ubuntu/pure-ftpd) with 1.47 for bionic but idk if it's trustworthy or not. Maybe I need to compile from source. Can you please provide me brief instructions to compile?

    Thanks much. Big fan
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  9. ahrasis

    ahrasis Well-Known Member

    Strange. Mine works fine while using Ubuntu 18.04.3 default pure-ftpd-mysql 1.0.46.

    As advised above, you should try a different ftp client, just to make sure that it is not an ftp client problem, as FileZilla 3.40 has a known issue with its TLS1.3 support as the same is not handled properly in pure-ftpd-mysql 1.046.
     
  10. OsmDroid

    OsmDroid New Member

    @ahrasis @Taleman Appreciating the help from both of you. I've been trying to get TLS working for 12 hours.
    Tried everything from completely uninstalling pure-ftpd to installing latest from source to again uninstalling fully to installing 1.47 from 19.04 to switching to 5 other FTP clients. Tinkered with all other settings, disabling firewall, ipv4/6, changing ports, switching active passive but NO LUCK :(
    I always get this:
    Code:
    Command:    AUTH TLS
    Response:    502 AUTH TLS OK.
    Command:    AUTH SSL
    Error:    Could not connect to server
    TLS auth is working but listing isn't happening. Who knows if something is conflicting or pure-ftp has bugs, I'll have to wait till Ubuntu updates the package.
     
  11. ahrasis

    ahrasis Well-Known Member

    I think if you did the above to resolve your problem, or use other ftp client, then it should work fine too, however, you report that as failing as well.

    So, if you want to fix it, please try checking the result of all these in the terminal:
    Code:
    apt-get install pure-ftpd-common pure-ftpd-mysql openssl   # This will show all their version if installed
    cat /etc/pure-ftpd/conf/TLS   # This normally is 1 as per the tutorial
    ls -lath /etc/ssl/private/   # You should have both pure-ftpd-dhparams.pem and pure-ftpd.pem
    service pure-ftpd-mysql restart   # You should successfully restart it
    service pure-ftpd-mysql status   # Status should be ok with no error
    
    Check if the ftp port 21 and 22 are open for connections.

    Searching for that error will also help if everything above is ok. https://lmgtfy.com/?q=ftp+Error:+Could+not+connect+to+server&p=1
     
    Last edited: Sep 11, 2019
    OsmDroid likes this.
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you can connect with TLS but it stopped when trying to list folders? In that case, your passive ports are blocked.

    https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/

    And as a side note, I use Ubuntu 18.04 with its default pure-ftpd-mysql binary as well here and it works fine with TLS, so there is no issue with that package regarding TLS. The only issue that the old pure-ftpd version has is an incompatibility with the latest FileZilla version; other clients are not affected and older FileZilla versions are not affected either.
     
    OsmDroid likes this.
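
Added example, not part of the thread: a staged explicit-FTPS probe in Python that reports the first stage to fail, which separates a control-channel failure at AUTH TLS (the `[ERROR] TLS renegociation` case) from the blocked passive data channel described in the post above. The names `probe`, `HINTS` and `ftp_factory` are this example's own, and the host and credentials are placeholders.

```python
import ftplib

# Stages in the order an explicit-FTPS (FTPES) session performs them.
# The first stage that fails tells you which side to investigate.
HINTS = {
    "connect": "TCP to the control port failed: firewall, wrong host, service down",
    "auth_tls": "AUTH TLS or the handshake failed: server TLS setup, a client/server "
                "TLS version mismatch, or a network path that interferes with FTPES",
    "login": "TLS works; check the credentials or the MySQL user backend",
    "prot_p": "server refused to protect the data channel",
    "list": "control channel works, data channel does not: passive port range "
            "blocked or not forwarded",
}


def probe(host, user, password, port=21, timeout=10, ftp_factory=ftplib.FTP_TLS):
    """Return (failed_stage, detail), or (None, "ok") when every stage passes.

    ftplib's default TLS context does not verify the server certificate, which
    suits a self-signed test certificate; pass a factory that supplies a
    verifying ssl context when the certificate itself is under test.
    """
    ftp = ftp_factory(timeout=timeout)
    steps = [
        ("connect", lambda: ftp.connect(host, port)),
        ("auth_tls", ftp.auth),        # sends AUTH TLS, then wraps the socket
        ("login", lambda: ftp.login(user, password)),
        ("prot_p", ftp.prot_p),        # PBSZ 0 + PROT P: encrypt data channel
        ("list", lambda: ftp.retrlines("LIST", lambda _line: None)),  # passive
    ]
    try:
        for stage, step in steps:
            try:
                step()
            except ftplib.all_errors as exc:
                return stage, f"{HINTS[stage]} ({exc!r})"
        return None, "ok"
    finally:
        ftp.close()


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own test account.
    print(probe("ftp.example.test", "testuser", "testpassword"))
```

The command-line equivalent of the `auth_tls` stage is `openssl s_client -connect HOST:21 -starttls ftp`, which issues AUTH TLS before the handshake. Without `-starttls ftp` the client reads the server's plaintext greeting as a TLS record, which produces the `wrong version number` error shown in the first post.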
  13. winsbury

    winsbury New Member

    I've given up with Filezilla for similar reasons - Coffeecup FTP Free seems to work just fine, I haven't tried any other clients yet so there may be others that work.
     
  14. OsmDroid

    OsmDroid New Member

    @till @ahrasis @Taleman After many hours of brain blowing troubleshooting by trying to fix the server, I eventually found out the problem was so simple but I was looking at the wrong side. The problem was from the client side, my ISP is blocking FTPES connections while allowing plain text FTP.
    This is too shady, clients would connect to FTP even when FTPES is available allowing them to look at which types of files we're

    I wonder how they achieve this? Btw I am very grateful for the help
     
  15. ahrasis

    ahrasis Well-Known Member

    That is because from the tutorial we allow them to do that.
    I think if you change the above content to 2 only then it will force everybody to use only FTPES access.
     
  16. OsmDroid

    OsmDroid New Member

    Yes, I know. But you didn't get me. If I try to connect to FTPES it just won't work via my ISP but with my mobile data hotspot I can connect to the same server with FTPES
     
  17. ahrasis

    ahrasis Well-Known Member

    I was replying to this.

    Anyway, you wanna say your ftp server is fine. Noted that.
     
  18. byman64

    byman64 New Member

    Hi, today I just got the same issue using FTP client Filezilla.

    I tried with SCP for windows and I am able to connect

    Yesterday the FileZilla client worked properly and I didn't update the client, so the same version.
    I am reading the discussion but I see some reinstall stuff but I don't want to try if I am not sure.
    Any idea?

    I have Ubuntu 18.04 with ispconfig installed following one of your nice guides
    **service pure-ftpd-mysql status**
    ● pure-ftpd-mysql.service
    Loaded: loaded (/etc/init.d/pure-ftpd-mysql; generated)
    Active: active (running) since Mon 2019-09-16 21:09:30 CEST; 3min 46s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 1442 ExecStart=/etc/init.d/pure-ftpd-mysql start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
    CGroup: /system.slice/pure-ftpd-mysql.service
    └─1500 pure-ftpd (SERVER)

    Sep 16 21:10:18 vps7 pure-ftpd[2046]: ([email protected]) [INFO] New connection from xx.23.40.yy
    Sep 16 21:10:19 vps7 pure-ftpd[2046]: ([email protected]) [ERROR] TLS renegociation
    ...
     
  19. OsmDroid

    OsmDroid New Member

    You don't need to do anything, just change your client from FileZilla to Flash FTP and if it still doesn't work try changing local internet. Then tell if it works
     
  20. byman64

    byman64 New Member

    As I reported, the problem is with the FileZilla client, ftp over TLS...it worked for ages and stopped working...I am sure I didn't install a new version of FileZilla...

    BTW I can use WinSCP without problem using "TLS/SSL Explicit encryption".

    It's really strange...something changed on my pc? A Windows 10 update? Who can say...I agree with you, it seems an ftp client issue...

    I also tried from another pc with another internet line, same version of the FileZilla client and same configuration and FileZilla reports the same error:


    Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
    Status: Server did not properly shut down TLS connection
    Error: Could not read from socket: ECONNABORTED - Connection aborted
    Error: Could not connect to server
     
