TLS problem with pureftpd and FileZilla

Discussion in 'General' started by Elayne, Apr 26, 2016.

  1. Elayne

    Elayne Member

    I've got a little problem that I'm just not able to explain because it's really odd. I read about it on FileZilla forums about the TLS problem and that it was the server's fault and after that the other side (clients) blaming FileZilla that the problem was in the client itself and I could reasonably agree with both sides. But while reading I was getting nowhere and just becoming confused as hell.

    Code:
    Status:   Starting download of /web/Sources/ManageMail.php
    Command:   PASV
    Response:   227 Entering Passive Mode (217,174,155,59,178,83)
    Command:   RETR ManageMail.php
    Response:   150-Accepted data connection
    Response:   150 12.6 kbytes to download
    Error:   GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
    Status:   Server did not properly shut down TLS connection
    Error:   Could not read from transfer socket: ECONNABORTED - Connection aborted
    Response:   226-File successfully transferred
    Response:   226 0.000 seconds (measured here), 41.22 Mbytes per second
    Error:   File transfer failed after transferring 13,313 bytes in 1 second
    
    Why am I confused?
    Some files are getting transferred without error, some files are transferred with error while others are not transferred at all with error. They have nothing in common, absolutely nothing.

    What I did...
    Installed gnutls-bin as it wasn't, updated and then upgraded all packages, tried checking any error log, I see only transfer log which doesn't contain any error log. Updated FileZilla to latest version (after which actually everything started), tried checking the TLS version at the server if it was 3.4.10 which is the GnuTLS version of FileZilla. Made a gnutls-cli test in the SSH which didn't return anything useful as information on port 443, only that it is using TLS protocol version 1.2 and after that ran a test on port 21 which actually showed something interesting but nothing that rings a bell to me:

    Code:
    |<2>| ASSERT: gnutls_record.c:538
    |<2>| ASSERT: gnutls_record.c:995
    |<2>| ASSERT: gnutls_handshake.c:2762
    *** Fatal error: An unexpected TLS packet was received.
    |<4>| REC: Sending Alert[2|10] - Unexpected message
    |<4>| REC[0x9664b0]: Sending Packet[1] Alert(21) with length: 2
    |<4>| REC[0x9664b0]: Sent Packet[2] Alert(21) with length: 7
    *** Handshake has failed
    GnuTLS error: An unexpected TLS packet was received.
    |<4>| REC[0x9664b0]: Epoch #0 freed
    |<4>| REC[0x9664b0]: Epoch #1 freed
    
    Any idea?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Reminds me of another post on the forums recently, and IIRC, the solution (or recommendation?) was to generate a new certificate for the server.
     
  3. Elayne

    Elayne Member

    Yes I also thought of that but sounds kinda non-logical, because as I said previously I can transfer some files but others I can't and if the certificate itself was the problem it would be for every connection and file wouldn't it? Seems like I don't have much of a choice and I have to try it... any other possible solution? I could easily try to restart the server but I'm willing to fix the problem is it's happening so I can know what causes it. By the way restarting pureftpd doesn't fix it.

    Edit -------------------------------------------

    Generated a new certificate and the problem remains. Deleted the job queue for certain files and issued them to get downloaded again but the problem occurs again. It's like the SSL certificate is securing the information irreversibly.
     
    Last edited: Apr 27, 2016
  4. gbe

    gbe Member HowtoForge Supporter

    Hey Elayne, did you ever manage to solve this?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    To resolve this you'll need to compile pure-ftpd on your own. Read more about it here: https://github.com/jedisct1/pure-ftpd/issues/94

    Your server may also need OpenSSL 1.1.1 too.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There are actually several options to resolve or work around the issue:

    1) Use a different FTP client.
    2) Switch back to the prior FileZilla version.
    3) Compile a newer pure-ftpd-mysql version.
    4) On Debian and Ubuntu: Try to install a precompiled version which has this patch inside via apt pinning as the version from Debian 10 should not be affected and the version from latest Ubuntu 19.04 or upcoming 19.10 might work too.
     
    ahrasis likes this.
  8. Zador

    Zador New Member

    Hi, I have the same problem.
    It is impossible to connect via FTP with a TLS certificate. I renewed the certificate, but with any FTP client I get the same error:
    everything is OK (host OK, user OK, password OK, certificate OK), but suddenly "non-properly terminated" or "This security scheme is not implemented".
    Is there any solution?


    Respuesta: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Respuesta: 220-You are user number 1 of 50 allowed.
    Respuesta: 220-Local time is now 11:43. Server port: 21.
    Respuesta: 220-This is a private system - No anonymous login
    Respuesta: 220-IPv6 connections are also welcome on this server.
    Respuesta: 220 You will be disconnected after 15 minutes of inactivity.
    Comando: AUTH TLS
    Respuesta: 234 AUTH TLS OK.
    Estado: Inicializando TLS...
    Estado: Verificando certificado...
    Estado: Conexión TLS establecida.
    Comando: USER citadela
    Error: Error GnuTLS -110 en gnutls_record_recv: The TLS connection was non-properly terminated.
    Estado: El servidor no cerró la conexión TLS adecuadamente
    Error: No se pudo leer desde el socket: ECONNABORTED - Conexión abortada
    Error: No se pudo conectar al servidor

    Other FTP client:

    OpenSSL SSL_read: Connection reset by peer, errno 54. Server returned:
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 3 of 50 allowed.
    220-Local time is now 11:58. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    500 This security scheme is not implemented
    234 AUTH TLS OK.
    -1.)

    This is the status of pure-ftpd-mysql:
    Jul 01 11:58:25 ns3040218 pure-ftpd[28811]: ([email protected]) [INFO] New connection from 89.129.230.184
    Jul 01 11:58:25 ns3040218 pure-ftpd[28811]: ([email protected]) [ERROR] TLS renegociation
    Jul 01 11:58:26 ns3040218 pure-ftpd[28813]: ([email protected]) [INFO] New connection from 89.129.230.184
    Jul 01 11:58:26 ns3040218 pure-ftpd[28813]: ([email protected]) [ERROR] TLS renegociation
    Jul 01 11:58:26 ns3040218 pure-ftpd[28815]: ([email protected]) [INFO] New connection from 89.129.230.184
    Jul 01 11:58:26 ns3040218 pure-ftpd[28815]: ([email protected]) [ERROR] TLS renegociation
    Jul 01 11:59:35 ns3040218 pure-ftpd[27293]: ([email protected]) [INFO] Timeout - try typing a little faster next time
    Jul 01 11:59:45 ns3040218 pure-ftpd[28922]: ([email protected]) [INFO] New connection from 89.129.230.184
    Jul 01 12:00:06 ns3040218 pure-ftpd[29091]: ([email protected]) [INFO] New connection from 127.0.0.1
    Jul 01 12:00:06 ns3040218 pure-ftpd[29091]: ([email protected]) [INFO] Logout.
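
Added example, not part of the post above and not code from the pure-ftpd or ISPConfig projects: a small Python triage script that joins pure-ftpd log lines by PID to show which client addresses hit the `TLS renegociation` error and in how many of their sessions. The sample log is constructed in the layout shown above; the `(?@ip)` prefix and the documentation-range addresses are assumptions, since the prefix in the post is obscured.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog layout of the post; hostname and addresses
# are placeholders (documentation ranges), not values from the thread.
SAMPLE_LOG = """\
Jul 01 11:58:25 host pure-ftpd[28811]: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Jul 01 11:58:25 host pure-ftpd[28811]: (?@192.0.2.10) [ERROR] TLS renegociation
Jul 01 11:58:26 host pure-ftpd[28813]: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Jul 01 11:58:26 host pure-ftpd[28813]: (?@192.0.2.10) [ERROR] TLS renegociation
Jul 01 11:59:45 host pure-ftpd[28922]: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Jul 01 12:00:06 host pure-ftpd[29091]: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 01 12:00:06 host pure-ftpd[29091]: (?@127.0.0.1) [INFO] Logout.
"""

LINE_RE = re.compile(
    r"pure-ftpd\[(?P<pid>\d+)\]: \([^)]*\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"New connection from (?P<ip>\S+)")


def tls_failures_by_client(log_text):
    """Return {client_ip: {"sessions": n, "tls_errors": m}}.

    The log shows a different PID per connection, so the PID ties an
    [ERROR] line back to that session's "New connection from" address.
    """
    pid_to_ip = {}
    stats = defaultdict(lambda: {"sessions": 0, "tls_errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pure-ftpd line
        pid, level, msg = m["pid"], m["level"], m["msg"]
        conn = CONNECT_RE.match(msg)
        if conn:
            pid_to_ip[pid] = conn["ip"]
            stats[conn["ip"]]["sessions"] += 1
        elif level == "ERROR" and msg.startswith("TLS renegociation"):
            # Spelling matches the message text as it appears in the log.
            stats[pid_to_ip.get(pid, "unknown")]["tls_errors"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, s in tls_failures_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {s['tls_errors']}/{s['sessions']} sessions hit the TLS error")
```

A client whose every session ends in this error, while others connect cleanly, points at a client/server TLS incompatibility rather than at the certificate.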
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Do not revive 5 year old threads.
    If you really have the same problem, the solutions Till mentions should work. If they don't, you should have started a new thread.
     
    till likes this.
  10. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Update the FTP server to a newer version. I wrote somewhere in this forum how you can do this with Ubuntu 18.
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Or upgrade the server OS so you'll get newer software by default.
     
