TLS problem with pureftpd and FileZilla

Discussion in 'General' started by Elayne, Apr 26, 2016.

  1. Elayne

    Elayne Member

    I've got a little problem that I'm just not able to explain because it's really odd. I read about it on FileZilla forums about the TLS problem and that it was the server's fault and after that the other side (clients) blaming FileZilla that the problem was in the client itself and I could reasonably agree with both sides. But while reading I was getting nowhere and just becoming confused as hell.

    Status:   Starting download of /web/Sources/ManageMail.php
    Command:   PASV
    Response:   227 Entering Passive Mode (217,174,155,59,178,83)
    Command:   RETR ManageMail.php
    Response:   150-Accepted data connection
    Response:   150 12.6 kbytes to download
    Error:   GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
    Status:   Server did not properly shut down TLS connection
    Error:   Could not read from transfer socket: ECONNABORTED - Connection aborted
    Response:   226-File successfully transferred
    Response:   226 0.000 seconds (measured here), 41.22 Mbytes per second
    Error:   File transfer failed after transferring 13,313 bytes in 1 second

    Why am I confused?
    Some files are getting transferred without error, some files are transferred with error while others are not transferred at all with error. They have nothing in common, absolutely nothing.

    What I did...
    Installed gnutls-bin as it wasn't, updated and then upgraded all packages, tried checking any error log, I see only transfer log which doesn't contain any error log. Updated FileZilla to latest version (after which actually everything started), tried checking the TLS version at the server if it was 3.4.10 which is the GnuTLS version of FileZilla. Made a gnutls-cli test in the SSH which didn't return anything useful as information on port 443, only that it is using TLS protocol version 1.2 and after that ran a test on port 21 which actually showed something interesting but nothing that rings a bell to me:

    |<2>| ASSERT: gnutls_record.c:538
    |<2>| ASSERT: gnutls_record.c:995
    |<2>| ASSERT: gnutls_handshake.c:2762
    *** Fatal error: An unexpected TLS packet was received.
    |<4>| REC: Sending Alert[2|10] - Unexpected message
    |<4>| REC[0x9664b0]: Sending Packet[1] Alert(21) with length: 2
    |<4>| REC[0x9664b0]: Sent Packet[2] Alert(21) with length: 7
    *** Handshake has failed
    GnuTLS error: An unexpected TLS packet was received.
    |<4>| REC[0x9664b0]: Epoch #0 freed
    |<4>| REC[0x9664b0]: Epoch #1 freed

    Any idea?
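
An added example, not part of the original posts and not FileZilla or pure-ftpd code: GnuTLS error -110 means the peer closed the data connection without sending the TLS close_notify alert, so the client cannot tell a complete file from a truncated one even though the server answers 226. The Python sketch below triages a FileZilla message log for that pattern; the verdict labels and the second transfer in the sample are constructed.

```python
import re

# Transfer 1 is taken from the log quoted in the post; transfer 2 is constructed for contrast.
SAMPLE_LOG = """\
Status:   Starting download of /web/Sources/ManageMail.php
Error:   GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status:   Server did not properly shut down TLS connection
Response:   226-File successfully transferred
Error:   File transfer failed after transferring 13,313 bytes in 1 second
Status:   Starting download of /web/index.php
Response:   226-File successfully transferred
Status:   File transfer successful, transferred 1,024 bytes in 1 second
"""

BYTES_RE = re.compile(r"transferr\w+ ([\d,]+) bytes")
START = "Starting download of "

def triage(log_text):
    """Return (file, verdict, bytes_received) for each download in the log."""
    transfers, cur = [], None
    for line in log_text.splitlines():
        kind, _, msg = line.strip().partition(":")
        msg = msg.strip()
        if kind == "Status" and msg.startswith(START):
            cur = {"file": msg[len(START):], "bytes": None,
                   "server_ok": False, "no_close_notify": False, "failed": False}
            transfers.append(cur)
            continue
        if cur is None:
            continue  # lines before the first transfer (login, listing)
        if kind == "Response" and msg.startswith("226"):
            cur["server_ok"] = True        # server reports the file as sent
        elif kind == "Error" and "GnuTLS error -110" in msg:
            cur["no_close_notify"] = True  # TCP closed before the TLS closure alert
        elif kind == "Error" and msg.startswith("File transfer failed"):
            cur["failed"] = True
        m = BYTES_RE.search(msg)
        if m:
            cur["bytes"] = int(m.group(1).replace(",", ""))
    results = []
    for t in transfers:
        # Server says 226 while the client saw no close_notify: the two ends disagree.
        verdict = ("unclean-tls-shutdown" if t["no_close_notify"] and t["server_ok"]
                   else "other-failure" if t["failed"] or t["no_close_notify"]
                   else "ok")
        results.append((t["file"], verdict, t["bytes"]))
    return results
```
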
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Reminds me of another post on the forums recently, and IIRC, the solution (or recommendation?) was to generate a new certificate for the server.
  3. Elayne

    Elayne Member

    Yes, I also thought of that, but it sounds kinda non-logical, because as I said previously I can transfer some files but others I can't, and if the certificate itself was the problem it would be for every connection and file, wouldn't it? Seems like I don't have much of a choice and I have to try it... any other possible solution? I could easily try to restart the server but I'm willing to fix the problem as it's happening so I can know what causes it. By the way, restarting pureftpd doesn't fix it.

    Edit -------------------------------------------

    Generated a new certificate and the problem remains. Deleted the job queue for certain files and issued them to get downloaded again but the problem occurs again. It's like the SSL certificate is securing the information irreversibly.
    Last edited: Apr 27, 2016
  4. gbe

    gbe New Member HowtoForge Supporter

    Hey Elayne, did you ever manage to solve this?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    To resolve this you'll need to compile pure-ftpd on your own. Read more about it here:

    Your server may also need OpenSSL 1.1.1 too.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There are actually several options to resolve or work around the issue:

    1) Use a different FTP client.
    2) Switch back to the prior FileZilla version.
    3) Compile a newer pure-ftpd-mysql version.
    4) On Debian and Ubuntu: Try to install a precompiled version which has this patch inside via apt pinning as the version from Debian 10 should not be affected and the version from latest Ubuntu 19.04 or upcoming 19.10 might work too.