TLS broken

Bug #499854 reported by Christian Roessner
This bug affects 5 people
Affects: pure-ftpd (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: pure-ftpd

While pure-ftpd was working flawlessly in Jaunty, it is broken in Karmic:

/usr/sbin/pure-ftpd-ldap-virtualchroot -l ldap:/etc/pure-ftpd/db/ldap.conf -l pam -c 50 -b -u 1000 -U 133:022 -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -8 UTF-8 -j -I 15 -p 18188:18240 -A -C 10 -E -Z -B

With TLS enabled, a client can connect, auth, but gets no directory listing. Without TLS, it is working.

Debug-output:

WITH TLS:
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [auth] [TLS]
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [user] [de10000]
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [pass] [<*>]
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] de10000 is now logged in
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pbsz] [0]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [prot] [P]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [feat] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [opts] [UTF8 ON]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [noop] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [cwd] [/]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [syst] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [stat] [/]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [port] [192,168,1,10,192,40]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pasv] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [mlsd] []
Dec 23 15:28:36 www pure-ftpd: (<email address hidden>) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem]: error:00000000:lib(0):func(0):reason(0)
Dec 23 15:28:36 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:28:36 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [auth] [TLS]
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [user] [de10000]
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [pass] [<*>]
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] de10000 is now logged in
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pbsz] [0]
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [prot] [P]
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [feat] []
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [opts] [UTF8 ON]
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pwd] []
Dec 23 15:29:14 www pure-ftpd: (<email address hidden>) [DEBUG] Command [quit] []
Dec 23 15:29:14 www pure-ftpd: (<email address hidden>) [INFO] Logout.

WITHOUT TLS:
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [user] [de10000]
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [pass] [<*>]
Dec 23 15:29:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] de10000 is now logged in
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [feat] []
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [opts] [UTF8 ON]
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [noop] []
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [cwd] [/]
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [syst] []
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [stat] [/]
Dec 23 15:29:30 www pure-ftpd: (<email address hidden>) [DEBUG] Command [quit] []
Dec 23 15:29:30 www pure-ftpd: (<email address hidden>) [INFO] Logout.

I have recreated the PEM file as described in README.TLS.gz, but this does not fix the problem. Also, no firewalls are active at the moment.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic

pure-ftpd-ldap 1.0.22-1

In 32bit environment in a KVM guest on AMD

Regards
Christian

Tags: tls
Christian Roessner (christian-roessner-net) wrote :

Hi,

Not only the TLS side to the client is broken! Also, the connection to the LDAP server does not work. I needed to install stunnel to get pure-ftpd working over SSL with the LDAP server. Very bad, because I did not want to open port 636 (old style) :-(

Any plans to fix it?

Christian

Christian Roessner (christian-roessner-net) wrote :

Fixed it:

Version 1.0.22 has a known bug with Cyberduck FTP client, which is fixed in later releases.

The TLS problem with LDAP was fixed by replacing my LDAPServer IP with LDAPServer name. So the latter one was a self-made bug.

For the first and originating bug, I rebuilt the latest version and it works pretty fine (1.0.27). I downloaded the source code, copied the debian folder and modified the changelog. After that I rebuilt the package with pdebuild --use-pbuilder-internal.

Installed the debs and everything works perfectly. If you are interested in getting the debs, let me know please.

Christian

frell (lee) wrote :

Same problem here with Transmit/Coda clients. Other clients work fine.

Can anyone confirm if this prob is gone in Lucid?

frell (lee) wrote :

To answer my own questions, Lucid seems to be shipping with 1.0.24-1 which still has this issue.

frell (lee) wrote :

Upgrading to version 1.0.28-2 using the Debian sid packages resolves this issue.

In our case it was the pure-ftpd-mysql version of this package and not the ldap version.

For any user interested in how to perform this upgrade, I've documented it at:

http://blog.leenix.co.uk/2010/04/ubuntu-karmiclucid-pure-ftpd-hangs-when.html

Jim Rhodes (jim-deadlock) wrote :

I've installed 1.0.28-2 as suggested but it's still hanging on directory request (10.4 lucid).

frell (lee) wrote :

Jim, does it only hang when you have TLS enabled in your FTP client?

Because if it hangs without TLS also, then your problem is most likely not this bug and you are having another issue.
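The traces in the bug description and the triage rule in the comment above (a listing that stalls only when TLS is negotiated points at this bug; a stall with and without TLS points elsewhere, e.g. a firewall blocking the passive port range) can be checked mechanically against a pure-ftpd debug log. The script below is an added example, not code from the bug report or from the pure-ftpd project. It parses the `(user@host) [LEVEL] ...` line format shown above, splits the log into sessions at each "New connection from" line, and flags a session as stalled when a data-channel command (MLSD, LIST, NLST, RETR, STOR, APPE) is the last thing logged, is followed directly by an `[ERROR] SSL/TLS` line, or is followed by nothing for more than an assumed 30-second threshold. The sample log is constructed for the example and modelled on the report's traces; the hostnames, the 30 s threshold and the result labels are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample in the format pure-ftpd writes with debug logging enabled,
# modelled on the traces in the bug report. Hostnames and timestamps are made up.
# Session 1: TLS + PROT P, MLSD stalls, client gives up after ~70 s.
# Session 2: plain FTP, MLSD completes and the client quits normally.
SAMPLE_LOG = """\
Dec 23 15:27:26 www pure-ftpd: (?@client.example.net) [INFO] New connection from client.example.net
Dec 23 15:27:26 www pure-ftpd: (?@client.example.net) [DEBUG] Command [auth] [TLS]
Dec 23 15:27:26 www pure-ftpd: (?@client.example.net) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:27:26 www pure-ftpd: (?@client.example.net) [DEBUG] Command [user] [de10000]
Dec 23 15:27:26 www pure-ftpd: (?@client.example.net) [DEBUG] Command [pass] [<*>]
Dec 23 15:27:26 www pure-ftpd: (?@client.example.net) [INFO] de10000 is now logged in
Dec 23 15:27:26 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [pbsz] [0]
Dec 23 15:27:26 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [prot] [P]
Dec 23 15:27:26 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [pasv] []
Dec 23 15:27:26 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [mlsd] []
Dec 23 15:28:36 www pure-ftpd: (de10000@client.example.net) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem]: error:00000000:lib(0):func(0):reason(0)
Dec 23 15:29:25 www pure-ftpd: (?@client.example.net) [INFO] New connection from client.example.net
Dec 23 15:29:25 www pure-ftpd: (?@client.example.net) [DEBUG] Command [user] [de10000]
Dec 23 15:29:25 www pure-ftpd: (?@client.example.net) [DEBUG] Command [pass] [<*>]
Dec 23 15:29:26 www pure-ftpd: (?@client.example.net) [INFO] de10000 is now logged in
Dec 23 15:29:26 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [pasv] []
Dec 23 15:29:26 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [mlsd] []
Dec 23 15:29:30 www pure-ftpd: (de10000@client.example.net) [DEBUG] Command [quit] []
Dec 23 15:29:30 www pure-ftpd: (de10000@client.example.net) [INFO] Logout.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\((?P<who>[^)]*)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
CMD_RE = re.compile(r"^Command \[(?P<cmd>\w+)\] \[(?P<arg>.*)\]$")

# Commands that open a data connection, i.e. the channel PROT P encrypts.
DATA_CMDS = {"mlsd", "list", "nlst", "retr", "stor", "appe"}
STALL_SECONDS = 30  # assumed threshold; the report's trace shows ~70 s before the client gave up

@dataclass
class Event:
    ts: datetime
    level: str
    msg: str
    cmd: Optional[str] = None
    arg: Optional[str] = None

@dataclass
class Session:
    client: str
    events: List[Event] = field(default_factory=list)
    tls: bool = False       # "SSL/TLS: Enabled ..." was logged after AUTH TLS
    prot_p: bool = False    # client asked for an encrypted data channel
    data_cmds: int = 0      # number of data-channel commands issued
    stalled: bool = False   # a data-channel command never visibly completed

def classify(s: Session) -> None:
    """Fill in the tls/prot_p/data_cmds/stalled flags from the session's events."""
    for i, ev in enumerate(s.events):
        if ev.msg.startswith("SSL/TLS: Enabled"):
            s.tls = True
        elif ev.cmd == "prot" and (ev.arg or "").upper() == "P":
            s.prot_p = True
        elif ev.cmd in DATA_CMDS:
            s.data_cmds += 1
            nxt = s.events[i + 1] if i + 1 < len(s.events) else None
            if nxt is None:
                s.stalled = True  # nothing further logged: transfer never finished
            elif nxt.level == "ERROR" and nxt.msg.startswith("SSL/TLS"):
                s.stalled = True  # TLS layer reported an (empty) error instead of completing
            elif (nxt.ts - ev.ts).total_seconds() > STALL_SECONDS:
                s.stalled = True  # long silence after the data command

def parse_sessions(log_text: str) -> List[Session]:
    """Split a pure-ftpd debug log into sessions and classify each one."""
    sessions: List[Session] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = Event(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["level"], m["msg"])
        c = CMD_RE.match(ev.msg)
        if c:
            ev.cmd, ev.arg = c["cmd"].lower(), c["arg"]
        if ev.msg.startswith("New connection from"):
            sessions.append(Session(client=m["who"].split("@", 1)[-1]))
        if not sessions:
            continue  # lines before the first "New connection" belong to no session
        sessions[-1].events.append(ev)
    for s in sessions:
        classify(s)
    return sessions

def triage(sessions: List[Session]) -> str:
    """Apply the rule from the thread: TLS-only stalls match this bug, stalls in both modes do not."""
    tls_stall = any(s.tls and s.stalled for s in sessions)
    plain_stall = any(not s.tls and s.stalled for s in sessions)
    plain_ok = any(not s.tls and s.data_cmds and not s.stalled for s in sessions)
    if tls_stall and plain_ok and not plain_stall:
        return "TLS_ONLY"       # listing stalls only over TLS: matches this bug, upgrade pure-ftpd
    if tls_stall and plain_stall:
        return "BOTH"           # stalls regardless of TLS: check firewall / passive port range
    if not tls_stall and not plain_stall:
        return "NONE"           # no stalled data transfers in the log
    return "INCONCLUSIVE"       # stalls seen, but no plain-FTP session to compare against

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for n, s in enumerate(sess, 1):
        print(f"session {n}: client={s.client} tls={s.tls} prot_p={s.prot_p} "
              f"data_cmds={s.data_cmds} stalled={s.stalled}")
    print("triage:", triage(sess))
```

Run it against a real log with `parse_sessions(open("/var/log/syslog").read())` after starting pure-ftpd with debug logging, as the reporter did; the useful comparison is one TLS session and one plain session from the same client, which is exactly what the report's two traces provide. Note that STAT on the control channel (as in the reporter's second trace) does not open a data connection and so is deliberately not counted as a data command.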

Jim Rhodes (jim-deadlock) wrote :

I'm using the standard FTP shell client (Linux NetKit (0.17)), there's nothing in the manpages about TLS so I assume it's not an option.

Jim Rhodes (jim-deadlock) wrote :

... so I think you're right, in fact I can get a listing if I connect from within my local network but not from outside, so it must be a firewall problem or something.
