proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
proftpd-dfsg (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: proftpd-basic
Hi,
Due to a bug in proftpd v1.3.2c, clients fail to connect to the server, since the server abruptly disconnects when a renegotiation is initiated by the client. The disconnect is, however, a "freshly" added security feature, so that part should be considered normal.
The problem occurs when you try to disable this function (which has to be done since (at least) the commonly used FileZilla Client is not able to handle this yet). The TLSOptions AllowClientRene
(I made an attempt to move my up and running FTP server from Ubuntu 9.10 to 10.04. This issue has however made me regroup to 9.10 again.)
I'm adding as much info as I can. I believe that this issue is fixed in later versions of proftpd. Version 1.3.2e, released 24 Feb 2010, would probably be the wise choice!
Best regards Claes Löfqvist
OUTPUT FROM: lsb_release -rd
=======
Description: Ubuntu 10.04 LTS
Release: 10.04
OUTPUT FROM: uname -a
=======
Linux myserver 2.6.32-
OUTPUT FROM: apt-cache policy proftpd-basic
=======
proftpd-basic:
Installed: 1.3.2c-1
Candidate: 1.3.2c-1
Version table:
*** 1.3.2c-1 0
500 http://
100 /var/lib/
OUTPUT FROM: apt-cache policy openssl
=======
openssl:
Installed: 0.9.8k-7ubuntu8
Candidate: 0.9.8k-7ubuntu8
Version table:
*** 0.9.8k-7ubuntu8 0
500 http://
100 /var/lib/
TAIL OF: /var/log/
=======
May 14 12:15:43 myserver proftpd[3826] myserver.
May 14 12:15:43 myserver proftpd[3826] myserver.
May 14 12:15:43 myserver proftpd[3826] myserver.
May 14 12:15:43 myserver proftpd[3826] myserver.
TAIL OF: /var/log/
=======
May 14 12:15:43 mod_tls/
May 14 12:15:43 mod_tls/
May 14 12:15:43 mod_tls/
May 14 12:15:43 mod_tls/
May 14 12:15:43 mod_tls/
May 14 12:15:43 mod_tls/
EXCERPT FROM: /etc/proftpd/
=======
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
TLSOptions AllowClientRene
LOG FROM: FileZilla Client (v3.3.2.1)
=======
Status: Connecting to 192.168.0.202:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2c Server ready.
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER AUser
Status: TLS/SSL connection established.
Response: 331 Password required for AUser
Command: PASS **************
Response: 230 User AUser logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: MFMT
Response: AUTH TLS
Response: UTF8
Response: MFF modify;
Response: MLST modify*
Response: PBSZ
Response: PROT
Response: REST STREAM
Response: LANG en-US.UTF-8*
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (192,168,
Command: MLSD
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Response: 150 Opening ASCII mode data connection for MLSD
Error: Connection closed by server
LINKS
=====
Someone seems to have reported a similar issue to our Debian friends:
http://
Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Fix Released
I found a link to a Debian bug that might help: bugs.debian.org/cgi-bin/bugreport.cgi?bug=558597#30
http://
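The report shows the pattern a practitioner needs to recognise quickly: the control connection negotiates TLS and authenticates fine, PROT P is accepted, and only the protected data connection (the MLSD listing) is torn down by the server. The following Python script is an added example and is not code from the report, from ProFTPD or from FileZilla. It does two things: it triages a FileZilla-style log (a constructed excerpt modelled on the one above, with a placeholder PASV address) and reports at which stage the session failed, and it reproduces the same command sequence against a live server with the standard-library `ftplib.FTP_TLS` client so the behaviour can be re-checked after a configuration or package change. Host, user and password are assumptions. One caveat worth keeping in mind when weighing the workaround the report describes: re-allowing client-initiated renegotiation restores the CVE-2009-3555 plaintext-injection exposure that the drop was added to block; the durable fix is a server and OpenSSL that implement RFC 5746 secure renegotiation (OpenSSL gained that in 0.9.8m, so the 0.9.8k shown in the report predates it), which is in line with the reporter's suggestion of a newer proftpd.

```python
"""Triage an FTPS client log and optionally reproduce the exchange.

Added example for this bug report; not ProFTPD, FileZilla or Ubuntu code.
"""
import re
import ssl
from ftplib import FTP_TLS, error_perm

# Constructed log excerpt modelled on the FileZilla log in the report.
# The PASV address/port and the user name are placeholders.
SAMPLE_LOG = """\
Status: Connecting to 192.168.0.202:21...
Response: 220 ProFTPD 1.3.2c Server ready.
Command: AUTH TLS
Response: 234 AUTH TLS successful
Command: USER AUser
Status: TLS/SSL connection established.
Response: 331 Password required for AUser
Command: PASS **************
Response: 230 User AUser logged in
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,202,200,12)
Command: MLSD
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Response: 150 Opening ASCII mode data connection for MLSD
Error: Connection closed by server
"""

LINE_RE = re.compile(r"^(Status|Command|Response|Error):\s*(.*)$")
# Commands that open a second (data) connection, which under PROT P gets
# its own TLS handshake and is where the report's failure appears.
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}


def triage(log_text):
    """Walk a FileZilla-style log and record how far the session got."""
    state = {
        "server": None,          # banner text after the 220 code
        "control_tls": False,    # AUTH TLS handshake completed
        "logged_in": False,      # 230 seen
        "prot": None,            # PROT level requested (P = private)
        "data_command": None,    # last command that opened a data channel
        "data_tls_error": None,  # TLS error reported while on a data channel
        "stage": "no-connection",
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, text = m.groups()
        if kind == "Response" and text.startswith("220"):
            state["server"] = text[4:].strip()
            state["stage"] = "control-connected"
        elif kind == "Status" and "TLS/SSL connection established" in text:
            state["control_tls"] = True
            state["stage"] = "control-tls"
        elif kind == "Response" and text.startswith("230"):
            state["logged_in"] = True
            state["stage"] = "authenticated"
        elif kind == "Command":
            parts = text.split()
            verb = parts[0].upper()
            if verb == "PROT" and len(parts) > 1:
                state["prot"] = parts[1].upper()
            if verb in DATA_COMMANDS:
                state["data_command"] = verb
                state["stage"] = "data-transfer"
        elif kind == "Error" and "TLS" in text and state["data_command"]:
            state["data_tls_error"] = text
            state["stage"] = "data-tls-failed"
    return state


def verdict(state):
    """Reduce the triage state to a one-word diagnosis."""
    if state["stage"] == "data-tls-failed" and state["control_tls"]:
        return "data-tls-failed"      # control channel fine, data channel killed
    if state["logged_in"]:
        return "ok"
    if state["control_tls"]:
        return "login-failed"
    return "control-tls-failed"


def probe(host, port=21, user="anonymous", password="anon@", verify=True,
          timeout=10):
    """Reproduce AUTH TLS, login, PROT P, PASV + MLSD against a live server.

    Returns ("ok", entry_count) or ("data-channel-failure", message).
    verify=False (lab use only) accepts a self-signed server certificate.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, port)
    ftp.auth()       # AUTH TLS on the control connection
    ftp.login(user, password)
    ftp.prot_p()     # PBSZ 0 / PROT P: data connections must use TLS
    try:
        entries = list(ftp.mlsd())   # opens the protected data connection
    except (ssl.SSLError, OSError, error_perm) as exc:
        return ("data-channel-failure", str(exc))
    finally:
        try:
            ftp.quit()
        except Exception:
            pass
    return ("ok", len(entries))


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))   # diagnosis for the constructed log
```

Run it as-is to see the diagnosis for the embedded log; to check a server, call `probe("192.168.0.202", user="AUser", password="...")` and look for `("ok", n)` rather than a data-channel failure. Note that `ftplib.FTP_TLS` reuses the control connection's TLS session for data connections, so a server that behaves differently for FileZilla may still need the client log triaged separately.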