Pure-FTPd Breaks with OpenSSL v1.1.1

Status changed to 'Confirmed' because the bug affects multiple users.

Latest version of Filezilla has issues connecting to pure-ftpd-mysql server. I hope this package will be updated any time soon to fix the issue.

I also have this issue.

I hope this package will be updated any time soon to fix the issue.

I'm still experiencing this issue. I hope it will be fixed soon.

Just encountered this.

Ubuntu 18.04 server.
Version in repo: pure-ftpd-mysql-1.0.46-1build1

TLS completely broken in this version.

Can confirm that manually installing packages from Ubuntu 19.04 repo fixes issues for me.

```
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-mysql_1.0.47-3_amd64.deb
dpkg -i pure-ftpd-common_1.0.47-3_all.deb pure-ftpd-mysql_1.0.47-3_amd64.deb
```

TLS now working in Pure-FTPd

```
apt-cache policy pure-ftpd-common
pure-ftpd-common:
  Installed: 1.0.47-3
  Candidate: 1.0.47-3
  Version table:
 *** 1.0.47-3 100
        100 /var/lib/dpkg/status
     1.0.46-1build1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic/universe amd64 Packages
```

It's strange, I didn't have the pure-ftpd-mysql.
So I tried the @Datapro Services solution without the Mysql package and I always got the same error message.
I exactly followed the instructions of @Datapro Services and it works.
Maybe the workaround will just consist in adding the pure-ftpd-mysql packet as a version of the repository?

Thanl you @Datapro Services (it-iizj)

It's worked. :)

Also for me @Datapro Services solution worked for me

Thank you!

@Jean-Philippe (jean-philippe-f):

The solution from @Datapro Services (it-iizj) also works for the standard package without mysql. You just need to get pure-ftpd instead of pure-ftpd-mysql.

```
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd_1.0.47-3_amd64.deb
dpkg -i pure-ftpd-common_1.0.47-3_all.deb pure-ftpd_1.0.47-3_amd64.deb
```
Thanks @Datapro Services (it-iizj) !

@Florin (flopppy):
Note that older versions of FileZilla client can connect to pure-ftpd 1.0.46 without any TLS issue.

This is because FileZilla introduced support for TLS 1.3 in their client version 3.40.0 by linking against GnuTLS 3.6.6. TLS 1.3 is not handled properly in pure-ftpd 1.0.46.

https://filezilla-project.org/versions.php

So using versions of FileZilla prior to 3.40.0 (e.g. 3.28, 3.25.2) may be a workaround for the clients, although not a very nice one....

If one limits via openssl.cnf to use maximum TLS v1.2 does that make pure-ftpd work with all clients?

Ie. Apply https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch to /etc/ssl/openssl.cnf

For context:

https://src.fedoraproject.org/rpms/pure-ftpd/commits/f29

simple compat to tlsv1.3 causes regressions and data-loss.
disabling tlsv1.3 makes things work.
upstream fixed this properly in .48 which we don't have yet.
and fedora did backport of all the things to .47 to have both tlsv1.3 & no data-loss.

I thik .48 should be packaged for eoan or possibly ff-series, whilst tlsv1.3 is disabled everywhere. Unless fedora patches apply cleanly onto .46

I'd recommend to ship https://src.fedoraproject.org/rpms/pure-ftpd/blob/e1d0271dd51956e4c115363285482088b8610698/f/0001-Temporarily-disable-TLSv1.3-support.patch everywhere for now.

@Dimitri John Ledkov (xnox)

Thank you for jumping into this.

To test for comment #14, I updated openssl.cnf on Ubuntu 18.04 to use maximum TLS v1.2 (using the configs from the patch provided there) and it seems pureftpd is working now with latest filezilla client.

Should we expect a new version of pure-ftpd for 18.04 any time soon?
Angry clients using filezilla are stressing me every day. :)
If not possible, will need to use a workaround of the ones mentioned in comments #8 or #14 to update production servers.

I've tried to backported the same patches as fc29 did, if anyone wants to give a try to this version
https://launchpad.net/~ubuntu-desktop/+archive/ubuntu/ppa/+build/17998128

Status changed to 'Confirmed' because the bug affects multiple users.

I'm still experiencing this issue. I hope it will be fixed soon.

I think we want to backport https://launchpad.net/ubuntu/+source/pure-ftpd/1.0.47-3 but i don't know that's enough.

Reminder about the ppa mentioned in the previous comment which is a candidate fix if someone cares about the problem on bionic and would like to see it resolved by a stable update

I've tested the version in comment #19 and it seems ok!

I have just verified on Ubuntu 18.04.5 LTS, after hunting down the "[ERROR] TLS renegociation" issue.

#19 ppa version fixed this issue... after a longer client-side debug session, that turned out to be a server-side thingie.