Pure-FTPd Breaks with OpenSSL v1.1.1
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pure-ftpd (Debian) | Fix Released | Unknown | | |
| pure-ftpd (Ubuntu) | | Undecided | Unassigned | |
| Bionic | | Undecided | Unassigned | |
| Disco | | Undecided | Unassigned | |
| Eoan | | Undecided | Unassigned | |
Bug Description
Secure (TLS) connections to Pure-FTPd do not work when the OpenSSL 1.1.1 library is installed. My installation was working perfectly until the system-wide OpenSSL 1.1.1 update was made available a couple days ago. Now, after running apt upgrade, clients are unable to establish TLS connections, as the TLS negotiation tries a couple times and then cancels out.
The current stable version of Pure-FTPd from the developer is 1.0.49, but the apt repository only has version 1.0.46. According to the patch notes (https:/
Ubuntu Server version:
Description: Ubuntu 18.04.2 LTS
Release: 18.04
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: pure-ftpd-mysql 1.0.46-1build1
ProcVersionSign
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Sun Jun 16 16:51:56 2019
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: pure-ftpd
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
mtime.conffile.
Michael Lake (beornlake) wrote : | #1 |
summary: |
- Pure-FTPd Breaks with OpenSSL v1.1.x
+ Pure-FTPd Breaks with OpenSSL v1.1.1
description: | updated |
Florin (flopppy) wrote : | #4 |
Latest version of Filezilla has issues connecting to pure-ftpd-mysql server. I hope this package will be updated any time soon to fix the issue.
Melc Sokat (melcu) wrote : | #5 |
I also have this issue.
shimizu (shimizu-r-hiroaki) wrote : | #6 |
I hope this package will be updated any time soon to fix the issue.
Hugo Ankarloo (hugoa) wrote : | #7 |
I'm still experiencing this issue. I hope it will be fixed soon.
Datapro Services (it-iizj) wrote : | #8 |
Just encountered this.
Ubuntu 18.04 server.
Version in repo: pure-ftpd-
TLS completely broken in this version.
Can confirm that manually installing packages from Ubuntu 19.04 repo fixes issues for me.
```
wget http://
wget http://
dpkg -i pure-ftpd-
```
TLS now working in Pure-FTPd
```
apt-cache policy pure-ftpd-common
pure-ftpd-common:
Installed: 1.0.47-3
Candidate: 1.0.47-3
Version table:
*** 1.0.47-3 100
100 /var/lib/
1.0.46-1build1 500
500 http://
```
Jean-Philippe (jean-philippe-f) wrote : | #9 |
It's strange, I didn't have the pure-ftpd-mysql.
So I tried the @Datapro Services solution without the Mysql package and I always got the same error message.
I exactly followed the instructions of @Datapro Services and it works.
Maybe the workaround will just consist in adding the pure-ftpd-mysql packet as a version of the repository?
Almas (almasd) wrote : | #10 |
Thank you @Datapro Services (it-iizj)
It worked. :)
Also for me @Datapro Services solution worked for me
Thank you!
Stephan C (optimaco) wrote : | #12 |
@Jean-Philippe (jean-philippe-f):
The solution from @Datapro Services (it-iizj) also works for the standard package without mysql. You just need to get pure-ftpd instead of pure-ftpd-mysql.
```
wget http://
wget http://
dpkg -i pure-ftpd-
```
Thanks @Datapro Services (it-iizj) !
Stephan C (optimaco) wrote : | #13 |
@Florin (flopppy):
Note that older versions of FileZilla client can connect to pure-ftpd 1.0.46 without any TLS issue.
This is because FileZilla introduced support for TLS 1.3 in their client version 3.40.0 by linking against GnuTLS 3.6.6. TLS 1.3 is not handled properly in pure-ftpd 1.0.46.
https:/
So using versions of FileZilla prior to 3.40.0 (e.g. 3.28, 3.25.2) may be a workaround for the clients, although not a very nice one....
tags: | added: regression-update |
Dimitri John Ledkov (xnox) wrote : | #14 |
If one limits via openssl.cnf to use maximum TLS v1.2 does that make pure-ftpd work with all clients?
Ie. Apply https:/
Dimitri John Ledkov (xnox) wrote : | #15 |
For context:
https:/
simple compat to tlsv1.3 causes regressions and data-loss.
disabling tlsv1.3 makes things work.
upstream fixed this properly in .48 which we don't have yet.
and fedora did backport of all the things to .47 to have both tlsv1.3 & no data-loss.
I think .48 should be packaged for eoan or possibly ff-series, whilst tlsv1.3 is disabled everywhere. Unless fedora patches apply cleanly onto .46
Dimitri John Ledkov (xnox) wrote : | #16 |
I'd recommend to ship https:/
Florin (flopppy) wrote : | #17 |
@Dimitri John Ledkov (xnox)
Thank you for jumping into this.
To test for comment #14, I updated openssl.cnf on Ubuntu 18.04 to use maximum TLS v1.2 (using the configs from the patch provided there) and it seems pureftpd is working now with latest filezilla client.
tags: | added: bionic-openssl-1.1 |
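A check for the workaround tested in comments #14 and #17, as an added example that is not part of the bug thread or of the Pure-FTPd or Ubuntu packaging: it follows the `openssl_conf` → `ssl_conf` → `system_default` chain in an openssl.cnf and reports the effective `MaxProtocol`. The function names, the section names and both sample files are assumptions constructed for illustration.

```python
import re

# Constructed sample: an openssl.cnf carrying the TLS 1.2 cap from comments #14 and #17.
# Section names follow a common layout and are assumptions, not taken from the linked patch.
SAMPLE_CAPPED = """\
openssl_conf = default_conf   # top-level key, before any [section]
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MaxProtocol = TLSv1.2
"""

# Constructed sample: no ssl_conf chain, so the library default (TLS 1.3 allowed) applies.
SAMPLE_UNCAPPED = """\
HOME = .
[req]
default_bits = 2048
"""

def parse_openssl_cnf(text):
    """Parse name=value pairs per section; keys before any header go in 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_max_protocol(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return MaxProtocol, or None."""
    sections = parse_openssl_cnf(text)
    name = sections["default"].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key) if name else None
    return sections.get(name, {}).get("MaxProtocol") if name else None

def tls13_disabled(text):
    """True when the system-wide default caps negotiation below TLS 1.3."""
    return system_default_max_protocol(text) in {"TLSv1", "TLSv1.1", "TLSv1.2"}

if __name__ == "__main__":
    print(system_default_max_protocol(SAMPLE_CAPPED), tls13_disabled(SAMPLE_UNCAPPED))
```

A `None` result means no system-wide cap is configured, which is the state in which a TLS 1.3-capable client hits the failure described in this bug against pure-ftpd 1.0.46.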
Florin (flopppy) wrote : | #18 |
Should we expect a new version of pure-ftpd for 18.04 any time soon?
Angry clients using filezilla are stressing me every day. :)
If not possible, will need to use a workaround of the ones mentioned in comments #8 or #14 to update production servers.
Changed in pure-ftpd (Debian): | |
status: | Unknown → New |
Sebastien Bacher (seb128) wrote : | #19 |
I've tried to backport the same patches as fc29 did, if anyone wants to give a try to this version
https:/
Changed in pure-ftpd (Debian): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #20 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in pure-ftpd (Ubuntu Bionic): | |
status: | New → Confirmed |
Changed in pure-ftpd (Ubuntu Disco): | |
status: | New → Confirmed |
Andrew (andrew-ubu19) wrote : | #22 |
I'm still experiencing this issue. I hope it will be fixed soon.
Dimitri John Ledkov (xnox) wrote : | #23 |
I think we want to backport https:/
Changed in pure-ftpd (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in pure-ftpd (Ubuntu Disco): | |
status: | Confirmed → Won't Fix |
status: | Won't Fix → Fix Released |
Changed in pure-ftpd (Ubuntu Eoan): | |
status: | Confirmed → Fix Released |
Sebastien Bacher (seb128) wrote : | #24 |
Reminder about the ppa mentioned in the previous comment which is a candidate fix if someone cares about the problem on bionic and would like to see it resolved by a stable update
Matteo Bonora (smart-mbonora) wrote : | #25 |
I've tested the version in comment #19 and it seems ok!
Sebastian Werner (blackw1ng) wrote : | #26 |
I have just verified on Ubuntu 18.04.5 LTS, after hunting down the "[ERROR] TLS renegociation" issue.
#19 ppa version fixed this issue... after a longer client-side debug session, that turned out to be a server-side thingie.