Pure-FTPd Breaks with OpenSSL v1.1.1

Bug #1832998 reported by Michael Lake on 2019-06-16
This bug affects 13 people
Affects Status Importance Assigned to Milestone
pure-ftpd (Debian)
Fix Released
pure-ftpd (Ubuntu)

Bug Description

Secure (TLS) connections to Pure-FTPd do not work when the OpenSSL 1.1.1 library is installed. My installation was working perfectly until the system-wide OpenSSL 1.1.1 update was made available a couple days ago. Now, after running apt upgrade, clients are unable to establish TLS connections, as the TLS negotiation tries a couple times and then cancels out.

The current stable version of Pure-FTPd from the developer is 1.0.49, but the apt repository only has version 1.0.46. According to the patch notes (https://www.pureftpd.org/project/pure-ftpd/news/), there have been some OpenSSL-related changes made since the 1.0.46 release. However, there are also some other major changes, so this may not be the case of a simple update.

Ubuntu Server version:
Description: Ubuntu 18.04.2 LTS
Release: 18.04

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: pure-ftpd-mysql 1.0.46-1build1
ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Sun Jun 16 16:51:56 2019
 PATH=(custom, no user)
SourcePackage: pure-ftpd
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.pure-ftpd.db.mysql.conf: [modified]
mtime.conffile..etc.pure-ftpd.db.mysql.conf: 2019-05-03T23:51:59.782344

Michael Lake (beornlake) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pure-ftpd (Ubuntu):
status: New → Confirmed
Michael Lake (beornlake) on 2019-06-17
summary: - Pure-FTPd Breaks with OpenSSL v1.1.x
+ Pure-FTPd Breaks with OpenSSL v1.1.1
Michael Lake (beornlake) on 2019-06-17
description: updated
Florin (flopppy) wrote :

Latest version of Filezilla has issues connecting to pure-ftpd-mysql server. I hope this package will be updated any time soon to fix the issue.

Melc Sokat (melcu) wrote :

I also have this issue.

shimizu (shimizu-r-hiroaki) wrote :

I hope this package will be updated any time soon to fix the issue.

Hugo Ankarloo (hugoa) wrote :

I'm still experiencing this issue. I hope it will be fixed soon.

Datapro Services (it-iizj) wrote :

Just encountered this.

Ubuntu 18.04 server.
Version in repo: pure-ftpd-mysql-1.0.46-1build1

TLS completely broken in this version.

Can confirm that manually installing packages from Ubuntu 19.04 repo fixes issues for me.

wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-mysql_1.0.47-3_amd64.deb
dpkg -i pure-ftpd-common_1.0.47-3_all.deb pure-ftpd-mysql_1.0.47-3_amd64.deb

TLS now working in Pure-FTPd

apt-cache policy pure-ftpd-common
  Installed: 1.0.47-3
  Candidate: 1.0.47-3
  Version table:
 *** 1.0.47-3 100
        100 /var/lib/dpkg/status
     1.0.46-1build1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic/universe amd64 Packages

Jean-Philippe (jean-philippe-f) wrote :

It's strange, I didn't have the pure-ftpd-mysql.
So I tried the @Datapro Services solution without the Mysql package and I always got the same error message.
I exactly followed the instructions of @Datapro Services and it works.
Maybe the workaround will just consist in adding the pure-ftpd-mysql packet as a version of the repository?

Almas (almasd) wrote :

Thanl you @Datapro Services (it-iizj)

It's worked. :)

Also for me @Datapro Services solution worked for me

Thank you!

Stephan C (optimaco) wrote :

@Jean-Philippe (jean-philippe-f):

The solution from @Datapro Services (it-iizj) also works for the standard package without mysql. You just need to get pure-ftpd instead of pure-ftpd-mysql.

wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd_1.0.47-3_amd64.deb
dpkg -i pure-ftpd-common_1.0.47-3_all.deb pure-ftpd_1.0.47-3_amd64.deb
Thanks @Datapro Services (it-iizj) !

Stephan C (optimaco) wrote :

@Florin (flopppy):
Note that older versions of FileZilla client can connect to pure-ftpd 1.0.46 without any TLS issue.

This is because FileZilla introduced support for TLS 1.3 in their client version 3.40.0 by linking against GnuTLS 3.6.6. TLS 1.3 is not handled properly in pure-ftpd 1.0.46.


So using versions of FileZilla prior to 3.40.0 (e.g. 3.28, 3.25.2) may be a workaround for the clients, although not a very nice one....

Robie Basak (racb) on 2019-10-08
tags: added: regression-update
Dimitri John Ledkov (xnox) wrote :

If one limits via openssl.cnf to use maximum TLS v1.2 does that make pure-ftpd work with all clients?

Ie. Apply https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch to /etc/ssl/openssl.cnf

Dimitri John Ledkov (xnox) wrote :

For context:


simple compat to tlsv1.3 causes regressions and data-loss.
disabling tlsv1.3 makes things work.
upstream fixed this properly in .48 which we don't have yet.
and fedora did backport of all the things to .47 to have both tlsv1.3 & no data-loss.

I thik .48 should be packaged for eoan or possibly ff-series, whilst tlsv1.3 is disabled everywhere. Unless fedora patches apply cleanly onto .46

Florin (flopppy) wrote :

@Dimitri John Ledkov (xnox)

Thank you for jumping into this.

To test for comment #14, I updated openssl.cnf on Ubuntu 18.04 to use maximum TLS v1.2 (using the configs from the patch provided there) and it seems pureftpd is working now with latest filezilla client.

Robie Basak (racb) on 2019-10-08
tags: added: bionic-openssl-1.1
Florin (flopppy) wrote :

Should we expect a new version of pure-ftpd for 18.04 any time soon?
Angry clients using filezilla are stressing me every day. :)
If not possible, will need to use a workaround of the ones mentioned in comments #8 or #14 to update production servers.

Changed in pure-ftpd (Debian):
status: Unknown → New
Sebastien Bacher (seb128) wrote :

I've tried to backported the same patches as fc29 did, if anyone wants to give a try to this version

Changed in pure-ftpd (Debian):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pure-ftpd (Ubuntu Bionic):
status: New → Confirmed
Changed in pure-ftpd (Ubuntu Disco):
status: New → Confirmed
Andrew (andrew-ubu19) wrote :

I'm still experiencing this issue. I hope it will be fixed soon.

Dimitri John Ledkov (xnox) wrote :

I think we want to backport https://launchpad.net/ubuntu/+source/pure-ftpd/1.0.47-3 but i don't know that's enough.

Changed in pure-ftpd (Ubuntu):
status: Confirmed → Fix Released
Changed in pure-ftpd (Ubuntu Disco):
status: Confirmed → Won't Fix
status: Won't Fix → Fix Released
Changed in pure-ftpd (Ubuntu Eoan):
status: Confirmed → Fix Released
Sebastien Bacher (seb128) wrote :

Reminder about the ppa mentioned in the previous comment which is a candidate fix if someone cares about the problem on bionic and would like to see it resolved by a stable update

Matteo Bonora (smart-mbonora) wrote :

I've tested the version in comment #19 and it seems ok!

Sebastian Werner (blackw1ng) wrote :

I have just verified on Ubuntu 18.04.5 LTS, after hunting down the "[ERROR] TLS renegociation" issue.

#19 ppa version fixed this issue... after a longer client-side debug session, that turned out to be a server-side thingie.

MKay (the-mkay) wrote :

In case you use a 32bit system, the packages in #19 will not work (they are 64bit).
Here you can read how to create your own 32bit deb packages for Ubuntu 18.04 based on the source packages of Ubuntu 20.04:

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.