TLS broken

Bug #499854 reported by Christian Roessner on 2009-12-23
This bug affects 5 people
Affects: pure-ftpd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: pure-ftpd

While pure-ftpd was working flawlessly in Jaunty, it is broken in Karmic:

/usr/sbin/pure-ftpd-ldap-virtualchroot -l ldap:/etc/pure-ftpd/db/ldap.conf -l pam -c 50 -b -u 1000 -U 133:022 -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -8 UTF-8 -j -I 15 -p 18188:18240 -A -C 10 -E -Z -B

With TLS enabled, a client can connect, auth, but gets no directory listing. Without TLS, it is working.

Debug-output:

WITH TLS:
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [auth] [TLS]
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [user] [de10000]
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [pass] [<*>]
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] de10000 is now logged in
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pbsz] [0]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [prot] [P]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [feat] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [opts] [UTF8 ON]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [noop] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [cwd] [/]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [syst] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [stat] [/]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [port] [192,168,1,10,192,40]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pasv] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [mlsd] []
Dec 23 15:28:36 www pure-ftpd: (<email address hidden>) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem]: error:00000000:lib(0):func(0):reason(0)
Dec 23 15:28:36 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:28:36 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [auth] [TLS]
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [user] [de10000]
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [pass] [<*>]
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] de10000 is now logged in
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pbsz] [0]
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [prot] [P]
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [feat] []
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [opts] [UTF8 ON]
Dec 23 15:28:37 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pwd] []
Dec 23 15:29:14 www pure-ftpd: (<email address hidden>) [DEBUG] Command [quit] []
Dec 23 15:29:14 www pure-ftpd: (<email address hidden>) [INFO] Logout.

WITHOUT TLS:
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [user] [de10000]
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [DEBUG] Command [pass] [<*>]
Dec 23 15:29:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] de10000 is now logged in
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [feat] []
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [opts] [UTF8 ON]
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [noop] []
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [cwd] [/]
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [syst] []
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [stat] [/]
Dec 23 15:29:30 www pure-ftpd: (<email address hidden>) [DEBUG] Command [quit] []
Dec 23 15:29:30 www pure-ftpd: (<email address hidden>) [INFO] Logout.

I have recreated the PEM file as described in README.TLS.gz, but this does not fix the problem. Also, no firewalls are active at the moment.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic

pure-ftpd-ldap 1.0.22-1

In 32bit environment in a KVM guest on AMD

Regards
Christian
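The two debug traces above differ in one place: with TLS on, STAT / (answered on the control channel) still returns, while MLSD (answered over the PROT P data connection) never completes and the session ends in an SSL/TLS error instead of "Logout.". The script below is an added example, not code from pure-ftpd, that splits such a log into sessions and classifies each one so that a stalled TLS data channel is visible at a glance; it assumes only the line layout shown in the report and reuses a trimmed set of its log lines as input.

```python
"""Classify the pure-ftpd debug-log sessions from this report so that a stalled
TLS data channel stands out from a control channel that still works.

Added example, not code from pure-ftpd. It assumes only the log layout shown
in the report ("<ts> <host> pure-ftpd: (<ident>) [LEVEL] <msg>").
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\([^)]*\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
CMD_RE = re.compile(r"^Command \[(?P<verb>\w+)\] \[(?P<arg>.*)\]$")

# Listings answered over a second (data) connection, which PROT P wraps in TLS,
# versus listings answered inline on the already-encrypted control channel.
DATA_CHANNEL_LISTINGS = {"list", "nlst", "mlsd"}
CONTROL_CHANNEL_LISTINGS = {"stat", "mlst"}


@dataclass
class Session:
    started: str
    tls: bool = False
    prot_private: bool = False
    data_mode: Optional[str] = None  # port/eprt (active) or pasv/epsv (passive)
    data_listings: List[str] = field(default_factory=list)
    control_listings: List[str] = field(default_factory=list)
    ssl_errors: int = 0
    logged_out: bool = False

    def verdict(self) -> str:
        # A data-channel listing that never reaches "Logout." is the hang the
        # report describes; STAT over the control channel keeps working.
        if self.data_listings and not self.logged_out:
            return "data channel stalled" + (" under TLS" if self.tls else "")
        return "clean logout" if self.logged_out else "incomplete"


def parse_sessions(log_text: str) -> List[Session]:
    """Split the log at each 'New connection' line and record per session the
    TLS state, the data-channel mode and which listing commands were sent."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m["level"], m["msg"]
        if msg.startswith("New connection from"):
            cur = Session(started=m["ts"])
            sessions.append(cur)
        elif cur is None:
            continue
        elif level == "ERROR" and msg.startswith("SSL/TLS"):
            cur.ssl_errors += 1
        elif msg.startswith("SSL/TLS: Enabled"):
            cur.tls = True
        elif msg == "Logout.":
            cur.logged_out = True
        elif (c := CMD_RE.match(msg)) is not None:
            verb, arg = c["verb"].lower(), c["arg"]
            if verb == "prot" and arg.upper() == "P":
                cur.prot_private = True
            elif verb in ("port", "pasv", "eprt", "epsv"):
                cur.data_mode = verb
            elif verb in DATA_CHANNEL_LISTINGS:
                cur.data_listings.append(verb)
            elif verb in CONTROL_CHANNEL_LISTINGS:
                cur.control_listings.append(verb)
    return sessions


def classify(log_text: str) -> List[dict]:
    return [{"started": s.started, "tls": s.tls, "prot_p": s.prot_private,
             "data_mode": s.data_mode, "data_listings": s.data_listings,
             "control_listings": s.control_listings, "ssl_errors": s.ssl_errors,
             "verdict": s.verdict()} for s in parse_sessions(log_text)]


# Log lines taken from the report above, trimmed to the ones that drive the verdict.
SAMPLE_LOG = """\
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:27:26 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [prot] [P]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [stat] [/]
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [pasv] []
Dec 23 15:27:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [mlsd] []
Dec 23 15:28:36 www pure-ftpd: (<email address hidden>) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem]: error:00000000:lib(0):func(0):reason(0)
Dec 23 15:28:36 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:28:37 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with RC4-MD5, 128 secret bits cipher
Dec 23 15:29:14 www pure-ftpd: (<email address hidden>) [INFO] Logout.
Dec 23 15:29:25 www pure-ftpd: (?@ip-109-91-219-9.unitymediagroup.de) [INFO] New connection from ip-109-91-219-9.unitymediagroup.de
Dec 23 15:29:26 www pure-ftpd: (<email address hidden>) [DEBUG] Command [stat] [/]
Dec 23 15:29:30 www pure-ftpd: (<email address hidden>) [INFO] Logout.
"""

if __name__ == "__main__":
    for rec in classify(SAMPLE_LOG):
        print(rec["started"], "->", rec["verdict"], rec)
```

Run against the full trace, the first session comes out as "data channel stalled under TLS" with a STAT that did succeed and one SSL/TLS error, while the non-TLS session is a clean logout. Separating control-channel listings from data-channel ones is what points the diagnosis at the PROT P data connection rather than at authentication or the certificate file, which the reporter had already regenerated.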

Tags: tls

Hi,

Not only the TLS side to the client is broken! Also the connection to the LDAP server does not work. I needed to install stunnel to get pure-ftpd working over SSL with the LDAP server. Very bad, because I did not want to open port 636 (old style) :-(

Any plans to fix it?

Christian

Fixed it:

Version 1.0.22 has a known bug with Cyberduck FTP client, which is fixed in later releases.

The TLS problem with LDAP was fixed by replacing my LDAPServer IP with LDAPServer name. So the latter one was a self-made bug.

For the first and originating bug, I rebuilt the latest version and it works pretty fine (1.0.27). I downloaded the source code, copied the debian folder and modified the changelog. After that I rebuilt the package with pdebuild --use-pbuilder-internal.

Installed the debs and everything works perfectly. If you are interested in getting the debs, let me know please.

Christian
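The LDAP fix above (configuring the server by DNS name instead of IP address) is consistent with how TLS clients verify a server's identity: the address the client was given must match a name in the server certificate, and an IP literal is only compared against iPAddress entries, never against DNS names, even if the name resolves to that IP. Whether that was the actual cause here is an assumption; the example below is added here and is not code from pure-ftpd or any LDAP library. It implements the matching rule in a simplified form (RFC 6125 / RFC 2818) over constructed subjectAltName lists, and it also covers wildcard handling, which the report itself does not mention.

```python
"""Why a TLS peer reached by IP literal can fail identity verification that
succeeds by DNS name.

Added example, not code from pure-ftpd or any LDAP library. The matching rule
is a simplified form of RFC 6125 / RFC 2818, and the certificate name lists
used below are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

SanList = List[Tuple[str, str]]  # (kind, value) with kind "dns" or "ip"


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard standing for the whole left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject partial-label wildcards (f*.example.org), multi-level matches and
    # wildcards that would cover a whole public suffix (*.org).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_identity_matches(san: SanList, server_address: str) -> Tuple[bool, str]:
    """Decide whether server_address (what the client was configured with)
    is covered by the certificate's subjectAltName entries."""
    ip = _as_ip(server_address)
    if ip is not None:
        # An IP literal is only compared against iPAddress entries; a dNSName
        # that happens to resolve to that IP plays no part in the check.
        for kind, value in san:
            if kind == "ip" and _as_ip(value) == ip:
                return True, f"matched iPAddress {value}"
        return False, "client used an IP literal but the certificate has no matching iPAddress"
    for kind, value in san:
        if kind == "dns" and _dns_matches(value, server_address):
            return True, f"matched dNSName {value}"
    return False, "no dNSName entry matches the configured host name"


# Constructed certificate: issued to the directory server by DNS name only,
# the usual shape of a certificate that works by name and fails by IP.
LDAP_CERT_SAN: SanList = [("dns", "ldap.example.org"), ("dns", "*.example.org")]

if __name__ == "__main__":
    for addr in ("ldap.example.org", "dir.example.org", "192.0.2.10"):
        print(addr, "->", server_identity_matches(LDAP_CERT_SAN, addr))
```

The practical consequence for a configuration like the one in this report: when a TLS connection to a backend fails only after switching from host name to IP address (or the other way round), compare the configured address with the certificate's subjectAltName entries before suspecting the TLS stack itself. Tunnelling through stunnel or disabling certificate checks hides the symptom but also removes the identity check.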

frell (lee) wrote :

Same problem here with Transmit/Coda clients. Other clients work fine.

Can anyone confirm if this prob is gone in Lucid?

frell (lee) wrote :

To answer my own questions, Lucid seems to be shipping with 1.0.24-1 which still has this issue.

frell (lee) wrote :

Upgrading to version 1.0.28-2 using the Debian sid packages resolves this issue.

In our case it was the pure-ftpd-mysql version of this package and not the ldap version.

For any user interested in how to perform this upgrade, I've documented it at:

http://blog.leenix.co.uk/2010/04/ubuntu-karmiclucid-pure-ftpd-hangs-when.html

Jim Rhodes (jim-deadlock) wrote :

I've installed 1.0.28-2 as suggested but it's still hanging on directory request (10.4 lucid).

frell (lee) wrote :

Jim, does it only hang when you have TLS enabled in your FTP client?

Because if it hangs without TLS as well, then your problem is most likely not this bug and you are having another issue.

Jim Rhodes (jim-deadlock) wrote :

I'm using the standard FTP shell client (Linux NetKit (0.17)), there's nothing in the manpages about TLS so I assume it's not an option.

Jim Rhodes (jim-deadlock) wrote :

... so I think you're right, in fact I can get a listing if I connect from within my local network but not from outside, so it must be a firewall problem or something.
