Package: lftp
Version: 4.6.0-1+deb8u1
Severity: important

After upgrading from wheezy to jessie I tried to upload a backup onto a backup server using FTPES. This failed with "425 Unable to build data connection: Operation not permitted".
I tried a simple "ls" after that, which still failed. Curl was able to connect successfully, so it couldn't have been the server. After that I downloaded lftp 4.6.2-1 from stretch, installed it and it worked correctly. So I assume 4.6.0-1+deb8u1 does something wrong when trying to establish the data connection, maybe something to do with SSL session reuse, since that's the most common error that comes up when googling the error message.

Transcript and error messages attached.

--
regards,
brainpower

server:~ # lftp --debug -u u#####,################ u#####.your-backup.de
lftp u#####@u#####.your-backup.de:~> ls
---- Verbinde mit u#####.your-backup.de (2a01:4f8:b10:1000::##) Port 21
<--- 220 ProFTPD 1.3.5 Server (Hetzner Backup) [2a01:4f8:b10:1000::##]
---> FEAT
<--- 211-Features:
<--- CCC
<--- PBSZ
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- REST STREAM
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- UTF8
<--- EPRT
<--- EPSV
<--- LANG zh-CN.UTF-8;zh-CN;zh-TW.UTF-8;zh-TW;en-US.UTF-8;en-US*;es-ES.UTF-8;es-ES;it-IT.UTF-8;it-IT;ja-JP.UTF-8;ja-JP;ru-RU.UTF-8;ru-RU;bg-BG.UTF-8;bg-BG;fr-FR.UTF-8;fr-FR;ko-KR.UTF-8;ko-KR
<--- MDTM
<--- SSCN
<--- TVFS
<--- MFMT
<--- SIZE
<--- PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=GT63049255,OU=See www.rapidssl.com/resources/cps (c)14,OU=Domain Control Validated - RapidSSL(R),CN=*.your-backup.de
Issued by: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Checking against: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Issued by: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Checking against: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Issued by: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Trusted
<--- 200 Using default language en_US
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER u#####
<--- 331 Password required for u#####
---> PASS ################
<--- 230 User u##### logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> EPSV
<--- 229 Entering Extended Passive Mode (|||52613|)
---- Verbinde Daten Socket mit (2a01:4f8:b10:1000::33) Port 52613
---- Datenverbindung hergestellt
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=GT63049255,OU=See www.rapidssl.com/resources/cps (c)14,OU=Domain Control Validated - RapidSSL(R),CN=*.your-backup.de
Issued by: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Checking against: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Issued by: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Checking against: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Issued by: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Trusted
<--- 425 Unable to build data connection: Operation not permitted
---- Schließe den Daten Socket
---> EPSV
<--- 229 Entering Extended Passive Mode (|||63993|)
---- Verbinde Daten Socket mit (2a01:4f8:b10:1000::##) Port 63993
---- Datenverbindung hergestellt
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=GT63049255,OU=See www.rapidssl.com/resources/cps (c)14,OU=Domain Control Validated - RapidSSL(R),CN=*.your-backup.de
Issued by: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Checking against: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Issued by: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Checking against: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Issued by: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Trusted
<--- 425 Unable to build data connection: Operation not permitted
---- Schließe den Daten Socket
---> EPSV
<--- 229 Entering Extended Passive Mode (|||60723|)
---- Verbinde Daten Socket mit (2a01:4f8:b10:1000::##) Port 60723
---- Datenverbindung hergestellt
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=GT63049255,OU=See www.rapidssl.com/resources/cps (c)14,OU=Domain Control Validated - RapidSSL(R),CN=*.your-backup.de
Issued by: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Checking against: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Issued by: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Checking against: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Issued by: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Trusted
<--- 425 Unable to build data connection: Operation not permitted
---- Schließe den Daten Socket
---> EPSV
<--- 229 Entering Extended Passive Mode (|||61660|)
---- Verbinde Daten Socket mit (2a01:4f8:b10:1000::##) Port 61660
---- Datenverbindung hergestellt
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Abbruch
---> ABOR
---- Schließe die Datenverbindung
<--- 425 Unable to build data connection: Operation not permitted
<--- 226 Abort successful
lftp u#####@u#####.your-backup.de:/> exit
---> QUIT
<--- 221 Goodbye.
---- Schließe den Kontroll - Socket

server:~ # curl -vvv ftp://u#####:################@u#####.your-backup.de/ --ftp-ssl :(
* Hostname was NOT found in DNS cache
* Trying 2a01:4f8:b10:1000::##...
* Connected to u#####.your-backup.de (2a01:4f8:b10:1000::##) port 21 (#0)
< 220 ProFTPD 1.3.5 Server (Hetzner Backup) [2a01:4f8:b10:1000::##]
> AUTH SSL
< 234 AUTH SSL successful
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA
* Server certificate:
* subject: OU=GT63049255; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.your-backup.de
* start date: 2014-09-30 15:40:55 GMT
* expire date: 2015-10-04 18:48:05 GMT
* subjectAltName: u#####.your-backup.de matched
* issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
* SSL certificate verify ok.
> USER u#####
< 331 Password required for u#####
> PASS ################
< 230 User u##### logged in
> PBSZ 0
< 200 PBSZ 0 successful
> PROT P
< 200 Protection set to Private
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Entering Extended Passive Mode (|||53598|)
* Hostname was NOT found in DNS cache
* Trying 2a01:4f8:b10:1000::##...
* Connecting to 2a01:4f8:b10:1000::## (2a01:4f8:b10:1000::##) port 53598
* Connected to u#####.your-backup.de (2a01:4f8:b10:1000::##) port 21 (#0)
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening ASCII mode data connection for file list
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA
* Server certificate:
* subject: OU=GT63049255; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.your-backup.de
* start date: 2014-09-30 15:40:55 GMT
* expire date: 2015-10-04 18:48:05 GMT
* subjectAltName: u#####.your-backup.de matched
* issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
* SSL certificate verify ok.
drwxr-xr-x 2 u##### u##### 74 May 23 02:58 fs1
drwxr-xr-x 2 u##### u##### 524 May 23 02:58 mysql
drwxr-xr-x 2 u##### u##### 909 May 23 02:59 sc1
* SSLv3, TLS alert, Client hello (1):
* Remembering we are in dir ""
* SSLv3, TLS alert, Client hello (1):
< 226 Transfer complete
* Connection #0 to host u#####.your-backup.de left intact

server:~ # lftp --version | head 1
LFTP | Version 4.6.0 | Copyright (c) 1996-2014 Alexander V. Lukyanov

server:~ # wget http://ftp.de.debian.org/debian/pool/main/l/lftp/lftp_4.6.2-1_amd64.deb
--2015-05-25 17:17:50-- http://ftp.de.debian.org/debian/pool/main/l/lftp/lftp_4.6.2-1_amd64.deb
Auflösen des Hostnamen »ftp.de.debian.org (ftp.de.debian.org)«... 141.76.2.4
Verbindungsaufbau zu ftp.de.debian.org (ftp.de.debian.org)|141.76.2.4|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 586912 (573K) [application/x-debian-package]
In »»lftp_4.6.2-1_amd64.deb«« speichern.
lftp_4.6.2-1_amd64.deb 100%[==============================================================================>] 573,16K --.-KB/s in 0,1s
2015-05-25 17:17:50 (5,36 MB/s) - »»lftp_4.6.2-1_amd64.deb«« gespeichert [586912/586912]

server:~ # dpkg -i lftp_4.6.2-1_amd64.deb
(Lese Datenbank ... 72865 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von lftp_4.6.2-1_amd64.deb ...
Entpacken von lftp (4.6.2-1) über (4.6.0-1+deb8u1) ...
lftp (4.6.2-1) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/lftp.conf wird installiert ...
Trigger für man-db (2.7.0.2-5) werden verarbeitet ...

server:~ # lftp --debug -u u#####,################ u#####.your-backup.de
lftp u#####@u#####.your-backup.de:~> ls
---- Verbinde mit u#####.your-backup.de (2a01:4f8:b10:1000::##) Port 21
<--- 220 ProFTPD 1.3.5 Server (Hetzner Backup) [2a01:4f8:b10:1000::##]
---> FEAT
<--- 211-Features:
<--- CCC
<--- PBSZ
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- REST STREAM
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- UTF8
<--- EPRT
<--- EPSV
<--- LANG zh-CN.UTF-8;zh-CN;zh-TW.UTF-8;zh-TW;en-US.UTF-8;en-US*;es-ES.UTF-8;es-ES;it-IT.UTF-8;it-IT;ja-JP.UTF-8;ja-JP;ru-RU.UTF-8;ru-RU;bg-BG.UTF-8;bg-BG;fr-FR.UTF-8;fr-FR;ko-KR.UTF-8;ko-KR
<--- MDTM
<--- SSCN
<--- TVFS
<--- MFMT
<--- SIZE
<--- PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=GT63049255,OU=See www.rapidssl.com/resources/cps (c)14,OU=Domain Control Validated - RapidSSL(R),CN=*.your-backup.de
Issued by: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Checking against: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Issued by: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Checking against: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Issued by: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Trusted
<--- 200 Using default language en_US
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;
---> USER u#####
<--- 331 Password required for u#####
---> PASS ################
<--- 230 User u##### logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> EPSV
<--- 229 Entering Extended Passive Mode (|||64763|)
---- Verbinde Daten Socket mit (2a01:4f8:b10:1000::##) Port 64763
---- Datenverbindung hergestellt
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=GT63049255,OU=See www.rapidssl.com/resources/cps (c)14,OU=Domain Control Validated - RapidSSL(R),CN=*.your-backup.de
Issued by: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Checking against: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3
Issued by: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Checking against: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Trusted
Certificate: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
Issued by: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Trusted
---- Got EOF on data connection
---- Schließe den Daten Socket
drwxr-xr-x 2 u##### u##### 74 May 23 02:58 fs1
drwxr-xr-x 2 u##### u##### 524 May 23 02:58 mysql
drwxr-xr-x 2 u##### u##### 909 May 23 02:59 sc1
<--- 226 Transfer complete
lftp u#####@u#####.your-backup.de:/> exit
---> QUIT
<--- 221 Goodbye.
---- Schließe den Kontroll - Socket
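
Added example, not part of the original report and not lftp or ProFTPD code: a small parser for `lftp --debug` output that groups server replies per passive data connection and separates "150, then 425 under PROT P" (TCP connected, protected data channel refused) from a plain connect failure. The function names, verdict labels and sample strings are constructed for illustration, and the `tls-data-rejected` label is a heuristic that fits the reporter's session-reuse suspicion, not a confirmed root cause.

```python
import re

MARK = re.compile(r"(--->|<---|----)")   # lftp --debug message prefixes
XFER = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE", "ABOR"}
# Constructed samples in the shape of the report's transcript (flattened form).
FAILING = ("---> PROT P <--- 200 Protection set to Private ---> EPSV <--- 229 Entering "
           "Extended Passive Mode (|||52613|) ---- Datenverbindung hergestellt ---> LIST "
           "<--- 150 Opening ASCII mode data connection for file list "
           "<--- 425 Unable to build data connection: Operation not permitted")
WORKING = FAILING[:FAILING.index("<--- 425")] + "<--- 226 Transfer complete"

def events(transcript):
    """Yield (marker, text); splitting on markers also handles flattened logs."""
    parts = MARK.split(transcript)
    for mark, body in zip(parts[1::2], parts[2::2]):
        yield mark, " ".join(body.split())

def verdict(a):
    # Heuristic: 150 then 425 under PROT P = TCP connected, TLS data channel refused.
    if "425" in a["codes"]:
        refused = a["prot"] == "P" and "150" in a["codes"]
        return "tls-data-rejected" if refused else "data-connect-failed"
    return "ok" if "226" in a["codes"] else "incomplete"

def data_attempts(transcript):
    """Group server replies per passive data connection and label each attempt."""
    attempts, cur, prot, last = [], None, "C", []
    for mark, text in events(transcript):
        if mark == "--->" and text:
            last = text.upper().split()[:2]
            if last[0] in ("EPSV", "PASV"):
                cur = {"port": None, "prot": prot, "codes": []}
                attempts.append(cur)
            elif last[0] not in XFER:
                cur = None                   # any other command ends the attempt
        elif mark == "<---" and re.match(r"\d{3}", text):
            code = text[:3]
            if code == "200" and last[:1] == ["PROT"] and len(last) == 2:
                prot = last[1]               # server accepted PROT <level>
            elif cur is not None and code == "229":
                port = re.search(r"\|(\d+)\|\)", text)
                cur["port"] = int(port.group(1)) if port else None
            elif cur is not None:
                cur["codes"].append(code)
    return [dict(a, verdict=verdict(a)) for a in attempts]

if __name__ == "__main__":
    print([[a["verdict"] for a in data_attempts(log)] for log in (FAILING, WORKING)])
```
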

