[Bug 580512] Re: proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
** Changed in: proftpd-dfsg (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/580512

Title:
  proftpd 1.3.2c with SSL is useless in Ubuntu 10.04

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 580512] Re: proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
Hi and sorry for not changing the status of this bug earlier... I didn't
know I could/should do it! :-/

This issue has been solved in Ubuntu 10.10 as far as I can see. Ubuntu
10.10 is using ProFTPD version 1.3.2e and it works perfectly!

Thanks for all the input and help that has been given by so many. This is
a good and healthy community for sure!

Happy New Year!
/Claes
[Bug 580512] Re: proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
Ooh yeah, Christopher's hint nailed it! Now I can keep my system updated
again without having to repeat the proftpd downgrade procedure afterwards.
Thanks!

I guess now we just have to wait for this issue to be fixed by some
warm-hearted person. The 1.3.2e fix seems actually to have been released
by the proftpd team back in FEBRUARY, so I don't think anyone could say
that it would be overly hasty to include it now?

A NOTE to all of us downgraders (put a yellow sticker up right now)...
WHEN THIS ISSUE HAS BEEN SOLVED, DON'T FORGET TO DELETE THE DOWNGRADE PIN:

  sudo rm /etc/apt/preferences.d/proftpd

Otherwise the proftpd server will remain downgraded forever, which of
course could make this saga (yes, I'm Swedish ;) end up in security holes!

Best regards
Claes Löfqvist
[Bug 580512] Re: proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
Ahh, there it is... I knew I had read it before, but couldn't find it when
I was to report this problem. Thanks Laryllan!

Lots of information there... possible solutions seem to be: upgrading
proftpd, upgrading openssl or even downgrading proftpd.

I have now temporarily sidestepped this problem by downgrading proftpd.
The following parameters were considered in this decision:

1. I don't want to build stuff and inject it manually into my system (too
   much work to maintain securely in the long run).
2. I couldn't find an upgraded Ubuntu package of openssl (this would
   otherwise also have solved the problem. See Laryllan's link).
3. Reverting to Ubuntu 9.10 seemed like... overreacting!
4. It's a plus if an apt-get upgrade can be used to apply the proper fix
   later on.

If someone is interested in exactly how I downgraded... here come the
details:

---
STEP 1: I downloaded an older package of proftpd from the previous Ubuntu
release: http://packages.ubuntu.com/karmic/proftpd-basic
(in my case: proftpd-basic_1.3.2-3_i386.deb)

STEP 2: I then removed the proftpd installed in my system:
  sudo apt-get remove proftpd

STEP 3: Thereafter I installed the downloaded version:
  sudo dpkg --install proftpd-basic_1.3.2-3_i386.deb

STEP 4: Next I commented out the TLSOptions AllowClientRenegotiations line
in the tls.conf file:
  sudo vim /etc/proftpd/tls.conf

STEP 4b: The line now looks like this:
  #TLSOptions AllowClientRenegotiations

STEP 5: Starting the downgraded ftp server:
  sudo /etc/init.d/proftpd start

FINAL STEP: I successfully connected to my downgraded ftp server with a
FileZilla client.
---

Running apt-get upgrade now will of course upgrade and ruin what we just
accomplished. But I guess if I have to upgrade the system I just have to
redo STEPS 1, 2, 3 and 5 from above and I'm back on track again.

OUTPUT FROM: sudo apt-get remove proftpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting proftpd-basic instead of proftpd
The following packages were automatically installed and are no longer required:
  openbsd-inetd
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  proftpd-basic
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 2,187kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 56550 files and directories currently installed.)
Removing proftpd-basic ...
 * Stopping ftp server proftpd                                    [ OK ]
Processing triggers for man-db ...
Processing triggers for ureadahead ...

OUTPUT FROM FIRST ATTEMPT: sudo /etc/init.d/proftpd start
 * Starting ftp server proftpd
 - mod_tls/2.2.1: compiled using OpenSSL version 'OpenSSL 0.9.8g 19 Oct 2007' headers, but linked to OpenSSL version 'OpenSSL 0.9.8k 25 Mar 2009' library
 - Fatal: TLSOptions: : unknown TLSOption 'AllowClientRenegotiations' on line 39 of '/etc/proftpd/tls.conf'
                                                                  [fail]

OUTPUT FROM SECOND ATTEMPT (after editing tls.conf): sudo /etc/init.d/proftpd start
 * Starting ftp server proftpd
 - mod_tls/2.2.1: compiled using OpenSSL version 'OpenSSL 0.9.8g 19 Oct 2007' headers, but linked to OpenSSL version 'OpenSSL 0.9.8k 25 Mar 2009' library
                                                                  [ OK ]

LOG FROM: FileZilla Client (v3.3.2.1)
Status:   Connecting to 192.168.0.202:21...
Status:   Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2 Server ready.
Command:  AUTH TLS
Response: 234 AUTH TLS successful
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:  USER AUser
Status:   TLS/SSL connection established.
Response: 331 Password required for AUser
Command:  PASS
Response: 230 User AUser logged in
Command:  OPTS UTF8 ON
Response: 200 UTF8 set to on
Command:  PBSZ 0
Response: 200 PBSZ 0 successful
Command:  PROT P
Response: 200 Protection set to Private
Status:   Connected
Status:   Retrieving directory listing...
Command:  PWD
Response: 257 / is the current directory
Status:   Directory listing successful

OUTPUT FROM: apt-cache policy proftpd-basic
proftpd-basic:
  Installed: 1.3.2-3
  Candidate: 1.3.2c-1
  Version table:
     1.3.2c-1 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/universe Packages
 *** 1.3.2-3 0
        100 /var/lib/dpkg/status
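The following is an added example, not code from the bug thread or from the proftpd/Ubuntu packages. It is a small POSIX shell helper that automates the manual steps above (comment out the TLSOptions line the older mod_tls rejects) and then holds proftpd-basic at the downgraded 1.3.2-3 with an apt pin, so that apt-get upgrade stops undoing the downgrade; it also classifies apt-cache policy output so you can see whether the pin is in effect. The thread only names the pin file path /etc/apt/preferences.d/proftpd; its contents below (Package / Pin: version / Pin-Priority 1001) are an assumption about what "Christopher's hint" amounted to. The demo at the bottom runs on a temp directory and on the apt-cache policy output quoted above, so no root is needed.

```shell
#!/bin/sh
# Added example (not from the bug thread or the proftpd/Ubuntu packages).
# Holds proftpd-basic at the Karmic version the reporter downgraded to,
# comments out the TLSOptions line that the older mod_tls rejects, and
# classifies `apt-cache policy` output so the state of the pin is visible.
# Assumption: the pin file contents below are what the thread's
# "/etc/apt/preferences.d/proftpd" pin contains; the thread names only the path.
set -eu

PKG=proftpd-basic
HELD_VERSION=1.3.2-3

# Write an apt pin that keeps $PKG at $HELD_VERSION across apt-get upgrade.
# A priority above 1000 lets apt prefer this version even when the archive
# offers a newer one (see apt_preferences(5)). $1 is the pin file path:
# /etc/apt/preferences.d/proftpd on the real host, a temp path in the demo.
write_pin() {
    cat > "$1" <<EOF
Package: $PKG
Pin: version $HELD_VERSION
Pin-Priority: 1001
EOF
}

# Comment out an active "TLSOptions AllowClientRenegotiations" line in the
# tls.conf given as $1 (STEP 4 above). Lines already commented are untouched,
# so the function is safe to rerun.
disable_renegotiation_option() {
    sed 's/^[[:space:]]*TLSOptions[[:space:]]\{1,\}AllowClientRenegotiations/#&/' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Read `apt-cache policy $PKG` output on stdin and print one word:
#   pinned              installed and candidate are both $HELD_VERSION
#   downgraded-unpinned installed is $HELD_VERSION but apt still wants a
#                       newer candidate (the state in the output above: the
#                       next apt-get upgrade will undo the downgrade)
#   upgraded            installed equals the candidate and is not held
#   other               anything else (e.g. package not installed)
pin_state() {
    awk -v held="$HELD_VERSION" '
        /^[[:space:]]*Installed:/ { inst = $2 }
        /^[[:space:]]*Candidate:/ { cand = $2 }
        END {
            if (inst == held && cand == held)      print "pinned"
            else if (inst == held)                 print "downgraded-unpinned"
            else if (inst != "" && inst == cand)   print "upgraded"
            else                                   print "other"
        }'
}

# Demo on constructed data, no root required: a temp pin file, a one-line
# tls.conf, and the apt-cache policy output quoted in the message above.
demo_dir=$(mktemp -d)
write_pin "$demo_dir/proftpd"
printf 'TLSOptions AllowClientRenegotiations\n' > "$demo_dir/tls.conf"
disable_renegotiation_option "$demo_dir/tls.conf"
cat "$demo_dir/proftpd" "$demo_dir/tls.conf"
printf 'proftpd-basic:\n  Installed: 1.3.2-3\n  Candidate: 1.3.2c-1\n' | pin_state
rm -rf "$demo_dir"
```

On the real host, run write_pin /etc/apt/preferences.d/proftpd and disable_renegotiation_option /etc/proftpd/tls.conf as root, after which `apt-cache policy proftpd-basic | pin_state` should print `pinned` instead of `downgraded-unpinned`. The pin is a deliberate hold on a package with a known TLS problem, so once a fixed proftpd lands in the archive, delete the pin file and let apt-get upgrade move the package forward.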
[Bug 580512] [NEW] proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
Public bug reported:

Binary package hint: proftpd-basic

Hi,

Due to a bug in proftpd v1.3.2c clients fail to connect to the server,
since the server is abruptly disconnecting when a renegotiation is
initiated by the client. The disconnecting is however a freshly added
security feature, so that part should be considered normal. The problem
occurs when you try to disable this function (which has to be done since
(at least) the commonly used FileZilla client is not able to handle this
yet). The TLSOptions AllowClientRenegotiations doesn't work and that, I
read somewhere, is due to something regarding the openssl version
presently used in Ubuntu 10.04.

(I made an attempt to move my up-and-running FTP server from Ubuntu 9.10
to 10.04. This issue has however made me regroup to 9.10 again.)

I'm adding as much info as I can. I believe that this issue is fixed in
the later versions of proftpd. The version 1.3.2e released 24 Feb 2010
would probably be the wise choice!

Best regards
Claes Löfqvist

OUTPUT FROM: lsb_release -rd
Description:    Ubuntu 10.04 LTS
Release:        10.04

OUTPUT FROM: uname -a
Linux myserver 2.6.32-22-generic-pae #33-Ubuntu SMP Wed Apr 28 14:57:29 UTC 2010 i686 GNU/Linux

OUTPUT FROM: apt-cache policy proftpd-basic
proftpd-basic:
  Installed: 1.3.2c-1
  Candidate: 1.3.2c-1
  Version table:
 *** 1.3.2c-1 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

OUTPUT FROM: apt-cache policy openssl
openssl:
  Installed: 0.9.8k-7ubuntu8
  Candidate: 0.9.8k-7ubuntu8
  Version table:
 *** 0.9.8k-7ubuntu8 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

TAIL OF: /var/log/proftpd/proftpd.log
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): USER AUser: Login successful.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.

TAIL OF: /var/log/proftpd/tls.log
May 14 12:15:43 mod_tls/2.2.2[3826]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 14 12:15:43 mod_tls/2.2.2[3826]: TLS/TLS-C requested, starting TLS handshake
May 14 12:15:43 mod_tls/2.2.2[3826]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 14 12:15:43 mod_tls/2.2.2[3826]: Protection set to Private
May 14 12:15:43 mod_tls/2.2.2[3826]: starting TLS negotiation on data connection
May 14 12:15:43 mod_tls/2.2.2[3826]: warning: client-initiated session renegotiation detected, aborting connection

EXCERPT FROM: /etc/proftpd/tls.conf
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
TLSOptions AllowClientRenegotiations

LOG FROM: FileZilla Client (v3.3.2.1)
Status:   Connecting to 192.168.0.202:21...
Status:   Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2c Server ready.
Command:  AUTH TLS
Response: 234 AUTH TLS successful
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:  USER AUser
Status:   TLS/SSL connection established.
Response: 331 Password required for AUser
Command:  PASS **
Response: 230 User AUser logged in
Command:  SYST
Response: 215 UNIX Type: L8
Command:  FEAT
Response: 211-Features:
Response:  MDTM
Response:  MFMT
Response:  AUTH TLS
Response:  UTF8
Response:  MFF modify;UNIX.group;UNIX.mode;
Response:  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response:  PBSZ
Response:  PROT
Response:  REST STREAM
Response:  LANG en-US.UTF-8*
Response:  SIZE
Response: 211 End
Command:  OPTS UTF8 ON
Response: 200 UTF8 set to on
Command:  PBSZ 0
Response: 200 PBSZ 0 successful
Command:  PROT P
Response: 200 Protection set to Private
Status:   Connected
Status:   Retrieving directory listing...
Command:  PWD
Response: 257 / is the current directory
Command:  TYPE I
Response: 200 Type set to I
Command:  PASV
Response: 227 Entering Passive Mode (192,168,0,202,194,196).
Command:  MLSD
Error:    GnuTLS error -9: A TLS packet with unexpected length was received.
Status:   Server did not properly shut down
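As an added example, not part of the bug report or of proftpd: a POSIX shell/awk triage for /var/log/proftpd/proftpd.log that pulls out every session mod_tls aborted for a client-initiated renegotiation, printing the pid (which tls.log repeats in its "mod_tls/2.2.2[pid]" tag, so the two logs can be correlated) and the client address, and then counts aborts per client. Aborts hitting every client that connects point at the server-side setting (the CVE-2009-3555 mitigation with AllowClientRenegotiations ineffective, as reported above) rather than at one broken client. The lines in SAMPLE_LOG follow the format of the proftpd.log excerpt above but are constructed for the demo; the 192.168.0.7 client and the later pids are invented.

```shell
#!/bin/sh
# Added example (not part of the bug report): triage proftpd.log for the
# mod_tls "client-initiated session renegotiation detected" abort. The log
# line format follows the excerpt in the report; SAMPLE_LOG is constructed
# for the demo (the 192.168.0.7 client and pids 3841/3855 are invented).
set -eu

# Read proftpd.log on stdin and print "<pid> <client-ip>" for every session
# that mod_tls aborted for a client-initiated renegotiation. The pid is the
# "proftpd[NNNN]" tag, which tls.log repeats as "mod_tls/x.y.z[NNNN]", so
# the same session can be looked up in both logs. The client address is the
# bracketed IP in "(host[ip])".
aborted_sessions() {
    awk '
        /client-initiated session renegotiation detected, aborting connection/ {
            pid = ""; ip = ""
            if (match($0, /proftpd\[[0-9]+\]/)) pid = substr($0, RSTART + 8, RLENGTH - 9)
            if (match($0, /\[[0-9.]+\]\)/))     ip  = substr($0, RSTART + 1, RLENGTH - 3)
            print pid, ip
        }'
}

# Count aborted sessions per client address, most affected client first.
# Aborts spread across every client that connects point at the server-side
# renegotiation setting rather than at one misbehaving client.
renegotiation_aborts_by_client() {
    aborted_sessions | awk '{ c[$2]++ } END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr -k1,1
}

# Constructed sample in the format of the proftpd.log excerpt above.
SAMPLE_LOG='May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): USER AUser: Login successful.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.
May 14 12:16:10 myserver proftpd[3841] myserver.example.com (192.168.0.7[192.168.0.7]): FTP session opened.
May 14 12:16:10 myserver proftpd[3841] myserver.example.com (192.168.0.7[192.168.0.7]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:16:10 myserver proftpd[3841] myserver.example.com (192.168.0.7[192.168.0.7]): FTP session closed.
May 14 12:16:11 myserver proftpd[3855] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:16:11 myserver proftpd[3855] myserver.example.com (192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:16:11 myserver proftpd[3855] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.'

# Demo: list the aborted sessions, then the per-client counts.
printf '%s\n' "$SAMPLE_LOG" | aborted_sessions
printf '%s\n' "$SAMPLE_LOG" | renegotiation_aborts_by_client
```

On a live system, `aborted_sessions < /var/log/proftpd/proftpd.log` gives the pids to grep for in tls.log, where the matching "warning: client-initiated session renegotiation detected" line sits right after "starting TLS negotiation on data connection", which is why the FileZilla side sees the failure only at MLSD, after the control connection has already logged in.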