Package: ftp-ssl
Version: 0.17.34+0.2-5.1
Severity: normal
Tags: patch
X-Debbugs-Cc: mnalis-debian...@voyager.hr

Dear Maintainer,

   * What led up to the situation?

Trying to upload to vsftpd server (3.0.3-12) with ftp-ssl using TLS.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Uploading via plaintext FTP works normally. Tried changing vsftpd options -
did not help.
Fixing the ftp-ssl code helped.

   * What was the outcome of this action?

File uploads, but returns error "426 Failure reading network stream."

   * What outcome did you expect instead?

File uploads cleanly, without errors.

Here is an example transaction:

tekko% date > test.txt
tekko% ls -l test.txt
-rw-r--r-- 1 test test 30 Jul 21 02:34 test.txt
tekko% ftp-ssl -z secure ftp.example.org
Connected to ftp.example.org.
220 Welcome to VSFTPD
Name (ftp.example.org:test): test
234 Proceed with negotiation.
[SSL Cipher TLS_AES_256_GCM_SHA384]
200 PBSZ set to 0.
200 PROT now Private.
[Encrypted data transfer.]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> put test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (195,190,136,132,242,251).
150 Ok to send data.
426 Failure reading network stream.
30 bytes sent in 0.00 secs (770.9705 kB/s)
ftp> dir test.txt
227 Entering Passive Mode (195,190,136,132,240,196).
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            30 Jul 21 02:35 test.txt
226 Directory send OK.
ftp>

I've looked up the ftp-ssl source, as well as the official docs, and did
some debugging.

The problem seems to be that ftp-ssl is closing the file descriptor before
doing SSL_shutdown(), thus losing unsent SSL data, which vsftpd then
complains about.

So when SSL_shutdown() does run in the ftp-ssl code, it then returns -1 as
the socket is already gone.  According to the docs at
https://linux.die.net/man/3/ssl_shutdown, the client should first call
SSL_shutdown() (twice if needed), and only then should the socket be
closed.  The attached patch does so as the documentation directs, and thus
fixes the problem for me - uploads now finish with the regular
"226 Transfer complete."


-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages ftp-ssl depends on:
ii  libc6      2.31-12
ii  libedit2   3.1-20191231-2+b1
ii  libssl1.1  1.1.1k-1
ii  netbase    6.3

ftp-ssl recommends no packages.

ftp-ssl suggests no packages.

-- no debconf information
--- netkit-ftp-ssl-0.17.34+0.2/ftp/ftp.c.orig   2021-07-21 02:59:00.000000000 
+0200
+++ netkit-ftp-ssl-0.17.34+0.2/ftp/ftp.c        2021-07-21 02:59:30.632103435 
+0200
@@ -947,18 +947,20 @@
                INTON;
        }
        INTOFF;
-       (void) fclose(dout);
-       dout = NULL;
 
 #ifdef USE_SSL
        if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
-           SSL_shutdown(ssl_data_con);
+           fflush(dout);
+           if (SSL_shutdown(ssl_data_con) == 0) SSL_shutdown(ssl_data_con);
            SSL_free(ssl_data_con);
            ssl_data_active_flag=0;
            ssl_data_con=NULL;
        }
 #endif /* USE_SSL */
 
+       (void) fclose(dout);
+       dout = NULL;
+
        /* closes data as well, so discard it */
        data = -1;
        INTON;
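
Review bot: the return values in the new shutdown sequence are all discarded, at `if (SSL_shutdown(ssl_data_con) == 0) SSL_shutdown(ssl_data_con);` and at `fflush(dout);`. A -1 from the first SSL_shutdown() call, or any failure of the second, is still silent, so a transfer whose close_notify exchange failed looks the same to the user as a clean one. Suggest checking the result (SSL_get_error() on the failing call) and printing a diagnostic before SSL_free(). Also note that this block sits between INTOFF and INTON: on a blocking socket the second SSL_shutdown() waits for the server's close_notify, so it is worth confirming that a peer which never answers cannot leave the client stuck with interrupts deferred. As a style point, putting the second call on its own line with braces would match the surrounding block.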
