Public bug reported:

Binary package hint: proftpd-basic

Hi,

Due to a bug in proftpd v1.3.2c clients fail to connect to the server since the 
server is abruptly disconnecting when a renegotiation is initiated by the 
client. The disconnecting is however a "freshly" added security feature so that 
part should be considered normal.
The problem occurs when you try to disable this function (which has to be done 
since (at least) the commonly used FileZilla Client is not able to handle this 
yet). The TLSOptions AllowClientRenegotiations doesn't work and that, I read 
somewhere, is due to something regarding the openssl version presently used 
in Ubuntu 10.04.

(I made an attempt to move my up and running FTP server from Ubuntu 9.10
to 10.04. This issue has however made me regroup to 9.10 again.)

I'm adding as much info as I can. I believe that this issue is fixed in
the later versions of proftpd. The version 1.3.2e released 24 Feb 2010
would probably be the wise choice!


Best regards  Claes Löfqvist


OUTPUT FROM: lsb_release -rd
============================
Description:    Ubuntu 10.04 LTS
Release:        10.04


OUTPUT FROM: uname -a
=====================
Linux myserver 2.6.32-22-generic-pae #33-Ubuntu SMP Wed Apr 28 14:57:29 UTC 2010 i686 GNU/Linux


OUTPUT FROM: apt-cache policy proftpd-basic
==================================
proftpd-basic:
  Installed: 1.3.2c-1
  Candidate: 1.3.2c-1
  Version table:
 *** 1.3.2c-1 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status


OUTPUT FROM: apt-cache policy openssl
==================================
openssl:
  Installed: 0.9.8k-7ubuntu8
  Candidate: 0.9.8k-7ubuntu8
  Version table:
 *** 0.9.8k-7ubuntu8 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status


TAIL OF: /var/log/proftpd/proftpd.log
=====================================
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): USER AUser: Login successful.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.


TAIL OF: /var/log/proftpd/tls.log
=================================
May 14 12:15:43 mod_tls/2.2.2[3826]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 14 12:15:43 mod_tls/2.2.2[3826]: TLS/TLS-C requested, starting TLS handshake
May 14 12:15:43 mod_tls/2.2.2[3826]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 14 12:15:43 mod_tls/2.2.2[3826]: Protection set to Private
May 14 12:15:43 mod_tls/2.2.2[3826]: starting TLS negotiation on data connection
May 14 12:15:43 mod_tls/2.2.2[3826]: warning: client-initiated session renegotiation detected, aborting connection


EXCERPT FROM: /etc/proftpd/tls.conf
===================================
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
TLSOptions                              AllowClientRenegotiations


LOG FROM: FileZilla Client (v3.3.2.1)
====================================
Status: Connecting to 192.168.0.202:21...
Status: Connection established, waiting for welcome message...
Response:       220 ProFTPD 1.3.2c Server ready.
Command:        AUTH TLS
Response:       234 AUTH TLS successful
Status: Initializing TLS...
Status: Verifying certificate...
Command:        USER AUser
Status: TLS/SSL connection established.
Response:       331 Password required for AUser
Command:        PASS **************
Response:       230 User AUser logged in
Command:        SYST
Response:       215 UNIX Type: L8
Command:        FEAT
Response:       211-Features:
Response:        MDTM
Response:        MFMT
Response:        AUTH TLS
Response:        UTF8
Response:        MFF modify;UNIX.group;UNIX.mode;
Response:        MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response:        PBSZ
Response:        PROT
Response:        REST STREAM
Response:        LANG en-US.UTF-8*
Response:        SIZE
Response:       211 End
Command:        OPTS UTF8 ON
Response:       200 UTF8 set to on
Command:        PBSZ 0
Response:       200 PBSZ 0 successful
Command:        PROT P
Response:       200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command:        PWD
Response:       257 "/" is the current directory
Command:        TYPE I
Response:       200 Type set to I
Command:        PASV
Response:       227 Entering Passive Mode (192,168,0,202,194,196).
Command:        MLSD
Error:  GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Response:       150 Opening ASCII mode data connection for MLSD
Error:  Connection closed by server

LINKS
=====
Someone seems to have reported a similar issue to our Debian friends:
http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/77251f6bd43af40a

** Affects: proftpd-dfsg (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: allowclientrenegotiations proftpd tls

-- 
proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
https://bugs.launchpad.net/bugs/580512
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
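
Added example, not part of the original report: a small triage script that finds sessions which mod_tls aborted because of client-initiated renegotiation and lists the affected client and user, so an administrator can see which clients the CVE-2009-3555 mitigation is cutting off. The sample log is constructed in the format of the proftpd.log excerpt above; the function names are hypothetical, and records hard-wrapped by a mail client are rejoined before parsing.

```python
import re

# Constructed sample in the proftpd.log format quoted in the report:
# one aborted session (with a hard-wrapped record) and one healthy session.
SAMPLE_LOG = """\
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): USER AUser: Login successful.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com
(192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session
renegotiation detected, aborting connection
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.
May 14 12:20:02 myserver proftpd[3901] myserver.example.com (192.168.0.7[192.168.0.7]): USER BUser: Login successful.
May 14 12:25:10 myserver proftpd[3901] myserver.example.com (192.168.0.7[192.168.0.7]): FTP session closed.
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<client>[^\[\]]+)\[[^\]]*\]\): (?P<msg>.*)$"
)
LOGIN = re.compile(r"^USER (?P<user>\S+): Login successful")
ABORT = "client-initiated session renegotiation detected"


def unwrap(text):
    """Join continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def renegotiation_aborts(text):
    """Return one dict per session that mod_tls aborted on renegotiation."""
    users, hits = {}, []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        login = LOGIN.match(m["msg"])
        if login:
            users[m["pid"]] = login["user"]  # remember who owns this session
        elif ABORT in m["msg"]:
            hits.append({"time": m["ts"], "pid": m["pid"], "client": m["client"],
                         "user": users.get(m["pid"])})
    return hits
```
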
