Public bug reported:

Binary package hint: proftpd-basic

Hi,

Due to a bug in proftpd v1.3.2c, clients fail to connect to the server since the server is abruptly disconnecting when a renegotiation is initiated by the client. The disconnecting is however a "freshly" added security feature, so that part should be considered normal.

The problem occurs when you try to disable this function (which has to be done since (at least) the commonly used FileZilla Client is not able to handle this yet). The TLSOptions AllowClientRenegotiations doesn't work and that, I read somewhere, is due to something regarding the openssl version presently used in Ubuntu 10.04.

(I made an attempt to move my up and running FTP server from Ubuntu 9.10 to 10.04. This issue has however made me regroup to 9.10 again.)

I'm adding as much info as I can.

I believe that this issue is fixed in the later versions of proftpd. The version 1.3.2e released 24 Feb 2010 would probably be the wise choice!

Best regards
Claes Löfqvist

OUTPUT FROM: lsb_release -rd
============================
Description: Ubuntu 10.04 LTS
Release: 10.04

OUTPUT FROM: uname -a
=====================
Linux myserver 2.6.32-22-generic-pae #33-Ubuntu SMP Wed Apr 28 14:57:29 UTC 2010 i686 GNU/Linux

OUTPUT FROM: apt-cache policy proftpd-basic
==================================
proftpd-basic:
  Installed: 1.3.2c-1
  Candidate: 1.3.2c-1
  Version table:
 *** 1.3.2c-1 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

OUTPUT FROM: apt-cache policy openssl
==================================
openssl:
  Installed: 0.9.8k-7ubuntu8
  Candidate: 0.9.8k-7ubuntu8
  Version table:
 *** 0.9.8k-7ubuntu8 0
        500 http://se.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

TAIL OF: /var/log/proftpd/proftpd.log
=====================================
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): USER AUser: Login successful.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.

TAIL OF: /var/log/proftpd/tls.log
=================================
May 14 12:15:43 mod_tls/2.2.2[3826]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 14 12:15:43 mod_tls/2.2.2[3826]: TLS/TLS-C requested, starting TLS handshake
May 14 12:15:43 mod_tls/2.2.2[3826]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 14 12:15:43 mod_tls/2.2.2[3826]: Protection set to Private
May 14 12:15:43 mod_tls/2.2.2[3826]: starting TLS negotiation on data connection
May 14 12:15:43 mod_tls/2.2.2[3826]: warning: client-initiated session renegotiation detected, aborting connection

EXCERPT FROM: /etc/proftpd/tls.conf
===================================
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
TLSOptions AllowClientRenegotiations

LOG FROM: FileZilla Client (v3.3.2.1)
====================================
Status: Connecting to 192.168.0.202:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2c Server ready.
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER AUser
Status: TLS/SSL connection established.
Response: 331 Password required for AUser
Command: PASS **************
Response: 230 User AUser logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: MFMT
Response: AUTH TLS
Response: UTF8
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: PBSZ
Response: PROT
Response: REST STREAM
Response: LANG en-US.UTF-8*
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,202,194,196).
Command: MLSD
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Response: 150 Opening ASCII mode data connection for MLSD
Error: Connection closed by server

LINKS
=====
Someone seems to have reported a similar issue to our Debian friends:
http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/77251f6bd43af40a

** Affects: proftpd-dfsg (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: allowclientrenegotiations proftpd tls

-- 
proftpd 1.3.2c with SSL is useless in Ubuntu 10.04
https://bugs.launchpad.net/bugs/580512
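
Added example, not part of the original report: a Python sketch that scans proftpd.log lines in the format shown above and lists the sessions mod_tls aborted because of a client-initiated renegotiation, with client address and logged-in user, so an administrator can see which clients the CVE-2009-3555 mitigation is cutting off. The sample log is constructed from the excerpt in the report plus one unaffected session (PID 3901, user BUser) that is an assumption added for contrast.

```python
import re

# Constructed sample: the proftpd.log excerpt from the report plus one
# unaffected session (PID 3901, user BUser) added for contrast.
SAMPLE_LOG = """\
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session opened.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): USER AUser: Login successful.
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): mod_tls/2.2.2: client-initiated session renegotiation detected, aborting connection
May 14 12:15:43 myserver proftpd[3826] myserver.example.com (192.168.0.2[192.168.0.2]): FTP session closed.
May 14 12:20:01 myserver proftpd[3901] myserver.example.com (192.168.0.7[192.168.0.7]): FTP session opened.
May 14 12:20:02 myserver proftpd[3901] myserver.example.com (192.168.0.7[192.168.0.7]): USER BUser: Login successful.
May 14 12:24:10 myserver proftpd[3901] myserver.example.com (192.168.0.7[192.168.0.7]): FTP session closed.
"""

# Matches proftpd.log session lines only; tls.log uses a different prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]\): (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^USER (?P<user>\S+): Login successful\.")
RENEG_MARKER = "client-initiated session renegotiation detected"


def find_renegotiation_aborts(log_text):
    """Return one record per session that mod_tls aborted on renegotiation."""
    current = {}   # pid -> record of the session currently using that PID
    aborted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or differently formatted line
        pid, msg = m["pid"], m["msg"]
        # PIDs get reused, so a new "session opened" starts a fresh record.
        if msg.startswith("FTP session opened") or pid not in current:
            current[pid] = {"pid": pid, "ip": m["ip"], "user": None, "aborted_at": None}
        rec = current[pid]
        login = LOGIN_RE.match(msg)
        if login:
            rec["user"] = login["user"]
        elif RENEG_MARKER in msg and rec["aborted_at"] is None:
            rec["aborted_at"] = m["ts"]
            aborted.append(rec)
    return aborted


if __name__ == "__main__":
    for rec in find_renegotiation_aborts(SAMPLE_LOG):
        print("%(aborted_at)s pid=%(pid)s ip=%(ip)s user=%(user)s" % rec)
```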