pure-ftpd tls connection no longer works with filezilla 3.40

Come here to discuss FileZilla and FTP in general

Moderator: Project members

Post Reply
Message
Author
quincy_jones11
500 Command not understood
Posts: 3
Joined: 2019-02-01 22:00
First name: Quincy
Last name: Jones

pure-ftpd tls connection no longer works with filezilla 3.40

#1 Post by quincy_jones11 » 2019-02-02 12:21

Hi,

Pure-ftpd 1.0.47 no longer works with tls and Filezilla 3.40.0
Filezilla 3.39.0 works fine with the same pure-ftpd and tls. Plain text works fine with Filezilla 3.40.0

There is no option to limit tls connection to a specific version in pure-ftpd.

System:
12.0-RELEASE-p2 AMD64
OpenSSL 1.1.1a-freebsd
pure-ftpd-1.0.47

nmap --script ssl-enum-ciphers --system-dns -p 21 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-02 13:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000030s latency).
Other addresses for localhost (not scanned): ::1

PORT STATE SERVICE
21/tcp open ftp
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds



Xferlog pure-ftpd when i try to loggin with filezilla 3.40:
Feb 1 22:40:47 gw pure-ftpd[15117]: (?@YY.YY.YY.YY) [INFO] New connection from YY.YY.YY.YY
Feb 1 22:40:47 gw pure-ftpd[15117]: (?@YY.YY.YY.YY) [DEBUG] Command [auth] [TLS]
Feb 1 22:40:47 gw pure-ftpd[15117]: (?@YY.YY.YY.YY) [ERROR] TLS renegociation
Feb 1 22:40:47 gw pure-ftpd[15117]: (?@YY.YY.YY.YY) [ERROR] TLS renegociation


Filezilla Debug log:
Status: Disconnected from server
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFileZillaEnginePrivate::ResetOperation(0)
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 0
Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-(xxxxxxxxx)
Response: 220 This is a private system - No anonymous login
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received HELLO RETRY REQUEST
Trace: TLS handshake: Processed HELLO RETRY REQUEST
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: TLS handshake: Received ENCRYPTED EXTENSIONS
Trace: TLS handshake: Processed ENCRYPTED EXTENSIONS
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received CERTIFICATE VERIFY
Trace: TLS handshake: Processed CERTIFICATE VERIFY
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CRealControlSocket::OnSocketError(106)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 5
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Status: Waiting to retry...
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 0
Status: Connecting to XXX.XXX.XXX.XXX:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-(xxxxxxxxx)
Response: 220 This is a private system - No anonymous login
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received HELLO RETRY REQUEST
Trace: TLS handshake: Processed HELLO RETRY REQUEST
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: TLS handshake: Received ENCRYPTED EXTENSIONS
Trace: TLS handshake: Processed ENCRYPTED EXTENSIONS
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received CERTIFICATE VERIFY
Trace: TLS handshake: Processed CERTIFICATE VERIFY
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CRealControlSocket::OnSocketError(106)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 5
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)

User avatar
botg
Site Admin
Posts: 32391
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: pure-ftpd tls connection no longer works with filezilla 3.40

#2 Post by botg » 2019-02-02 13:18

That's a known pure-ftpd bug, see https://github.com/jedisct1/pure-ftpd/issues/94

Post Reply