vsftpd ssl connection timeout on upload (osx, debian)

Sefer
504 Command not implemented
Posts: 11
Joined: 2014-09-06 12:03

#1 Post by Sefer » 2014-09-06 12:20

Hey guys, I have a weird problem.
I have set up a vsftpd 2.3.5 server under Debian 7 wheezy, running without any problem. I can connect, list and stuff using passive mode and virtual users.

My problem is that I cannot upload files under debian or osx using several ftp clients, also yours. The upload under Ubuntu Filezilla is working without any problems and Windows, too.
This just happens when trying to upload files with secure encryption (ssl_enable=yes). Unencrypted uploads are working without any problems under every system.

The upload is starting, one or more files are being uploaded. Then the progress gets stuck at 100% (150 Data Send) for a few seconds and the connection times out. Now the client will reconnect and try to upload the same file again (asking me what to do now)...

Here is my latest log output (way too big to post it here, so please see my attachment)

I really hope you can help me. Is it an OS X related problem? I don't get why FTPeS uploads are working under windows and ubuntu, but not Debian (i.e.) and OS X...

best regards
Sefer

vsftpd.log

Code:

Thu Sep  4 14:52:36 2014 [pid 13791] CONNECT: Client "MY IP"
Thu Sep  4 14:52:36 2014 [pid 13791] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, not reused, no cert"
Thu Sep  4 14:52:36 2014 [pid 13790] [MY USER] OK LOGIN: Client "MY IP"
Thu Sep  4 14:52:36 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:52:36 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: NONE"
Thu Sep  4 14:52:36 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Thu Sep  4 14:52:36 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:52:38 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:52:38 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: NONE"
Thu Sep  4 14:52:38 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Thu Sep  4 14:52:38 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:53:58 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:53:58 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: NONE"
Thu Sep  4 14:53:58 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Thu Sep  4 14:53:58 2014 [pid 13791] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:54:03 2014 [pid 13811] CONNECT: Client "MY IP"
Thu Sep  4 14:54:03 2014 [pid 13812] CONNECT: Client "MY IP"
Thu Sep  4 14:54:03 2014 [pid 13812] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, not reused, no cert"
Thu Sep  4 14:54:03 2014 [pid 13811] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, not reused, no cert"
Thu Sep  4 14:54:03 2014 [pid 13809] [MY USER] OK LOGIN: Client "MY IP"
Thu Sep  4 14:54:04 2014 [pid 13810] [MY USER] OK LOGIN: Client "MY IP"
Thu Sep  4 14:54:04 2014 [pid 13813] [MY USER] OK MKDIR: Client "MY IP", "/upload/Vorlagen"
Thu Sep  4 14:54:04 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:54:04 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: NONE"
Thu Sep  4 14:54:04 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Thu Sep  4 14:54:04 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:54:04 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:54:04 2014 [pid 13811] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:54:05 2014 [pid 13811] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Thu Sep  4 14:54:05 2014 [pid 13811] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:54:05 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Thu Sep  4 14:54:05 2014 [pid 13812] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:54:25 2014 [pid 13816] CONNECT: Client "MY IP"
Thu Sep  4 14:54:25 2014 [pid 13816] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, not reused, no cert"
Thu Sep  4 14:54:25 2014 [pid 13815] [MY USER] OK LOGIN: Client "MY IP"
Thu Sep  4 14:54:25 2014 [pid 13816] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:54:25 2014 [pid 13816] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: NONE"
Thu Sep  4 14:54:25 2014 [pid 13816] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Thu Sep  4 14:54:26 2014 [pid 13816] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Attachments: debug.log (70.72 KiB)
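An added example, not part of the original post and not vsftpd or FileZilla code: it reads DEBUG lines in the format shown above and reports, per TLS handshake that resumed a session, which side sent close_notify first and whether the shutdown reached state 3 (both OpenSSL flags set). Treating "reused" handshakes as data connections is an assumption, and the sample lines are constructed.

```python
import re
from collections import defaultdict

DEBUG_LINE = re.compile(r'\[pid (\d+)\].*?DEBUG: Client "[^"]*", "([^"]*)"')
STATE_PREFIX = "SSL shutdown state is: "

def tls_sessions(log_text):
    """Per pid, list each logged handshake with the shutdown states that follow it."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = DEBUG_LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if msg.startswith("SSL version:"):
            sessions[pid].append({"reused": "not reused" not in msg, "states": []})
        elif msg.startswith(STATE_PREFIX) and sessions[pid]:
            sessions[pid][-1]["states"].append(msg[len(STATE_PREFIX):])
    return sessions

def classify(session):
    """Which side sent close_notify first, and did the other side answer?"""
    seen = [s for s in session["states"] if s != "NONE"]
    if not seen:
        return "no shutdown logged"
    first = {"SSL_SENT_SHUTDOWN": "server closed first",
             "SSL_RECEIVED_SHUTDOWN": "client closed first"}.get(seen[0], "both")
    # "3" is SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN: close_notify went both ways
    return first + (", complete" if seen[-1] == "3" else ", incomplete")

def report(log_text):
    """(pid, handshake index, verdict) for every handshake that resumed a session."""
    return [(pid, n, classify(s))
            for pid, group in sorted(tls_sessions(log_text).items())
            for n, s in enumerate(group) if s["reused"]]

# Constructed sample in the post's log format; pids and sequences are invented
SAMPLE = '''\
Thu Sep  4 14:52:36 2014 [pid 100] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, not reused, no cert"
Thu Sep  4 14:52:36 2014 [pid 100] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:52:36 2014 [pid 100] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: NONE"
Thu Sep  4 14:52:36 2014 [pid 100] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Thu Sep  4 14:52:36 2014 [pid 100] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:52:40 2014 [pid 200] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:52:41 2014 [pid 200] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Thu Sep  4 14:52:41 2014 [pid 200] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: 3"
Thu Sep  4 14:52:50 2014 [pid 300] [MY USER] DEBUG: Client "MY IP", "SSL version: TLSv1/SSLv3, SSL cipher: AES256-GCM-SHA384, reused, no cert"
Thu Sep  4 14:52:50 2014 [pid 300] [MY USER] DEBUG: Client "MY IP", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
'''
```

Calling `report()` on the full attached log would list every resumed handshake; rows ending in "incomplete" mark connections where the log never shows close_notify in both directions.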

botg
Site Admin
Posts: 33242
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2014-09-06 14:47

Have you tried FileZilla 3.9.0.4 yet?

#3 Post by Sefer » 2014-09-06 15:38

Hi,
same problem when using the latest version of filezilla.

I just did the ftptest.net test and everything is reported being alright... Same error (I used a very clean iptables config)
Weird, now even with my iptables config I won't get "Error: Listing" ... Nevertheless the upload isn't working, doesn't matter what happens to iptables. But is my config ok?

Code:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow FTP connections
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 49192:50000 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT

# Allow btsync connections
-A INPUT -p tcp --dport 4242 -j ACCEPT
-A INPUT -p udp --dport 4242 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

# Drop IP Ranges
-A INPUT -s 116.10.0.0/16 -j DROP -m comment --comment "Block China #1"
-A INPUT -s 60.190.0.0/16 -j DROP -m comment --comment "Block China #2"
-A INPUT -s 61.174.0.0/16 -j DROP -m comment --comment "Block China #3"
-A INPUT -s 122.225.0.0/16 -j DROP -m comment --comment "Block China #4"
-A INPUT -s 183.7.0.0/16 -j DROP -m comment --comment "Block China #4"
-A INPUT -s 212.156.0.0/16 -j DROP -m comment --comment "Block Turkey"
-A INPUT -s 62.68.0.0/16 -j DROP -m comment --comment "Block Bosnia"
-A INPUT -s 91.192.0.0/16 -j DROP -m comment --comment "Block Russia"
-A INPUT -s 119.15.0.0/16 -j DROP -m comment --comment "Block Bangladesh"

COMMIT

These are not working rules (and I don't know why, I googled all of them) because Directory Listing is not working

Code:

#-A INPUT -p tcp --sport 49192:50000 --dport 21 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

#-A INPUT -p tcp --sport 49192:50000 --dport 49192:50000  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp --sport 49192:50000 --dport 49192:50000  -m state --state ESTABLISHED,RELATED -j ACCEPT
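An added example, not part of the original post: a small check for an iptables-restore ruleset that lists rules appended to a chain after an unconditional ACCEPT, DROP or REJECT in that chain, since such rules are never evaluated. The embedded ruleset is abridged from the one posted above, where the "Drop IP Ranges" rules follow `-A INPUT -j DROP`; the function names are this example's own.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end chain traversal

def parse_rule(line):
    """Return (chain, target, unconditional) for an '-A' line, else None."""
    if not line.strip().startswith("-A "):
        return None
    tok = shlex.split(line)
    chain, args = tok[1], tok[2:]
    target, conditions, i = None, [], 0
    while i < len(args):
        if args[i] in ("-j", "--jump"):
            target = args[i + 1]
            i += 2
        elif args[i] == "--comment" or args[i:i + 2] == ["-m", "comment"]:
            i += 2  # a comment never restricts which packets match
        else:
            conditions.append(args[i])  # conservative: anything else is a condition
            i += 1
    return chain, target, not conditions

def shadowed_rules(ruleset):
    """List (line_no, rule) for rules that follow a catch-all verdict in their chain."""
    closed, hits = set(), []
    for no, line in enumerate(ruleset.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        chain, target, unconditional = rule
        if chain in closed:
            hits.append((no, line.strip()))
        elif unconditional and target in TERMINAL:
            closed.add(chain)
    return hits

# Abridged from the ruleset posted above (same rule order)
RULESET = '''\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A INPUT -s 116.10.0.0/16 -j DROP -m comment --comment "Block China #1"
-A INPUT -s 212.156.0.0/16 -j DROP -m comment --comment "Block Turkey"
COMMIT
'''
```

For source-address blocks to take effect they have to be evaluated before any rule that accepts the traffic, so they belong at the top of the INPUT chain rather than after the final DROP.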

#4 Post by botg » 2014-09-06 17:49

Does it work if you delete all rules and accept everything?

#5 Post by Sefer » 2014-09-06 18:31

No, doesn't work. Same on my colleague's server (same specs, VPS openVZ... and always clean iptable!)!
Just with FileZilla/Cyberduck/Yummy FTP under Mac OS X, FileZilla and lftp under Debian ... Weird thing that it is working under Ubuntu.

EDIT: ok 3.7.3 (ubuntu) + lftp and debian (manual download 3.9.0.5) + lftp working properly... Just Mac is not working, doesn't matter which ftp program!

EDIT2: Maybe the reason is the old openssl version shipped with os x? Dunno, you are the devs :D

#6 Post by Sefer » 2014-09-07 18:07

Hello,

I just set up an OS X VM and used MacPorts to upgrade OpenSSL to version 1.0.1i and... oh wonder, it works! The upload is working properly...
There is an issue with the old openssl version 0.9.8y which is being delivered by Apple's OS X ...

Is it possible for you to look into this issue? I can provide you an ftp access if you want to

#7 Post by botg » 2014-09-07 20:40

FileZilla does not even use OpenSSL.

#8 Post by Sefer » 2014-09-07 20:44

Weird, why is it working then? Any ideas?

EDIT: Just to make it clear. I had set up a VM with OS 10.9. Clean. Tried a FileZilla upload and got the same errors and log. Then I downloaded MacPorts and installed the most recent OpenSSL version and the upload worked flawlessly... Are you sure?

boco
Contributor
Posts: 25334
Joined: 2006-05-01 03:28
Location: Germany

#9 Post by boco » 2014-09-08 00:42

FileZilla uses GNUTLS, not OpenSSL. As the FileZilla developer, he's damn sure, I guess. :roll:
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

#10 Post by Sefer » 2014-09-08 09:31

Sorry, didn't want to offend you :-) It's just, I was able to recreate and somehow fix the issue with installing a newer OpenSSL version. That's why I am confused and thought that could be the reason. Maybe the system uses openssl instead or somehow is connected to some libraries?

#11 Post by boco » 2014-09-08 11:14

No offense taken.

That would be a good question, indeed. Unlike in Windows, Linux and Apple OS provide the dependencies themselves. Now I don't know the innards of OSX, but Apple could provide both OpenSSL and GnuTLS using the same crypto libraries/dependencies of their own (if that's even possible). Then updating the libraries using OpenSSL updates could have influence on GnuTLS, too.

That's pure speculation, though.

#12 Post by botg » 2014-09-08 16:00

The official FileZilla binaries statically link to GnuTLS even.

#13 Post by Sefer » 2014-09-08 17:44

Something must be wrong on OS X's side...

As I said before, I had set up an OS 10.9 VM. The upload wasn't working. Afterwards I installed MacPorts with a recent OpenSSL version and the upload was working.
I just thought, try it again with a fresh copy again, so I removed the VM, reloaded it and tried the Upload without MacPorts. The upload was working.

Weird? Wait...

I deleted my volume on my macbook and redownloaded OSX 10.9.4 ... A fresh copy of MacOS without any installations! Guess what? The upload wasn't working!

There must be something wrong with 10.9.4 in my opinion...


EDIT: Alright, I tried it with a hotspot from my mobile phone after using an updated VM to 10.9.4 without any problems and 10.9.1 VM ... The mobile hotspot upload worked flawlessly... and after switching back to standard WLAN I got the same problems again... I don't know how to fix this now :-(

EDIT2: On the other hand the upload from the same laptop is working under ubuntu parallels vm. I f***** don't get it

#14 Post by botg » 2014-09-09 08:23

Could be caused by some firewall or NAT router in your environment.

#15 Post by Sefer » 2014-09-09 10:23

But I don't know which...

My PC is connected via LAN to the router. No Problems so far (Windows and OSX VM).
My MacBook is connected via WLAN to the router. No Problems running a Ubuntu/Debian VM (with recent FileZilla version), but I cannot upload via OS X...

I cannot find any WLAN options or rules which would prevent OS X from uploading but allowing Ubuntu over WLAN...

EDIT: I was thinking about some MTU settings and stuff, but the throughput would still be the same even inside Ubuntu... It's using the same network adapter

EDIT2: Alright, no upload problems with my mother's Windows Laptop connected to the same WLAN! It is not the router.

EDIT3: OSX 10.10 Parallels on OSX 10.9.4 ... upload working... God what the heck is wrong with this
