
GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 17:53
by Claudiu
My issue is related to latest version 3.40.0-rc2 for Windows 64bit. Version 3.39 is working perfectly, https://ftptest.net/ shows no errors.

I own a Fedora 29 server with pure-ftpd-1.0.47, openssl-1.1.1a, gnutls-3.6.5. Trying to connect with Windows client 3.40 I get this error:
GnuTLS error -110: The TLS connection was non-properly terminated.
I have downgraded to 3.39 and it's working perfectly, again. I never had this issue before.

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 18:35
by botg
If you click the lock icon in the status bar of FileZilla it'll display the used cryptographic algorithms. What is shown in both 3.39 and 3.40.0-rc2?

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 18:57
by Claudiu
Ahh, the icon is there only with version 3.39 when I'm successfully connected.

Public algorithm RSA with 2048 bits
Signature algorithm RSA-SHA256

Protocol TLS1.2 Cipher CHACHA20-POLY1305
Key exchange ECDHE-RSA

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 19:01
by Claudiu
From server logs, on successful connection with version 3.39 I have these.

Jan 23 20:58:49 serv.com pure-ftpd[8726]: (?@1.1.111.1) [INFO] userx is now logged in
Jan 23 20:58:51 serv.com pure-ftpd[8726]: (userx@1.1.111.1) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305, 256 secret bits cipher

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 19:09
by botg

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 19:17
by Claudiu
Yes, I saw it. With version 3.40 the icon disappears after the "Could not connect to server" message. But I was able to get the data.

The same algorithms, but

Protocol TLS1.3 Cipher: AES-256-GCM

Key exchange similar to 3.39 data,

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 19:47
by Claudiu
I found this thread with users dealing with the same issue
https://github.com/jedisct1/pure-ftpd/issues/99

Is it possible to add a patch to run on TLS v1.2 if v1.3 is not enabled or is not working correctly?

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 21:37
by botg
It's a bug in pure-ftpd.

I don't do workarounds if security is involved, the only way to fix this is to update pure-ftpd.

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 21:43
by Claudiu
TLS v1.2 is still very secure, I don't understand why you dropped it completely and rely only on TLSv1.3 with the risk to create compatibility issues.

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-23 23:19
by botg
TLS 1.2 hasn't been dropped, it is still fully supported.

The version that is used is always the highest supported by both the client and the server. Using a lower version than supported by both isn't possible as that can and will be exploited in downgrade attacks.

If pure-ftpd advertises TLS 1.3 support but doesn't implement it correctly, then pure-ftpd needs to be fixed. It's this simple.

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-24 05:59
by Claudiu
My pure-ftpd server (latest official version 1.0.47) is not compiled with TLSv1.3.

| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A



So, if v1.3 is not supported by the server, why is the client trying to connect on this version? In my case, TLSv1.3 is not supported by both client and server, as you said, it is only supported by FileZilla. This is a FileZilla bug trying to connect using an unsupported server protocol!

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-24 08:44
by botg
How did you generate that list of ciphers? Does the tool generating this list support TLS 1.3?

> So, if v1.3 is not supported by the server, why is the client trying to connect on this version?

Because the server says it supports it.

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-24 11:22
by Claudiu
I'm using nmap
nmap --script ssl-cert,ssl-enum-ciphers -p 21 localhost

This is the complete output and TLSv1.3 is not in the list.

PORT STATE SERVICE
21/tcp open ftp
| ssl-cert: Subject: commonName=censored/organizationName=censored/stateOrProvinceName=censored/countryName=US
| Subject Alternative Name: DNS:censored
| Issuer: commonName=censored/organizationName=censored/stateOrProvinceName=censored/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-31T12:48:11
| Not valid after: 2029-02-17T05:28:11
| MD5: f7ea febb bdbf 652d cdff 6fed xxxx xxxx
|_SHA-1: b9f2 db86 fbe6 ce38 6a00 d776 b066 8d24 xxxx xxxx
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-24 12:03
by botg
That nmap script simply isn't aware of TLS 1.3, that's why it doesn't show it in its output.
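
An added illustration, not code from this thread or from FileZilla, GnuTLS, pure-ftpd or nmap, of two points raised above: a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its legacy version field and states the real version in the supported_versions extension, and a TLS 1.3-capable server that negotiates TLS 1.2 marks its random value so that clients can detect a downgrade (RFC 8446, section 4.1.3). The sample records are constructed, and the function names are this example's own.

```python
import struct

VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
# RFC 8446 section 4.1.3: last 8 bytes of ServerHello.random when a server
# that supports a newer version negotiates an older one.
SENTINELS = {b"DOWNGRD\x01": "server supports TLS1.3, negotiated TLS1.2",
             b"DOWNGRD\x00": "negotiated TLS1.1 or below"}
EXT_SUPPORTED_VERSIONS = 43

def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and downgrade marker from one TLS record."""
    rec_type, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if rec_type != 0x16 or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    legacy = struct.unpack("!H", hello[:2])[0]
    random = hello[2:34]
    pos = 35 + hello[34]          # skip session_id
    pos += 3                      # cipher_suite (2) + compression method (1)
    selected = legacy             # without supported_versions, legacy is real
    if pos + 2 <= len(hello):     # extensions are optional before TLS 1.3
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                selected = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return {"legacy_version": VERSIONS.get(legacy, hex(legacy)),
            "negotiated": VERSIONS.get(selected, hex(selected)),
            "downgrade_marker": SENTINELS.get(random[24:])}

def build_server_hello(random: bytes, suite: int, extensions: bytes = b"") -> bytes:
    """Constructed sample input: a minimal ServerHello wrapped in one record."""
    hello = struct.pack("!H", 0x0303) + random + b"\x00" + struct.pack("!HB", suite, 0)
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples, not captured traffic.
TLS13_HELLO = build_server_hello(bytes(32), 0x1302, struct.pack("!HHH", 43, 2, 0x0304))
TLS12_FROM_13_SERVER = build_server_hello(bytes(24) + b"DOWNGRD\x01", 0xCCA8)

if __name__ == "__main__":
    print(parse_server_hello(TLS13_HELLO))
    print(parse_server_hello(TLS12_FROM_13_SERVER))
```
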

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Posted: 2019-01-25 10:08
by Claudiu
Thank you for your advice! I have installed the git version of pure-ftpd and I can confirm that the issue is solved and now I can connect correctly.