Hi,
the latest versions of FileZilla CLIENT (seems like versions newer than 3.39) cannot utilize Explicit FTP over TLS, at least with the pure-ftpd server on Ubuntu 18.04, while older versions of FileZilla CLIENT have no errors and can work with the same server just fine.
On CLIENTS newer than 3.39, I get this error:
Status: Resolving address of my.example.com
Status: Connecting to 1.2.3.4:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 22:43. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: USER ftpuseronmyserver
Error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from socket: ECONNABORTED - Connection aborted
Error: Could not connect to server
The server logs show only this for a FAILED client newer than 3.39:
Sep 3 22:43:46 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] New connection from 22.33.44.55
Sep 3 22:43:46 enginex3 pure-ftpd: (?@22.33.44.55) [ERROR] TLS renegociation
But with an OLDER client, lower than 3.39, I see this on the SERVER:
Sep 3 22:48:17 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] New connection from 22.33.44.55
Sep 3 22:48:17 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Sep 3 22:48:19 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] ftpuseronmyserveris now logged in
Sep 3 22:48:19 enginex3 pure-ftpd: (ftpuseronmyserver@22.33.44.55) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Seems like FileZilla versions including 3.40 and newer have problems dropping down to TLS 1.2 and try to force TLS 1.3 - might that be the issue?
GnuTLS error -110 in gnutls_record_recv & ECONNABORTED - Connection aborted
Re: GnuTLS error -110 in gnutls_record_recv & ECONNABORTED - Connection aborted
Clients after 3.39 enable TLS 1.3 support. It seems your server indicates support for TLS 1.3 while in reality not supporting it (this can happen if the dependencies add TLS 1.3 support and pure-ftpd is unaware).
You might be able to explicitly limit TLS support in the server configuration to TLS 1.2 until the server software is updated.
> Seems like FileZilla versions including 3.40 and newer have problems dropping down to TLS 1.2 and try to force TLS 1.3 - might that be the issue?
Lowering the version while in negotiation is not possible, intentionally. Doing so would allow downgrade attacks (as was the case with POODLE). Allowing that would create a security vulnerability; the dev will never do that, don't ask.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
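
For triaging this on the server side, the sketch below (an added example, not part of the original posts and not pure-ftpd or FileZilla code) groups pure-ftpd syslog lines into sessions and flags those that logged "TLS renegociation" without ever logging negotiated TLS parameters, which is the pattern the first post shows for clients newer than 3.39. The function names are hypothetical, and the sample lines are the ones quoted in the first post.

```python
import re

# Log lines copied from the first post (addresses as anonymised there).
SAMPLE_LOG = """\
Sep 3 22:43:46 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] New connection from 22.33.44.55
Sep 3 22:43:46 enginex3 pure-ftpd: (?@22.33.44.55) [ERROR] TLS renegociation
Sep 3 22:48:17 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] New connection from 22.33.44.55
Sep 3 22:48:17 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Sep 3 22:48:19 enginex3 pure-ftpd: (?@22.33.44.55) [INFO] ftpuseronmyserveris now logged in
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+pure-ftpd:\s+"
    r"\((?P<user>[^@]*)@(?P<peer>[^)]+)\)\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
TLS_OK = re.compile(r"TLS: Enabled (?P<proto>\S+) with (?P<cipher>\S+),")


def sessions(log_text):
    """Split the log into per-peer sessions, one per 'New connection' line.

    Assumption: these lines carry no PID, so overlapping sessions from the
    same peer address cannot be told apart and are attributed to the latest.
    """
    open_by_peer, out = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("New connection from"):
            s = {"peer": peer, "start": m["ts"], "tls": None,
                 "login": False, "reneg_error": False}
            open_by_peer[peer] = s
            out.append(s)
            continue
        s = open_by_peer.get(peer)
        if s is None:
            continue  # line without a preceding connection record
        ok = TLS_OK.search(msg)
        if ok and s["tls"] is None:
            s["tls"] = (ok["proto"], ok["cipher"])
        elif m["level"] == "ERROR" and "TLS renegociation" in msg:
            s["reneg_error"] = True
        elif msg.endswith("now logged in"):
            s["login"] = True
    return out


def suspected_version_mismatch(log_text):
    """Sessions that hit the error before any TLS parameters were logged."""
    return [s for s in sessions(log_text) if s["reneg_error"] and s["tls"] is None]
```

A steady count of flagged sessions after clients upgrade past 3.39 points at the server-side TLS 1.3 problem described in the reply rather than at credentials or firewalling.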