Intermittent TLS 1.2 connection issues with pure-ftpd

michaelventraip
500 Command not understood
Posts: 2
Joined: 2020-05-19 00:26

Intermittent TLS 1.2 connection issues with pure-ftpd

#1 Post by michaelventraip » 2020-05-20 06:05

Hi,

We are facing an issue where the latest FileZilla client (Windows 10, 3.48.0, gnutls 3.6.12) is having intermittent communication issues to our pure-ftpd server over TLS.

We notice when transferring a large amount of files a small amount of data connections (maybe a few hundred out of 5000 file transfers) will fail mid session, and most times the control session will also fail.

I was able to replicate the issue using a fresh docker container on our local network spec'ed out below. I used this container https://hub.docker.com/r/stilliard/pure-ftpd/

pure-ftpd server v1.0.49
TLS1.2 using cipher 0xc030 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or ECDHE-RSA-AES256-GCM-SHA384)
Server is on same LAN as Client, no firewalls, connected by single basic switch.

Without TLS (plaintext) I see no issues on the latest client.
I found an old version of FileZilla that we had lying around (v3.9.0.6, gnutls 3.2.19) that does NOT have these issues while using TLS. Checking with Wireshark, the same cipher (0xc030) is used.

I'm not quite sure where the issue is (the server, or the client) but I can only assume that there is some incompatibility between the versions of OpenSSL/GnuTLS that's being used?


Debug log when PASV DATA connection fails, interesting to note that the connection succeeded but after transferring some data it failed.

2020-05-18 15:17:48 17536 4 Status: Starting download of /public_html/wp-content/plugins/someplugin/somefile.php
2020-05-18 15:17:48 17536 4 Command: PASV
2020-05-18 15:17:48 17536 4 Response: 227 Entering Passive Mode (10,X,X,105,117,51)
2020-05-18 15:17:48 17536 4 Command: RETR somefile.php
2020-05-18 15:17:48 17536 4 Response: 150-Accepted data connection
2020-05-18 15:17:48 17536 4 Response: 150 11.7 kbytes to download
2020-05-18 15:17:48 17536 4 Error: Could not read from socket: ECONNRESET - Connection reset by peer
2020-05-18 15:17:48 17536 4 Error: Disconnected from server
2020-05-18 15:17:48 17536 4 Error: File transfer failed after transferring 12,419 bytes in 1 second

When the control session fails, you will see what is in filezilla_debuglog_control.txt in the debug log. To add on to this Wireshark_4Ue0cFsobY.png shows the packet capture in between both the server/client, no TLS handshake is attempted and the connection is reset immediately.
Force reconnecting the client immediately resolves the "connection" issue.

Any help finding what may be causing this is much appreciated. Thank you!
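
The following is an added example, not part of the original post or of FileZilla: a small Python triage script that reads a debug log in the layout quoted above and lists the downloads that ended in ECONNRESET, noting whether the reset came after the server had already accepted the data connection (a 150 reply). The sample log is constructed, and treating the third and fourth fields as process id and connection id is an assumption.

```python
import re

# Constructed sample in the layout of the log quoted in the post.
# Assumption: fields are date, time, process id, connection id, type, text.
SAMPLE_LOG = """\
2020-05-18 15:17:48 17536 4 Status: Starting download of /site/a.php
2020-05-18 15:17:48 17536 4 Command: PASV
2020-05-18 15:17:48 17536 4 Response: 227 Entering Passive Mode (10,0,0,5,117,51)
2020-05-18 15:17:48 17536 4 Command: RETR a.php
2020-05-18 15:17:48 17536 4 Response: 150 11.7 kbytes to download
2020-05-18 15:17:48 17536 4 Error: Could not read from socket: ECONNRESET - Connection reset by peer
2020-05-18 15:17:48 17536 4 Error: File transfer failed after transferring 12,419 bytes in 1 second
2020-05-18 15:17:49 17536 5 Status: Starting download of /site/b.php
2020-05-18 15:17:49 17536 5 Command: RETR b.php
2020-05-18 15:17:49 17536 5 Response: 150 2.0 kbytes to download
2020-05-18 15:17:49 17536 5 Response: 226 File successfully transferred
"""

LINE = re.compile(r"^(\S+ \S+) (\d+) (\d+) (\w+): (.*)$")
BYTES = re.compile(r"failed after transferring ([\d,]+) bytes")
START = "Starting download of "

def summarize(log_text):
    """Return (downloads started, downloads that hit ECONNRESET)."""
    current = {}              # connection id -> download in progress
    started, resets = 0, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue          # skip lines that are not log records
        ts, _pid, conn, kind, text = m.groups()
        if kind == "Status" and text.startswith(START):
            started += 1
            current[conn] = {"time": ts, "conn": int(conn),
                             "path": text[len(START):],
                             "accepted": False, "bytes": None}
            continue
        xfer = current.get(conn)
        if xfer is None:
            continue
        if kind == "Response" and text.startswith("150"):
            xfer["accepted"] = True      # data connection was established
        elif kind == "Error" and "ECONNRESET" in text:
            resets.append(xfer)          # later lines still update this dict
        elif kind == "Error" and (b := BYTES.search(text)):
            xfer["bytes"] = int(b.group(1).replace(",", ""))
    return started, resets

if __name__ == "__main__":
    total, failed = summarize(SAMPLE_LOG)
    print(f"{len(failed)} of {total} downloads reset:", failed)
```

Running it over logs from the same transfer set with the firewall enabled and disabled, or on port 21 and on another port, gives a direct count to compare.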

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

#2 Post by botg » 2020-05-20 06:57

Does it still happen if you disable Windows firewall? It is faulty and cannot handle the sheer speed of FileZilla.

michaelventraip
500 Command not understood
Posts: 2
Joined: 2020-05-19 00:26

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

#3 Post by michaelventraip » 2020-05-21 02:29

Hey botg,

That was, just horribly unfortunately it. My hatred for Windows has just grown. even. stronger.

I appreciate your fast response, I found even adding a rule in wouldn't let me get around the issue.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

#4 Post by botg » 2020-05-22 07:12

It's something Windows Firewall does to FTP in particular. Using any port other than 21 and the symptoms go away.

boco
Contributor
Posts: 26914
Joined: 2006-05-01 03:28
Location: Germany

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

#5 Post by boco » 2020-05-23 03:19

Wasn't that the case if the Application Layer Gateway (alg.exe) was running? A process that piggybacks other processes and fucks them up (that's what should be written, letter by letter, on its Wikipedia page).

Check your system services, and, if the ALG service is running, stop it and set to "Disabled".
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

#6 Post by botg » 2020-05-23 12:18

That was a different problem.
