Intermittent TLS 1.2 connection issues with pure-ftpd

Posted: 2020-05-20 06:05
by michaelventraip
Hi,

We are facing an issue where the latest FileZilla client (Windows 10, 3.48.0, GnuTLS 3.6.12) is having intermittent communication issues to our pure-ftpd server over TLS.

We notice when transferring a large amount of files a small amount of data connections (maybe a few hundred out of 5000 file transfers) will fail mid session, and most times the control session will also fail.

I was able to replicate the issue using a fresh Docker container on our local network, spec'ed out below. I used this container: https://hub.docker.com/r/stilliard/pure-ftpd/

pure-ftpd server v1.0.49
TLS1.2 using cipher 0xc030 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or ECDHE-RSA-AES256-GCM-SHA384)
Server is on same LAN as Client, no firewalls, connected by single basic switch.

Without TLS (plaintext) I see no issues on the latest client.
I found an old version of FileZilla that we had laying around (v3.9.0.6, gnutls 3.2.19) that does NOT have these issues while using TLS. Checking with wireshark, the same cipher (0xc030) is used.

I'm not quite sure where the issue is (the server or the client), but I can only assume that there is some incompatibility between the versions of OpenSSL/GnuTLS that are being used?


Debug log when the PASV DATA connection fails. Interesting to note that the connection succeeded, but after transferring some data it failed.

Code:

2020-05-18 15:17:48 17536 4 Status: Starting download of /public_html/wp-content/plugins/someplugin/somefile.php
2020-05-18 15:17:48 17536 4 Command: PASV
2020-05-18 15:17:48 17536 4 Response: 227 Entering Passive Mode (10,X,X,105,117,51)
2020-05-18 15:17:48 17536 4 Command: RETR somefile.php
2020-05-18 15:17:48 17536 4 Response: 150-Accepted data connection
2020-05-18 15:17:48 17536 4 Response: 150 11.7 kbytes to download
2020-05-18 15:17:48 17536 4 Error: Could not read from socket: ECONNRESET - Connection reset by peer
2020-05-18 15:17:48 17536 4 Error: Disconnected from server
2020-05-18 15:17:48 17536 4 Error: File transfer failed after transferring 12,419 bytes in 1 second
When the control session fails, you will see what is in filezilla_debuglog_control.txt in the debug log. To add on to this, Wireshark_4Ue0cFsobY.png shows the packet capture between the server and the client: no TLS handshake is attempted and the connection is reset immediately.
Force reconnecting the client immediately resolves the "connection" issue.

Any help finding what may be causing this is much appreciated. Thank you!
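A small log-triage script, added here as an example and not part of the original post, that walks a FileZilla debug log like the one quoted above and classifies each download by whether it finished with a 226 or was reset after the 150 response (the mid-transfer failure described in the post). The sample log lines are constructed to mirror the quoted excerpt.

```python
import re

# Constructed sample, modelled on the FileZilla debug log quoted in the post.
SAMPLE_LOG = """\
2020-05-18 15:17:40 17536 4 Status: Starting download of /public_html/index.php
2020-05-18 15:17:40 17536 4 Command: RETR index.php
2020-05-18 15:17:40 17536 4 Response: 150 2.1 kbytes to download
2020-05-18 15:17:40 17536 4 Response: 226 File successfully transferred
2020-05-18 15:17:48 17536 4 Status: Starting download of /public_html/wp-content/plugins/someplugin/somefile.php
2020-05-18 15:17:48 17536 4 Command: PASV
2020-05-18 15:17:48 17536 4 Response: 227 Entering Passive Mode (10,X,X,105,117,51)
2020-05-18 15:17:48 17536 4 Command: RETR somefile.php
2020-05-18 15:17:48 17536 4 Response: 150-Accepted data connection
2020-05-18 15:17:48 17536 4 Response: 150 11.7 kbytes to download
2020-05-18 15:17:48 17536 4 Error: Could not read from socket: ECONNRESET - Connection reset by peer
2020-05-18 15:17:48 17536 4 Error: Disconnected from server
2020-05-18 15:17:48 17536 4 Error: File transfer failed after transferring 12,419 bytes in 1 second
"""

# FileZilla debug log line: "<date> <time> <pid> <connection-id> <Kind>: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\d+) (\w+): (.*)$")

def classify_transfers(log_text):
    """Return [(path, outcome)] per 'Starting download'; outcome is 'ok' (226 seen),
    'reset_after_150' (data connection opened, then ECONNRESET), 'reset_before_150',
    'failed' (other error) or 'incomplete' (log ended mid-transfer)."""
    results, open_xfer = [], {}          # open_xfer: connection-id -> index into results
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, _pid, conn, kind, msg = m.groups()
        if kind == "Status" and msg.startswith("Starting download of "):
            open_xfer[conn] = len(results)
            results.append({"path": msg[len("Starting download of "):],
                            "outcome": "incomplete", "got150": False})
            continue
        if conn not in open_xfer:
            continue
        cur = results[open_xfer[conn]]
        if kind == "Response" and msg.startswith("150"):
            cur["got150"] = True                 # server accepted the data connection
        elif kind == "Response" and msg.startswith("226"):
            cur["outcome"] = "ok"
            open_xfer.pop(conn)
        elif kind == "Error" and "ECONNRESET" in msg:
            cur["outcome"] = "reset_after_150" if cur["got150"] else "reset_before_150"
        elif kind == "Error" and msg.startswith("File transfer failed"):
            if cur["outcome"] == "incomplete":
                cur["outcome"] = "failed"
            open_xfer.pop(conn)                  # FileZilla closes out the transfer here
    return [(r["path"], r["outcome"]) for r in results]
```

Running `classify_transfers` over a full session log gives the ratio of resets to completed transfers (the "a few hundred out of 5000" figure) without reading the log by hand, and separates data-connection resets from control-connection resets that happen before any 150.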

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

Posted: 2020-05-20 06:57
by botg
Does it still happen if you disable Windows firewall? It is faulty and cannot handle the sheer speed of FileZilla.

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

Posted: 2020-05-21 02:29
by michaelventraip
Hey botg,

That was, just horribly unfortunately, it. My hatred for Windows has just grown. even. stronger.

I appreciate your fast response. I found that even adding a rule wouldn't let me get around the issue.

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

Posted: 2020-05-22 07:12
by botg
It's something Windows Firewall does to FTP in particular. Using any port other than 21 and the symptoms go away.

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

Posted: 2020-05-23 03:19
by boco
Wasn't that the case if the Application Layer Gateway (alg.exe) was running? A process that piggybacks other processes and fucks them up (that's what should be written, letter by letter, on its Wikipedia page).

Check your system services, and, if the ALG service is running, stop it and set to "Disabled".

Re: Intermittent TLS 1.2 connection issues with pure-ftpd

Posted: 2020-05-23 12:18
by botg
That was a different problem.