FileZilla 3.55.0-rc1 ALPN error

xeon
226 Transfer OK
Posts: 131
Joined: 2009-08-19 03:18

FileZilla 3.55.0-rc1 ALPN error

#1 Post by xeon » 2021-07-04 10:29

Hi, after updating to 3.55.0-rc1, connecting to my FTP server running vsftpd 3.0.4 gives the following error and fails to connect.

Code:

06:24:06	Trace:	CControlSocket::SendNextCommand()
06:24:06	Trace:	CFtpLogonOpData::Send() in state 0
06:24:06	Status:	Resolving address of ftp.snow.jp
06:24:06	Status:	Connecting to 157.7.107.43:21...
06:24:06	Status:	Connection established, waiting for welcome message...
06:24:06	Trace:	CFtpControlSocket::OnReceive()
06:24:06	Response:	220 (vsFTPd 3.0.4)
06:24:06	Trace:	CFtpLogonOpData::ParseResponse() in state 1
06:24:06	Trace:	CControlSocket::SendNextCommand()
06:24:06	Trace:	CFtpLogonOpData::Send() in state 2
06:24:06	Command:	AUTH TLS
06:24:06	Trace:	CFtpControlSocket::OnReceive()
06:24:06	Response:	234 Proceed with negotiation.
06:24:06	Trace:	CFtpLogonOpData::ParseResponse() in state 2
06:24:06	Status:	Initializing TLS...
06:24:06	Trace:	tls_layer_impl::client_handshake()
06:24:06	Trace:	tls_layer_impl::continue_handshake()
06:24:06	Trace:	TLS handshake: About to send CLIENT HELLO
06:24:06	Trace:	TLS handshake: Sent CLIENT HELLO
06:24:06	Trace:	tls_layer_impl::on_send()
06:24:06	Trace:	tls_layer_impl::continue_handshake()
06:24:06	Trace:	tls_layer_impl::on_read()
06:24:06	Trace:	tls_layer_impl::continue_handshake()
06:24:06	Trace:	tls_layer_impl::on_read()
06:24:06	Trace:	tls_layer_impl::continue_handshake()
06:24:06	Trace:	TLS handshake: Received SERVER HELLO
06:24:06	Trace:	TLS handshake: Processed SERVER HELLO
06:24:06	Trace:	TLS handshake: Received ENCRYPTED EXTENSIONS
06:24:06	Trace:	TLS handshake: Processed ENCRYPTED EXTENSIONS
06:24:06	Trace:	tls_layer_impl::failure(-344)
06:24:06	Error:	GnuTLS error -344: No common application protocol could be negotiated.
06:24:06	Status:	Connection attempt failed with "ECONNABORTED - Connection aborted".
06:24:06	Trace:	CRealControlSocket::OnSocketError(106)
06:24:06	Trace:	CRealControlSocket::DoClose(66)
06:24:06	Trace:	CControlSocket::DoClose(66)
06:24:06	Trace:	CFtpControlSocket::ResetOperation(66)
06:24:06	Trace:	CControlSocket::ResetOperation(66)
06:24:06	Trace:	CFtpLogonOpData::Reset(66) in state 4
06:24:06	Error:	Could not connect to server
06:24:06	Trace:	CFileZillaEnginePrivate::ResetOperation(66)
06:24:06	Status:	Waiting to retry...

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla 3.55.0-rc1 ALPN error

#2 Post by botg » 2021-07-04 13:06

That's a new bug in vsftpd, I've reported it.

xeon
226 Transfer OK
Posts: 131
Joined: 2009-08-19 03:18

Re: FileZilla 3.55.0-rc1 ALPN error

#3 Post by xeon » 2021-07-09 22:57

Thanks, have you looked at the source code and identified the exact problem? Just curious if this is something that can be easily fixed, otherwise people will need to either comment out the ALPN code or revert to a previous version of vsftpd until the developer can resolve it.

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla 3.55.0-rc1 ALPN error

#4 Post by botg » 2021-07-10 08:29

Yes. vsftpd returns the wrong data from the alpn callback.

As per https://www.openssl.org/docs/man1.1.0/m ... ct_cb.html:
"The value of the out, outlen vector should be set to the value of a single protocol selected from the in, inlen vector. The out buffer may point directly into in, or to a buffer that outlives the handshake."
vsftpd, however, returns the entire protocol list including length prefixes, which makes no sense.

I'd implement the callback as this:

Code:

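#include <string.h>
#include <openssl/ssl.h>

/* ALPN selection callback: pick "ftp" out of the list the client offered. */
static int
ssl_alpn_callback(SSL* p_ssl,
                  const unsigned char** p_out,
                  unsigned char* outlen,
                  const unsigned char* p_in,
                  unsigned int inlen,
                  void* p_arg) {
  const unsigned char* end = p_in + inlen;
  (void) p_ssl;
  (void) p_arg;
  /* p_in is a sequence of entries: a 1-byte length, then that many name bytes. */
  while (p_in < end) {
    unsigned char l = *(p_in++);
    if (l > end - p_in) {
      break; /* Truncated entry: never read or step past the buffer. */
    }
    if (l == 3 && !memcmp(p_in, "ftp", 3)) {
      /* Return only the name itself, without its length prefix. */
      *p_out = p_in;
      *outlen = 3;
      return SSL_TLSEXT_ERR_OK;
    }
    p_in += l;
  }
  return SSL_TLSEXT_ERR_ALERT_FATAL;
}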
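
Added example, not part of the thread and not code from vsftpd, FileZilla or OpenSSL: a standalone check that whatever an ALPN callback hands back is exactly one name from the client's length-prefixed list, which is the rule quoted in post #4. It generalizes the callback above to a server preference list; the function names and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: a client's ALPN list on the wire, offering "h2" and "ftp". */
static const unsigned char offered[] = { 2, 'h', '2', 3, 'f', 't', 'p' };
static const unsigned char prefs[] = { 3, 'f', 't', 'p' };  /* server accepts only "ftp" */

/* 1 if (out, outlen) is exactly one name from the list (in, inlen), else 0. */
int alpn_selection_is_valid(const unsigned char *in, size_t inlen,
                            const unsigned char *out, size_t outlen) {
    if (out == NULL || outlen == 0) return 0;
    for (size_t i = 0; i < inlen; ) {
        size_t l = in[i++];
        if (l == 0 || l > inlen - i) return 0;   /* empty or truncated entry */
        if (l == outlen && memcmp(in + i, out, l) == 0) return 1;
        i += l;
    }
    return 0;
}

/* Picks the first entry of the server list `want` that the client offered.
   On success *out points at the bare name inside `in`, no length prefix. */
int alpn_select(const unsigned char *want, size_t wantlen,
                const unsigned char *in, size_t inlen,
                const unsigned char **out, size_t *outlen) {
    for (size_t w = 0; w < wantlen; ) {
        size_t wl = want[w++];
        if (wl == 0 || wl > wantlen - w) return 0;
        for (size_t i = 0; i < inlen; ) {
            size_t l = in[i++];
            if (l == 0 || l > inlen - i) return 0;
            if (l == wl && memcmp(in + i, want + w, l) == 0) {
                *out = in + i; *outlen = l;
                return 1;
            }
            i += l;
        }
        w += wl;
    }
    return 0;
}

int main(void) {
    const unsigned char *out = NULL; size_t outlen = 0;
    int ok = alpn_select(prefs, sizeof prefs, offered, sizeof offered, &out, &outlen);
    printf("single name: %d\n", ok && alpn_selection_is_valid(offered, sizeof offered, out, outlen));
    printf("whole list:  %d\n", alpn_selection_is_valid(offered, sizeof offered, offered, sizeof offered));
    return 0;
}
```

The second line of output covers the behaviour the thread describes: passing the whole list back, length prefixes included, fails the check even when the list holds a single entry.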
