Discussion topic: It's the server's fault!

Merlin2000
504 Command not implemented
Posts: 8
Joined: 2009-05-18 19:00
First name: fre
Last name: reff

Re: Discussion topic: It's the server's fault!

#106 Post by Merlin2000 » 2009-06-11 01:15

This is the discussion thread for: viewtopic.php?f=2&t=7688 - all explained there.
- I went to that link, it states "Please discuss in the new discussion thread. The sticky got rather messed up so let's keep it clean. :wink: Moved all posts there, have fun!"

Which takes you to this thread... where I'm trying to figure out why it's ok for FileZilla to have this major change made that results in FileZilla not functioning correctly.

Using the logic presented here, it would be safe to assume that I could build a website that fully validates against standards, and doesn't display correctly. It's the browser's problem (as in not adhering to the standards correctly). I made a website and I'm going to require thousands of people using IE/FF to have their devs update their specs so MY website will not stop working.

How does that make sense?

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: Discussion topic: It's the server's fault!

#107 Post by boco » 2009-06-11 01:23

The servers are not following the standards correctly.
botg wrote: If you get this error if listing a directory or if downloading a file, it means that your server did not send the SSL/TLS closure notification as required by the SSL/TLS specifications.
From the 2nd post of this discussion thread:
botg wrote: The answer is in RFC 4346 which clearly states the following in section 7.2.1.:

Unless some other fatal alert has been transmitted, each party is
required to send a close_notify alert before closing the write side
of the connection

The write side is the server sending the directory listing or the file to the client.

The discussion thread was created by me, because nobody would read a multi-page-monster-sticky. It's common in forums to have separate discussion threads for stickies/announcements, as stickies/announcements are usually locked (mostly due to spam).
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
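
What the quoted RFC sentence means for a client, as an added example (not code from this thread or from FileZilla): the sketch below runs a TLS data connection in memory with Python's `ssl` module and shows that the receiver can tell a close preceded by `close_notify` from a bare transport close only by how the read ends. The names `transfer` and `_ctx` and the sample listing line are made up for the example, and the anonymous cipher suite is an assumption chosen so the demo needs no certificate.

```python
import ssl

def _ctx(proto):
    # Demo only: anonymous suite, so no certificate is needed. Not for real use.
    ctx = ssl.SSLContext(proto)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AECDH-AES128-SHA:@SECLEVEL=0")
    return ctx

def transfer(payload, send_close_notify):
    """One in-memory TLS data connection; returns (data, ended_cleanly)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = _ctx(ssl.PROTOCOL_TLS_CLIENT).wrap_bio(c_in, c_out)
    server = _ctx(ssl.PROTOCOL_TLS_SERVER).wrap_bio(s_in, s_out, server_side=True)

    def pump():  # stands in for the TCP connection between the two ends
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            data = src.read()
            if data:
                dst.write(data)

    for _ in range(6):  # drive both handshakes to completion
        for side in (client, server):
            try:
                side.do_handshake()
            except ssl.SSLWantReadError:
                pass
            pump()

    server.write(payload)
    if send_close_notify:
        try:
            server.unwrap()  # queues the close_notify alert
        except ssl.SSLWantReadError:
            pass  # alert is queued; the client's reply is not awaited
    pump()
    c_in.write_eof()  # the server closes the transport
    received = b""
    while True:
        try:
            chunk = client.read(4096)
        except ssl.SSLZeroReturnError:
            return received, True
        except ssl.SSLEOFError:
            return received, False  # transport closed with no close_notify
        if not chunk:
            return received, True  # close_notify seen before the close
        received += chunk
```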

Merlin2000
504 Command not implemented
Posts: 8
Joined: 2009-05-18 19:00
First name: fre
Last name: reff

Re: Discussion topic: It's the server's fault!

#108 Post by Merlin2000 » 2009-06-11 04:51

That's fine, every other FTP client that's popular includes proper error checking, that doesn't halt when that happens. FileZilla on the other hand, is set up to break when a server doesn't follow the guidelines.

Which program would you rather use? One with better error handling? Or one that works only when the server is standardized 100% and completely up to date?

We're not talking about just a few old servers, there are hundreds of thousands of servers that have this problem.

I'm glad you guys are at least open about knowing about this problem, and publicly stating that it isn't something that's going to be fixed. I hate it when people try to hide things like this.

v2 is an amazing program, hopefully when the next version comes out, it will be compatible with more servers.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#109 Post by botg » 2009-06-11 08:12

Merlin2000 wrote: That's fine, every other FTP client that's popular includes proper error checking, that doesn't halt when that happens. FileZilla on the other hand, is set up to break when a server doesn't follow the guidelines.
Wrong. Every other client has a security vulnerability.
Merlin2000 wrote: We're not talking about just a few old servers, there are hundreds of thousands of servers that have this problem.
So if everyone else would jump off a cliff, would you do the same? Broken is broken, no matter how many are doing it wrong.
Merlin2000 wrote: v2 is an amazing program
No, it has a security vulnerability.

Gianina
500 Command not understood
Posts: 1
Joined: 2009-06-12 17:10
First name: Gianina
Last name: Ocione

Re: Discussion topic: It's the server's fault!

#110 Post by Gianina » 2009-06-12 17:14

I believed every FTP client has a security vulnerability. It is just up to you how you manage it.

I've been working with a web hosting company for over 2 years and we know exactly about every FTP client's comparison with the other. None is perfect. Mostly used for better protection is putty/shell. It is much safer.

jgowen
500 Command not understood
Posts: 2
Joined: 2009-06-15 21:41
First name: James
Last name: Owen

Re: Discussion topic: It's the server's fault!

#111 Post by jgowen » 2009-06-15 21:47

Mon 6/15/2009 5:43 pm. Vote me with the rabble who want FileZilla to work with as many FTP servers as possible, even if they *do* have bad ideas and contemptible tendencies. ... And I gave guys $20 in *2005*! ... I mean this "it's the server's fault" -- it is literally embarrassing. So make it an option;

[x] Allow dangerous security flaws so you can ftp to at&t and other despicable servers

-- best wishes

j.g. owen

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: Discussion topic: It's the server's fault!

#112 Post by boco » 2009-06-15 23:43

jgowen wrote: Allow dangerous security flaws so you can ftp to at&t and other despicable servers
So you actually trust such servers?

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#113 Post by botg » 2009-06-16 06:58

Guess why spammers, scammers and phishers still make profit. And all those Nigerian exile kings and bank managers, filthy rich I tell you.

ThinkOutSideTheBox
500 Command not understood
Posts: 2
Joined: 2009-06-17 16:19
First name: Mike
Last name: Yekim

Re: Discussion topic: It's the server's fault!

#114 Post by ThinkOutSideTheBox » 2009-06-17 16:54

botg... I have to agree with you as a developer myself. In my case, 3.2 isn't working anymore. The FTP Server is owned and maintained by Oracle.. believe or not... I told my administrator, who told me that Oracle told us to use 3.0.1 and not to upgrade. I SO laughed at the fact that a company so large and a company that hosts clients' very valuable data would actually not care to solve this problem!

But- I truly believe your stern replies about not changing the code are valid. But, (hear me out) if a hosting server is out of a user's ability to get them to upgrade.. Does the user downgrade just to use the unpatched client version to connect to an unpatched server? Or should the user keep using a more secure client version for the rest of the world's 'patched' servers AND be spammed with a msg that reads along the lines of 'by the way this server u are connecting to isn't secure, want to continue' as an option so these users of this situation don't sacrifice every other ftp connect. See my point. I'm with you, to put it in other words... As developers, we identify a bug/flaw we fix that flaw, we don't let 'users' tell us not to patch... it's in our blood not to allow the users to do stupid things.. that's why there's databases hooked up with validation forms, and not notepads where clients used to write down stuff lol. We always want to fix human error... So I really think you should re-consider. Adding this code (however you like, a msg what have you) is the best solution. Here's why - I'm sure if Oracle gets a ton of complaints from their clients about this, they will upgrade.. and see this will/could be a 'pro-active' choice/solution on your behalf. You are forcing clients that ended up upgrading and running into this issue - to be aware of the security vulnerabilities and getting them to be pro-active to tell/demand their hosts to upgrade :D Without a notification or what have you, clients just like my 'admin' would believe their host's replies about 'oh just stick with 3.0.1 - plz don't upgrade it's not compatible' Instead your msg would tell the users of the client DIRECTLY, no bs'n from the host! :D Hope my point isn't retarded but... just trying to not have to downgrade and listen to the bs oracle is feeding.. in my gut I believe you and this forum..
and well it's easier to back this proof up with a msg that constantly pops up when you're demoing this issue to your host ;)

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: Discussion topic: It's the server's fault!

#115 Post by boco » 2009-06-18 02:50

ThinkOutSideTheBox wrote: botg... I have to agree with you as a developer myself. In my case, 3.2 isn't working anymore. The FTP Server is owned and maintained by Oracle.. believe or not... I told my administrator, who told me that Oracle told us to use 3.0.1 and not to upgrade. I SO laughed at the fact that a company so large and a company that hosts clients' very valuable data would actually not care to solve this problem!

But- I truly believe your stern replies about not changing the code are valid. But, (hear me out) if a hosting server is out of a user's ability to get them to upgrade.. Does the user downgrade just to use the unpatched client version to connect to an unpatched server? Or should the user keep using a more secure client version for the rest of the world's 'patched' servers AND be spammed with a msg that reads along the lines of 'by the way this server u are connecting to isn't secure, want to continue' as an option so these users of this situation don't sacrifice every other ftp connect. See my point. I'm with you, to put it in other words... As developers, we identify a bug/flaw we fix that flaw, we don't let 'users' tell us not to patch... it's in our blood not to allow the users to do stupid things.. that's why there's databases hooked up with validation forms, and not notepads where clients used to write down stuff lol. We always want to fix human error... So I really think you should re-consider. Adding this code (however you like, a msg what have you) is the best solution. Here's why - I'm sure if Oracle gets a ton of complaints from their clients about this, they will upgrade.. and see this will/could be a 'pro-active' choice/solution on your behalf. You are forcing clients that ended up upgrading and running into this issue - to be aware of the security vulnerabilities and getting them to be pro-active to tell/demand their hosts to upgrade :D Without a notification or what have you, clients just like my 'admin' would believe their host's replies about 'oh just stick with 3.0.1 - plz don't upgrade it's not compatible' Instead your msg would tell the users of the client DIRECTLY, no bs'n from the host! :D Hope my point isn't retarded but... just trying to not have to downgrade and listen to the bs oracle is feeding.. in my gut I believe you and this forum..
and well it's easier to back this proof up with a msg that constantly pops up when you're demoing this issue to your host ;)
100% ACK.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#116 Post by botg » 2009-06-18 12:46

Oracle? Isn't that the irresponsible company sitting on fixes for known vulnerabilities for months so that they can then be released on the next patch day?

I think you need to wait until the bi-centuryly patch day before their server admins install a proper server.

ThinkOutSideTheBox
500 Command not understood
Posts: 2
Joined: 2009-06-17 16:19
First name: Mike
Last name: Yekim

Re: Discussion topic: It's the server's fault!

#117 Post by ThinkOutSideTheBox » 2009-06-18 15:53

Yeah I think everyone here is finally finding that out about Oracle...

Just another thought, how about- Instead of allowing 3.2 client users to connect... you continue to stand your ground about not implementing the option ;), and rather you just output a non-generic error msg about the reason it's not allowed to connect.. So I can prove to my admin and f'n oracle to patch their crap and stop feeding us bs. :D

Watcha think? Do-able?

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#118 Post by botg » 2009-06-18 16:12

A very clear message is already written in the message log: "Server did not properly shut down TLS connection"

Or do you mean adding <blink> and <marquee> tags?

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: Discussion topic: It's the server's fault!

#119 Post by boco » 2009-06-19 05:58

Add a Blue Screen Of Death. :mrgreen:

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#120 Post by botg » 2009-06-19 06:40

And release the magic blue smoke.

Locked