Discussion topic: It's the server's fault!

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#61 Post by botg » 2008-09-17 14:29

> Really, many many thanks filezilla...

You're welcome.

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#62 Post by botg » 2008-09-17 20:07

ProFTPD 3.1.2rc2 is out.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Discussion topic: It's the server's fault!

#63 Post by da chicken » 2008-09-17 21:11

nicofr wrote:
> Thanks Filezilla !!!
> All my customers who have upgraded their release of filezilla are now completely blocked ! My FTP server is a production server and I can not upgrade it for the moment.
>
> Really, many many thanks filezilla...
>
> :evil: :x

Your production server has an outstanding security flaw.

clvrmonkey
500 Command not understood
Posts: 1
Joined: 2008-09-23 19:50

Re: Discussion topic: It's the server's fault!

#64 Post by clvrmonkey » 2008-09-23 20:07

This is really amazing. I've worked in IT/IS for over 10 years now, and whenever possible recommend open source solutions. The same question comes up every time - what happens if something goes wrong? How do we get it fixed? Not to worry, I say! Open source developers are always quick to find a solution to any problem! Apparently I was wrong. Not only is a solution not forthcoming, the snippy and infantile responses make me have serious doubts about this product.

So what do I do now? Well, let's go over the options presented:

1) Make my "host" fix their ftp server - My host is a unique financial services company that deals with financial services, not technology services. They have an ftp server. It works for everyone else. Taking my business elsewhere is not really an option. It's not a matter of switching ISPs. You do realize there are servers out there that are not hosted by ISPs, right?

2) Fork the code and fix it myself - Easier to find a different client.

3) Use an earlier version - I suppose that's possible. I guess I would need to compare the features of the earlier version to the features of other ftp clients as well as consider all the other new features that client x may be considering, since it appears I'll never be able to use FileZilla to conduct business.

4) Pick a different client - This really seems to make the most sense.

I imagine the response will be something along the lines of "fine, I don't need you anyway," which is true. I don't need you either. My recommendation to others living in the real world and experiencing this problem would be to find another solution.

boco
Contributor
Posts: 26935
Joined: 2006-05-01 03:28
Location: Germany

Re: Discussion topic: It's the server's fault!

#65 Post by boco » 2008-09-23 22:18

But even that company MUST have an administrator maintaining the server. I think they will be very interested to learn that their server has a security problem. Any attack could affect their business, so they will most likely look into the problem and try to fix it. Or at least I hope so.

Setting up an FTP server and not updating/maintaining it is ignorant at best; such an administrator should be fired immediately.

No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

djrose2
500 Command not understood
Posts: 2
Joined: 2008-09-10 15:14
First name: Daniel
Last name: Rose

Re: Discussion topic: It's the server's fault!

#66 Post by djrose2 » 2008-09-24 02:59

boco wrote:
> But even that company MUST have an administrator maintaining the server. I think they will be very interested to learn that their server has a security problem. Any attack could affect their business, so they will most likely look into the problem and try to fix it.

Would anyone know how to contact the administrator of the AT&T Worldnet Personal Web Page servers at upload.att.net? Worldnet has stopped both its E-mail and help-newsgroup support. FileZilla was the only still free program I could find that provided the explicit TLS connections these servers needed. For now, I am using version 3.0.11.1.

Thank you.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Discussion topic: It's the server's fault!

#67 Post by da chicken » 2008-09-24 04:17

Try the number on your service bill.

iluminat23
500 Command not understood
Posts: 1
Joined: 2008-02-27 17:09
First name: Philipp
Last name: Rosenberger

Re: Discussion topic: It's the server's fault!

#68 Post by iluminat23 » 2008-09-25 21:01

Hi,

For users of proftpd, you can find the patch for 1.3.1 here: http://bugs.proftpd.org/attachment.cgi? ... ction=view

I found it on the proftpd bugzilla here: http://bugs.proftpd.org/show_bug.cgi?id=3094

If your distributor does not include this patch you can patch it yourself or send them those links, then it would be easy to fix it for them.

I tested this patch here on my Gentoo box with proftpd-1.3.1 and it works well.

kind regards,

iluminat23

Lockness
500 Command not understood
Posts: 1
Joined: 2008-08-22 14:56
First name: Jeff
Last name: Lock

Re: Discussion topic: It's the server's fault!

#69 Post by Lockness » 2008-09-25 22:32

ECONNABORTED error appears on versions 3.0.13 not 3.0.11
I tested this 20 minutes ago on 3.0.11 and my files appear, upgraded to 3.0.13 with the same settings and received:
Command: LIST
Response: 125 List started OK
Status: Server did not properly shut down TLS connection
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
Response: 250 List completed successfully.
Error: Failed to retrieve directory listing

I have noticed this since version 3.0.12 came out.

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#70 Post by botg » 2008-09-26 06:38

You sir, have a broken server! You have to upgrade to a better one.

alliZ
500 Command not understood
Posts: 3
Joined: 2008-09-28 13:51
First name: Hover
Last name: Down

Re: Discussion topic: It's the server's fault!

#71 Post by alliZ » 2008-09-28 14:34

I have a few sites, running on different servers, with the same web host. I've hit this ECONNABORTED - Connection aborted snafu on some, while others seem fine. Running v3.1.3.

Here's a debug listing of 1.) successful FTPS transaction; 2.) failed FTPS transaction:

( '<------------' indicates where differences begin)

SUCCESSFUL

Code:

08:36:55	Status:	Disconnected from server
08:36:55	Trace:	CFtpControlSocket::ResetOperation(66)
08:36:55	Trace:	CControlSocket::ResetOperation(66)
08:36:55	Status:	Resolving address of ftp.anothersite.com
08:36:56	Status:	Connecting to xxx.xxx.232.2:990...
08:36:56	Status:	Connection established, initializing TLS...
08:36:56	Trace:	CTlsSocket::Handshake()
08:36:56	Trace:	CTlsSocket::Handshake()
08:36:56	Trace:	CTlsSocket::Handshake()
08:36:56	Trace:	CTlsSocket::Handshake()
08:36:56	Trace:	Handshake successful
08:36:56	Trace:	Cipher: AES-128-CBC, MAC: SHA1
08:36:56	Status:	Verifying certificate...
08:36:56	Trace:	CFtpControlSocket::SendNextCommand()
08:36:56	Status:	TLS/SSL connection established, waiting for welcome message...
08:36:56	Trace:	CFtpControlSocket::OnReceive()
08:36:56	Response:	220 SurgeFTP xxx.xxx.232.2 (Version 2.3a3)
08:36:56	Trace:	CFtpControlSocket::SendNextCommand()
08:36:56	Command:	USER myusername
08:36:56	Trace:	CFtpControlSocket::OnReceive()
08:36:56	Response:	331 Password required for myusername.
08:36:56	Trace:	CFtpControlSocket::SendNextCommand()
08:36:56	Command:	PASS **********
08:36:56	Trace:	CFtpControlSocket::OnReceive()
08:36:56	Response:	230 User myusername logged in.
08:36:56	Trace:	CFtpControlSocket::SendNextCommand()
08:36:56	Command:	PBSZ 0
08:36:57	Trace:	CFtpControlSocket::OnReceive()
08:36:57	Response:	200 Great whatever you say
08:36:57	Trace:	CFtpControlSocket::SendNextCommand()
08:36:57	Command:	PROT P
08:36:57	Trace:	CFtpControlSocket::OnReceive()
08:36:57	Response:	200 Data channel will be encrypted
08:36:57	Status:	Connected
08:36:57	Trace:	CFtpControlSocket::ResetOperation(0)
08:36:57	Trace:	CControlSocket::ResetOperation(0)
08:36:57	Status:	Retrieving directory listing...
08:36:57	Trace:	CFtpControlSocket::SendNextCommand()
08:36:57	Trace:	CFtpControlSocket::ChangeDirSend()
08:36:57	Command:	PWD
08:36:57	Trace:	CFtpControlSocket::OnReceive()
08:36:57	Response:	257 "\" is current directory.
08:36:57	Trace:	CFtpControlSocket::ResetOperation(0)
08:36:57	Trace:	CControlSocket::ResetOperation(0)
08:36:57	Trace:	CFtpControlSocket::ParseSubcommandResult(0)
08:36:57	Trace:	CFtpControlSocket::ListSubcommandResult() <------------
08:36:57	Trace:	CFtpControlSocket::ResetOperation(0)
08:36:57	Trace:	CControlSocket::ResetOperation(0)
08:36:57	Status:	Directory listing successful

FAILED

Code:

08:37:56	Status:	Disconnected from server
08:37:56	Trace:	CFtpControlSocket::ResetOperation(66)
08:37:56	Trace:	CControlSocket::ResetOperation(66)
08:37:56	Status:	Resolving address of ftp.example.com
08:37:56	Status:	Connecting to xxx.xxx.83:990...
08:37:56	Status:	Connection established, initializing TLS...
08:37:56	Trace:	CTlsSocket::Handshake()
08:37:56	Trace:	CTlsSocket::Handshake()
08:37:56	Trace:	CTlsSocket::Handshake()
08:37:56	Trace:	CTlsSocket::Handshake()
08:37:56	Trace:	Handshake successful
08:37:56	Trace:	Cipher: AES-128-CBC, MAC: SHA1
08:37:56	Status:	Verifying certificate...
08:37:56	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Status:	TLS/SSL connection established, waiting for welcome message...
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	220 SurgeFTP xxx.xxx.217.83 (Version 2.3a3)
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Command:	USER myusername
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	331 Password required for myusername.
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Command:	PASS ***********
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	230 User myusername logged in.
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Command:	PBSZ 0
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	200 Great whatever you say
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Command:	PROT P
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	200 Data channel will be encrypted
08:37:57	Status:	Connected
08:37:57	Trace:	CFtpControlSocket::ResetOperation(0)
08:37:57	Trace:	CControlSocket::ResetOperation(0)
08:37:57	Status:	Retrieving directory listing...
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Trace:	CFtpControlSocket::ChangeDirSend()
08:37:57	Command:	PWD
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	257 "/" is current directory.
08:37:57	Trace:	CFtpControlSocket::ResetOperation(0)
08:37:57	Trace:	CControlSocket::ResetOperation(0)
08:37:57	Trace:	CFtpControlSocket::ParseSubcommandResult(0)
08:37:57	Trace:	CFtpControlSocket::ListSubcommandResult() <------------
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Trace:	CFtpControlSocket::TransferSend()
08:37:57	Command:	TYPE I
08:37:57	Trace:	CFtpControlSocket::OnReceive()
08:37:57	Response:	200 Type set to I
08:37:57	Trace:	CFtpControlSocket::TransferParseResponse()
08:37:57	Trace:	CFtpControlSocket::SendNextCommand()
08:37:57	Trace:	CFtpControlSocket::TransferSend()
08:37:57	Command:	PASV
08:37:58	Trace:	CFtpControlSocket::OnReceive()
08:37:58	Response:	227 Entering Passive Mode (xxx,xxx,217,83,82,22).
08:37:58	Trace:	CFtpControlSocket::TransferParseResponse()
08:37:58	Trace:	CFtpControlSocket::SendNextCommand()
08:37:58	Trace:	CFtpControlSocket::TransferSend()
08:37:58	Command:	LIST
08:37:58	Trace:	CTransferSocket::OnConnect
08:37:58	Trace:	CTlsSocket::Handshake()
08:37:58	Trace:	CTlsSocket::Handshake()
08:37:58	Trace:	CFtpControlSocket::OnReceive()
08:37:58	Response:	150 Opening BINARY connection for \
08:37:58	Trace:	CFtpControlSocket::TransferParseResponse()
08:37:58	Trace:	CFtpControlSocket::SendNextCommand()
08:37:58	Trace:	CFtpControlSocket::TransferSend()
08:37:58	Trace:	CTlsSocket::Handshake()
08:37:58	Trace:	CTlsSocket::Handshake()
08:37:58	Trace:	Handshake successful
08:37:58	Trace:	Cipher: AES-128-CBC, MAC: SHA1
08:37:58	Trace:	CTransferSocket::OnConnect
08:37:58	Listing:	11-21-03  10:34AM                11514 xxxxx.gif
08:37:58	Listing:	04-14-06  07:27PM       <DIR>          XXXXX
08:37:58	Listing:	03-30-04  05:38PM              1506257 xxxxx.JPG
08:37:58	Listing:	03-30-04  05:38PM              1504449 xxxxx.JPG
08:37:58	Listing:	03-30-04  05:38PM              1409854 xxxxx.JPG
08:37:58	Listing:	11-19-01  08:52PM                 2639 xxxxx.asp
08:37:58	Listing:	05-11-01  07:36AM                  240 xxxxx.ASP
08:37:58	Listing:	05-02-07  07:21AM                 3109 xxxxx.asp
08:37:58	Listing:	01-26-02  05:52PM                34834 xxxxx.asp
08:37:58	Listing:	05-11-06  10:02AM                21432 xxxxx.asp
08:37:58	Listing:	09-29-06  01:19PM                21432 xxxxx.asp
08:37:58	Listing:	02-24-02  05:29PM                 1051 xxxxx.ASPX
08:37:58	Listing:	03-31-04  07:55AM                 2159 xxxxx.aspx
08:37:58	Listing:	05-21-04  07:28PM                71676 xxxxx.gif
08:37:58	Listing:	03-04-00  12:35PM                 5413 xxxxx.gif
08:37:58	Listing:	09-04-01  01:05PM                 1981 xxxxx.ASP
08:37:58	Listing:	06-26-02  05:37AM                 3580 xxxxx.asp
08:37:58	Listing:	05-11-01  07:44AM                 1778 xxxxx.ASP
08:37:58	Listing:	03-14-00  05:32PM                 6481 xxxxx.gif
08:37:58	Listing:	04-14-06  07:31PM       <DIR>          XXXXX
08:37:58	Listing:	12-16-99  06:50AM                  436 xxxxx.asp
08:37:58	Listing:	04-14-06  07:31PM       <DIR>          XXXXX
08:37:58	Listing:	07-17-08  10:21AM                 1959 xxxxx.asp
08:37:58	Listing:	12-20-99  06:58PM                 1057 xxxxx.asp

<snip - removed mucho listings>

08:37:59	Listing:	02-03-08  05:42AM                  179 xxxxx.php
08:37:59	Trace:	CTlsSocket::OnSocketEvent(): pending data, postponing close event
08:37:59	Trace:	CFtpControlSocket::OnReceive()
08:37:59	Response:	226 Transfer complete. 
08:37:59	Trace:	CFtpControlSocket::TransferParseResponse()
08:37:59	Trace:	CFtpControlSocket::SendNextCommand()
08:37:59	Trace:	CFtpControlSocket::TransferSend()
08:37:59	Trace:	CTlsSocket::OnSocketEvent(): pending data, postponing close event
08:37:59	Trace:	CTlsSocket::OnSocketEvent(): pending data, postponing close event
08:37:59	Listing:	09-06-01  06:09AM                 1159 xxxxx.asp
08:37:59	Listing:	12-15-99  01:15PM                 2506 xxxxx.html
08:37:59	Listing:	07-30-01  10:17AM                55953 xxxxx.jpg
08:37:59	Listing:	09-06-01  06:11AM                  272 xxxxx.txt
08:37:59	Listing:	12-19-99  04:59PM                  117 xxxxx.txt
08:37:59	Listing:	09-17-08  12:38PM       <DIR>          xxxxx
08:37:59	Listing:	02-13-01  05:32PM                16023 xxxxx.cfm
08:37:59	Listing:	10-04-01  07:04PM                 6315 xxxxx.gif

<snip - removed mucho listings>

08:37:59	Listing:	10-17-06  01:17PM                40368 xxxxx.gif
08:37:59	Trace:	GnuTLS error -9: A TLS packet with unexpected length was received.
08:37:59	Status:	Server did not properly shut down TLS connection
08:37:59	Error:	Could not read from transfer socket: ECONNABORTED - Connection aborted
08:37:59	Trace:	CTransferSocket::TransferEnd(3)
08:37:59	Trace:	CFtpControlSocket::TransferEnd()
08:37:59	Trace:	CFtpControlSocket::ResetOperation(2)
08:37:59	Trace:	CControlSocket::ResetOperation(2)
08:37:59	Trace:	CFtpControlSocket::ParseSubcommandResult(2)
08:37:59	Trace:	CFtpControlSocket::ListSubcommandResult()
08:37:59	Trace:	CFtpControlSocket::ResetOperation(2)
08:37:59	Trace:	CControlSocket::ResetOperation(2)
08:37:59	Error:	Failed to retrieve directory listing

Hoping these may assist - somehow.

botg
Site Admin
Posts: 35563
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Discussion topic: It's the server's fault!

#72 Post by botg » 2008-09-28 15:40

> Hoping these may assist - somehow.

YOU NEED TO UPGRADE TO A BETTER SERVER.

alliZ
500 Command not understood
Posts: 3
Joined: 2008-09-28 13:51
First name: Hover
Last name: Down

Re: Discussion topic: It's the server's fault!

#73 Post by alliZ » 2008-09-29 13:13

> YOU NEED TO UPGRADE TO A BETTER SERVER.

??
Your solution makes no sense and doesn't seem helpful.

Perhaps you meant YOUR FTP SERVER SOFTWARE (SurgeFTP in this case) needs adjusting or upgrading, but not needing an UPGRADE TO A BETTER SERVER!?!?

SurgeFTP
http://www.netwinsite.com/surgeftp/


So, what to do?? Adjust config, ditch this software in favor of something else, or .. BETTER SERVER?? Thanks,

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Discussion topic: It's the server's fault!

#74 Post by da chicken » 2008-09-29 23:47

The software that runs a network service is called a daemon, a service, or a server. This is in addition to the physical hardware being called a server. Yes, same term with two meanings. Remarkably common in English. Context makes it obvious most of the time. Here, he means "upgrade your ftp daemon".

Send a bug report to SurgeFTP. Tell them the exact problem being caused. Give them links to this thread.

The issue here is that there are two RFCs that describe two distinct methods of closing the TLS connection depending on how the TLS connection was established. The first post in this thread has a nice quote from the ProFTPd developers list that describes the problem well. Many servers were doing it only one way. Vsftpd and ProFTPd had to be fixed. So did FileZilla Server. The fact that so many servers not related to FileZilla have issued updates suggests that botg's interpretation of the RFC spec here is the correct one. Otherwise, some developer would have successfully argued against it.
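
The log pattern discussed in this thread, as an added example that is not part of any post or of FileZilla's code: a small Python audit that reads client log lines in the layout posted above and flags transfers where the control channel reported success but the data channel ended without a proper TLS shutdown. The sample log is constructed, and the function names, verdict labels and the set of transfer commands are assumptions of this example.

```python
import re

# Constructed sample in the client log layout posted in this thread
# (time, tab, category, tab, message); file names are made up.
SAMPLE_LOG = """\
08:37:58\tCommand:\tLIST
08:37:58\tResponse:\t150 Opening BINARY connection for /
08:37:58\tListing:\t11-21-03  10:34AM  11514 a.gif
08:37:59\tResponse:\t226 Transfer complete.
08:37:59\tStatus:\tServer did not properly shut down TLS connection
08:37:59\tError:\tFailed to retrieve directory listing
08:40:01\tCommand:\tLIST
08:40:01\tResponse:\t150 Opening BINARY connection for /
08:40:01\tListing:\t11-21-03  10:34AM  11514 a.gif
08:40:02\tResponse:\t226 Transfer complete.
08:40:02\tStatus:\tDirectory listing successful
"""

# Timestamp is optional so logs pasted without times also parse.
LINE = re.compile(r"^(?:(\d\d:\d\d:\d\d)\s+)?(\w+):\s+(.*)$")
TRANSFER_CMDS = {"LIST", "MLSD", "NLST", "RETR", "STOR", "APPE"}  # assumed set
UNCLEAN = "Server did not properly shut down TLS connection"

def verdict(t):
    ok_reply = t["reply"] is not None and 200 <= t["reply"] < 300
    if t["clean_tls_close"]:
        return "ok" if ok_reply else "failed"
    # The control channel may still say 226/250, but without a TLS closure
    # alert the client cannot tell end-of-data from a cut connection.
    return "unauthenticated-eof" if ok_reply else "aborted"

def audit_transfers(log_text):
    """Return one dict per data transfer found in a client log."""
    transfers, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, kind, msg = m.groups()
        if kind == "Command":
            if cur:
                transfers.append(cur)
            verb = msg.split(" ", 1)[0].upper()
            cur = ({"time": when, "command": msg, "reply": None,
                    "data_lines": 0, "clean_tls_close": True}
                   if verb in TRANSFER_CMDS else None)
        elif cur is None:
            continue
        elif kind == "Response" and msg[:3].isdigit() and msg[0] != "1":
            cur["reply"] = int(msg[:3])  # final reply; 1xx is preliminary
        elif kind == "Listing":
            cur["data_lines"] += 1
        elif kind == "Status" and UNCLEAN in msg:
            cur["clean_tls_close"] = False
    if cur:
        transfers.append(cur)
    for t in transfers:
        t["verdict"] = verdict(t)
    return transfers
```

Run over logs collected from several hosts, the `unauthenticated-eof` verdict picks out the servers to report to their vendor or administrator.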

boco
Contributor
Posts: 26935
Joined: 2006-05-01 03:28
Location: Germany

Re: Discussion topic: It's the server's fault!

#75 Post by boco » 2008-09-29 23:54

Status: Server did not properly shut down TLS connection = Security flaw on the FTP server = The server needs to be fixed and upgraded.

botg cannot fix FileZilla Client because FileZilla Client is not broken. It's just strictly enforcing the RFC which states the connection MUST be shut down properly by the server.