GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#1 Post by Claudiu » 2019-01-23 17:53

My issue is related to the latest version 3.40.0-rc2 for Windows 64bit. Version 3.39 is working perfectly, https://ftptest.net/ shows no errors.

I own a Fedora 29 server with pure-ftpd-1.0.47, openssl-1.1.1a, gnutls-3.6.5. Trying to connect with Windows client 3.40 I get this error:
GnuTLS error -110: The TLS connection was non-properly terminated.
I have downgraded to 3.39 and it's working perfectly, again. I never had this issue before.

#2 Post by botg » 2019-01-23 18:35

If you click the lock icon in the status bar of FileZilla it'll display the used cryptographic algorithms. What is shown in both 3.39 and 3.40.0-rc2?

#3 Post by Claudiu » 2019-01-23 18:57

Ahh, the icon is there only with version 3.39 when I'm successfully connected.

Public algorithm RSA with 2048 bits
Signature algorithm RSA-SHA256

Protocol TLS1.2 Cypher CHACHA20-POLY1305
Key exchange ECDHE-RSA
Last edited by Claudiu on 2019-01-23 19:13, edited 1 time in total.

#4 Post by Claudiu » 2019-01-23 19:01

From server logs, on successful connection with version 3.39 I have these.

Jan 23 20:58:49 serv.com pure-ftpd[8726]: (?@1.1.111.1) [INFO] userx is now logged in
Jan 23 20:58:51 serv.com pure-ftpd[8726]: (userx@1.1.111.1) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305, 256 secret bits cipher

#5 Post by botg » 2019-01-23 19:09


#6 Post by Claudiu » 2019-01-23 19:17

Yes, I saw it. With version 3.40 the icon disappears after the "Could not connect to server" message. But I was able to get the data.

The same algorithms, but

Protocol TLS1.3 Cipher: AES-256-GCM

Key exchange similar to 3.39 data.

#7 Post by Claudiu » 2019-01-23 19:47

I found this thread with users dealing with the same issue
https://github.com/jedisct1/pure-ftpd/issues/99

Is it possible to add a patch to run on TLS v1.2 if v1.3 is not enabled or is not working correctly?

#8 Post by botg » 2019-01-23 21:37

It's a bug in pure-ftpd.

I don't do workarounds if security is involved, the only way to fix this is to update pure-ftpd.

#9 Post by Claudiu » 2019-01-23 21:43

TLS v1.2 is still very secure, I don't understand why you dropped it completely and rely only on TLSv1.3 at the risk of creating compatibility issues.

#10 Post by botg » 2019-01-23 23:19

TLS 1.2 hasn't been dropped, it is still fully supported.

The version that is used is always the highest supported by both the client and the server. Using a lower version than supported by both isn't possible as that can and will be exploited in downgrade attacks.

If pure-ftpd advertises TLS 1.3 support but doesn't implement it correctly, then pure-ftpd needs to be fixed. It's this simple.

#11 Post by Claudiu » 2019-01-24 05:59

My pure-ftpd server (latest official version 1.0.47) is not compiled with TLSv1.3.

| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A



So, if v1.3 is not supported by the server, why is the client trying to connect on this version? In my case, TLSv1.3 is not supported by both client and server, as you said, it is only supported by FileZilla. This is a FileZilla bug trying to connect using an unsupported server protocol!

#12 Post by botg » 2019-01-24 08:44

How did you generate that list of ciphers? Does the tool generating this list support TLS 1.3?

"So, if v1.3 is not supported by the server, why the client is trying to connect on this version?"

Because the server says it supports it.

#13 Post by Claudiu » 2019-01-24 11:22

I'm using nmap
nmap --script ssl-cert,ssl-enum-ciphers -p 21 localhost

This is the complete output and TLSv1.3 is not in the list.

PORT STATE SERVICE
21/tcp open ftp
| ssl-cert: Subject: commonName=censored/organizationName=censored/stateOrProvinceName=censored/countryName=US
| Subject Alternative Name: DNS:censored
| Issuer: commonName=censored/organizationName=censored/stateOrProvinceName=censored/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-31T12:48:11
| Not valid after: 2029-02-17T05:28:11
| MD5: f7ea febb bdbf 652d cdff 6fed xxxx xxxx
|_SHA-1: b9f2 db86 fbe6 ce38 6a00 d776 b066 8d24 xxxx xxxx
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

#14 Post by botg » 2019-01-24 12:03

That nmap script simply isn't aware of TLS 1.3, that's why it doesn't show it in its output.
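
Added example, not part of the original thread and not FileZilla or pure-ftpd code: a ServerHello parser showing the wire details behind posts #10 and #14. In TLS 1.3 the legacy version field still reads TLS 1.2 and the real version sits in the supported_versions extension, while a TLS 1.3-capable server that negotiates TLS 1.2 marks its random with the RFC 8446 downgrade sentinel. The helper `build_server_hello` and both sample records are constructed for illustration.

```python
import struct

VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
SUPPORTED_VERSIONS = 43   # extension type, RFC 8446 section 4.2.1
SENTINEL = b"DOWNGRD"     # RFC 8446 section 4.1.3, followed by 0x01 or 0x00

def parse_server_hello(record: bytes) -> dict:
    """Return negotiated version and downgrade marker from one TLS record."""
    rtype, _, rlen = struct.unpack("!BHH", record[:5])
    if rtype != 0x16 or len(record) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = struct.unpack("!H", body[:2])[0]
    random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                      # skip session_id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                  # cipher suite (2) + compression (1)
    selected = legacy                         # pre-1.3: the legacy field is the version
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == SUPPORTED_VERSIONS and elen == 2:
                selected = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return {
        "legacy_version": VERSIONS.get(legacy, hex(legacy)),
        "negotiated": VERSIONS.get(selected, hex(selected)),
        "cipher_suite": hex(suite),
        "downgrade_marker": random[24:31] == SENTINEL,
    }

def build_server_hello(random: bytes, suite: int, extensions: bytes = b"") -> bytes:
    """Hypothetical helper: build a minimal ServerHello record as sample input."""
    body = b"\x03\x03" + random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples, not captured from the servers in this thread.
TLS13_HELLO = build_server_hello(bytes(32), 0x1302, struct.pack("!HHH", 43, 2, 0x0304))
TLS12_HELLO = build_server_hello(bytes(24) + SENTINEL + b"\x01", 0xCCA8)
```

A client that offered TLS 1.3 and receives a TLS 1.2 ServerHello carrying the marker aborts the handshake, which is the protection against the forced downgrade described in post #10.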

#15 Post by Claudiu » 2019-01-25 10:08

Thank you for your advice! I have installed the git version of pure-ftpd and I can confirm that the issue is solved and now I can connect correctly.
