GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
- 504 Command not implemented
- Posts: 11
- Joined: 2019-01-23 17:37
- First name: Mr
- Last name: Cla
GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
My issue is related to the latest version 3.40.0-rc2 for Windows 64bit. Version 3.39 is working perfectly, https://ftptest.net/ shows no errors.
I own a Fedora 29 server with pure-ftpd-1.0.47, openssl-1.1.1a, gnutls-3.6.5. Trying to connect with Windows client 3.40 I get this error:
GnuTLS error -110: The TLS connection was non-properly terminated.
I have downgraded to 3.39 and it's working perfectly, again. I never had this issue before.
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
If you click the lock icon in the status bar of FileZilla it'll display the used cryptographic algorithms. What is shown in both 3.39 and 30.40.0-rc2?
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
Ahh, the icon is there only with version 3.39 when I'm successfully connected.
Public algorithm RSA with 2048 bits
Signature algorithm RSA-SHA256
Protocol TLS1.2 Cipher CHACHA20-POLY1305
Key exchange ECDHE-RSA
Last edited by Claudiu on 2019-01-23 19:13, edited 1 time in total.
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
From server logs, on successful connection with version 3.39 I have these.
Jan 23 20:58:49 serv.com pure-ftpd[8726]: (?@1.1.111.1) [INFO] userx is now logged in
Jan 23 20:58:51 serv.com pure-ftpd[8726]: (userx@1.1.111.1) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305, 256 secret bits cipher
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
Yes, I saw it. With version 3.40 the icon disappears after the "Could not connect to server" message. But I was able to get the data:
The same algorithms, but
Protocol TLS1.3 Cipher: AES-256-GCM
Key exchange similar to 3.39 data,
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
I found this thread with users dealing with the same issue
https://github.com/jedisct1/pure-ftpd/issues/99
Is it possible to add a patch to run on TLS v1.2, if v1.3 is not enabled or it's not working correctly?
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
It's a bug in pure-ftpd.
I don't do workarounds if security is involved, the only way to fix this is to update pure-ftpd.
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
TLS v1.2 is still very secure, I don't understand why you dropped it completely and rely only on TLSv1.3 with the risk to create compatibility issues.
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
TLS 1.2 hasn't been dropped, it is still fully supported.
The version that is used is always the highest supported by both the client and the server. Using a lower version than supported by both isn't possible as that can and will be exploited in downgrade attacks.
If pure-ftpd advertises TLS 1.3 support but doesn't implement it correctly, then pure-ftpd needs to be fixed. It's this simple.
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
My pure-ftpd server (latest official version 1.0.47) is not compiled with TLSv1.3.
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
So, if v1.3 is not supported by the server, why is the client trying to connect on this version? In my case, TLSv1.3 is not supported by both client and server, as you said, it is only supported by FileZilla. This is a FileZilla bug trying to connect using an unsupported server protocol!
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
How did you generate that list of ciphers? Does the tool generating this list support TLS 1.3?
"So, if v1.3 is not supported by the server, why is the client trying to connect on this version?"
Because the server says it supports it.
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
I'm using nmap
nmap --script ssl-cert,ssl-enum-ciphers -p 21 localhost
This is the complete output and TLSv1.3 is not in the list.
PORT STATE SERVICE
21/tcp open ftp
| ssl-cert: Subject: commonName=censored/organizationName=censored/stateOrProvinceName=censored/countryName=US
| Subject Alternative Name: DNS:censored
| Issuer: commonName=censored/organizationName=censored/stateOrProvinceName=censored/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-12-31T12:48:11
| Not valid after: 2029-02-17T05:28:11
| MD5: f7ea febb bdbf 652d cdff 6fed xxxx xxxx
|_SHA-1: b9f2 db86 fbe6 ce38 6a00 d776 b066 8d24 xxxx xxxx
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
That nmap script simply isn't aware of TLS 1.3, that's why it doesn't show it in its output.
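A scanner that predates TLS 1.3 cannot report it, so the check has to come from a client that speaks TLS 1.3 itself. The following is an added example, not part of the thread and not FileZilla or pure-ftpd code: it probes an explicit-FTPS server once per pinned protocol version. The host name is a placeholder, and certificate verification is disabled on the assumption that this is a handshake probe of your own server that sends no credentials.

```python
import socket
import ssl

# Versions to pin, one handshake each (TLS 1.3 needs OpenSSL 1.1.1 or newer).
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # assumption: handshake probe only,
    ctx.verify_mode = ssl.CERT_NONE  # no credentials or data are sent
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def read_reply(sock):
    """Read one FTP reply; a multi-line reply ends with a 'NNN text' line."""
    buf = b""
    while True:
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("server closed the control connection")
        buf += byte
        if buf.endswith(b"\r\n"):
            last = buf[:-2].split(b"\r\n")[-1]
            if last[:3].isdigit() and last[3:4] == b" ":
                return last.decode("ascii", "replace")

def probe(host, port=21, timeout=10):
    """Return {version name: 'protocol / cipher / reply' or the failure}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                read_reply(sock)                      # 220 greeting
                sock.sendall(b"AUTH TLS\r\n")
                reply = read_reply(sock)
                if not reply.startswith("234"):
                    raise ConnectionError("AUTH TLS refused: " + reply)
                with pinned_context(version).wrap_socket(sock, server_hostname=host) as tls:
                    tls.sendall(b"NOOP\r\n")  # a TLS 1.3 client finishes first, so test one round trip
                    results[name] = f"{tls.version()} / {tls.cipher()[0]} / {read_reply(tls)}"
        except (ssl.SSLError, OSError) as exc:
            results[name] = f"failed: {exc!r}"
    return results

if __name__ == "__main__":
    for name, outcome in probe("ftp.example.invalid").items():  # placeholder host
        print(name, "->", outcome)
```

A failure in the TLSv1.3 row alone, with the TLSv1.2 row succeeding, is the pattern described in this thread.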
Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2
Thank you for your advice! I have installed the git version of pure-ftpd and I can confirm that the issue is solved and now I can connect correctly.