GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
negrusti
500 Command not understood
Posts: 2
Joined: 2019-01-26 11:47
First name: Gregory
Last name: Morozov

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#16 Post by negrusti » 2019-01-26 11:50

This breaks connectivity to all servers with Ubuntu Bionic LTS where pure-ftpd is installed from repo and TLS is enforced. Can TLS1.3 be disabled by setting in FileZilla?

User avatar
botg
Site Admin
Posts: 32070
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#17 Post by botg » 2019-01-26 18:26

No, cannot be disabled. Please contact Ubuntu support for assistance to have their pureftpd package fixed.

sudoranger
500 Syntax error
Posts: 15
Joined: 2019-01-27 06:33
First name: Sudo
Last name: Ranger

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#18 Post by sudoranger » 2019-01-27 06:41

Oh shit, I just updated my FileZilla to 3.40.0 and got this error.

Code: Select all

Status:	Connecting to [HIDDEN]:21...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Command:	USER HIDDEN
Error:	GnuTLS error -110: The TLS connection was non-properly terminated.
Status:	Server did not properly shut down TLS connection
Error:	Could not connect to server
Status:	Waiting to retry...
Status:	Resolving address of HIDDEN
Status:	Connecting to [HIDDEN]:21...
Status:	Connection established, waiting for welcome message...
Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:	220-You are user number 1 of 5 allowed.
Response:	220-Local time is now 14:35. Server port: 21.
Response:	220-This is a private system - No anonymous login
Response:	220 You will be disconnected after 60 minutes of inactivity.
Command:	AUTH TLS
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Command:	USER HIDDEN
Error:	Could not connect to server
I installed and configured pure-ftpd correctly via Ubuntu's official repository (apt install pure-ftpd) and my FTP server was working just fine before I update to this FileZilla version...

Code: Select all

$ systemctl status pure-ftpd
● pure-ftpd.service
   Loaded: loaded (/etc/init.d/pure-ftpd; generated)
   Active: active (running) since Sun 2019-01-27 14:26:10 +08; 12min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1058 ExecStart=/etc/init.d/pure-ftpd start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 1152)
   CGroup: /system.slice/pure-ftpd.service
           └─1091 pure-ftpd (SERVER)
Any workaround other than:

1. Pure-ftpd seems buggy, use other ftp server
2. Report the bug to Ubuntu package maintainers
3. Downgrade FileZilla version

So, how do I fix this "TLS connection was non-properly terminated" and make my server "properly terminate the TLS connection"?

I read the pure-ftpd's GitHub issues conversation and it was rather interesting...

"Filezilla starting with 3.40-rc1 is using TLSv1.3 only, pure-ftpd doesn't have support for TLSv1.3 yet. Let's hope that pure-ftpd is upgraded soon or Filezilla maintainer will add complementary support for TLSv1.2 with the newest version."

From what I understand in this thread, FileZilla isn't going to add a complimentary support for TLSv1.2...

I think, I'll uninstall the OS repo version and compile pure-ftpd from git. They seem to fix this https://github.com/jedisct1/pure-ftpd/c ... 43c3be59ad but not officially release yet.

Edit: ahhh, nevermind that... i'm just too lazy to do manual compiling or wait the official release... i'll change to other ftp server instead..

/thanks

User avatar
botg
Site Admin
Posts: 32070
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#19 Post by botg » 2019-01-27 09:08

"Filezilla starting with 3.40-rc1 is using TLSv1.3 only, pure-ftpd doesn't have support for TLSv1.3 yet. Let's hope that pure-ftpd is upgraded soon or Filezilla maintainer will add complementary support for TLSv1.2 with the newest version."
These are two incorrect statements.

First: FileZilla still supports TLS 1.2 on servers not supporting TLS 1.3.
Second: pure-ftpd supports TLS 1.3, it advertises support for it in the TLS handshake.


It is important to always use the highest TLS version advertised by both the client and the server. Not doing so leads to downgrade attacks where an attacker can manipulate the connection so that an earlier TLS version is used, see POODLE as one example. This can of worms I won't open.

sudoranger
500 Syntax error
Posts: 15
Joined: 2019-01-27 06:33
First name: Sudo
Last name: Ranger

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#20 Post by sudoranger » 2019-01-27 09:27

Thanks for your quick reply.

I understand your concern on having the best security practice which is also the reason why FileZilla still exist over decades and still rocking. Although, I personally think FTP will finally die of natural death like IRC and becomes irrelevant years to come (or I might be wrong). Anyway,

I gave up on pure-ftpd so I tried vsftpd awhile ago. Everything is fine now. I need to study more of its configuration documentation first since I'm totally new.

1. Welcome banner not showing regardless of already uncommented ftpd_banner=XXX
2. Server does not support non-ASCII characters.
3. Sudden disconnect after several seconds?... GnuTLS error -15: An unexpected TLS packet was received.

For the record, all of the above are not related to FileZilla issues but vsftpd misconfiguration and perhaps some users might be able to give me some heads up.

p/s thanks for this 3.40 update, i didn't notice my server was incompetent if not because of this issue... I tried coreftp and winscp clients they all showed the same TLS error earlier on... any more suggestion for ftp server in 2019? most of them were last updated like 2017 :lol:

Damn, there's a lot to study... Aw, I miss the simplicity of pure-ftpd... Long live pure-ftpd, welcome complicated vsftpd...

Code: Select all

#allow_anon_ssl=NO
#anon_mkdir_write_enable=NO
#anon_other_write_enable=NO
#anon_upload_enable=NO
#anon_world_readable_only=YES
anonymous_enable=NO
#ascii_download_enable=YES
#ascii_upload_enable=YES
#async_abor_enable=NO
#background=NO
#check_shell=YES
#chmod_enable=YES
#chown_uploads=NO
#chroot_list_enable=NO
#chroot_local_user=NO
connect_from_port_20=NO
#debug_ssl=NO
#delete_failed_uploads=YES
#deny_email_enable=NO
#dirlist_enable=YES
dirmessage_enable=YES
#download_enable=YES
#dual_log_enable=NO
force_dot_files=YES
#force_anon_data_ssl=YES
#force_anon_logins_ssl=YES
#force_local_data_ssl=YES
#force_local_logins_ssl=YES
#guest_enable=NO
#hide_ids=NO
#implicit_ssl=NO
listen=NO
listen_ipv6=YES
local_enable=YES
#lock_upload_files=YES
#log_ftp_protocol=NO
#ls_recurse_enable=NO
#mdtm_write=YES
#no_anon_password=NO
#no_log_lock=NO
#one_process_model=NO
#passwd_chroot_enable=NO
#pasv_addr_resolve=NO
#pasv_enable=YES
#pasv_promiscuous=NO
#port_enable=YES
#port_promiscuous=NO
#require_cert=NO
#require_ssl_reuse=NO
#run_as_launching_user=NO
#secure_email_list_enable=NO
#session_support=NO
#setproctitle_enable=NO
ssl_enable=YES
#ssl_request_cert=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
#strict_ssl_read_eof=NO
#strict_ssl_write_shutdown=NO
#syslog_enable=NO
#tcp_wrappers=YES
#text_userdb_names=NO
#tilde_user_enable=NO
use_localtime=YES
#use_sendfile=YES
#userlist_deny=YES
#userlist_enable=NO
#validate_cert=NO
#virtual_use_local_privs=NO
write_enable=YES
xferlog_enable=YES
#xferlog_std_format=YES
#accept_timeout=60
#anon_max_rate=0
#anon_umask=077
#connect_timeout=60
#data_connection_timeout=300
#delay_failed_login=1
#delay_successful_login=0
#file_open_mode=0666
#ftp_data_port=20
idle_session_timeout=3600
#listen_port=21
#local_max_rate=0
local_umask=022
max_clients=5
max_login_fails=3
max_per_ip=8
#pasv_max_port=0
#pasv_min_port=0
#trans_chunk_size=0
#anon_root=
#banned_email_file=
#banner_file=
#ca_certs_file=
#chown_username=
#chroot_list_file=
#cmds_allowed=
#cmds_denied=
#deny_file=
#dsa_cert_file=
#dsa_private_key_file=
#email_password_file=
#ftp_username=ftp
#ftpd_banner=
#guest_username=ftp
#hide_file=
#listen_address=
#listen_address6=
#local_root=
#message_file=.message
#nopriv_user=www-data
#pam_service_name=ftp
#pasv_address=
rsa_cert_file=/etc/letsencrypt/live/HIDDEN/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/HIDDEN/privkey.pem
secure_chroot_dir=/usr/share/empty
#ssl_ciphers=HIGH
#user_config_dir=
#user_sub_token=
#userlist_file=
#vsftpd_log_file=/var/log/vsftpd.log
#xferlog_file=/var/log/xferlog

# https://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/
allow_writeable_chroot=YES
No idea not sure where to go about after finding out GnuTLS -15 error:

"Control connection terminated without SSL shutdown."

Edit: Ok, so I forgot to uncomment "idle_session_timeout=3600" it should wait 1 hour now before kicking the god damn client...

negrusti
500 Command not understood
Posts: 2
Joined: 2019-01-26 11:47
First name: Gregory
Last name: Morozov

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#21 Post by negrusti » 2019-01-27 22:06

In the ideal world this issue will be fixed in Ubuntu. However in real world I can assure you that users' solution will be simple - they will disable TLS completely where it is allowed, making security situation a lot WORSE that it was before 3.40.

xeon
226 Transfer OK
Posts: 122
Joined: 2009-08-19 03:18

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#22 Post by xeon » 2019-01-28 03:14

sudoranger wrote:
2019-01-27 09:27
1. Welcome banner not showing regardless of already uncommented ftpd_banner=XXX
2. Server does not support non-ASCII characters.
3. Sudden disconnect after several seconds?... GnuTLS error -15: An unexpected TLS packet was received.
The welcome banner works fine for me, as do non-ASCII characters.

Number 3 is actually a long standing bug in vsftpd that was never fixed, it's due to vsftpd sending unencrypted errors/notices in some scenarios, one such time is at the idle timeout.

Some of these instances were fixed by the vsftpd developer years ago, but some still remain.

Here's an old blog post from 2011 going into more depth about it.

https://www.thatsgeeky.com/2011/01/usin ... ugh-vsftp/
negrusti wrote:
2019-01-27 22:06
In the ideal world this issue will be fixed in Ubuntu. However in real world I can assure you that users' solution will be simple - they will disable TLS completely where it is allowed, making security situation a lot WORSE that it was before 3.40.
There's always the option of downloading the git version of pure-ftpd and compiling it. If a system admin is unable to do such a basic task, then there are bigger issues to worry about.

sudoranger
500 Syntax error
Posts: 15
Joined: 2019-01-27 06:33
First name: Sudo
Last name: Ranger

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#23 Post by sudoranger » 2019-01-29 19:05

Hi guys! Just a short update on my journey (if you care) :lol:

It all started when I can't connect to my FTP server on 3.40 then I realized something was wrong. After awhile, I figured, I was using a quite ancient pure-ftpd and slow release from its maintainer. I was too lazy to recompile and do all the manual stuff and learn all the available ./configure so I ended up installing vsftpd. It was good, everything was straight forward until I came across some issues -- reading the documentation takes awhile and quite overwhelmed by its .conf. Hence, I switched to the good-ol' proftpd (first introduced to me) during my cpanel times...

I love it! Settings are great, security in check, SSL/TLS works like a charm. However... I noticed that the official repository for 18.04 bionic is 1.3.5e and the latest one is 1.3.6 which supports ServerAlias and some other new features... Shit! Back to square one. It took me quite some time trying to compile and testing the new conf but ran into some modules issues which i'm too lazy to debug...

Now, I'm figuring how to connect to multiple domains using the same user on the same machine:

user --> domain1.com or domain2.com --> TLS. Since I'm using the Let's Encrypt Wildcard Cert from *.domain1.com I'm not sure how to configure it to use multiple certificates base on the domain (or VirtualHost)? Here, I noticed my nginx 1.15.8 doesn't have TLSv1.3 only 1.2. From one problem to another one. So I read about compiling from scratch and have to apt-mark hold to avoid future official upgrade. That's just a lot to do/maintain next time. What if I suddenly get dementia and forget about it? I'm doom!

I'm that close to enjoy my restless night and now I'm still looking for some solutions. Most probably, I'll just quit FTP and use some file manager script shit since it's only for myself (I don't have other users on the machine btw). LOL... :roll:

Well, just a short update my ass, it's getting too long. Good night! Adios!

> Bye!

Claudiu
504 Command not implemented
Posts: 11
Joined: 2019-01-23 17:37
First name: Mr
Last name: Cla

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#24 Post by Claudiu » 2019-02-04 09:38

Waiting the bugs to be solved, I have compiled pure-ftpd version from git without TLSv1.3 support, as a workaround. I still have small issues, but most of them are gone.

sudoranger
500 Syntax error
Posts: 15
Joined: 2019-01-27 06:33
First name: Sudo
Last name: Ranger

Re: GnuTLS error -110: The TLS connection was non-properly terminated. with 3.40-rc2

#25 Post by sudoranger » 2019-02-09 17:27

Claudiu wrote:
2019-02-04 09:38
Waiting the bugs to be solved, I have compiled pure-ftpd version from git without TLSv1.3 support, as a workaround. I still have small issues, but most of them are gone.
well, that will surely work of course since doing so is a backward compatibility for FZ 3.40. somehow, since FW isn't gonna do a backward compatibility for the <TLS1.3 then we will have to wait for the FTP servers to fully support TLS1.3 otherwise...

1. remove TLS1.3 support from ftp servers and recompile
2. fix TLS1.3 supprot for ftp servers either send a PR or beg for PR
3. use ancient ftp clients that use <TLS1.3
4. downgrade FW 3.40
5. purge ftp servers and use other protocols

ftp is only good for downloading for now... uploading in TLS 1.3 will give me a bunch of headaches...

Post Reply