Error when uploading file with TLS

[mcpat-it]

Hi I have a problem on Windows7 and Window10 when uploading files.

I tried this code:

Using test = New Starksoft.Aspen.Ftps.FtpsClient(host, port, Ftps.FtpsSecurityProtocol.Tls12Explicit)
                    test.AlwaysAcceptServerCertificate = True
                    test.Proxy = New Starksoft.Aspen.Proxy.Socks5ProxyClient(proxyaddress, proxyport, proxyuser, proxypass)
                    test.Open(username, password)
                    MsgBox("Test connected: " & test.IsConnected) 'says TRUE
                    Try
                        Dim dest2 = "hallo"
                        Using stringInMemoryStream As MemoryStream = New MemoryStream(System.Text.Encoding.UTF8.GetBytes(dest2)) 'ASCIIEncoding.Default.GetBytes
                            test.PutFile(stringInMemoryStream, "/tmp/test.txt", Starksoft.Aspen.Ftps.FileAction.Create)
                        End Using
                    Catch ex As Exception
                        MsgBox(ex.Message) 'An error occurred while putting fileName '/tmp/test.txt'. (Last Server Response: Failure reading network stream. ConnectionClosedSoTransferAborted)
                    End Try
                    MsgBox("Test connected: " & test.IsConnected) 'says TRUE!
                    Try
                        Dim dest2 = "hallo2"
                        Using stringInMemoryStream As MemoryStream = New MemoryStream(System.Text.Encoding.UTF8.GetBytes(dest2)) 'ASCIIEncoding.Default.GetBytes
                            test.PutFile(stringInMemoryStream, "/tmp/test2.txt", Starksoft.Aspen.Ftps.FileAction.Create)
                        End Using
                    Catch ex As Exception
                        MsgBox(ex.Message) 'An error occurred while putting fileName '/tmp/test2.txt'. (Last Server Response: Failure reading network stream. ConnectionClosedSoTransferAborted)
                    End Try
                    MsgBox("Test connected: " & test.IsConnected) 'says TRUE!
                    Exit Sub
                End Using

And I will get an error with An error occurred while putting fileName '/tmp/test.txt'. (Last Server Response: Failure reading network stream. ConnectionClosedSoTransferAborted) but the file is there and then the check .IsConnected says True and the second file will be created with the same error but the check after says also True and the second file is also uploaded...

This error happens with TLS1.0 up to TLS1.2 with and without proxy connections (others not tested).

It also happens with:
test.PutFile("d:\test.txt", "/tmp/test2.txt")

BUT it doesn't happen with:

Using test = New Starksoft.Aspen.Ftps.FtpsClient(host, port, Ftps.FtpsSecurityProtocol.None)
      <same code as above>
End Using

What's wrong?

Thx
Patrick

[mcpat-it]

ok, found out this only happens on vsftpd, tried also use_sendfile=NO but doesn't help. On pure-ftpd this error doesn't come up...

Do you have any idea's?

[bentonstark]

What version of vsftpd are you using?

[mcpat-it]

3.0.3 Regards, Patrick

[bentonstark]

So the problem most likely is in a change added to 3.0.3 according to the release notes for vsftpd. More recent releases (2015/2016) of FileZilla added logic to require TLS connected clients to reuse data channel connections. Requiring data session connection reuse breaks the FtpClient. There is an easy way to turn that re-use requirement off in FileZilla. It seems the maintainers of vsftpd included those recommend changes in vsftpd 3.0.3 according to their release notes.

"Kill the FTP session if we see session re-use failure. A report from Tim Kosse tim.kosse@filezilla-project.org. (vsftpd-3.0.3pre1)"
https://security.appspot.com/vsftpd/Changelog.txt

So for vsftpd 3.0.3 there may be a way to turn off this new feature as can be done in FileZilla. Some have described this solution as a security "kludge" trying to fix or address fundamental problems in the FTP protocol. Obviously to more widely support data connection re-use I will need to make changes to the FtpClient. Its interesting that this is just now showing up. You are the second person to report it in the past few weeks. I am guessing it has taken maybe taken few years to get the 2016 versions of FileZilla and vsftpd into the distros and deployed to servers.

[bentonstark]

Found this on vsftpd's site.

"You can disable this [connection re-use] requirement by changing require_ssl_reuse to NO."

[mcpat-it]

I hoped it will work, but sorry, with require_ssl_reuse=NO it also doesn't work.

Here is my full vsftpd.conf file:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
listen_ipv6=NO
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=NO
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=vsftpd
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=NO
ascii_download_enable=NO
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the opendreambox FTP service!
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=NO
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/usr/share/vsftpd/chroot
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
#implicit_ssl=YES
listen_port=50
#ftp_data_port=989
implicit_ssl=NO
#ssl_tlsv1_2=YES
#ssl_tlsv1_1=YES
ssl_tlsv1=YES
ssl_sslv2=NO
#ssl_sslv3=NO
ssl_sslv3=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
#ssl_ciphers=TLSv1.2
#use_sendfile=NO

[mcpat-it]

you know, the ftp session isn't killed, I will always get a True by checking MsgBox("Test connected: " & test.IsConnected) and the file is uploaded completly. I catch it with try - catch - end try and the second file is also uploaded...

[bentonstark]

So the FTP session consists of two connections. The control channel which is the "session" and that is not getting shutdown and the "data" channel which is the secondary connection opened by your server to all for data to transfer down an assigned server port if you are using Passive FTP. Note that Active FTP sets the data port specifically and the server binds forever to that port. But in Passive FTP the data port is transmitted to the client via the FTP control channel as text. The FTP client then reads that text and turns around and uses it to connect to the FTP server. The errors you are receiving all pertain to the data channel. Have you confirmed that other clients can connect to the same vsftpd server? The reason I ask is that firewalls and whatnot can interfere or block clients from access the server ports used by Passive FTP.

[mcpat-it]

Thank you for the explanation! Yes I tried with another client. I got a successful connection with WinSCP, so the PC shouldn't be the problem. With Winscp (yes in FTP mode with SSL) I can up and download files without problems. Regards Patrick

[bentonstark]

Can you clear the vsftpd log, reproduce the failure and provide the error lines from the log so I can see them? Based on your vsftpd profile the log should be in the following location on your FTP server.

/var/log/vsftpd.log

[mcpat-it]

Here we go:

Sat May 13 08:46:45 2017 [pid 1261] CONNECT: Client "192.168.0.1"
Sat May 13 08:46:46 2017 [pid 1260] [root] OK LOGIN: Client "192.168.0.1"
Sat May 13 08:46:47 2017 [pid 1261] [root] DEBUG: Client "192.168.0.1", "DATA connection terminated without SSL shutdown. Buggy client! Integrity of upload cannot be asserted."
Sat May 13 08:46:47 2017 [pid 1262] [root] FAIL UPLOAD: Client "192.168.0.1", "/tmp/IC_0000_000C.tpl", 10138 bytes, 242.93Kbyte/sec

File exists on /tmp with size 10.138 Bytes...

Here the full log:

Sat May 13 09:07:04 2017 [pid 1743] CONNECT: Client "192.168.0.1"
Sat May 13 09:07:04 2017 [pid 1743] FTP response: Client "192.168.0.1", "220 Welcome to the opendreambox FTP service!"
Sat May 13 09:07:04 2017 [pid 1743] FTP command: Client "192.168.0.1", "AUTH TLS"
Sat May 13 09:07:04 2017 [pid 1743] FTP response: Client "192.168.0.1", "234 Proceed with negotiation."
Sat May 13 09:07:04 2017 [pid 1743] FTP command: Client "192.168.0.1", "PBSZ 0"
Sat May 13 09:07:04 2017 [pid 1743] FTP response: Client "192.168.0.1", "200 PBSZ set to 0."
Sat May 13 09:07:04 2017 [pid 1743] FTP command: Client "192.168.0.1", "PROT P"
Sat May 13 09:07:04 2017 [pid 1743] FTP response: Client "192.168.0.1", "200 PROT now Private."
Sat May 13 09:07:05 2017 [pid 1743] FTP command: Client "192.168.0.1", "USER root"
Sat May 13 09:07:05 2017 [pid 1743] [root] FTP response: Client "192.168.0.1", "331 Please specify the password."
Sat May 13 09:07:05 2017 [pid 1743] [root] FTP command: Client "192.168.0.1", "PASS <password>"
Sat May 13 09:07:05 2017 [pid 1742] [root] OK LOGIN: Client "192.168.0.1"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "230 Login successful."
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP command: Client "192.168.0.1", "FEAT"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "211-Features:"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " AUTH SSL??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " AUTH TLS??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " EPRT??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " EPSV??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " MDTM??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " PASV??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " PBSZ??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " PROT??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " REST STREAM??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " SIZE??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " TVFS??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", " UTF8??"
Sat May 13 09:07:05 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "211 End"
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP command: Client "192.168.0.1", "OPTS UTF8 ON"
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "200 Always in UTF8 mode."
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP command: Client "192.168.0.1", "TYPE I"
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "200 Switching to Binary mode."
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP command: Client "192.168.0.1", "PASV"
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "227 Entering Passive Mode (192,168,0,246,133,26)."
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP command: Client "192.168.0.1", "STOR /tmp/IC_0000_000C.tpl"
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "150 Ok to send data."
Sat May 13 09:07:06 2017 [pid 1743] [root] DEBUG: Client "192.168.0.1", "DATA connection terminated without SSL shutdown. Buggy client! Integrity of upload cannot be asserted."
Sat May 13 09:07:06 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "426 Failure reading network stream."
Sat May 13 09:07:06 2017 [pid 1744] [root] FAIL UPLOAD: Client "192.168.0.1", "/tmp/IC_0000_000C.tpl", 10138 bytes, 248.45Kbyte/sec
Sat May 13 09:07:07 2017 [pid 1744] [root] FTP command: Client "192.168.0.1", "QUIT"
Sat May 13 09:07:07 2017 [pid 1744] [root] FTP response: Client "192.168.0.1", "221 Goodbye."

[mcpat-it]

with winscp with same settings (user/pass/port) it works:

Sat May 13 08:53:07 2017 [pid 1406] CONNECT: Client "192.168.0.1"
Sat May 13 08:53:09 2017 [pid 1405] [root] OK LOGIN: Client "192.168.0.1"
Sat May 13 08:53:54 2017 [pid 1408] [root] OK UPLOAD: Client "192.168.0.1", "/tmp/IC_0000_000C.tpl", 10138 bytes, 1200.19Kbyte/sec

[bentonstark]

So I installed vsftpd 3.0.3 on my development machine and used some of the settings you posted from your config file. Interestingly vsftpd does not support anything higher than TLS 1.0 in the conf file but it does seem to support it when I connect with TLS v1.2. Oddly I am unable to force TLS v1.2 for clients as there is no option in conf file to do that. Pretty weird.

So I am unable to exactly fix the issue. It seems to be related around the TLS connections and how they expect the connection to be presented on the data connection. I was able to disable the TLS Session ID requirement but then I got the error "Failure Reading Network Stream."

The FtpsClient relies on the Mono and .NET run-times to manage and reuse TLS sessions. I have no way to force the data connections to reuse TLS Session IDs when they connect on the data channel. That is a very low level trick which some FTP clients are able to get away with if they are using something like openssl to negotiate the connections.

Below are the settings I used in the vsftpd conf file. At this point I don't think I can really fix the issue as I still don't understand why vsftpd doesn't like the TLS connections but FileZilla has no issue with it. Note that FileZilla is my test FTP server that I make sure I am compatible with.

`#debug switches
debug_ssl=yes
log_ftp_protocol=yes

#ssl config
ssl_enable=yes
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
rsa_private_key_file=/usr/share/ssl/certs/vsftpd.pem
require_ssl_reuse=no
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
`

[mcpat-it]

You can force TLS1.2 with ssl_ciphers=TLSv1.2

What does this error means? DATA connection terminated without SSL shutdown. How can we terminate the DATA connection with a SSL shutdown?

I will help you as much as I can!

See this log, maybe it helps (extended with debug_ssl=YES):

Sun May 14 08:29:29 2017 [pid 8955] CONNECT: Client "192.168.0.1"
Sun May 14 08:29:29 2017 [pid 8955] FTP response: Client "192.168.0.1", "220 Welcome to the opendreambox FTP service!"
Sun May 14 08:29:29 2017 [pid 8955] FTP command: Client "192.168.0.1", "AUTH TLS"
Sun May 14 08:29:29 2017 [pid 8955] FTP response: Client "192.168.0.1", "234 Proceed with negotiation."
Sun May 14 08:29:29 2017 [pid 8955] DEBUG: Client "192.168.0.1", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, not reused, no cert"
Sun May 14 08:29:29 2017 [pid 8955] FTP command: Client "192.168.0.1", "PBSZ 0"
Sun May 14 08:29:29 2017 [pid 8955] FTP response: Client "192.168.0.1", "200 PBSZ set to 0."
Sun May 14 08:29:29 2017 [pid 8955] FTP command: Client "192.168.0.1", "PROT P"
Sun May 14 08:29:29 2017 [pid 8955] FTP response: Client "192.168.0.1", "200 PROT now Private."
Sun May 14 08:29:29 2017 [pid 8955] FTP command: Client "192.168.0.1", "USER root"
Sun May 14 08:29:29 2017 [pid 8955] [root] FTP response: Client "192.168.0.1", "331 Please specify the password."
Sun May 14 08:29:30 2017 [pid 8955] [root] FTP command: Client "192.168.0.1", "PASS <password>"
Sun May 14 08:29:30 2017 [pid 8954] [root] OK LOGIN: Client "192.168.0.1"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "230 Login successful."
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP command: Client "192.168.0.1", "FEAT"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "211-Features:"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " AUTH SSL??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " AUTH TLS??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " EPRT??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " EPSV??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " MDTM??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " PASV??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " PBSZ??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " PROT??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " REST STREAM??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " SIZE??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " TVFS??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", " UTF8??"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "211 End"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP command: Client "192.168.0.1", "OPTS UTF8 ON"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "200 Always in UTF8 mode."
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP command: Client "192.168.0.1", "TYPE I"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "200 Switching to Binary mode."
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP command: Client "192.168.0.1", "PASV"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "227 Entering Passive Mode (192,168,0,246,23,144)."
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP command: Client "192.168.0.1", "STOR /tmp/IC_0000_000C.tpl"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "150 Ok to send data."
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, reused, no cert"
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "DATA connection terminated without SSL shutdown. Buggy client! Integrity of upload cannot be asserted."
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "SSL shutdown state is: NONE"
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Sun May 14 08:29:30 2017 [pid 8955] [root] DEBUG: Client "192.168.0.1", "SSL ret: 4294967295, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 0"
Sun May 14 08:29:30 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "426 Failure reading network stream."
Sun May 14 08:29:30 2017 [pid 8956] [root] FAIL UPLOAD: Client "192.168.0.1", "/tmp/IC_0000_000C.tpl", 10138 bytes, 252.27Kbyte/sec
Sun May 14 08:29:32 2017 [pid 8956] [root] FTP command: Client "192.168.0.1", "QUIT"
Sun May 14 08:29:32 2017 [pid 8956] [root] FTP response: Client "192.168.0.1", "221 Goodbye."

Look here, maybe it helps: here

[mcpat-it]

See here

Unless some other fatal alert has been transmitted, each party is
required to send a close_notify alert before closing the write side
of the connection

And here I see in the log "ssl_received_shutdown"

Sat May 24 17:21:59 2014 [pid 3] [richard] OK UPLOAD: Client "192.168.51.4", "/media/store/Richard/Pictures/2010/01/29/SDC10422.JPG", 2732610 bytes, 484.82Kbyte/sec
Sat May 24 17:21:59 2014 [pid 2] [richard] DEBUG: Client "192.168.51.4", "SSL version: TLSv1/SSLv3, SSL cipher: AES128-SHA, reused, no cert"
Sat May 24 17:22:05 2014 [pid 2] [richard] DEBUG: Client "192.168.51.4", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Sat May 24 17:22:05 2014 [pid 2] [richard] DEBUG: Client "192.168.51.4", "SSL shutdown state is: 3"

See shutdown

See discussion

And maybe this

Winscp on my PC send's this shutdown to my vsftpd server:

Sun May 14 09:13:48 2017 [pid 9095] [root] FTP command: Client "192.168.0.1", "TYPE I"
Sun May 14 09:13:48 2017 [pid 9095] [root] FTP response: Client "192.168.0.1", "200 Switching to Binary mode."
Sun May 14 09:13:48 2017 [pid 9095] [root] FTP command: Client "192.168.0.1", "PASV"
Sun May 14 09:13:48 2017 [pid 9095] [root] FTP response: Client "192.168.0.1", "227 Entering Passive Mode (192,168,0,246,23,155)."
Sun May 14 09:13:48 2017 [pid 9095] [root] FTP command: Client "192.168.0.1", "STOR IC_0000_000C.tpl"
Sun May 14 09:13:48 2017 [pid 9095] [root] FTP response: Client "192.168.0.1", "150 Ok to send data."
Sun May 14 09:13:48 2017 [pid 9094] [root] DEBUG: Client "192.168.0.1", "SSL version: SSLv3, SSL cipher: ECDHE-RSA-AES256-SHA, reused, no cert"
Sun May 14 09:13:48 2017 [pid 9094] [root] DEBUG: Client "192.168.0.1", "SSL shutdown state is: SSL_RECEIVED_SHUTDOWN"
Sun May 14 09:13:48 2017 [pid 9094] [root] DEBUG: Client "192.168.0.1", "SSL shutdown state is: 3"
Sun May 14 09:13:48 2017 [pid 9095] [root] OK UPLOAD: Client "192.168.0.1", "/tmp/IC_0000_000C.tpl", 10138 bytes, 1187.10Kbyte/sec
Sun May 14 09:13:48 2017 [pid 9095] [root] FTP response: Client "192.168.0.1", "226 Transfer complete."

[bentonstark]

So the .NET/Mono SslStream doesn't give me a whole lot of control as to how the SSL/TLS protocol is working. Session ID caching, reusing connections, opening and closing TLS is all handled inside the SslStream which is powerful when it works as you want it to. Interestingly FileZilla is accepting the FtpsClient without any issue as long as I disable the security "feature" for requiring reuse of SSL Session IDs.

I think you are correct and have got some good DEBUG information there concerning SSL. What I am seeing in my testing is that the PASV command is accepted by vsftpd, the STOR command is also accepted, and data is fully transferred from the client to server in its entirety and written to the file system by vsftpd. The next step accepted by other FTP servers such as FileZilla is to close the connection to signify the transfer is complete by the client. But vsftpd doesn't like that. It is expecting to receive a very specific SSL protocol shutdown state of 3 before the connection is actually closed by the client. The SslStream doesn't seem to do it in the way the vsftpd demands but FileZilla accepts. I imagine the vsftpd maintainers added this code when they implemented the SSL Session ID reuse logic and it bled into the normal flow of code even if the SSL Session ID reuse is disabled.
https://linux.die.net/man/3/ssl_shutdown

What happens after I shutdown the TLS passive data connection after transferring all the bytes for a STOR command is that vsftpd gets all upset and sends the following response.
426 Failure reading network stream. ConnectionClosedSoTransferAborted

Could we ignore that 426 error? That's one way to go about it. 4xx errors are defined as the following.

Transient Negative Completion reply: The command was not accepted and the requested action did not take place, but the error condition is temporary and the action may be requested again
What's interesting is the transfer was not aborted actually but vsftpd reports it was. From its perspective the connection was dropped even though all bytes were transferred as expected by the client. I made a change to the code that accepts 426 as a positive response and the vsftpd server keeps happily running along. It doesn't work yet on subsequent commands due other unexpected sequence of responses from vsftpd with it comes to directory listings but I should be able to resolve that.

Another individual reported similar problematic behavior with the SslStream and he went to great lengths to reflect into the Microsoft SSI APIs to force SslStream to send a close_notify code 3 to the server before closing the connection. This solution might work but it also causes another problem which is that it only works on .NET and not Mono. I will give it a try on my Windows VM later in the week and see if that makes any difference.

http://stackoverflow.com/questions/237807/net-sslstream-doesnt-close-tls-connection-properly/22626756#22626756

[mcpat-it]

Did you find out any work-around?

Thx

[bentonstark]

I did not.

[npiasecki]

For what it is worth, some 4 years later, on Ubunto 20.04, and with a different application running .NET's FtpWebRequest, I was able to fix this by adding

    strict_ssl_read_eof=NO
    strict_ssl_write_shutdown=NO
    require_ssl_reuse=NO

to vsftpd.conf. Which one fixed I don't know but I'm slowly backing away....

[bentonstark]

Wow. My money is on "require_ssl_reuse=NO".

[npiasecki]

require_ssl_reuse=NO didn't do it on its own. Even though the man page says they all default to NO, so specifying these three should be a no-op, the Ubuntu build must have changed some of these defaults is my guess. Probably why people are banging their heads.