
FileZilla Client 3.40.0: TLS 1.3 file upload bug #99

Closed
mvegetto opened this Issue Jan 21, 2019 · 21 comments

mvegetto commented Jan 21, 2019

New features FileZilla
Added TLS 1.3 support by linking official binaries against GnuTLS 3.6.5

I have the latest pure-ftpd version.
pure-ftpd --help | head -1
pure-ftpd v1.0.48 [privsep]

OpenSSL 1.1.1a 20 Nov 2018

Jan 21 22:48:33 test pure-ftpd: (.....) [INFO] New connection from ....
Jan 21 22:48:33 test pure-ftpd: (.....) [DEBUG] Command [auth] [TLS]
Jan 21 22:48:33 test pure-ftpd: (.....) [ERROR] TLS renegociation

Debug log:
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 23:00. Server port: 24724.
Response: 220-This is a private system - No anonymous login
Response: 220 You will be disconnected after 15 minutes of inactivity.
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received HELLO RETRY REQUEST
Trace: TLS handshake: Processed HELLO RETRY REQUEST
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: TLS handshake: Received ENCRYPTED EXTENSIONS
Trace: TLS handshake: Processed ENCRYPTED EXTENSIONS
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received CERTIFICATE VERIFY
Trace: TLS handshake: Processed CERTIFICATE VERIFY
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CRealControlSocket::OnSocketError(106)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 5
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)

Could anyone verify this?
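A way to read a trace like the one above mechanically, as an added example that is not part of FileZilla, pure-ftpd or this thread: it parses FileZilla's debug-log lines, records the handshake messages in order, the negotiated parameters and the first GnuTLS error, and reports whether that error happened during the handshake or after it. In the trace above the handshake completes with TLS 1.3 (after a HelloRetryRequest) and the -110 arrives afterwards, which points at the server closing the control connection rather than at version or cipher negotiation. The sample trace embedded in the block is an abridged copy of the one posted above; the function and field names are my own.

```python
"""Summarise the TLS phase of a FileZilla debug log (added example, not FileZilla code)."""
import re

# FileZilla prints "Trace: ..." lines at debug level 3; these patterns pick out
# the handshake messages, the negotiated parameters and GnuTLS error codes.
HANDSHAKE_MSG_RE = re.compile(r"TLS handshake: (?P<dir>Received|Sent) (?P<msg>.+)")
PROTO_RE = re.compile(
    r"Protocol: (?P<proto>[^,]+), Key exchange: (?P<kx>[^,]+), "
    r"Cipher: (?P<cipher>[^,]+), MAC: (?P<mac>\S+)"
)
GNUTLS_ERR_RE = re.compile(r"GnuTLS error (?P<code>-?\d+): (?P<text>.*)")

# Abridged copy of the trace posted in this issue (sample input for the example).
SAMPLE_TRACE = """\
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: TLS handshake: Received HELLO RETRY REQUEST
Trace: TLS handshake: Processed HELLO RETRY REQUEST
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: TLS handshake: Received ENCRYPTED EXTENSIONS
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Received CERTIFICATE VERIFY
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.3, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not connect to server
"""


def analyse_trace(lines):
    """Walk the log once and return a dict describing the TLS outcome."""
    summary = {
        "handshake_complete": False,
        "hello_retry_request": False,   # TLS 1.3 only: the first ClientHello was sent again
        "proto": None, "kx": None, "cipher": None, "mac": None,
        "messages": [],                 # handshake messages in order, e.g. "Sent CLIENT HELLO"
        "error_code": None, "error_text": None,
        "error_phase": None,            # "handshake", "post-handshake" or None
    }
    for raw in lines:
        kind, _, text = raw.partition(": ")
        if kind not in ("Trace", "Error", "Status"):
            continue                    # Command:/Response: lines carry no TLS state
        m = HANDSHAKE_MSG_RE.search(text)
        if m:
            summary["messages"].append(f"{m['dir']} {m['msg']}")
            if m["dir"] == "Received" and m["msg"] == "HELLO RETRY REQUEST":
                summary["hello_retry_request"] = True
            continue
        if "TLS Handshake successful" in text:
            summary["handshake_complete"] = True
            continue
        m = PROTO_RE.search(text)
        if m:
            summary.update(proto=m["proto"], kx=m["kx"], cipher=m["cipher"], mac=m["mac"])
            continue
        m = GNUTLS_ERR_RE.search(text)
        if m and summary["error_code"] is None:   # keep the first error only
            summary["error_code"] = int(m["code"])
            summary["error_text"] = m["text"]
            summary["error_phase"] = ("post-handshake" if summary["handshake_complete"]
                                      else "handshake")
    return summary


def verdict(summary):
    """One-line reading of the summary for whoever runs the server."""
    if summary["error_code"] is None:
        return "no GnuTLS error recorded"
    code = summary["error_code"]
    if summary["error_phase"] == "handshake":
        return (f"negotiation failed before the handshake completed (GnuTLS {code}); "
                "check the protocol versions and ciphers enabled on the server")
    return (f"handshake completed with {summary['proto']} ({summary['kx']}, {summary['cipher']}); "
            f"GnuTLS {code} came after it, so the server closed the connection post-handshake "
            "and negotiation is not the problem")


if __name__ == "__main__":
    result = analyse_trace(SAMPLE_TRACE.splitlines())
    print(result["messages"])
    print(verdict(result))
```

Feed it the full log copied from FileZilla's message pane (debug level 3 or higher); only Trace, Error and Status lines are inspected, so the Command/Response chatter can stay in.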

jedisct1 (Owner) commented Jan 21, 2019

That was fixed quite some time ago. You can try the current code in Git, or wait for the next release :)

jedisct1 closed this Jan 21, 2019

mvegetto (Author) commented Jan 21, 2019

Hello jedisct1

I am actually running the current code in git, but I am still getting that message?

jedisct1 reopened this Jan 21, 2019

mvegetto (Author) commented Jan 23, 2019

3.40.0-rc2, same result. Looking at the trace, it might be related to the verification of the certificate. In my situation this is a Let's Encrypt certificate.

Below is the way it's configured:

cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /etc/ssl/private/pure-ftpd.pem

Anyone else who can confirm this?

MrJohnyk commented Jan 23, 2019

Yes, I have this issue myself as well. I have a self-signed certificate for pure-ftpd generated with sscg. Working fine with FileZilla 3.39, not working starting with 3.40-rc1. I want to know how to add TLS 1.3 support to pure-ftpd.

mvegetto (Author) commented Jan 23, 2019

Thanks for confirming, MrJohnyk. All my hope is in jedisct1: are you able to confirm whether this is a bug in FileZilla or in pure-ftpd?

mvegetto changed the title from "FileZilla Client 3.40.0-rc1: TLS 1.3 not working" to "FileZilla Client 3.40.0-rc2: TLS 1.3 not working with certificate" on Jan 23, 2019

MrJohnyk commented Jan 23, 2019

FileZilla, starting with 3.40-rc1, is using TLSv1.3 only; pure-ftpd doesn't have support for TLSv1.3 yet. Let's hope that pure-ftpd is upgraded soon or that the FileZilla maintainer will add complementary support for TLSv1.2 in the newest version.

mvegetto (Author) commented Jan 23, 2019

MrJohnyk, I assume you're running the current code in git? See also issue 94 --> 4a495c6

Which version of pure-ftpd are you running? You can check this using the following command:

pure-ftpd --help | head -1

Version:
pure-ftpd v1.0.48 [privsep]

MrJohnyk commented Jan 23, 2019

I'm using the latest released version, 1.0.47, provided by my OS repository. If you still have issues, then the bug exists in the "git" version as well.

MrJohnyk commented Jan 25, 2019

I have installed the git version and I can confirm that I no longer have issues with FileZilla 3.40-rc2. It is working just fine now.
I can also confirm that the insecure protocol TLS v1.1 is no longer active.
Thank you Frank Denis! Maybe you should make this available to the public ASAP.

mvegetto (Author) commented Jan 25, 2019

MrJohnyK, could you tell me how you have installed the git version? Did you remove the version 1.047 provided by the OS repository first?

MrJohnyk commented Jan 25, 2019

Actually not, I have just used ./configure and make; make install.
But I don't think it matters. Probably uninstalling and then installing the git version from scratch would not make any difference, because the binaries are replaced anyway.

mvegetto (Author) commented Jan 25, 2019

Hello MrJohnyK, thanks for your reply. It looks like it does; see below. This is issue 94 --> 4a495c6

* Connected to 127.0.0.1 (127.0.0.1) port 24724 (#0)
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 3 of 50 allowed.
< 220-Local time is now 22:19. Server port: 24724.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.
> AUTH SSL
< 500 This security scheme is not implemented
> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2919 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=...
*  start date: Jan 10 19:29:20 2019 GMT
*  expire date: Apr 10 19:29:20 2019 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> USER download
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
} [5 bytes data]
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104

mvegetto closed this Jan 25, 2019

alienmindbender commented Jan 31, 2019

Hi!

It seems this is not fully fixed...
I compiled the git version against OpenSSL 1.1.1a 20 Nov 2018 (Ubuntu 18.04).

Connecting to the server with FileZilla 3.4 works fine, as well as changing folders. Uploading files, on the other hand, only works when files are bigger than 500kb (? I did not test this thoroughly!). Uploading smaller files results in the connection being terminated and retried three times, resulting in a zero-sized file on the remote end.

#FileZilla
Response: 451-Error during read from data connection
Response: 451 Transfer aborted

#PureFTPd
Jan 31 23:35:52 251 pure-ftpd: (user@ip) [DEBUG] Command [opts] [UTF8 ON]
Jan 31 23:35:52 251 pure-ftpd: (user@ip) [DEBUG] Command [pbsz] [0]
Jan 31 23:35:52 251 pure-ftpd: (user@ip) [DEBUG] Command [prot] [P]
Jan 31 23:35:52 251 pure-ftpd: (user@ip) [DEBUG] Command [cwd] [/private]
Jan 31 23:35:53 251 pure-ftpd: (user@ip) [DEBUG] Command [type] [I]
Jan 31 23:35:53 251 pure-ftpd: (user@ip) [DEBUG] Command [pasv] []
Jan 31 23:35:53 251 pure-ftpd: (user@ip) [DEBUG] Command [stor] [sendEmail]
Jan 31 23:35:53 251 pure-ftpd: (user@ip) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Jan 31 23:35:53 251 pure-ftpd: (user@ip) [NOTICE] /var/www/clients/path/private/testfile uploaded  (0 bytes, 0.00KB/sec)

I added

305,307d304
< # ifdef SSL_OP_NO_TLSv1_3
<     SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_3);
< # endif
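Review bot: the header `305,307d304` with `<` lines is `diff` normal format for a deletion from the first file, so as pasted the snippet reads as removing the three lines rather than adding them; state the insertion point (next to the existing SSL_CTX_set_options calls on tls_ctx) so that someone applying the workaround does not have to guess the direction of the diff. The `# ifdef SSL_OP_NO_TLSv1_3` guard is correct, since that option only exists from OpenSSL 1.1.1 on; on 1.1.x, `SSL_CTX_set_max_proto_version(tls_ctx, TLS1_2_VERSION)` expresses the same cap more explicitly. Either way the cap applies to every client of this server, not only to FileZilla, and nothing in the thread adds a runtime switch for it, so it belongs with a comment marking it as temporary until the data-connection bug is fixed.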

to disable TLSv1.3 as a workaround.

mvegetto (Author) commented Feb 1, 2019

Hello, I can also confirm this, but it doesn't seem to be size related:

See below the trace of FileZilla:

Trace: Protocol: TLS1.3, Key exchange: ECDHE-PSK, Cipher: AES-256-GCM, MAC: AEAD
Trace: CTransferSocket::OnConnect
Trace: CTlsSocketImpl::Shutdown()
Trace: CTransferSocket::TransferEnd(1)
Trace: CFtpControlSocket::TransferEnd()
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 451-Error during read from data connection
Response: 451 Transfer aborted
Trace: CFtpRawTransferOpData::ParseResponse() in state 7
Trace: CFtpControlSocket::ResetOperation(2)
Trace: CControlSocket::ResetOperation(2)
Trace: CFtpRawTransferOpData::Reset(2) in state 7
Trace: CFtpFileTransferOpData::SubcommandResult(2) in state 7
Trace: CFtpControlSocket::ResetOperation(2)
Trace: CControlSocket::ResetOperation(2)
Trace: CFtpFileTransferOpData::Reset(2) in state 7
Error: File transfer failed
Trace: CFileZillaEnginePrivate::ResetOperation(2)
Trace: CFtpControlSocket::FileTransfer()
Trace: CControlSocket::SendNextCommand()
Trace: CFtpFileTransferOpData::Send() in state 0

alienmindbender commented Feb 1, 2019

Hi,

why not reopen the issue then? ;-)

MrJohnyk commented Feb 3, 2019

I can confirm this issue. Users are complaining, and the logs contain lots of lines like these:

Feb 3 13:32:43 server1 pure-ftpd[1058]: (?@x.x.x.x) [INFO] userx is now logged in
Feb 3 13:32:47 server1 pure-ftpd[1058]: (userx@x.x.x.x) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Feb 3 13:33:29 server1 pure-ftpd[1058]: (userx@x.x.x.x) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Feb 3 13:33:29 server1 pure-ftpd[1058]: (userx@x.x.x.x) [NOTICE] /home/userx//index.html uploaded (0 bytes, 0.00KB/sec)

This looks like a serious bug.
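A detection pass over the server log, as an added example that is not pure-ftpd code or anything posted in this thread: it parses pure-ftpd's syslog lines, remembers the last protocol negotiated per session (keyed by the pure-ftpd pid, or by the client address when no pid is logged, as in the earlier "251 pure-ftpd:" lines), and lists every upload that completed with 0 bytes together with that protocol, so an operator can see at a glance whether the empty uploads cluster on TLSv1.3 sessions as reported above and in alienmindbender's log. The log lines in the block are constructed on the pattern of the ones quoted in this thread, with example addresses; the function names and the field layout are my own.

```python
"""Flag zero-byte uploads in pure-ftpd syslog output and attribute each to the
session's negotiated TLS version (added example, not pure-ftpd code)."""
import re

# Syslog line layout as quoted in this thread:
#   <mon> <day> <time> <host> pure-ftpd[<pid>]: (<user>@<ip>) [<LEVEL>] <message>
# The "[<pid>]" part is optional; some setups log "pure-ftpd:" without it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pure-ftpd(?:\[(?P<pid>\d+)\])?: \((?P<user>[^@)]*)@(?P<ip>[^)]*)\) "
    r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
TLS_RE = re.compile(r"TLS: Enabled (?P<proto>TLSv[\d.]+) with (?P<cipher>[^,\s]+)")
UPLOAD_RE = re.compile(r"^(?P<path>.+?) uploaded\s+\((?P<bytes>\d+) bytes")

# Constructed sample log modelled on the lines quoted in this issue; addresses
# are documentation ranges, not real clients.
SAMPLE_LOG = """\
Feb  3 13:32:43 server1 pure-ftpd[1058]: (?@192.0.2.10) [INFO] userx is now logged in
Feb  3 13:32:47 server1 pure-ftpd[1058]: (userx@192.0.2.10) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Feb  3 13:33:29 server1 pure-ftpd[1058]: (userx@192.0.2.10) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Feb  3 13:33:29 server1 pure-ftpd[1058]: (userx@192.0.2.10) [NOTICE] /home/userx//index.html uploaded (0 bytes, 0.00KB/sec)
Feb  3 13:40:02 server1 pure-ftpd[1203]: (?@198.51.100.7) [INFO] bob is now logged in
Feb  3 13:40:05 server1 pure-ftpd[1203]: (bob@198.51.100.7) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Feb  3 13:40:09 server1 pure-ftpd[1203]: (bob@198.51.100.7) [NOTICE] /home/bob/report.pdf uploaded  (48213 bytes, 1201.50KB/sec)
Feb  3 13:41:00 server1 pure-ftpd[1203]: (bob@198.51.100.7) [NOTICE] /home/bob/empty.txt uploaded  (0 bytes, 0.00KB/sec)
Feb  3 13:45:10 server1 pure-ftpd[1300]: (carol@203.0.113.5) [NOTICE] /home/carol/notes.txt uploaded  (0 bytes, 0.00KB/sec)
"""


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not pure-ftpd."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_zero_byte_uploads(lines):
    """Return one record per upload that finished with 0 bytes, tagged with the
    protocol most recently negotiated on that session ("plaintext" if none)."""
    session_tls = {}   # session key -> (proto, cipher) of the latest TLS negotiation
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["pid"] or rec["ip"]          # pid is the session; fall back to client ip
        m = TLS_RE.search(rec["msg"])
        if m:
            # pure-ftpd logs this once for the control and once per data connection
            session_tls[key] = (m["proto"], m["cipher"])
            continue
        m = UPLOAD_RE.match(rec["msg"])
        if m and int(m["bytes"]) == 0:
            proto, cipher = session_tls.get(key, ("plaintext", None))
            hits.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"],
                         "path": m["path"], "proto": proto, "cipher": cipher})
    return hits


def count_by_protocol(hits):
    """Tally the zero-byte uploads per negotiated protocol."""
    counts = {}
    for h in hits:
        counts[h["proto"]] = counts.get(h["proto"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_zero_byte_uploads(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['user']}@{h['ip']} {h['path']} ({h['proto']})")
    print(count_by_protocol(found))
```

Run it over `/var/log/syslog` (or wherever pure-ftpd's messages land) and compare the per-protocol tally: a pile of empty uploads that only appears under TLSv1.3 is the signature discussed in this thread, while empty uploads spread across all protocols point at something else, as the later comment about #102 suggests.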

mvegetto reopened this Feb 3, 2019

mvegetto changed the title from "FileZilla Client 3.40.0-rc2: TLS 1.3 not working with certificate" to "FileZilla Client 3.40.0: TLS 1.3 file upload bug" on Feb 3, 2019

MrJohnyk commented Feb 3, 2019

I'm not sure if this is only related to FileZilla. I will ask my users what client they use to connect, just to be sure.

MrJohnyk commented Feb 4, 2019

This is a different issue. It has nothing to do with TLS 1.3 or FileZilla. I have users logging in with different clients and facing the same problem. I have opened a new issue: #102

Railsimulatornet commented Feb 20, 2019

I have the same problem.

Sorry, but how can I disable TLS 1.3? I would like to use TLS 1.2 only. Unfortunately I cannot find a solution on the internet.

alienmindbender commented Feb 20, 2019

> I have the same problem.
>
> Sorry, but how can I disable TLS 1.3? I would like to use TLS 1.2 only. Unfortunately I cannot find a solution on the internet.

You have to recompile PureFTPd with TLS 1.3 disabled; you'll find the snippet above.
There is no option to turn it off via settings.

Railsimulatornet commented Feb 21, 2019

Thanks.
