
It took some time while I tried to find a solution over the net. Nothing helped. The story: I have Ubuntu 10.10 (an Amazon EC2 instance) with ProFTPD version 1.3.2e (the latest via apt-get). I changed nothing on the server or the FTP clients, but suddenly my clients (FileZilla 3.5.3, TotalCmd) ceased to connect to the server via FTPS.

Log from FileZilla:

Status: Connecting to 7x.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response:   220 ProFTPD 1.3.2e Server (XXX) [7x.xxx.xxx.xxx]
Command:    AUTH TLS
Response:   234 AUTH TLS successful
Status: Initializing TLS...
Error:  GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Error:  Could not connect to server

Here is the ProFTPD tls.log:

May 04 14:28:32 mod_tls/2.2.2[1057]: TLS/TLS-C requested, starting TLS handshake
May 04 14:28:34 mod_tls/2.2.2[1057]: unable to accept TLS connection: received EOF that violates protocol
May 04 14:28:34 mod_tls/2.2.2[1057]: TLS/TLS-C negotiation failed on control channel

ProFTPD TLS config:

<IfModule mod_tls.c>
  TLSEngine                               on
  TLSLog                                  /var/log/proftpd/tls.log
  TLSProtocol                             SSLv3 TLSv1

  TLSRSACertificateFile                   /usr/local/apache2/conf/crt/server/srv.crt
  TLSRSACertificateKeyFile                /usr/local/apache2/conf/crt/server/srv.nopass.key
  TLSCACertificateFile                     /usr/local/apache2/conf/crt/ca/ca.crt

  TLSOptions                             NoCertRequest
  TLSVerifyClient                         off
  TLSRequired                             on
</IfModule>

The clients were verified against ftps://ftp.secureftp-test.com:990 (a test server for FTPS); that connection is ok. Then I tried adding TLSRenegotiation none and other options I found over the net - with no result. Tried a reboot - no result.

Tried: openssl s_client -connect 127.0.0.1:21 -starttls ftp:

CONNECTED(00000003)
depth=1 /C=...
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
...
Server certificate
-----BEGIN CERTIFICATE-----
MII...
...hC
-----END CERTIFICATE-----
subject=/C...
---
No client certificate CA names sent
---
SSL handshake has read 3615 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID: 5E9090B0AC306334847BEC665D069DD90CED941C23E7911CCFA120DDF2B8E016
Session-ID-ctx: 
Master-Key: 5708...DCB
Key-Arg   : None
TLS session ticket:
0000 - ff 21 19 28 26 0b 21 28-57 29 5a 97 95 58 b5 90   .!.(&.!(W)Z..X..
...
00a0 - 04 7b e0 4b 1c e7 53 d1-3d 8c 5c 19 30 09 c8 b9   .{.K..S.=.\.0...

Compression: 1 (zlib compression)
Start Time: 1336143573
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 ProFTPD 1.3.2e Server (xxx) [7x.xxx.xxx.xxx]
QUIT
DONE

What else can be done? I want my FTPS back. What is the typical behaviour in similar situations if there is no exact solution?

Suddenly the server started to work properly, but all this is anxiously disturbing. The question is still open - maybe I missed something while diagnosing my problem? Maybe the problem was in the connection (but I used passive mode, and the other FTPS server worked properly)? – confused-demon May 05 '12 at 10:03
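As an added diagnostic (not code from the original post or from ProFTPD): a small Python probe that does by hand what the openssl s_client -starttls ftp run above did, but records which stage breaks - the greeting, the AUTH TLS reply, or the TLS handshake itself. Because s_client from 127.0.0.1 succeeded while the remote clients failed, the point is to run it once from the client's network and once on the server, then compare the two results. Host and port are command-line arguments; the permissive TLS settings (TLSv1 minimum, SECLEVEL 0, no chain verification) are assumptions chosen to match the server's SSLv3/TLSv1 configuration.

```python
import re
import socket
import ssl
import sys
# A reply is complete once its last line is 'NNN <text>'; 'NNN-' lines continue it.
END_OF_REPLY = re.compile(rb"(?:^|\n)\d{3} [^\r\n]*\r?\n\Z")

def reply_complete(buf: bytes) -> bool:
    return END_OF_REPLY.search(buf) is not None

def parse_reply(buf: bytes) -> tuple:
    """Return (code, text) for a complete FTP control-channel reply."""
    return int(buf[:3]), buf.decode("latin-1").rstrip("\r\n")

def read_reply(sock) -> tuple:
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the control connection")
        buf += chunk
    return parse_reply(buf)

def make_context() -> ssl.SSLContext:
    """Permissive on purpose: this diagnoses the handshake, not the cert chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # the post's server: DHE-RSA-AES256-SHA
    if ssl.HAS_TLSv1:  # the post's server offers SSLv3/TLSv1 only
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def probe(host: str, port: int = 21, timeout: float = 10.0) -> dict:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, greeting = read_reply(sock)
        if code != 220:
            return {"stage": "greeting", "greeting": greeting}
        sock.sendall(b"AUTH TLS\r\n")
        code, reply = read_reply(sock)
        if code != 234:  # no TLS offered on the control channel
            return {"stage": "auth_tls", "greeting": greeting, "reply": reply}
        try:  # SSLEOFError here is the client-side view of ProFTPD's "received EOF"
            tls = make_context().wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as exc:
            return {"stage": "tls_failed", "reply": reply, "error": str(exc)}
        tls.sendall(b"QUIT\r\n")
        return {"stage": "tls_ok", "version": tls.version(), "cipher": tls.cipher()[0]}

if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 21))
```

A result of stage "tls_failed" with an EOF error from the client network but "tls_ok" from the server itself points at the path between them (NAT, firewall, or an inspecting middlebox cutting the handshake), not at the ProFTPD configuration.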

0 Answers