Hello, I have made some investigations. I'm stuck, but I give the status of these.
1) My server is proftpd, ProFTPD Version 1.3.3a (Debian squeeze). My conf relative to TLS is:

    TLSProtocol SSLv3 TLSv1
    #TLSProtocol SSLv23        <-- I have tested with that, or only SSLv3, or only TLSv1, no change
    <VirtualHost IP>
    ...
    TLSEngine on
    TLSRequired auth+data      <-- I have tested with: 'on', 'ctrl', 'data', 'auth', no change with the other parameters maximally relaxed:
    TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
    TLSVerifyClient off
    TLSRenegotiate required off
    ...

2) This server and conf are working completely with clients:

- under linux:
  a) lftp with:

        set ftp:ssl-allow true
        set ftp:ssl-force true
        set ftp:ssl-protect-data yes
        set ftp:ssl-protect-list yes
        set ssl:check-hostname no
        set ssl:verify-certificate no
        set passive-mode yes
        set ftp:use-feat/IP off
        set ftp:ssl-force/IP on

  b) curl -k -u user --ftp-ssl ftp://IP/some-file

- under windows:
  a) FileZilla
  b) WinSCP (recent version, for TLS support)

3) I use the Debian sources from netkit-ftp-ssl-0.17.23+0.2.

A) I have noticed that when I set type to A (ftp> ascii), the download is correct and complete.

    $ ./ftp/ftp -p -d -z verbose IP
    (my .netrc is filled with login and password)
    Connected to IP.
    220 FTP SSL eliot IP
    ftp: setsockopt: Bad file descriptor
    ---> AUTH SSL
    234 AUTH SSL exécuté avec succès
    SSL_connect:UNKWN before/connect initialization
    SSL_connect:3WCH_A SSLv3 write client hello A
    SSL_connect:3RSH_A SSLv3 read server hello A
    SSL_connect:3RSC_A SSLv3 read server certificate A
    SSL_connect:3RSKEA SSLv3 read server key exchange A
    SSL_connect:3RSD_A SSLv3 read server done A
    SSL_connect:3WCKEA SSLv3 write client key exchange A
    SSL_connect:3WCCSA SSLv3 write change cipher spec A
    SSL_connect:3WFINA SSLv3 write finished A
    SSL_connect:3FLUSH SSLv3 flush data
    SSL_connect:3RFINA SSLv3 read finished A
    [SSL Cipher DHE-RSA-AES256-SHA]
    ---> USER test
    331 Mot de passe requis pour test
    ---> PASS XXXX
    230-
    230-- FTP HubV2 TLS SSL -
    230-- Only Passive Mode -
    230-
    230 Utilisateur test authentifié
    ---> SYST
    215 UNIX Type: L8
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ascii
    ---> TYPE A
    200 Type paramétré à A
    ftp> ls
    ftp: setsockopt (ignored): Permission denied
    ---> PASV
    227 Entering Passive Mode (11,22,33,44,247,56).
    ---> LIST
    150 Ouverture d'une connexion de données en mode ASCII pour file list
    ===>START SSL connect on DATA
    SSL_connect:UNKWN before/connect initialization
    SSL_connect:3WCH_A SSLv3 write client hello A
    SSL_connect:3RSH_A SSLv3 read server hello A
    SSL_connect:3RFINA SSLv3 read finished A
    SSL_connect:3WCCSA SSLv3 write change cipher spec A
    SSL_connect:3WFINA SSLv3 write finished A
    SSL_connect:3FLUSH SSLv3 flush data
    ===>DONE SSL connect on DATA
    7
    -rw-------    1 test     FTP          1141 Oct 23 19:38 netkit-ftp-ssl.txt
    226 Téléchargement terminé
    ftp> get netkit-ftp-ssl.txt
    local: netkit-ftp-ssl.txt remote: netkit-ftp-ssl.txt
    ftp: setsockopt (ignored): Permission denied
    ---> PASV
    227 Entering Passive Mode (11,22,33,44,234,200).
    ---> RETR netkit-ftp-ssl.txt
    150 Opening ASCII mode data connection for netkit-ftp-ssl.txt (1141 bytes)
    ===>START SSL connect on DATA
    SSL_connect:UNKWN before/connect initialization
    SSL_connect:3WCH_A SSLv3 write client hello A
    SSL_connect:3RSH_A SSLv3 read server hello A
    SSL_connect:3RFINA SSLv3 read finished A
    SSL_connect:3WCCSA SSLv3 write change cipher spec A
    SSL_connect:3WFINA SSLv3 write finished A
    SSL_connect:3FLUSH SSLv3 flush data
    ===>DONE SSL connect on DATA
    7
    226 Téléchargement terminé
    1170 bytes received in 0.02 secs (52.1 kB/s)
    ftp> quit
    ---> QUIT
    221 Au revoir.

B) With type binary (I) or ascii (A) the upload is correct and complete (SSL_write).

C) In ftp/ftp.c, function recvrequest, the problem is with:

    while ((c = SSL_read(ssl_data_con, buf, bufsize)) > 0)     (l. 1206)

the SSL_read function fails. I have put just before:

    ssl_data_active_flag=0;
    if (ssl_data_active_flag) {...

to make the "else" in action, that is:

    while ((c = read(fileno(din), buf, bufsize)) > 0) {...

and then I receive something: the file netkit-ftp-ssl.txt plus some extra bytes inside (from a second packet I have seen in tcpdump; I suppose these are bytes relative to SSL that the server is sending). I see the file netkit-ftp-ssl.txt in clear with tcpdump on the data port, this should not be...

D) As it works with TYPE A (SSL encrypted, not in clear), I have tried to put, just after

    case TYPE_I:
    case TYPE_L:

exactly the same code as in case TYPE_A (that is: DATAGETC --> SSL_read of just one byte). But SSL_read fails again.

So, I don't know what I can do to make this SSL_read work. I don't understand.
Raphael
-------

On Wednesday 28 October 2015, at 12:19:19 +0100, Raphael Astier (raphael.ast...@eliot-sa.com) wrote:
> Hello,
>
> I know where in the source code the problem is:
>
> in file ftp.c, line 1203
>
>     #ifdef USE_SSL
>     if (ssl_data_active_flag) {
>         while ((c = SSL_read(ssl_data_con, buf, bufsize)) > 0) {    <--- pb is here
>             fprintf(stderr, "c %d\n",c);
>             if ((d = write(fileno(fout), buf, c)) != c)
>
> I have changed, a few lines after, "if ( c < -1 )" to "if ( c <= -1 )";
> then I get the output from:
>
>     sprintf(errbuf,"ftp: SSL_read DATA error %s\n",
>             ERR_error_string(ERR_get_error(),NULL));
>
>     $ ./ftp mysite-ftp-ssl.xx
>
>     220 FTP SSL mysite-ftp-ssl.xx
>     234 AUTH SSL exécuté avec succès
>     [SSL Cipher DHE-RSA-AES256-SHA]
>     331 Mot de passe requis pour abcdef
>     230-
>     230-- FTP TLS SSL -
>     230-- Only Passive Mode -
>     230-
>     230 Utilisateur abcdef authentifié
>     Remote system type is UNIX.
>     Using binary mode to transfer files.
>     ftp> passive
>     Passive mode on.
>     ftp> ls
>     227 Entering Passive Mode (12,33,44,55,252,31).
>     150 Ouverture d'une connexion de données en mode ASCII pour file list
>     -rw-------    1 abcdef   FTP          1141 Oct 23 19:38 netkit-ftp-ssl.txt
>     226 Téléchargement terminé
>     ftp> get netkit-ftp-ssl.txt
>     local: netkit-ftp-ssl.txt remote: netkit-ftp-ssl.txt
>     227 Entering Passive Mode (12,33,44,55,250,129).
>     150 Opening BINARY mode data connection for netkit-ftp-ssl.txt (1141 bytes)
>     ftp: SSL_read DATA error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number    <--- here is the problem
>     226 Téléchargement terminé
>     ftp> quit
>     221 Au revoir.
>
> So, I know where the problem is, but I don't know HOW to solve it (for the moment).
>
> I will try.
>
>
> Raphael
> -------
>
> On Tuesday 27 October 2015, at 16:24:15 +0100, Matus UHLAR - fantomas (uh...@fantomas.sk) wrote:
> > Hello again,
> >
> > On 24.10.15 10:54, Raphael Astier wrote:
> > >I see exactly the same problem you describe.
> > >
> > >I will have a look inside the debian patch SSL/TLS code.
> >
> > I have looked at that but it seems that the data are to be sent to file, BUT
> > they are sent via network for an unknown reason...
> > --
> > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Warning: I do NOT want to receive any advertising mail at this address.
> > The only substitute for good manners is fast reflexes.
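A diagnostic for the situation described in C) and in the quoted "SSL3_GET_RECORD:wrong version number" error: peek at the first bytes arriving on the FTP data connection and decide whether they are a TLS record header or clear text, which separates a client-side SSL_read problem from a server that is sending the file unencrypted. This is added example code, not code from netkit-ftp-ssl or from the thread; probe_tls_record, probe_data_socket and the PROBE_* names are assumed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>

/* Verdict on the first bytes seen on an FTP data connection (names assumed). */
enum probe_result {
    PROBE_TLS_RECORD,  /* 5-byte header parses as a TLS/SSLv3 record */
    PROBE_NEED_MORE,   /* fewer than 5 bytes available yet */
    PROBE_PLAINTEXT,   /* printable text: the peer is sending data in clear */
    PROBE_NOT_TLS      /* neither a TLS record header nor printable text */
};

struct tls_record_hdr {
    uint8_t content_type;  /* 0x14 CCS, 0x15 alert, 0x16 handshake, 0x17 app data */
    uint8_t major, minor;  /* 0x03,0x00 = SSLv3 ... 0x03,0x03 = TLS 1.2 */
    uint16_t length;       /* payload length, big-endian */
};

/* Classify buf[0..n) without consuming it; fills *hdr on PROBE_TLS_RECORD. */
enum probe_result probe_tls_record(const unsigned char *buf, size_t n,
                                   struct tls_record_hdr *hdr)
{
    size_t i;
    if (n < 5)
        return PROBE_NEED_MORE;
    /* OpenSSL's "SSL3_GET_RECORD:wrong version number" means bytes 1-2 were
     * not a 0x03,0x0x version, i.e. this is not the start of a TLS record. */
    if (buf[0] >= 0x14 && buf[0] <= 0x17 && buf[1] == 0x03 && buf[2] <= 0x03) {
        if (hdr) {
            hdr->content_type = buf[0];
            hdr->major = buf[1];
            hdr->minor = buf[2];
            hdr->length = (uint16_t)((buf[3] << 8) | buf[4]);
        }
        return PROBE_TLS_RECORD;
    }
    for (i = 0; i < n; i++)
        if (!isprint(buf[i]) && !isspace(buf[i]))
            return PROBE_NOT_TLS;
    return PROBE_PLAINTEXT;
}

/* Peek at the data socket with MSG_PEEK so a later SSL_read() still gets the bytes. */
enum probe_result probe_data_socket(int fd, struct tls_record_hdr *hdr)
{
    unsigned char peek[5];
    ssize_t n = recv(fd, peek, sizeof peek, MSG_PEEK);
    return n <= 0 ? PROBE_NEED_MORE : probe_tls_record(peek, (size_t)n, hdr);
}
```

Calling probe_data_socket(fileno(din), &hdr) right before the SSL_read loop in recvrequest would show whether the server actually starts a TLS record on the data channel or, as the tcpdump observation suggests, writes the listing or file in clear.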