Opened 8 years ago

Closed 5 years ago

#7815 closed Bug report (rejected)

reuse SSL session of control connection

Reported by: Dr. Fragment
Owned by:
Priority: normal
Component: FileZilla Client
Keywords: ftpes, ftp tls
Cc: netscout
Component version:
Operating system type:
Operating system version: Linux Mint

Description

I've been testing in two Linux and two Windows systems on the same internet line.
Everything works OK in Windows and even in Linux if running the Windows version of Filezilla through Wine!

The problem with the Linux version of Filezilla is, when connected to a FTPES server and trying to upload a file, it is uploading only around half a second, then it stops, timeouts, reconnects, continues the upload again for around half a seconds, timeouts, etc.

Sometimes if inactive for like a minute or two, it gives "425 Unable to build data connection: Operation not permitted" error, when trying to refresh.

Downloading seems OK.

Tested versions: 3.3.5.1, 3.5.1, 3.5.2-rc1.

Should you need more info, let me know.

Change History (14)

comment:1 Changed 8 years ago by Dr. Fragment

Additional note: The 32-bit Linux version works OK! So it's only a problem in the Linux 64-bit Filezilla.

comment:2 Changed 8 years ago by netscout

Cc: netscout added

Have the same problem under Fedora 16, but when I use the Windows version via Wine it is working.
But I cannot upload with the Linux version with OR without SSL; both have interrupts after some seconds.

comment:3 Changed 7 years ago by batfastad

I can confirm the same thing on Linux Mint 14, 64bit, FileZilla 3.5.3 from the repositories.
Trying to connect over FTPES fails but regular unencrypted FTP works perfectly.
Unfortunately I cannot test with implicit TLS.

When booted into Win7 on the same machine with the same internet connection, the connection works over FTPES.

It looks like the certificate is accepted ok and the username and password are correct as it seems like the server logs in.

You can contact me if you need further help debugging or a test server to verify against. I'm the admin of the server in question so would be able to enable trace logging and get some debug logs from the server if required.

Here's the FileZilla log in verbose mode if this is any use...
{{{
Status: Disconnected from server
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Status: Resolving address of ftp.domain.com
Status: Connecting to 11.22.33.44:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220 ProFTPD ready and waiting. Explicit TLS connections accepted (and encouraged)!
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: TLS Handshake successful
Trace: Cipher: AES-128-CBC, MAC: SHA1
Status: Verifying certificate...
Trace: CFtpControlSocket::SendNextCommand()
Command: USER upload
Status: TLS/SSL connection established.
Trace: CFtpControlSocket::OnReceive()
Response: 331 Password required for upload
Trace: CFtpControlSocket::SendNextCommand()
Command: PASS *
Trace: CFtpControlSocket::OnReceive()
Response: 230 User upload logged in.
Trace: CFtpControlSocket::SendNextCommand()
Command: PBSZ 0
Trace: CFtpControlSocket::OnReceive()
Response: 200 PBSZ 0 successful
Trace: CFtpControlSocket::SendNextCommand()
Command: PROT P
Trace: CFtpControlSocket::OnReceive()
Response: 200 Protection set to Private
Status: Connected
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Status: Retrieving directory listing...
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::ChangeDirSend()
Command: PWD
Trace: CFtpControlSocket::OnReceive()
Response: 257 "/" is the current directory
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpControlSocket::ParseSubcommandResult(0)
Trace: CFtpControlSocket::ListSubcommandResult()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Command: TYPE I
Trace: CFtpControlSocket::OnReceive()
Response: 200 Type set to I
Trace: CFtpControlSocket::TransferParseResponse()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Command: PASV
Trace: CFtpControlSocket::OnReceive()
Response: 227 Entering Passive Mode (11,22,33,44,234,97).
Trace: CFtpControlSocket::TransferParseResponse()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Command: MLSD
Trace: CTransferSocket::OnConnect
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CFtpControlSocket::OnReceive()
Response: 150 Opening ASCII mode data connection for MLSD
Trace: CFtpControlSocket::TransferParseResponse()
Trace: CFtpControlSocket::SendNextCommand()
Trace: CFtpControlSocket::TransferSend()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: TLS Handshake successful
Trace: Cipher: AES-128-CBC, MAC: SHA1
Trace: CTransferSocket::OnConnect
Trace: CTransferSocket::TransferEnd(1)
Trace: CFtpControlSocket::OnReceive()
Response: 425 Unable to build data connection: Operation not permitted
Trace: CFtpControlSocket::TransferParseResponse()
Trace: CFtpControlSocket::ResetOperation(2)
Trace: CControlSocket::ResetOperation(2)
Trace: CFtpControlSocket::ParseSubcommandResult(2)
Trace: CFtpControlSocket::ListSubcommandResult()
Trace: CFtpControlSocket::ResetOperation(2)
Trace: CControlSocket::ResetOperation(2)
Error: Failed to retrieve directory listing
Trace: CFtpControlSocket::TransferEnd()
Trace: Call to TransferEnd at unusual time, ignoring
}}}

comment:4 Changed 7 years ago by Alexander Schuch

Status: new → moreinfo

Are you sure this is a problem with FileZilla Client and not the server you are using?

Command: MLSD
Response: 150 Opening ASCII mode data connection for MLSD
Response: 425 Unable to build data connection: Operation not permitted

FileZilla Client sends an MLSD. The server receives that command and acknowledges it (150). After some time it fails to actually perform it and indicates an error (425).

comment:5 Changed 7 years ago by batfastad

Reasonably sure. The same FTPES connection works on Filezilla on Win 7 64bit, Win Vista 32bit and Win XP. To me that points to a client problem rather than server. I can send you FTP account details if you want, I've got the same username in the forums if you want to PM.

comment:6 Changed 7 years ago by batfastad

Operating system version: Linux Mint Debian Edition → Linux Mint
Status: moreinfo → new

One thing to add... it works fine in the version from the Fedora 18 64bit repos.
So it must be something in the packaging for Mint (and possibly Ubuntu?). I'll try and investigate to see if there's any difference in the compile options.

comment:7 Changed 7 years ago by batfastad

It appears it might be my server after all as I am able to connect to other servers with FTPES using this version of FileZilla.

It's just strange that my server works with FTPES on Fedora and Windows but not the 3.5.3-2ubuntu1 from the repositories on Linux Mint 14. I have never seen this problem with this FTP server before. It's running ProFTPD if that makes any difference?

comment:8 Changed 7 years ago by batfastad

After a brief bit of debugging I have got FileZilla working with my server on Linux Mint.

Server is ProFTPD 1.3.4a on CentOS. Here's the relevant bits from the logs...
This is what I saw in my server logs...

Mar 04 23:20:16 mod_tls/2.4.3[1665]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Mar 04 23:20:17 mod_tls/2.4.3[1665]: TLS/TLS-C requested, starting TLS handshake
Mar 04 23:20:17 mod_tls/2.4.3[1665]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
Mar 04 23:20:17 mod_tls/2.4.3[1665]: Protection set to Private
Mar 04 23:20:18 mod_tls/2.4.3[1665]: starting TLS negotiation on data connection
Mar 04 23:20:18 mod_tls/2.4.3[1665]: TLSv1/SSLv3 renegotiation accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
Mar 04 23:20:18 mod_tls/2.4.3[1665]: client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
Mar 04 23:20:18 mod_tls/2.4.3[1665]: unable to open data connection: TLS negotiation failed

I enabled NoSessionReuseRequired in TLSOptions... http://www.proftpd.org/docs/contrib/mod_tls.html#TLSOptions

As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections that reuse the SSL session of the control connection, as a security measure. Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
To relax the requirement that the SSL session from the control connection be reused for data connections

And FileZilla now connects! Though why this was working ok without me needing to change my server config on Fedora 18 I have no idea. Hope this helps someone out.
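The log lines above show the actual check mod_tls performs: before accepting a PROT P data connection it requires the data channel's TLS handshake to resume the TLS session of the authenticated control connection, so that whoever connects to the passive port is provably the same TLS client that logged in. The following is an added example (not FileZilla or ProFTPD code) of what a client has to do to pass that check, plus a small triage helper for proftpd.tls.log. It assumes Python 3.6 or newer (the `session` keyword of `SSLContext.wrap_socket` and the `SSLSocket.session` attribute), and the log text is a constructed sample modelled on the excerpts in this ticket.

```python
import re
from collections import Counter
from ftplib import FTP, FTP_TLS


class SessionReusingFTP_TLS(FTP_TLS):
    """FTPES client whose PROT P data connections resume the control
    connection's TLS session.

    This is exactly what ProFTPD's mod_tls checks for before accepting a
    data connection (the "client did not reuse SSL session" rejection in
    the logs above). CPython's own FTP_TLS has passed session= itself
    since 3.6; this hypothetical subclass only makes the requirement
    explicit so the mechanism is visible.
    """

    def ntransfercmd(self, cmd, rest=None):
        # Plain FTP.ntransfercmd opens the (still cleartext) data socket.
        conn, size = FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:
            conn = self.context.wrap_socket(
                conn,
                server_hostname=self.host,
                # Resume the control connection's session. Without this the
                # data channel is a fresh, unrelated TLS client as far as the
                # server can tell, and mod_tls answers 425.
                session=self.sock.session,
            )
        return conn, size


# Constructed sample in the shape of the proftpd.tls.log lines quoted in
# this ticket. PID 1665 is a client that never resumes the session; PID
# 1702 is a client whose data connection passes the check.
SAMPLE_TLS_LOG = """\
Mar 04 23:20:17 mod_tls/2.4.3[1665]: TLS/TLS-C requested, starting TLS handshake
Mar 04 23:20:17 mod_tls/2.4.3[1665]: Protection set to Private
Mar 04 23:20:18 mod_tls/2.4.3[1665]: starting TLS negotiation on data connection
Mar 04 23:20:18 mod_tls/2.4.3[1665]: TLSv1/SSLv3 renegotiation accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
Mar 04 23:20:18 mod_tls/2.4.3[1665]: client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
Mar 04 23:20:18 mod_tls/2.4.3[1665]: unable to open data connection: TLS negotiation failed
Mar 04 23:21:02 mod_tls/2.4.3[1702]: starting TLS negotiation on data connection
Mar 04 23:21:02 mod_tls/2.4.3[1702]: TLSv1/SSLv3 renegotiation accepted, using cipher AES256-GCM-SHA384 (256 bits)
Mar 04 23:21:09 mod_tls/2.4.3[1665]: starting TLS negotiation on data connection
Mar 04 23:21:09 mod_tls/2.4.3[1665]: client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
"""

# One mod_tls line: timestamp, module version, server PID, free-text message.
TLS_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"mod_tls/(?P<ver>[\d.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REUSE_REJECT = "client did not reuse SSL session, rejecting data connection"


def session_reuse_rejections(log_text):
    """Count, per server process (ProFTPD forks one PID per FTP session),
    the data connections rejected because the client did not resume the
    control connection's TLS session.

    Returns {pid: count}. A PID that always passes the check is absent, so
    a non-empty result is the signal to fix the client rather than to set
    NoSessionReuseRequired on the server.
    """
    rejected = Counter()
    for line in log_text.splitlines():
        m = TLS_LINE.match(line)
        if m and m.group("msg").startswith(REUSE_REJECT):
            rejected[m.group("pid")] += 1
    return dict(rejected)


if __name__ == "__main__":
    print(session_reuse_rejections(SAMPLE_TLS_LOG))
```

The client half is the fix on the side that actually owns the bug; the triage half tells you whether a 425 in the FileZilla log is this rejection or some other data-connection failure (firewall, NAT, wrong PASV address), which look identical to the client.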

comment:9 Changed 7 years ago by Alexander Schuch

Operating system type: Linux
Priority: high → low
Summary: Cannot upload when using FTPES in Linux version of Filezilla → reuse SSL session of control connection
Type: Bug report → Feature request

I changed this to a feature request. Maybe it will be implemented one day:

Make "reuse SSL session of control connection" an option of FileZilla.

comment:10 Changed 7 years ago by batfastad

If this is now a feature request, I'm curious as to why this only affects Linux builds of FileZilla. Surely FTPES is FTPES and connecting to FTPES servers should work on Linux as well as Windows?

I can also confirm that using Windows FileZilla under Wine is not affected by this problem and can connect to my ProFTPD server without relaxing the server's TLSOptions setting. FileZilla 3.5.3 on Linux Mint 14 however does not connect and I have to specifically modify my server configuration away from default to allow FZ on Mint to connect.

comment:11 Changed 7 years ago by Dr. Fragment

Priority: low → normal
Type: Feature request → Bug report

Indeed, this should be marked as a bug, because the feature is already there, just broken.

comment:12 Changed 6 years ago by Alexander Schuch

Status: new → moreinfo

FileZilla 3.5.3 is quite old by now. Do you still have that issue with a current version of FileZilla? Just because if it only affects Linux builds, it might be a used library which is the issue of that, and this library might be updated already. No idea. :)

So can you please test the current version of FileZilla on a current Linux distribution?

comment:13 Changed 5 years ago by Barry Staes

Status: moreinfo → new

I routinely experience the problem here.
Sometimes Filezilla is connected for a minute, and then fails to transfer files because of error 425.
I just updated to Filezilla 3.10.0.2 (i686-w64-mingw32 built on 2015-01-16) and reproduced the problem.

For every attempt the server log "/var/log/proftpd/proftpd.tls.log" says:

Jan 20 15:16:44 mod_tls/2.4.3[29723]: starting TLS negotiation on data connection
Jan 20 15:16:44 mod_tls/2.4.3[29723]: TLSv1/SSLv3 renegotiation accepted, using cipher AES256-GCM-SHA384 (256 bits)
Jan 20 15:16:44 mod_tls/2.4.3[29723]: client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter)
Jan 20 15:16:44 mod_tls/2.4.3[29723]: unable to open data connection: TLS negotiation failed

While Filezilla log says:

Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (***,***,***,***,137,172).
Command:	MLSD
Response:	150 Opening BINARY mode data connection for MLSD
Response:	425 Unable to build data connection: Operation not permitted
Command:	SIZE et_EE.php
Response:	550 et_EE.php: No such file or directory
Command:	TYPE A
Response:	200 Type set to A
Command:	PASV
Response:	227 Entering Passive Mode (***,***,***,***,139,68).
Command:	STOR et_EE.php
Response:	150 Opening ASCII mode data connection for et_EE.php
Response:	425 Unable to build data connection: Operation not permitted
Error:	File transfer failed

A workaround is lowering server security using NoSessionReuseRequired, but I would rather avoid that.
The strange thing is that this works for a minute or so after reconnecting / pausing the queue for a while.

comment:14 Changed 5 years ago by Tim Kosse

Resolution: rejected
Status: new → closed

This is a known bug in old ProFTPd versions. Please update to the most recent ProFTPd version.

See http://bugs.proftpd.org/show_bug.cgi?id=3869
