ProFTPD Server Software

> proftpd-1.3.0rc2

Is this a regression, or do you see the same issues with proftpd-1.3.0rc1?

> Following are some examples from the logs that show some of the odd
> behavior:

What does server debugging output show?  Note that server debugging
output is separate from the ExtendedLog and TLSLog excerpts provided.

> Jul 26 09:58:20 mod_tls/2.1[32741]: received CCC, clearing control channel protection
> Jul 26 09:58:20 mod_tls/2.1[32741]: SSL_shutdown() error:
>   (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

The above error, from OpenSSL, needs to diagnosed, as I suspect it is
indicating a problem.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   But let there be spaces in your togetherness.

     -Kahlil Gibran

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Tue, Jul 26, 2005 at 11:39:36AM -0700, TJ Saunders wrote:
> 
> > proftpd-1.3.0rc2
> 
> Is this a regression, or do you see the same issues with proftpd-1.3.0rc1?

I was unable to get proftpd-1.3.0rc1 to work either, but have focused
more effort on testing rc2 than I did with rc1.

> > Following are some examples from the logs that show some of the odd
> > behavior:
> 
> What does server debugging output show?  Note that server debugging
> output is separate from the ExtendedLog and TLSLog excerpts provided.

I have not (yet) enabled server debugging, what level would you suggest?

> > Jul 26 09:58:20 mod_tls/2.1[32741]: received CCC, clearing control channel protection
> > Jul 26 09:58:20 mod_tls/2.1[32741]: SSL_shutdown() error:
> >   (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
> The above error, from OpenSSL, needs to diagnosed, as I suspect it is
> indicating a problem.

I see this error somewhat consistently with the Windows clients, but I
don't know what I should be looking for (I'm not an SSL guru).  Any
suggestions on what to look for or debugging strategies?

> TJ
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>    But let there be spaces in your togetherness.
> 
>      -Kahlil Gibran
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> ProFTPD Developers List
> <proftpd-devel@...>
> https://lists.sourceforge.net/lists/listinfo/proftp-devel

-- 
Larry Fahnoe, Fahnoe Technology Consulting, fahnoe@...
952/925-0744      Minneapolis, Minnesota       http://www.FahnoeTech.com

Okay, I have additional data to offer.  First I moved to an internal
server so there are no firewalls to worry about, though that also
means I'm switching from an RHEL3 system to an RHEL4 system.  

First AUTH TLS test using CuteFTP without CCC works just fine.

Second AUTH TLS test using CuteFTP wit CCC fails just like the others
do. 

Here's what the client thinks is going on:

------------------------------------------------------------------------
*** CuteFTP 7.0 - build Jun  6 2005 ***

STATUS:>  Getting listing ""...
STATUS:>  Resolving host name relay1.stp.mrll.com...
STATUS:>  Host name relay1.stp.mrll.com resolved: ip = 150.228.20.20.
STATUS:>  Connecting to FTP server relay1.stp.mrll.com:21 (ip = 150.228.20.20)...
STATUS:>  Socket connected. Waiting for welcome message...
220 FTP Server ready.
STATUS:>  Connected. Authenticating...
COMMAND:>AUTH TLS
234 AUTH TLS successful
STATUS:>  Establishing SSL session.
STATUS:>  Initializing SSL module.
STATUS:>  Connected. Exchanging encryption keys...
STATUS:>  SSL Connect time: 621 ms.
STATUS:>  SSL encrypted session established.
COMMAND:>PBSZ 0
200 PBSZ 0 successful
COMMAND:>USER lfahnoe
331 Password required for lfahnoe.
COMMAND:>PASS *****
230 User lfahnoe logged in.
STATUS:>  Login successful.
COMMAND:>PWD
257 "/home/lfahnoe" is current directory.
STATUS:>  Home directory: /home/lfahnoe
COMMAND:>FEAT
211-Features:
 MDTM
 REST STREAM
 SIZE
 AUTH TLS
 PBSZ
 PROT
211 End
STATUS:>  This site supports features.
STATUS:>  This site supports SIZE.
STATUS:>  This site can resume broken downloads.
COMMAND:>REST 0
501 REST: Resuming transfers not allowed in ASCII mode
COMMAND:>PBSZ 0
200 PBSZ 0 successful
COMMAND:>PROT P
200 Protection set to Private
COMMAND:>CCC
200 Clearing control channel protection
COMMAND:>PASV
ERROR:>   Timeout (60000 ms) occurred on receiving server response.
ERROR:>   Failed to establish data socket.
------------------------------------------------------------------------

Here's the proftpd log:

------------------------------------------------------------------------
150.228.8.21 UNKNOWN nobody [26/Jul/2005:14:34:20 -0500] "AUTH TLS" - -
150.228.8.21 UNKNOWN nobody [26/Jul/2005:14:34:20 -0500] "PBSZ 0" 200 -
150.228.8.21 UNKNOWN nobody [26/Jul/2005:14:34:20 -0500] "USER lfahnoe" 331 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:22 -0500] "PASS (hidden)" 230 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:22 -0500] "PWD" 257 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:22 -0500] "FEAT" 211 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:23 -0500] "REST 0" 501 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:23 -0500] "PBSZ 0" 200 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:23 -0500] "PROT P" 200 -
150.228.8.21 UNKNOWN lfahnoe [26/Jul/2005:14:34:23 -0500] "CCC" - -
------------------------------------------------------------------------

The TLS log (with some editing to make it readable):

------------------------------------------------------------------------
14:34:19 mod_tls/2.1: using default OpenSSL verification locations (see $SSL_CERT_DIR)
14:34:19 mod_tls/2.1: TLS/TLS-C requested, starting TLS handshake
14:34:20 mod_tls/2.1: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
14:34:20 mod_tls/2.1: set RSA blinding on
14:34:23 mod_tls/2.1: Protection set to Private
14:34:23 mod_tls/2.1: received CCC, clearing control channel protection
14:34:23 mod_tls/2.1: SSL_shutdown() error:
  (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
------------------------------------------------------------------------

Note that the "SSL3_GET_RECORD:wrong version number" error only
happens when the client issues the CCC command.

The server side debug is set to level 9 (leading data stripped out to
make it more readable):

------------------------------------------------------------------------
Jul 26 14:34:19 - AuthOrder in effect, resetting auth module order
Jul 26 14:34:19 - ident lookup disabled
Jul 26 14:34:19 - connected - local  : 150.228.20.20:21
Jul 26 14:34:19 - connected - remote : 150.228.8.21:2529
Jul 26 14:34:19 - FTP session opened.
Jul 26 14:34:19 - dispatching PRE_CMD command 'AUTH TLS' to mod_tls
Jul 26 14:34:19 - dispatching PRE_CMD command 'AUTH TLS' to mod_core
Jul 26 14:34:19 - dispatching PRE_CMD command 'AUTH TLS' to mod_core
Jul 26 14:34:19 - dispatching CMD command 'AUTH TLS' to mod_tls
Jul 26 14:34:20 - dispatching LOG_CMD command 'AUTH TLS' to mod_log
Jul 26 14:34:20 - dispatching PRE_CMD command 'PBSZ 0' to mod_tls
Jul 26 14:34:20 - dispatching PRE_CMD command 'PBSZ 0' to mod_core
Jul 26 14:34:20 - dispatching PRE_CMD command 'PBSZ 0' to mod_core
Jul 26 14:34:20 - dispatching CMD command 'PBSZ 0' to mod_tls
Jul 26 14:34:20 - dispatching LOG_CMD command 'PBSZ 0' to mod_log
Jul 26 14:34:20 - dispatching PRE_CMD command 'USER lfahnoe' to mod_tls
Jul 26 14:34:20 - dispatching PRE_CMD command 'USER lfahnoe' to mod_core
Jul 26 14:34:20 - dispatching PRE_CMD command 'USER lfahnoe' to mod_core
Jul 26 14:34:20 - dispatching PRE_CMD command 'USER lfahnoe' to mod_delay
Jul 26 14:34:20 - dispatching PRE_CMD command 'USER lfahnoe' to mod_auth
Jul 26 14:34:20 - dispatching auth request "endpwent" to module mod_auth_unix
Jul 26 14:34:20 - dispatching auth request "endgrent" to module mod_auth_unix
Jul 26 14:34:20 - dispatching CMD command 'USER lfahnoe' to mod_auth
Jul 26 14:34:20 - dispatching auth request "getgroups" to module mod_auth_unix
Jul 26 14:34:20 - dispatching auth request "requires_pass" to module mod_tls
Jul 26 14:34:20 - dispatching POST_CMD command 'USER lfahnoe' to mod_delay
Jul 26 14:34:20 - mod_delay/0.5: selecting median interval from 1 value
Jul 26 14:34:20 - dispatching LOG_CMD command 'USER lfahnoe' to mod_log
Jul 26 14:34:20 - dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
Jul 26 14:34:20 - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
Jul 26 14:34:20 - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
Jul 26 14:34:20 - dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
Jul 26 14:34:20 - dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
Jul 26 14:34:20 - dispatching auth request "endpwent" to module mod_auth_unix
Jul 26 14:34:20 - dispatching auth request "endgrent" to module mod_auth_unix
Jul 26 14:34:20 - dispatching CMD command 'PASS (hidden)' to mod_auth
Jul 26 14:34:20 - dispatching auth request "getgroups" to module mod_auth_unix
Jul 26 14:34:20 - dispatching auth request "getpwnam" to module mod_auth_unix
Jul 26 14:34:20 - dispatching auth request "gid2name" to module mod_auth_unix
Jul 26 14:34:20 - dispatching auth request "auth" to module mod_auth_pam
Jul 26 14:34:20 - ROOT PRIVS at mod_auth_pam.c:262
Jul 26 14:34:20 - RELINQUISH PRIVS at mod_auth_pam.c:421
Jul 26 14:34:20 - user lfahnoe authenticated by mod_auth_pam.c
Jul 26 14:34:20 - dispatching auth request "setgrent" to module mod_auth_unix
Jul 26 14:34:20 - ROOT PRIVS at mod_auth.c:447
Jul 26 14:34:20 - RELINQUISH PRIVS at mod_auth.c:449
Jul 26 14:34:20 - USER PRIVS 501 at mod_auth.c:1026
Jul 26 14:34:20 - RELINQUISH PRIVS at mod_auth.c:1028
Jul 26 14:34:20 -
Jul 26 14:34:20 - Config for corpftp.icrp.mrll.com:
Jul 26 14:34:20 - AccessGrantMsg
Jul 26 14:34:21 - DefaultServer
Jul 26 14:34:21 - ServerIdent
Jul 26 14:34:21 - DebugLevel
Jul 26 14:34:21 - AuthOrder
Jul 26 14:34:21 - IdentLookups
Jul 26 14:34:21 - ListOptions
Jul 26 14:34:21 - AllowRetrieveRestart
Jul 26 14:34:21 - AllowStoreRestart
Jul 26 14:34:21 - UserID
Jul 26 14:34:21 - UserName
Jul 26 14:34:21 - GroupID
Jul 26 14:34:21 - GroupName
Jul 26 14:34:21 - TransferLog
Jul 26 14:34:21 - TLSEngine
Jul 26 14:34:21 - TLSRequired
Jul 26 14:34:21 - TLSRSACertificateFile
Jul 26 14:34:21 - TLSRSACertificateKeyFile
Jul 26 14:34:21 - TLSOptions
Jul 26 14:34:21 - TLSVerifyClient
Jul 26 14:34:21 - TLSRenegotiate
Jul 26 14:34:21 - TLSLog
Jul 26 14:34:21 - Limit
Jul 26 14:34:21 -  AllowAll
Jul 26 14:34:21 - ExtendedLog
Jul 26 14:34:21 - DenyFilter
Jul 26 14:34:21 - IdentLookups
Jul 26 14:34:21 - AllowOverwrite
Jul 26 14:34:21 - Umask
Jul 26 14:34:21 - TimesGMT
Jul 26 14:34:21 - TimeoutLogin
Jul 26 14:34:21 - TimeoutIdle
Jul 26 14:34:21 - TimeoutNoTransfer
Jul 26 14:34:21 - TimeoutStalled
Jul 26 14:34:21 - CURRENT-CLIENTS
Jul 26 14:34:21 - USER
Jul 26 14:34:21 - ROOT PRIVS at mod_auth.c:1097
Jul 26 14:34:21 - opening TransferLog '/var/log/xferlog'
Jul 26 14:34:21 - RELINQUISH PRIVS at mod_auth.c:1126
Jul 26 14:34:21 - ROOT PRIVS at mod_auth.c:1169
Jul 26 14:34:21 - SETUP PRIVS at mod_auth.c:1176
Jul 26 14:34:21 - FS: using system chdir()
Jul 26 14:34:21 - in dir_check_full(): path = '/home/lfahnoe', fullpath = '/home/lfahnoe'.
Jul 26 14:34:22 - FS: using system stat()
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_cap
Jul 26 14:34:22 - mod_cap/1.0: capabilities '= cap_net_bind_service+ep'
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_tls
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_readme
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_delay
Jul 26 14:34:22 - mod_delay/0.5: selecting median interval from 1 value
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_log
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_ls
Jul 26 14:34:22 - dispatching POST_CMD command 'PASS (hidden)' to mod_auth
Jul 26 14:34:22 - ROOT PRIVS: ID switching disabled
Jul 26 14:34:22 - dispatching LOG_CMD command 'PASS (hidden)' to mod_log
Jul 26 14:34:22 - dispatching PRE_CMD command 'PWD' to mod_tls
Jul 26 14:34:22 - dispatching PRE_CMD command 'PWD' to mod_core
Jul 26 14:34:22 - dispatching PRE_CMD command 'PWD' to mod_core
Jul 26 14:34:22 - dispatching CMD command 'PWD' to mod_core
Jul 26 14:34:22 - in dir_check_full(): path = '/home/lfahnoe', fullpath = '/home/lfahnoe'.
Jul 26 14:34:22 - FS: using system stat()
Jul 26 14:34:22 - dispatching LOG_CMD command 'PWD' to mod_log
Jul 26 14:34:22 - dispatching PRE_CMD command 'FEAT' to mod_tls
Jul 26 14:34:22 - dispatching PRE_CMD command 'FEAT' to mod_core
Jul 26 14:34:22 - dispatching PRE_CMD command 'FEAT' to mod_core
Jul 26 14:34:22 - dispatching CMD command 'FEAT' to mod_core
Jul 26 14:34:22 - dispatching LOG_CMD command 'FEAT' to mod_log
Jul 26 14:34:23 - dispatching PRE_CMD command 'REST 0' to mod_tls
Jul 26 14:34:23 - dispatching PRE_CMD command 'REST 0' to mod_core
Jul 26 14:34:23 - dispatching PRE_CMD command 'REST 0' to mod_core
Jul 26 14:34:23 - dispatching CMD command 'REST 0' to mod_xfer
Jul 26 14:34:23 - REST not allowed in ASCII mode
Jul 26 14:34:23 - dispatching LOG_CMD_ERR command 'REST 0' to mod_log
Jul 26 14:34:23 - dispatching PRE_CMD command 'PBSZ 0' to mod_tls
Jul 26 14:34:23 - dispatching PRE_CMD command 'PBSZ 0' to mod_core
Jul 26 14:34:23 - dispatching PRE_CMD command 'PBSZ 0' to mod_core
Jul 26 14:34:23 - dispatching CMD command 'PBSZ 0' to mod_tls
Jul 26 14:34:23 - dispatching LOG_CMD command 'PBSZ 0' to mod_log
Jul 26 14:34:23 - dispatching PRE_CMD command 'PROT P' to mod_tls
Jul 26 14:34:23 - dispatching PRE_CMD command 'PROT P' to mod_core
Jul 26 14:34:23 - dispatching PRE_CMD command 'PROT P' to mod_core
Jul 26 14:34:23 - dispatching CMD command 'PROT P' to mod_tls
Jul 26 14:34:23 - dispatching POST_CMD command 'PROT P' to mod_xfer
Jul 26 14:34:23 - dispatching LOG_CMD command 'PROT P' to mod_log
Jul 26 14:34:23 - dispatching PRE_CMD command 'CCC' to mod_tls
Jul 26 14:34:23 - dispatching PRE_CMD command 'CCC' to mod_core
Jul 26 14:34:23 - dispatching PRE_CMD command 'CCC' to mod_core
Jul 26 14:34:23 - dispatching CMD command 'CCC' to mod_tls
Jul 26 14:34:23 - in dir_check_full(): path = '/home/lfahnoe', fullpath = '/home/lfahnoe'.
Jul 26 14:34:23 - FS: using system stat()
Jul 26 14:34:23 - mod_tls/2.1: SSL_shutdown() error: (unknown)
Jul 26 14:34:23 - dispatching LOG_CMD command 'CCC' to mod_log
Jul 26 14:35:24 - mod_tls/2.1: scrubbing all passphrases from memory
Jul 26 14:35:24 - dispatching auth request "endpwent" to module mod_auth_unix
Jul 26 14:35:24 - dispatching auth request "endgrent" to module mod_auth_unix
Jul 26 14:35:24 - ROOT PRIVS: ID switching disabled
Jul 26 14:35:24 - ROOT PRIVS: ID switching disabled
Jul 26 14:35:24 - FTP session closed.
------------------------------------------------------------------------

--Larry

On Tue, Jul 26, 2005 at 01:31:31PM -0500, Larry Fahnoe wrote:
> On Tue, Jul 26, 2005 at 11:39:36AM -0700, TJ Saunders wrote:
> > 
> > > proftpd-1.3.0rc2
> > 
> > Is this a regression, or do you see the same issues with proftpd-1.3.0rc1?
> 
> I was unable to get proftpd-1.3.0rc1 to work either, but have focused
> more effort on testing rc2 than I did with rc1.
> 
> > > Following are some examples from the logs that show some of the odd
> > > behavior:
> > 
> > What does server debugging output show?  Note that server debugging
> > output is separate from the ExtendedLog and TLSLog excerpts provided.
> 
> I have not (yet) enabled server debugging, what level would you suggest?
> 
> > > Jul 26 09:58:20 mod_tls/2.1[32741]: received CCC, clearing control channel protection
> > > Jul 26 09:58:20 mod_tls/2.1[32741]: SSL_shutdown() error:
> > >   (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> > 
> > The above error, from OpenSSL, needs to diagnosed, as I suspect it is
> > indicating a problem.
> 
> I see this error somewhat consistently with the Windows clients, but I
> don't know what I should be looking for (I'm not an SSL guru).  Any
> suggestions on what to look for or debugging strategies?
> 
> > TJ
> > 
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> >    But let there be spaces in your togetherness.
> > 
> >      -Kahlil Gibran
> > 
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> > 
> > SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> > from IBM. Find simple to follow Roadmaps, straightforward articles,
> > informative Webcasts and more! Get everything you need to get up to
> > speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> > _______________________________________________
> > ProFTPD Developers List
> > <proftpd-devel@...>
> > https://lists.sourceforge.net/lists/listinfo/proftp-devel
> 

-- 
Larry Fahnoe, Fahnoe Technology Consulting, fahnoe@...
952/925-0744      Minneapolis, Minnesota       http://www.FahnoeTech.com

> Second AUTH TLS test using CuteFTP wit CCC fails just like the others
> do.

On a related topic:

  http://sourceforge.net/mailarchive/forum.php?thread_id=7020044&forum_id=2637

I don't know whether this is a client issue or a server issue yet, though;
support for the CCC command for both clients and servers is still
spreading, so there are apt to be implementation discrepancies.

One thing to help debug the SSL/TLS shutdown alert failure would be to use
ssldump and show the traces of the FTP control channel traffic.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Your reason and your passion are the rudder and the sails of your seafaring
   soul.

     -Kahlil Gibran

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TJ,

When I started testing with rc1 and had problems with the CCC command
and the SSL/TLS shutdown, I found the messages that Dariusz Pietrzak
had posted as well as others having issues around this area.  I hoped
that by rc2 some of these issues would be ironed out, but as they
remain to be solved, I'll offer whatever help I can in documenting the
problems as I observe them.  I'll start tomorrow with ssldump.

I accept that the CCC stuff is evolving, but my goal is to get a solid
standards-based server in place (proftpd is currently the server of
choice) and then identify what clients actually will work with it
using the CCC command.

--Larry

On Tue, Jul 26, 2005 at 04:57:16PM -0700, TJ Saunders wrote:
> 
> > Second AUTH TLS test using CuteFTP wit CCC fails just like the others
> > do.
> 
> On a related topic:
> 
>   http://sourceforge.net/mailarchive/forum.php?thread_id=7020044&forum_id=2637
> 
> I don't know whether this is a client issue or a server issue yet, though;
> support for the CCC command for both clients and servers is still
> spreading, so there are apt to be implementation discrepancies.
> 
> One thing to help debug the SSL/TLS shutdown alert failure would be to use
> ssldump and show the traces of the FTP control channel traffic.
> 

-- 
Larry Fahnoe, Fahnoe Technology Consulting, fahnoe@...
952/925-0744      Minneapolis, Minnesota       http://www.FahnoeTech.com

Okay, further data to report, but first a question for all the folks
on the dev list: what clients have been tested and show that the CCC
command is working?  I have heard one report that Sterling Software's
client works, but nothing about any others.  I'm focusing my efforts
on CuteFTP and FTP Voyager as these are a couple of seemingly common
clients that claim to support CCC.  My goal is to find a few Windows
clients that will do the CCC dance properly with proftpd.

Now, on to the data.  I'm using ssldump 0.9b3 running on the proftpd
server: ssldump -dNnk /usr/share/ssl/certs/proftpd.pem host p72007

I'm not clear as to why it is not decrypting the data as I'm providing
the key that the server is using, and the client does not have a key.

Two tests below, both with CuteFTP.  First test shows CuteFTP working
properly without using the CCC command, the second test shows the
failure immediately after the client attempts to go clear channel.
FTP Voyager fails in much the same way.  Refer to my earlier messages
to see the server debug logs and client traces.  If necessary (and
productive, I can certainly gather all the data and post it again).

I'm open to trying other tests, and other clients.

Test 1, not using CCC:
------------------------------------------------------------------------
New TCP connection #1: 150.228.8.21(2918) <-> 150.228.20.20(21)
0.0176 (0.0176)  S>C
---------------------------------------------------------------
220 FTP Server ready.
---------------------------------------------------------------

0.0597 (0.0420)  C>S
---------------------------------------------------------------
AUTH TLS
---------------------------------------------------------------

0.0599 (0.0002)  S>C
---------------------------------------------------------------
234 AUTH TLS successful
---------------------------------------------------------------

1 1  0.0986 (0.0386)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        TLS_RSA_WITH_IDEA_CBC_SHA
        TLS_DHE_DSS_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
1 2  0.1156 (0.0170)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          67 a2 5b 70 bf 71 f8 cc 34 8e 65 ca 4d b2 39 59
          66 f8 6f 87 5b eb 07 81 57 30 2f e9 af e1 c8 78
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
1 3  0.1156 (0.0000)  S>C  Handshake
      Certificate
        Subject
          C=US
          ST=Minnesota
          L=St Paul
          O=Merrill Communications LLC
          CN=relay1.stp.mrll.com
          emailAddress=linux.support@...
        Issuer
          C=US
          ST=Minnesota
          L=St Paul
          O=Merrill Communications LLC
          CN=relay1.stp.mrll.com
          emailAddress=linux.support@...
        Serial         00
        Extensions
          Extension: X509v3 Subject Key Identifier
          Extension: X509v3 Authority Key Identifier
          Extension: X509v3 Basic Constraints
1 4  0.1156 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.1156 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.2395 (0.1239)  C>S  Handshake
      ClientKeyExchange
1 7  0.2395 (0.0000)  C>S  ChangeCipherSpec
1 8  0.2395 (0.0000)  C>S  Handshake
1 9  0.2513 (0.0117)  S>C  ChangeCipherSpec
1 10 0.2513 (0.0000)  S>C  Handshake
1 11 0.2922 (0.0408)  C>S  application_data
1 12 0.2922 (0.0000)  C>S  application_data
1 13 0.2925 (0.0003)  S>C  application_data
1 14 0.3124 (0.0198)  C>S  application_data
1 15 0.3124 (0.0000)  C>S  application_data
1 16 0.3145 (0.0021)  S>C  application_data
1 17 0.3425 (0.0280)  C>S  application_data
1 18 0.3425 (0.0000)  C>S  application_data
1 19 0.5119 (0.1693)  S>C  application_data
1 20 0.5422 (0.0303)  C>S  application_data
1 21 0.5422 (0.0000)  C>S  application_data
1 22 0.5427 (0.0004)  S>C  application_data
1 23 12.1248 (11.5821)  C>S  Alert
1    12.1250 (0.0002)  S>C  TCP FIN
1    12.1253 (0.0002)  C>S  TCP FIN
------------------------------------------------------------------------

Test 2, showing broken CCC:
------------------------------------------------------------------------
New TCP connection #2: 150.228.8.21(2919) <-> 150.228.20.20(21)
0.0117 (0.0117)  S>C
---------------------------------------------------------------
220 FTP Server ready.
---------------------------------------------------------------

0.0520 (0.0403)  C>S
---------------------------------------------------------------
AUTH TLS
---------------------------------------------------------------

0.0521 (0.0001)  S>C
---------------------------------------------------------------
234 AUTH TLS successful
---------------------------------------------------------------

2 1  0.0920 (0.0398)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        TLS_RSA_WITH_IDEA_CBC_SHA
        TLS_DHE_DSS_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
2 2  0.1082 (0.0161)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          19 38 4c cd f7 d8 3b 84 b7 24 93 50 e1 33 9f 79
          5b 44 66 fc 6f a1 c4 dc 7f 95 f9 6a aa 9b 56 55
        cipherSuite         Unknown value 0x39
        compressionMethod                   NULL
2 3  0.1082 (0.0000)  S>C  Handshake
      Certificate
        Subject
          C=US
          ST=Minnesota
          L=St Paul
          O=Merrill Communications LLC
          CN=relay1.stp.mrll.com
          emailAddress=linux.support@...
        Issuer
          C=US
          ST=Minnesota
          L=St Paul
          O=Merrill Communications LLC
          CN=relay1.stp.mrll.com
          emailAddress=linux.support@...
        Serial         00
        Extensions
          Extension: X509v3 Subject Key Identifier
          Extension: X509v3 Authority Key Identifier
          Extension: X509v3 Basic Constraints
2 4  0.1082 (0.0000)  S>C  Handshake
      ServerKeyExchange
2 5  0.1082 (0.0000)  S>C  Handshake
      ServerHelloDone
2 6  0.2240 (0.1158)  C>S  Handshake
      ClientKeyExchange
2 7  0.2240 (0.0000)  C>S  ChangeCipherSpec
2 8  0.2240 (0.0000)  C>S  Handshake
2 9  0.2353 (0.0112)  S>C  ChangeCipherSpec
2 10 0.2353 (0.0000)  S>C  Handshake
2 11 0.2694 (0.0341)  C>S  application_data
2 12 0.2694 (0.0000)  C>S  application_data
2 13 0.2696 (0.0002)  S>C  application_data
2 14 0.2974 (0.0277)  C>S  application_data
2 15 0.2974 (0.0000)  C>S  application_data
2 16 0.2983 (0.0009)  S>C  application_data
2 17 0.3249 (0.0265)  C>S  application_data
2 18 0.3249 (0.0000)  C>S  application_data
2 19 0.3986 (0.0737)  S>C  application_data
2 20 0.4282 (0.0295)  C>S  application_data
2 21 0.4282 (0.0000)  C>S  application_data
2 22 0.4287 (0.0005)  S>C  application_data
2 23 0.4603 (0.0315)  C>S  application_data
2 24 0.4603 (0.0000)  C>S  application_data
2 25 0.4606 (0.0003)  S>C  application_data
2 26 0.4606 (0.0000)  S>C  application_data
2 27 0.4661 (0.0055)  S>C  application_data
2 28 0.4661 (0.0000)  S>C  application_data
2 29 0.4661 (0.0000)  S>C  application_data
2 30 0.4661 (0.0000)  S>C  application_data
2 31 0.4661 (0.0000)  S>C  application_data
2 32 0.4661 (0.0000)  S>C  application_data
2 33 0.5434 (0.0772)  C>S  application_data
2 34 0.5434 (0.0000)  C>S  application_data
2 35 0.5437 (0.0003)  S>C  application_data
2 36 0.5629 (0.0191)  C>S  application_data
2 37 0.5629 (0.0000)  C>S  application_data
2 38 0.5632 (0.0003)  S>C  application_data
2 39 0.5813 (0.0181)  C>S  application_data
2 40 0.5813 (0.0000)  C>S  application_data
2 41 0.5817 (0.0003)  S>C  application_data
2 42 0.6076 (0.0259)  C>S  application_data
2 43 0.6076 (0.0000)  C>S  application_data
2 44 0.6080 (0.0003)  S>C  application_data
2 45 0.6080 (0.0000)  S>C  Alert
Unknown SSL content type 80
2 46 0.6398 (0.0317)  S>C  Alert
2 47 0.8137 (0.1739)  C>SShort record
2    61.4294 (60.6156)  C>S  TCP RST
------------------------------------------------------------------------

--Larry

On Tue, Jul 26, 2005 at 08:26:14PM -0500, Larry Fahnoe wrote:
> TJ,
> 
> When I started testing with rc1 and had problems with the CCC command
> and the SSL/TLS shutdown, I found the messages that Dariusz Pietrzak
> had posted as well as others having issues around this area.  I hoped
> that by rc2 some of these issues would be ironed out, but as they
> remain to be solved, I'll offer whatever help I can in documenting the
> problems as I observe them.  I'll start tomorrow with ssldump.
> 
> I accept that the CCC stuff is evolving, but my goal is to get a solid
> standards-based server in place (proftpd is currently the server of
> choice) and then identify what clients actually will work with it
> using the CCC command.
> 
> 
> On Tue, Jul 26, 2005 at 04:57:16PM -0700, TJ Saunders wrote:
> > 
> > > Second AUTH TLS test using CuteFTP wit CCC fails just like the others
> > > do.
> > 
> > On a related topic:
> > 
> >   http://sourceforge.net/mailarchive/forum.php?thread_id=7020044&forum_id=2637
> > 
> > I don't know whether this is a client issue or a server issue yet, though;
> > support for the CCC command for both clients and servers is still
> > spreading, so there are apt to be implementation discrepancies.
> > 
> > One thing to help debug the SSL/TLS shutdown alert failure would be to use
> > ssldump and show the traces of the FTP control channel traffic.
> > 
> 

-- 
Larry Fahnoe, Fahnoe Technology Consulting, fahnoe@...
952/925-0744      Minneapolis, Minnesota       http://www.FahnoeTech.com

Thanks for the ssldump output!

> 1 23 12.1248 (11.5821)  C>S  Alert
> 1    12.1250 (0.0002)  S>C  TCP FIN
> 1    12.1253 (0.0002)  C>S  TCP FIN

Here we see the client initiating the shutdown of the SSL/TLS session.

> 2 45 0.6080 (0.0000)  S>C  Alert
> Unknown SSL content type 80
> 2 46 0.6398 (0.0317)  S>C  Alert
> 2 47 0.8137 (0.1739)  C>SShort record
> 2    61.4294 (60.6156)  C>S  TCP RST

In this case, the server is initiating the SSL/TLS session shutdown.  It
sends two Alerts.  But for some reason, the client responds by complaining
of a short record.  This indicates that the server and client are not
agreeing on the exact shutdown sequence.

ProFTPD, once it accepts the CCC command, first sends a 200 response, then
commences the shutdown sequence, as per the FTPS Draft.  Perhaps the
clients are not waiting for the 200 response before doing their own SSL
shutdown?

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   A woman can become a man's friend only in the following stages - first an
   acquaintance, next a mistress, and only then a friend.

   	-Anton Chekhov

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What clients were used to test or benchmark proftpd's implementation
of AUTH TLS?

TJ, thanks for the interpretation of the data.  I'll continue to try
to find clients that support CCC and work with proftpd.  I'll report
my findings (in briefer form!) as I develop them.

--Larry

On Wed, Jul 27, 2005 at 10:22:21AM -0700, TJ Saunders wrote:
> 
> Thanks for the ssldump output!
> 
> > 1 23 12.1248 (11.5821)  C>S  Alert
> > 1    12.1250 (0.0002)  S>C  TCP FIN
> > 1    12.1253 (0.0002)  C>S  TCP FIN
> 
> Here we see the client initiating the shutdown of the SSL/TLS session.
> 
> > 2 45 0.6080 (0.0000)  S>C  Alert
> > Unknown SSL content type 80
> > 2 46 0.6398 (0.0317)  S>C  Alert
> > 2 47 0.8137 (0.1739)  C>SShort record
> > 2    61.4294 (60.6156)  C>S  TCP RST
> 
> In this case, the server is initiating the SSL/TLS session shutdown.  It
> sends two Alerts.  But for some reason, the client responds by complaining
> of a short record.  This indicates that the server and client are not
> agreeing on the exact shutdown sequence.
> 
> ProFTPD, once it accepts the CCC command, first sends a 200 response, then
> commences the shutdown sequence, as per the FTPS Draft.  Perhaps the
> clients are not waiting for the 200 response before doing their own SSL
> shutdown?
> 
> TJ
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>    A woman can become a man's friend only in the following stages - first an
>    acquaintance, next a mistress, and only then a friend.
> 
>    	-Anton Chekhov
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
Larry Fahnoe, Fahnoe Technology Consulting, fahnoe@...
952/925-0744      Minneapolis, Minnesota       http://www.FahnoeTech.com

> What clients were used to test or benchmark proftpd's implementation
> of AUTH TLS?

When I originally developed mod_tls, I used Peter Runestig's tls-ftp
client for testing.  Then once lftp developed FTPS support, I used that.
I don't use or have access to any Windows machines, so I've been unable to
try any Windows FTPS clients against proftpd; I've relied on other Windows
users to report on compatibility issues.

> TJ, thanks for the interpretation of the data.  I'll continue to try to
> find clients that support CCC and work with proftpd.  I'll report my
> findings (in briefer form!) as I develop them.

The development of CCC support in mod_tls was similar to the above
situation; given the chicken-and-egg nature of client/server feature
agreement, it was difficult.  The Sterling Software client (which I was
not able to use directly) was used by one person testing the proposed CCC
patch; another user tried using the Net::SSLeay module but found a
different Perl module which did work successfully (as seen in the previous
post mentioned).  Paul Ford-Hutchinson, who worked in the original FTPS
Draft, has a custom client that he used for testing his CCC work on
wu-ftpd, but as it is a proprietary client, he was not able to share that
client for testing against proftpd's CCC implementation.

This is why I am prepared (and even expecting) to see proftpd's CCC
implementation change, if necessary, in order to match client
implementations -- as long as it conforms to the FTPS Draft specification.
Client ssldump interactions, such as the ones you provided, are very
helpful in seeing how this client/server interaction is progressing, with
respect to CCC.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Axioms in philosophy are not axioms until they are proved upon our pulses:
   we read fine things but never feel them to the full until we have gone
   the same steps as the author.

   	John Keats

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~