From: <sim...@be...> - 2010-01-26 09:34:40
Hello,

we use a proftp server to allow

· FTP connections
· FTPES connections (FTP over explicit TLS/SSL)

For what concerns the FTP connection, they always work fine.

For what concerns the FTPES connection, we have a problem with connections coming from “actual” FTP clients:

· old Filezilla (Version 3.0.9.3) FTPES OK
· actual Filezilla (Version 3.2.7.1) FTPES ERROR
· actual SmartFTP (Professional) (Version 4.0.1072.0) FTPES ERROR
· actual CoreFTP (Version 2.1) FTPES ERROR
· actual PSFTP Professional (Version 1.8) FTPES ERROR

The TLS logs from the server side look like:

old filezilla (Version 3.0.9.3) FTPES OK

Jan 25 11:09:26 mod_tls/2.4.1[29095]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 25 11:09:26 mod_tls/2.4.1[29095]: TLS/TLS-C requested, starting TLS handshake
Jan 25 11:09:26 mod_tls/2.4.1[29095]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
Jan 25 10:09:29 mod_tls/2.4.1[29095]: Protection set to Private
Jan 25 10:09:29 mod_tls/2.4.1[29095]: starting TLS negotiation on data connection
Jan 25 10:09:29 mod_tls/2.4.1[29095]: TLSv1/SSLv3 renegotiation accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
Jan 25 10:09:29 mod_tls/2.4.1[29095]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)

All new clients FTPES ERROR

Jan 25 11:11:07 mod_tls/2.4.1[29097]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 25 11:11:07 mod_tls/2.4.1[29097]: TLS/TLS-C requested, starting TLS handshake
Jan 25 11:11:28 mod_tls/2.4.1[29097]: unable to accept TLS connection: received EOF that violates protocol
Jan 25 11:11:28 mod_tls/2.4.1[29097]: TLS/TLS-C negotiation failed on control channel
Jan 25 11:11:33 mod_tls/2.4.1[29098]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 25 11:11:33 mod_tls/2.4.1[29098]: TLS/TLS-C requested, starting TLS handshake
Jan 25 11:11:54 mod_tls/2.4.1[29098]: unable to accept TLS connection: received EOF that violates protocol
Jan 25 11:11:54 mod_tls/2.4.1[29098]: TLS/TLS-C negotiation failed on control channel

Do you have any idea on what’s going wrong and how to fix it?

I have performed different tests on different hosts (different OS, different proftp version), always with the same result.

Here are my settings:

CERTS CREATION:

openssl req -newkey rsa:1024 -x509 -nodes -out testhost.pem -keyout testhost.key -days 365

PROFTP TLS CONFIGURATION:

<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /proftp_pkg/logs/tls.log
  TLSProtocol SSLv23
  TLSOptions NoCertRequest NoSessionReuseRequired
  TLSRSACertificateFile /proftp_pkg/conf/testhost.pem
  TLSRSACertificateKeyFile /proftp_pkg/conf/testhost.key
  TLSVerifyClient off
  TLSRequired off
  TLSRenegotiate required off
  TLSCipherSuite ALL
</IfModule>

SETUP)

Linux behedrt1 2.6.26-2-amd64 #1 SMP Thu May 28 21:28:49 UTC 2009 x86_64 GNU/Linux
Debian GNU/Linux 5.0 \n \l (up-to-date)
ii openssl 0.9.8g-15+lenny6 Secure Socket Layer (SSL) binary and related cryptographic tool

self compiled proftp ==> proftpd-1.3.3rc3

./configure --prefix=/proftp --enable-ctrls -with-modules=mod_ctrls_admin:mod_tls:mod_ldap:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_wrap:mod_rewrite:mod_ban:mod_ifsession

Regards,
Simon
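Added example, not part of the original post and not ProFTPD code: a small triage script for the TLSLog format quoted above, which groups mod_tls lines by process ID and reports for each control-channel handshake whether it completed and how long the server waited. The function name, the sample block and the year 2010 (the log stamps carry no year) are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the TLSLog lines quoted in the post.
SAMPLE = """\
Jan 25 11:09:26 mod_tls/2.4.1[29095]: TLS/TLS-C requested, starting TLS handshake
Jan 25 11:09:26 mod_tls/2.4.1[29095]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
Jan 25 11:11:07 mod_tls/2.4.1[29097]: TLS/TLS-C requested, starting TLS handshake
Jan 25 11:11:28 mod_tls/2.4.1[29097]: unable to accept TLS connection: received EOF that violates protocol
Jan 25 11:11:28 mod_tls/2.4.1[29097]: TLS/TLS-C negotiation failed on control channel
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) mod_tls/[\d.]+\[(\d+)\]: (.*)$")
ASSUMED_YEAR = "2010"  # assumption: the stamps omit the year

def summarize(log_text):
    """Return {pid: {"status", "seconds", "detail"}} per control-channel handshake."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        ts = datetime.strptime(ASSUMED_YEAR + " " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, msg = int(m.group(2)), m.group(3)
        s = sessions.setdefault(
            pid, {"start": None, "status": "incomplete", "seconds": None, "detail": None})
        if "starting TLS handshake" in msg:
            s["start"] = ts
        elif msg.startswith("TLSv1/SSLv3 connection accepted"):
            s["status"], s["detail"] = "ok", msg.split("using cipher ")[-1]
        elif msg.startswith("unable to accept TLS connection"):
            s["status"], s["detail"] = "failed", msg.split(": ", 1)[1]
        else:
            continue  # data-channel and informational lines are not scored here
        if s["start"] and s["status"] != "incomplete" and s["seconds"] is None:
            # Time between the handshake starting and its outcome being logged.
            s["seconds"] = (ts - s["start"]).total_seconds()
    return {pid: {k: v for k, v in s.items() if k != "start"}
            for pid, s in sessions.items()}

if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE).items()):
        print(pid, info["status"], info["seconds"], info["detail"])
```

On the lines in the post, the old client's handshake completes within the same second, while each failing session sits for 21 seconds between the handshake starting and the EOF being logged.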