ssl connection

Jun 9, 2011 at 12:40 AM

I was trying to establish an SSL explicit connection to a pure-ftpd server running on Linux.

The pure-ftpd server was running at "ssl level 1" (in pure-ftpd jargon), meaning that it could accept a secure control connection, but not requiring the data connections to be secured.

The connection was successful, but a later "GetListing()" was hanging forever.

Of course, starting the ftp server without SSL support and setting the client to not use Explicit SSL yields the expected results.

The only thing I think is remarkable is some data from the pure-data server log, where it's logging that a 128-bit user data key was requested, while the pure-data certificate / key is 1024 bits.

Could this difference be the reason for GetListing() to hang?

TIA

Marcelo

Coordinator
Jun 9, 2011 at 12:54 AM

I'm not sure, I will set up a pure-ftpd test environment. I have tested against pure-ftpd without SSL only. The only servers I have used SSL with personally are IIS and FileZilla. Anyway, I'll get a test environment set up and get back with you on what I find. For what it's worth, the only time the data channel hangs as described is because:

1) Firewall issues

2) One side is using SSL and the other isn't

3) There is indeed some incompatibility between .net's SslStream and pure-ftpd's ssl implementation.

Here's to hoping it's not number 3, and if it is, we can find a workaround.

Coordinator
Jun 9, 2011 at 1:04 AM

I'll also have to take another look over the FTP security extensions; it could be that something isn't implemented that should be for setting up the encryption.

Coordinator
Jun 9, 2011 at 3:31 PM

Hey Marcelo,

I'm not able to reproduce this problem with pure-ftpd 1.0.28-3 on Debian squeeze. I've tried with -Y 1 and -Y 2 TLS options and it just works. I also generated a 1024-bit key. Which version of pure-ftpd are you using and which OS (and version) exactly is it being run on?

Jun 9, 2011 at 3:55 PM

Thanks for your quick answers!

I'm running pure-ftpd 1.0.24-1 on an Ubuntu 10.04 installation.

1.0.24-1 is the last version available through Synaptic P.Manager, which I prefer to use for complex installations.

I will see the changelog.

Also (I don't know much regarding TLS), I have no certificate on the Windows machine. May I generate one?

Thank you again

Coordinator
Jun 9, 2011 at 4:39 PM

The key generation was on the server side; I let SslStream handle everything on the client side. When you restart pure-ftpd it should list the whole command line that is being run to start it. Please post that information here and I'll compare it to what I'm using:

$ sudo service pure-ftpd restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd -l pam -u 1000 -Y 1 -E -O clf:/var/log/pure-ftpd/transfer.log -8 UTF-8 -B

Jun 9, 2011 at 5:47 PM

Here are my start parameters

 Running: /usr/sbin/pure-ftpd -l pam -8 UTF-8 -u 1000 -E -O clf:/var/log/pure-ftpd/transfer.log -B

As you can see, I must disable TLS because when the server tells the client it has that capability, the library tries to use it.

Except for that, the command lines are equal.

TIA

Marcelo

Coordinator
Jun 9, 2011 at 5:49 PM

Are you using the latest version of the code also?

Jun 9, 2011 at 7:58 PM

I'm using the 4402 version of the library, on a WinXP SP3 machine.

Compiling the test program with VS 2008 Express (C#); the project is generating .NET 3.5 compatibility.