Stuart Henderson
2017-06-29 09:25:52 UTC
I'm not sure whether to consider it a bug or a feature (i.e. "sanitizing
the connection"), but since the error messages made me think it was a
libressl compat issue and I spent a lot longer than I should figuring
it out, I'll at least get the messages into list archives so people
searching can find it.
ftp-proxy can't handle an FTPS (ftp-over-ssl) "explicit mode" connection
(this is where the client connects on port 21 and sends "AUTH SSL" or
"AUTH TLS", as opposed to "implicit mode" usually on port 990 where it
goes straight into an encrypted connection).
Obviously ftp-proxy won't be able to see the PORT/EPRT/PASV/EPSV to do
its work of opening ports, but it actually kills the connection as soon
as it sees the ClientHello. Example with a test server:
$ curl --ssl ftp://abc:***@test.rebex.net/
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.rebex.net:21
For ease of list archive searching, on a system with older libressl it
looks like this:
$ curl --ssl ftp://abc:***@test.rebex.net/
curl: (35) Unknown SSL protocol error in connection to test.rebex.net:21
# tshark -i vlan2 host test.rebex.net
Capturing on 'vlan2'
1 0.000000 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [SYN] Seq=0 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=544002543 TSecr=0
2 0.000439 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1307122283 TSecr=544002543
3 0.000474 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [ACK] Seq=1 Ack=1 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002543 TSecr=1307122283
4 0.081018 195.144.107.198 → 82.68.199.130 FTP Response: 220 Microsoft FTP Service
5 0.081499 82.68.199.130 → 195.144.107.198 FTP Request: AUTH SSL
6 0.121012 195.144.107.198 → 82.68.199.130 FTP Response: 234 AUTH command ok. Expecting TLS Negotiation.
7 0.146223 82.68.199.130 → 195.144.107.198 FTP Request: \026\003\001\000\332\001\000\000\326\003\003e\314\375#)\033\277qa\340,\263f\235\344Q\342\f\au+\371\343?l\003\a\036\262vEe\000\000Z\3000\300,\300(\300$\300\024\300
8 0.146742 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [FIN, ACK] Seq=77 Ack=234 Win=17344 Len=0 TSval=1307122283 TSecr=544002544
9 0.146779 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [ACK] Seq=234 Ack=78 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002544 TSecr=1307122283
10 0.152329 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [FIN, ACK] Seq=234 Ack=78 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002544 TSecr=1307122283
11 0.152762 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [ACK] Seq=78 Ack=235 Win=17344 Len=0 TSval=1307122283 TSecr=544002544
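As an added example (not code from the post and not from ftp-proxy), the following decodes the ClientHello bytes tshark printed in frame 7 and walks frames 4-7 to show where the control channel stops being readable FTP for a proxy that rewrites PORT/EPRT/PASV/EPSV. EXCHANGE is reconstructed from the capture above; the header layout it checks (content type 0x16, version, length, handshake type 1 = ClientHello) is standard TLS record framing.

```python
import re

# tshark prints non-printable payload bytes as C-style escapes: three-digit
# octal (\026) or a named escape (\a, \f). Decode that notation back to bytes.
_ESC = re.compile(r"\\([0-7]{3})|\\([abfnrt])")
_NAMED = {"a": "\x07", "b": "\x08", "f": "\x0c", "n": "\n", "r": "\r", "t": "\t"}

def tshark_escapes_to_bytes(text):
    repl = lambda m: chr(int(m.group(1), 8)) if m.group(1) else _NAMED[m.group(2)]
    return _ESC.sub(repl, text).encode("latin-1")

def classify_tls_record(data):
    """Header fields of a TLS handshake record (content type 0x16), else None."""
    if len(data) < 11 or data[0] != 0x16:
        return None
    return {"record_version": (data[1], data[2]),
            "record_length": int.from_bytes(data[3:5], "big"),
            "handshake": "ClientHello" if data[5] == 1 else data[5],
            "client_version": (data[9], data[10])}   # first field of ClientHello

# Frame 7 above, exactly as tshark printed it (tshark truncates the line).
CLIENT_HELLO_ESCAPED = (r"\026\003\001\000\332\001\000\000\326\003\003e\314\375#)"
                        r"\033\277qa\340,\263f\235\344Q\342\f\au+\371\343?l\003\a"
                        r"\036\262vEe\000\000Z\3000\300,\300(\300$\300\024\300")

# Frames 4-7 as (sender, control-channel payload), reconstructed from the capture.
EXCHANGE = [
    ("S", b"220 Microsoft FTP Service\r\n"),
    ("C", b"AUTH SSL\r\n"),
    ("S", b"234 AUTH command ok. Expecting TLS Negotiation.\r\n"),
    ("C", tshark_escapes_to_bytes(CLIENT_HELLO_ESCAPED)),
]

def walk(exchange):
    """Label each message as a plaintext FTP parser sees it; after the first
    'tls:' label PORT/EPRT/PASV/EPSV are inside the tunnel and a rewriting proxy is blind."""
    labels, state = [], "ftp"
    for i, (who, payload) in enumerate(exchange):
        rec = classify_tls_record(payload)
        if rec is not None:
            labels.append((i, who, "tls:%s" % rec["handshake"]))
            continue
        line = payload.decode("ascii", errors="replace").rstrip("\r\n")
        if who == "C" and line.upper() in ("AUTH SSL", "AUTH TLS"):
            state = "auth-requested"
            labels.append((i, who, "ftp:auth"))
        elif who == "S" and state == "auth-requested" and line.startswith("234"):
            labels.append((i, who, "ftp:auth-accepted"))
        else:
            labels.append((i, who, "ftp:" + line.split(" ", 1)[0]))
    return labels
```

Running walk(EXCHANGE) labels frames 4-6 as FTP and frame 7 as tls:ClientHello, which is exactly the point at which the capture shows the proxy sending FIN.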
the connection"), but since the error messages made me think it was a
libressl compat issue and I spent a lot longer than I should figuring
it out, I'll at least get the messages into list archives so people
searching can find it.
ftp-proxy can't handle an FTPS (ftp-over-ssl) "explicit mode" connection
(this is where the client connects on port 21 and sends "AUTH SSL" or
"AUTH TLS", as opposed to "implicit mode" usually on port 990 where it
goes straight into an encrypted connection).
Obviously ftp-proxy won't be able see the PORT/EPRT/PASV/EPSV to do
its work of opening ports, but it actually kills the connection as soon
as it sees the ClientHello. Example with a test server:
$ curl --ssl ftp://abc:***@test.rebex.net/
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.rebex.net:21
For ease of list archive searching, on system with older libressl it
looks like this:
$ curl --ssl ftp://abc:***@test.rebex.net/
curl: (35) Unknown SSL protocol error in connection to test.rebex.net:21
# tshark -i vlan2 host test.rebex.net
Capturing on 'vlan2'
1 0.000000 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [SYN] Seq=0 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=544002543 TSecr=0
2 0.000439 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1307122283 TSecr=544002543
3 0.000474 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [ACK] Seq=1 Ack=1 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002543 TSecr=1307122283
4 0.081018 195.144.107.198 → 82.68.199.130 FTP Response: 220 Microsoft FTP Service
5 0.081499 82.68.199.130 → 195.144.107.198 FTP Request: AUTH SSL
6 0.121012 195.144.107.198 → 82.68.199.130 FTP Response: 234 AUTH command ok. Expecting TLS Negotiation.
7 0.146223 82.68.199.130 → 195.144.107.198 FTP Request: \026\003\001\000\332\001\000\000\326\003\003e\314\375#)\033\277qa\340,\263f\235\344Q\342\f\au+\371\343?l\003\a\036\262vEe\000\000Z\3000\300,\300(\300$\300\024\300
8 0.146742 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [FIN, ACK] Seq=77 Ack=234 Win=17344 Len=0 TSval=1307122283 TSecr=544002544
9 0.146779 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [ACK] Seq=234 Ack=78 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002544 TSecr=1307122283
10 0.152329 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [FIN, ACK] Seq=234 Ack=78 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002544 TSecr=1307122283
11 0.152762 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [ACK] Seq=78 Ack=235 Win=17344 Len=0 TSval=1307122283 TSecr=544002544