I'm not sure whether to consider it a bug or a feature (i.e. "sanitizing the connection"), but since the error messages made me think it was a libressl compat issue and I spent a lot longer than I should figuring it out, I'll at least get the messages into list archives so people searching can find it.
ftp-proxy can't handle an FTPS (ftp-over-ssl) "explicit mode" connection (this is where the client connects on port 21 and sends "AUTH SSL" or "AUTH TLS", as opposed to "implicit mode" usually on port 990 where it goes straight into an encrypted connection). Obviously ftp-proxy won't be able see the PORT/EPRT/PASV/EPSV to do its work of opening ports, but it actually kills the connection as soon as it sees the ClientHello. Example with a test server: $ curl --ssl ftp://abc:[email protected]/ curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.rebex.net:21 For ease of list archive searching, on system with older libressl it looks like this: $ curl --ssl ftp://abc:[email protected]/ curl: (35) Unknown SSL protocol error in connection to test.rebex.net:21 # tshark -i vlan2 host test.rebex.net Capturing on 'vlan2' 1 0.000000 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [SYN] Seq=0 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=544002543 TSecr=0 2 0.000439 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1307122283 TSecr=544002543 3 0.000474 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [ACK] Seq=1 Ack=1 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002543 TSecr=1307122283 4 0.081018 195.144.107.198 → 82.68.199.130 FTP Response: 220 Microsoft FTP Service 5 0.081499 82.68.199.130 → 195.144.107.198 FTP Request: AUTH SSL 6 0.121012 195.144.107.198 → 82.68.199.130 FTP Response: 234 AUTH command ok. Expecting TLS Negotiation. 7 0.146223 82.68.199.130 → 195.144.107.198 FTP Request: \026\003\001\000\332\001\000\000\326\003\003e\314\375#)\033\277qa\340,\263f\235\344Q\342\f\au+\371\343?l\003\a\036\262vEe\000\000Z\3000\300,\300(\300$\300\024\300 8 0.146742 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [FIN, ACK] Seq=77 Ack=234 Win=17344 Len=0 TSval=1307122283 TSecr=544002544 9 0.146779 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [ACK] Seq=234 Ack=78 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002544 TSecr=1307122283 10 0.152329 82.68.199.130 → 195.144.107.198 TCP 20285 → ftp(21) [FIN, ACK] Seq=234 Ack=78 Win=16384 [TCP CHECKSUM INCORRECT] Len=0 TSval=544002544 TSecr=1307122283 11 0.152762 195.144.107.198 → 82.68.199.130 TCP ftp(21) → 20285 [ACK] Seq=78 Ack=235 Win=17344 Len=0 TSval=1307122283 TSecr=544002544
