Hello,
I have tried to compile netkit-ftp-ssl_0.17.33+0.2 (obtained from Debian
stretch packages), with the Debian patches + your 2 patches,
with the same server configuration as before.
First I see the same results:
ftp> get file.bin
local: file.bin remote: file.bin
227 Entering Passive Mode (11,22,33,44,248,39).
150 Opening BINARY mode data connection for file.bin (1141 bytes)
ftp: SSL_read DATA error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number
netin: Input/output error
226 Transfer complete
ftp> quit
It seems there is an incompatibility between the netkit-ftp-ssl code and the
libssl that I use on my system:
ldd netkit-ftp-0.17/ftp/ftp
linux-gate.so.1 => (0xf770f000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xf76a6000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xf754e000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xf73ea000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xf73e6000)
libz.so.1 => /usr/lib/libz.so.1 (0xf73d2000)
/lib/ld-linux.so.2 (0xf7710000)
I have also tried under wheezy:
ldd ftp/ftp
linux-vdso.so.1 => (0x00007ffe851df000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007f34a1f1e000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007f34a1b26000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f34a179a000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f34a1596000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f34a137f000)
/lib64/ld-linux-x86-64.so.2 (0x00007f34a2189000)
Before updating libssl1.0.0: it does not work;
after updating libssl1.0.0 (and libssl-dev for compiling): it works.
http://security.debian.org/ wheezy/updates/main libssl1.0.0 amd64
1.0.1e-2+deb7u18
(replace libssl1.0.0:amd64 1.0.1e-2+deb7u14 with libssl1.0.0
1.0.1e-2+deb7u18_amd64.deb)
It also works with the default ftp-ssl package under wheezy AFTER updating
libssl.
So, in my opinion:
1) ftp-ssl (get binary files) does not work with libssl prior to a certain
version (whereas lftp, curl, etc. do...),
2) ftp-ssl (get binary files) works under wheezy, jessie, (...) after updating
libssl.
Then, THANKS M. Andersson!
(are you Neo?).
Regards,
Raphael Astier
--------------
On Monday 30 November 2015, at 15:03:42 +0100, Mats Erik Andersson
([email protected]) wrote:
> Hello again,
>
> I wonder if this problem persists? The first report and all follow-ups
> were made prior to the binary rebuild of the package ftp-ssl, which
> happened on November 3rd, when version 0.17.33+0.2-1+b1 was made
> available. This update was caused by a version step in libopenssl,
> seemingly related to this problem because SSL3 was depreciated.
>
> Attached are two patches that are pending for my next upload.
> I hope to hear from you, and would like to express my appreciation
> to both of you for your investigation.
>
> I have yet to identify why and how the control socket becomes the
> channel on which to transfer a copy of the received data file.
>
> Best regards,
> M E Andersson
>
> On Tuesday 3 November 2015, at 10:20, Raphael Astier wrote this:
> > Hello,
> >
> > I have made some investigations.
> > I'm stuck, but I give the status of these.
> >
> > > $ ./ftp mysite-ftp-ssl.xx
> > >
> > > 220 FTP SSL mysite-ftp-ssl.xx
> > > 234 AUTH SSL exécuté avec succès
> > > [SSL Cipher DHE-RSA-AES256-SHA]
> > > 331 Mot de passe requis pour abcdef
> > > 230-
> > > 230-- FTP TLS SSL -
> > > 230-- Only Passive Mode -
> > > 230-
> > > 230 Utilisateur abcdef authentifié
> > > Remote system type is UNIX.
> > > Using binary mode to transfer files.
> > > ftp> passive
> > > Passive mode on.
> > > ftp> ls
> > > 227 Entering Passive Mode (12,33,44,55,252,31).
> > > 150 Ouverture d'une connexion de données en mode ASCII pour file list
> > > -rw------- 1 abcdef FTP 1141 Oct 23 19:38 netkit-ftp-ssl.txt
> > > 226 Téléchargement terminé
> > > ftp> get netkit-ftp-ssl.txt
> > > local: netkit-ftp-ssl.txt remote: netkit-ftp-ssl.txt
> > > 227 Entering Passive Mode (12,33,44,55,250,129).
> > > 150 Opening BINARY mode data connection for netkit-ftp-ssl.txt (1141
> > > bytes)
> > > ftp: SSL_read DATA error error:1408F10B:SSL
> > > routines:SSL3_GET_RECORD:wrong version number <--- here is the problem
> > > 226 Téléchargement terminé
> > > ftp> quit
> > > 221 Au revoir.
> > >
> > > So, I know where the problem is, but I don't know HOW to solve it (for
> > > the moment).
> Description: Consistency of hashes and ticks.
> Encrypted retrieval of binary files did not implement variable
> size for hash marking. Also restrict hashes to RETR commands.
> Support for the tick counter was missing!
> Author: Mats Erik Andersson <[email protected]>
> Forwarded: no
> Last-Update: 2015-11-24
>
> --- netkit-ftp-ssl-0.17.33+0.2/ftp/ftp.c.orig 2015-11-24 00:23:27.000000000
> +0100
> +++ netkit-ftp-ssl-0.17.33+0.2/ftp/ftp.c 2015-11-24 01:17:35.922740374
> +0100
> @@ -1206,13 +1206,18 @@
> if ((d = write(fileno(fout), buf, c)) != c)
> break;
> bytes += c;
> - if (hash) {
> + if (hash && is_retr) {
> while (bytes >= hashbytes) {
> (void) putchar('#');
> - hashbytes += HASHBYTES;
> + hashbytes += hashstep;
> }
> (void) fflush(stdout);
> }
> + if (tick && (bytes >= hashbytes) && is_retr) {
> + printbytes(bytes);
> + while (bytes >= hashbytes)
> + hashbytes += 10 * hashstep;
> + }
> }
> if ( c < -1 ) {
> static char errbuf[1024];
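Review bot: the new tick branch reuses 'hashbytes' as its threshold, so when 'hash' and 'tick' are both set the hash loop just above has already advanced 'hashbytes' past 'bytes' and the test 'tick && (bytes >= hashbytes)' can never be true. If the two modes are meant to be mutually exclusive, say so with an 'else if' or a comment; otherwise give the tick counter its own threshold variable instead of sharing one that the two branches advance by different steps ('hashstep' versus '10 * hashstep'). The hunk also depends on 'is_retr' and 'hashstep' being set up outside the lines shown, so it is worth confirming that the initial value of 'hashbytes' now comes from 'hashstep' rather than HASHBYTES.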
> Description: Broken detection of SSL errors.
> During read of binary data, with active encryption, the detection
> of failed calls with SSL_read() is incomplete. In addition, the
> external variable 'errno' needs manual setting to EIO for proper
> reporting.
> .
> Important problem analysis of code was contributed by Raphael Astier.
> Bug-Debian: http://bugs.debian.org/801948
> Author: Mats Erik Andersson <[email protected]>
> Forwarded: no
> Last-Update: 2015-11-24
>
> --- netkit-ftp-ssl-0.17.33+0.2/ftp/ftp.c.orig2 2015-11-24
> 01:17:35.922740374 +0100
> +++ netkit-ftp-ssl-0.17.33+0.2/ftp/ftp.c 2015-11-24 01:21:18.814739561
> +0100
> @@ -1219,7 +1219,7 @@
> hashbytes += 10 * hashstep;
> }
> }
> - if ( c < -1 ) {
> + if ( c < 0 ) {
> static char errbuf[1024];
>
> sprintf(errbuf,"ftp: SSL_read DATA error %s\n",
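Review bot: the context line sprintf(errbuf, "ftp: SSL_read DATA error %s\n", ...) writes into the 1024-byte static 'errbuf' with no length limit, and the %s argument lies outside the hunk so its bound cannot be checked from here; snprintf(errbuf, sizeof(errbuf), ...) would make the limit explicit. On the changed test itself, 'c < 0' still lets a return value of 0 leave the read loop silently, so a data connection that ends without a clean TLS shutdown would not be reported by this block; consider calling SSL_get_error() whenever c <= 0 and treating anything other than an orderly close as an error.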
> @@ -1228,6 +1228,9 @@
> /* tell the user ... who else */
> fprintf(stderr,"%s", errbuf);
> fflush(stderr);
> +
> + /* Make reports express something sensible. */
> + errno = EIO;
> }
> } else
> #endif /* !USE_SSL */
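Review bot: 'errno = EIO' is correctly placed after fprintf() and fflush(), since either may modify errno, but the report that consumes the value is outside this hunk, so any library call between this block and that report can overwrite it. Keeping the failure in a local flag and assigning errno immediately before the report would be more robust. The comment could also name which report it refers to, and the hunk does not show whether <errno.h> is already included in ftp.c.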