On Fri, 19 Sep 2014 02:22:08 -0400 (EDT), Alexander Lukyanov wrote:
> 
> On 2014-09-19 3:24 GMT+04:00 Stephen Powell wrote:
>>
>> As to your claim that the new development snapshot of lftp
>> does indeed send a close_notify alert to the server prior to
>> closing the control connection when TLS is used, I guess I'll
>> have to take your word for it.  I could not find the word "alert"
>> anywhere in the source package, and the word "notify" could only be
>> found in reference to notifying other jobs of some event.  Of
>> course, there are lots of references to "close".  Too many.
>> I can't separate the wheat from the chaff.
> 
> Look for gnutls_bye (gnutls) or SSL_shutdown (openssl) calls.  See
> https://github.com/lavv17/lftp/commit/fc468dc987cb45bab4a3d31a1e832601bc239774
> for the change.

That's a good tip.  vsftpd is written for openssl only (no gnutls), so
I searched for the character string "SSL_shutdown".  It occurs only in
reference to data connections, not in reference to the control connection.
But that also led me to the following server options:

-----

       strict_ssl_read_eof
              If enabled, SSL data uploads are required to terminate via SSL,
              not an EOF on the socket. This option is required to be sure
              that an attacker did not terminate an upload prematurely with a
              faked TCP FIN. Unfortunately, it is not enabled by default
              because so few clients get it right. (New in v2.0.7).

              Default: NO

       strict_ssl_write_shutdown
              If enabled, SSL data downloads are required to terminate via
              SSL, not an EOF on the socket. This is off by default as I was
              unable to find a single FTP client that does this. It is minor.
              All it affects is our ability to tell whether the client
              confirmed full receipt of the file. Even without this option, the
              client is able to check the integrity of the download. (New in
              v2.0.7).

              Default: NO

-----

I tried setting both of these server options to yes and tried my "get" with
lftp again.  The last few lines of output in the debug file are now as follows:

---- Got EOF on data connection
---- Closing data socket
<--- 426 Failure writing network stream.
---- received all data but no EOF
---> QUIT
<--- 221 Goodbye.
gnutls_record_recv: The TLS connection was non-properly terminated.  Assuming EOF.
---- Closing control socket

(You will note that I have applied a local modification to fix the formatting of
the gnutls_record_recv error message.)

In summary, lftp handles the control connection properly, but not the data
connection.  vsftpd handles the data connection properly, but not the control
connection.  I'll get to work on the vsftpd people about the control connection.
Maybe you could do something about the data connection?

-- 
  .''`.     Stephen Powell    
 : :'  :
 `. `'`
   `-
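
The behaviour the two vsftpd options above describe, as an added example that is
not lftp or vsftpd code: a TLS "upload" over loopback, written against Python's
ssl module.  The client ends the transfer either with a close_notify alert
(what SSL_shutdown / gnutls_bye send) or with a bare TCP FIN, which is exactly
what an attacker's forged FIN looks like to the receiver.  The receiver either
insists on close_notify (like strict_ssl_read_eof=YES) or accepts the ragged
EOF (the default).  It assumes the openssl command-line tool is on PATH to mint
a throwaway localhost certificate; the payload is constructed sample data.

```python
"""close_notify vs. bare TCP FIN on a TLS data connection (added example)."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

PAYLOAD = b"constructed upload payload\n" * 4   # constructed sample data


def make_self_signed_cert(tmpdir):
    """Throwaway EC key + self-signed cert for 'localhost' (assumes openssl CLI)."""
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "ec",
         "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return cert, key


def receive_upload(server_ctx, listener, strict):
    """Server side of the data connection: read until the client is done.

    strict=True  ~ strict_ssl_read_eof=YES: a TCP FIN without close_notify is
                   reported as truncation (Python raises ssl.SSLEOFError).
    strict=False ~ the default: the ragged EOF is silently returned as b''.
    """
    raw, _ = listener.accept()
    raw.settimeout(5)
    tls = server_ctx.wrap_socket(raw, server_side=True,
                                 suppress_ragged_eofs=not strict)
    received = bytearray()
    try:
        while True:
            chunk = tls.recv(4096)
            if not chunk:        # b'' = close_notify seen (or a FIN, if not strict)
                break
            received += chunk
    except ssl.SSLError:         # SSLEOFError: peer closed TCP with no close_notify
        tls.close()
        return bytes(received), "truncated"
    try:
        tls.unwrap().close()     # answer the client's close_notify with our own
    except OSError:              # peer is already gone; nothing left to say
        tls.close()
    return bytes(received), "complete"


def upload(client_ctx, port, payload, tls_close):
    """Client side.  tls_close=True ends the transfer the way lftp ends its
    control connection (SSL_shutdown); False just closes the socket, which on
    the wire is indistinguishable from an attacker's forged FIN."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    tls = client_ctx.wrap_socket(raw, server_hostname="localhost")
    tls.sendall(payload)
    if tls_close:
        tls = tls.unwrap()       # sends close_notify and waits for the server's
    tls.close()                  # plain TCP FIN


def run_scenario(strict, tls_close, payload=PAYLOAD):
    """Run one upload over loopback; return (bytes received, server verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        # No TLS 1.3 session tickets: the sloppy client must have nothing
        # unread when it calls close(), so the kernel sends a FIN, not a RST.
        server_ctx.num_tickets = 0
        # OpenSSL 3 reports a bare FIN as an error only when this option is
        # clear; clear it so suppress_ragged_eofs alone decides what happens.
        if hasattr(ssl, "OP_IGNORE_UNEXPECTED_EOF"):
            server_ctx.options &= ~ssl.OP_IGNORE_UNEXPECTED_EOF
        client_ctx = ssl.create_default_context(cafile=cert)

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        outcome = []
        server = threading.Thread(
            target=lambda: outcome.append(receive_upload(server_ctx, listener, strict)),
            daemon=True)
        server.start()
        upload(client_ctx, listener.getsockname()[1], payload, tls_close)
        server.join(timeout=10)
        listener.close()
    return outcome[0]


if __name__ == "__main__":
    for strict, tls_close in ((True, True), (True, False), (False, False)):
        data, verdict = run_scenario(strict, tls_close)
        print(f"strict={strict!s:<5} close_notify={tls_close!s:<5} "
              f"-> {len(data)} bytes, {verdict}")
```

The three runs give: strict receiver + close_notify -> complete; strict
receiver + bare FIN -> truncated; lenient receiver + bare FIN -> complete, with
every byte present in all three cases.  The last one is the silent acceptance
the man page warns about: the receiver got the whole file this time, but it
has no way to know that, and neither would it notice a forged FIN that
arrived after only half of it.  Session tickets are disabled on purpose: a
client that closes with unread data in its receive buffer produces a RST
instead of a FIN, which surfaces as a socket error under both settings and
would hide the difference being demonstrated.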

_______________________________________________
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp
