Bug#929958: after successful tls negotiation & login, gets SSL3_GET_RECORD error

2019-12-11 Thread Ricardo Fraile
I can reproduce the issue, this is the client output:

 Connecting to ftp.x (1.1.1.1) port 21
<--- 220 
---> FEAT
<--- 211-Features:
<--- AUTH SSL
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER test_user
x matched
<--- 331 Please specify the password.
---> PASS 
<--- 230 Login successful.
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PASV
 SSL_read: wrong version number
 Closing data socket
 Closing control socket
ls: Fatal error: SSL_read: wrong version number 

# vsftpd -v
vsftpd: version 3.0.3

Bug#929958: after successful tls negotiation & login, gets SSL3_GET_RECORD error

2019-06-04 Thread Kent Tong
Package: vsftpd
Version: 3.0.3-8+b1
Severity: normal
Tags: upstream

I am trying to connect to vsftpd with curl, but it fails with the above
mentioned SSL3_GET_RECORD error as shown below:

curl --ssl-reqd --cacert /etc/tls/cacert.pem ftp://public.worldskills.org/ -u webmaster:Skill39\! --resolve 'public.worldskills.org:21:127.0.0.1'  -v
* Added public.worldskills.org:21:127.0.0.1 to DNS cache
* Hostname public.worldskills.org was found in DNS cache
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to public.worldskills.org (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 3.0.3)
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/tls/cacert.pem
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=*.worldskills.org
*  start date: Jun  4 06:47:39 2019 GMT
*  expire date: Jun  3 06:47:39 2020 GMT
*  common name: *.worldskills.org (matched)
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=CA
*  SSL certificate verify ok.
> USER webmaster
< 331 Please specify the password.
> PASS Skill39!
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number, errno 0
* Closing connection 0
curl: (56) SSL read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number, errno 0



-- Package-specific info:

-- System Information:
Debian Release: 9.9
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-9-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages vsftpd depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.56~bpo9+1
ii  libc6                  2.24-11+deb9u4
ii  libcap2                1:2.25-1
ii  libpam-modules         1.1.8-3.6
ii  libpam0g               1.1.8-3.6
ii  libssl1.1              1.1.0j-1~deb9u1
ii  libwrap0               7.6.q-26
ii  netbase                5.4

Versions of packages vsftpd recommends:
ii  logrotate  3.11.0-0.1
ii  ssl-cert   1.0.39

vsftpd suggests no packages.

-- Configuration Files:
/etc/vsftpd.conf changed:
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=www-data
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/tls/ws-cert.pem
rsa_private_key_file=/etc/tls/ws-key.pem
ssl_enable=yes
debug_ssl=yes
require_ssl_reuse=no


-- debconf information:
  vsftpd/username: ftp
  vsftpd/directory: /srv/ftp
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has