Package: vsftpd
Version: 3.0.3-8+b1
Severity: normal
Tags: upstream
I am trying to connect to vsftpd with curl, but it fails with the
above-mentioned SSL3_GET_RECORD error, as shown below:
curl --ssl-reqd --cacert /etc/tls/cacert.pem ftp://public.worldskills.org/ -u webmaster:Skill39\! --resolve 'public.worldskills.org:21:127.0.0.1' -v
* Added public.worldskills.org:21:127.0.0.1 to DNS cache
* Hostname public.worldskills.org was found in DNS cache
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to public.worldskills.org (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 3.0.3)
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/tls/cacert.pem
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=*.worldskills.org
* start date: Jun 4 06:47:39 2019 GMT
* expire date: Jun 3 06:47:39 2020 GMT
* common name: *.worldskills.org (matched)
* issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=CA
* SSL certificate verify ok.
> USER webmaster
< 331 Please specify the password.
> PASS Skill39!
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number, errno 0
* Closing connection 0
curl: (56) SSL read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number, errno 0
-- Package-specific info:
-- System Information:
Debian Release: 9.9
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 4.9.0-9-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages vsftpd depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.61
ii init-system-helpers 1.56~bpo9+1
ii libc6 2.24-11+deb9u4
ii libcap2 1:2.25-1
ii libpam-modules 1.1.8-3.6
ii libpam0g 1.1.8-3.6
ii libssl1.1 1.1.0j-1~deb9u1
ii libwrap0 7.6.q-26
ii netbase 5.4
Versions of packages vsftpd recommends:
ii logrotate 3.11.0-0.1
ii ssl-cert 1.0.39
vsftpd suggests no packages.
-- Configuration Files:
/etc/vsftpd.conf changed:
listen=NO
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=www-data
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/tls/ws-cert.pem
rsa_private_key_file=/etc/tls/ws-key.pem
ssl_enable=yes
debug_ssl=yes
require_ssl_reuse=no
-- debconf information:
vsftpd/username: ftp
vsftpd/directory: /srv/ftp
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has