
Issue: Strange problem with proftpd and TLS

Cristiano Winckler

New Pleskian
Hi Guys!

I’m experiencing a very strange problem trying to use ProFTPD over TLS.

- CentOS Linux release 7.0.1406 (Core)
- Plesk 12.5.30
- psa-proftpd-1.3.5b-cos7.build1205160427.18.x86_64

This is a new installation and the server DOES NOT have a firewall running.

Problem is: FTP transfer works fine if I connect to the server using a plain-text password (insecure), but when I try to connect to the server using TLS, the list of directories is never shown and the connection times out.

Now, some of you might think this is because the passive ports are not configured, but that's not the case. Passive ports are configured properly and, as mentioned earlier, the firewall is disabled.

PassivePorts 49152 65534

When I look at the “ftp_tls.log”, this is all that’s there:

2016-07-02 09:25:07,739 mod_tls/2.6[17101]: TLS/TLS-C requested, starting TLS handshake
2016-07-02 09:25:33,389 mod_tls/2.6[17129]: TLS/TLS-C requested, starting TLS handshake
2016-07-02 09:55:16,031 mod_tls/2.6[21043]: TLS/TLS-C requested, starting TLS handshake
2016-07-02 09:55:41,687 mod_tls/2.6[21095]: TLS/TLS-C requested, starting TLS handshake
2016-07-02 09:57:50,712 mod_tls/2.6[21258]: TLS/TLS-C requested, starting TLS handshake

So, basically, the connection stops at the handshake for some reason and it's not completed.

I’ve searched online for some sort of solution or someone who had the same problem, but it seems no one has experienced this before.

Does anyone have an opinion on what could be causing this?

This is the content of my proftpd.conf:

#
# For more information about ProFTPD configuration
# look at: http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use). It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on

<Global>
DefaultRoot ~ psacln
AllowOverwrite on
<IfModule mod_tls.c>
# common settings for all virtual hosts
TLSEngine on
TLSRequired off

TLSLog /var/log/plesk/ftp_tls.log

TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none

# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
# that reuse the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

DefaultTransferMode binary
UseFtpUsers on

TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# The following part of this config file was generated by PSA automatically.
# Any changes in this part will be overwritten by the next manipulation
# of the Anonymous FTP feature in the PSA control panel.

# The Include directive should point to the place where the FTP virtual host
# configurations are preserved.

ScoreboardFile /var/run/proftpd.scoreboard

# Primary log file must be outside of the system logrotate province

TransferLog /var/log/plesk/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off
UseIPv6 Off

AuthGroupFile /etc/group

Include /etc/proftpd.d/*.conf
 
Do you have a valid certificate (not a self-signed one) and are you connecting to the server with that name?

i.e.: if you have a valid cert for Plesk (that is what is used in FTP also) for domain dom123.com but you connect to FTP via IP address, it would still give a cert error.

Some ideas:
- What client do you use? Maybe your client is configured to refuse/close/not accept the connection if a bad certificate is encountered.

- You say passive ports are configured: they are not in your configuration. Passive ports need to be in the <Global> section. I have these just before </Global>:

AllowRetrieveRestart on
AllowStoreRestart on
PassivePorts 10000 10250

- You say passive ports are configured, but do you connect via passive ports? In the client I use I have to explicitly enable passive connections.
- What is the content of the extra config files in /etc/proftpd.d/?

Also handy, though not related to this: tell FTP to use the local time. This has to be outside <Global>:

TimesGMT off
SetEnv TZ :/etc/localtime

Hope some of this is a pointer in the right direction.

Regards,
Jan
 
Hi Jan,

Thank you for your reply. Here are the answers to your questions:

Do you have a valid certificate (not a self signed) and are you connecting to the server with that name?

Yes, the certificate is valid and I'm trying to access the server using the domain, not the IP.

- What client do you use? Maybe your client is configured to refuse/close/not accept the connection if a bad certificate is encountered.

I’m using FileZilla and it prompts me to accept the certificate if a bad certificate appears.

- You say passive ports are configured: they are not in your configuration. Passive ports need to be in the <Global> section. I have these just before </Global>:

Passive ports were configured in a separate file in “/etc/proftpd.d”. I removed the file and configured the passive ports directly in “/etc/proftpd.conf”, but it still doesn’t work:

<Global>
DefaultRoot ~ psacln
AllowOverwrite on

AllowRetrieveRestart on
AllowStoreRestart on
PassivePorts 49152 65534

- You say passive ports are configured, but do you connect via passive ports? In the client I use I have to explicitly enable passive connections.

Tried that too, and nothing.

- What is the content of the extra config files in /etc/proftpd.d/?

2 files there now (I had 3, but removed the passive ports file):

- 50-plesk.conf

<Global>
<IfModule mod_tls.c>
TLSEngine on
TLSRequired off
</IfModule>
</Global>

- ssl.conf

<IfModule mod_tls.c>
TLSCipherSuite HIGH:!aNULL:!MD5
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
</IfModule>

Additionally, this is the log message from FileZilla when trying to connect to the server:

Status: Resolving address of ns9.grupow.com.br
Status: Connecting to 186.250.92.252:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of ns9.grupow.com.br
Status: Connecting to 186.250.92.252:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.5b Server (ProFTPD) [172.28.92.250]
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Disconnected from server
Status: Resolving address of ns9.grupow.com.br
Status: Connecting to 186.250.92.252:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of ns9.grupow.com.br
Status: Connecting to 186.250.92.252:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.5b Server (ProFTPD) [172.28.92.250]
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
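The FileZilla log above shows the control channel accepting AUTH TLS and then stalling while the TLS handshake runs. The script below is an added example, not code from this thread or from Plesk or ProFTPD: `probe_ftps()` walks the explicit-FTPS setup one step at a time under its own timeout so the failing step can be named, and `start_stalling_server()` is a constructed loopback stand-in that reproduces exactly this symptom (234 to AUTH TLS, then silence) so the probe can be run offline. Both function names are my own.

```python
import socket
import ssl
import threading

def _read_reply(ctl):
    """Read one FTP reply line from the buffered control channel; returns (code, text)."""
    line = ctl.readline().decode(errors="replace").strip()
    if not line:
        raise ConnectionError("peer closed the control connection")
    return int(line[:3]), line

def probe_ftps(host, port=21, timeout=5.0):
    """Walk explicit FTPS (AUTH TLS) step by step; return (stage, detail) where stage is the
    first step that failed ("banner", "auth_tls", "tls_handshake") or "ok"."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic only: we ask whether a handshake completes at all
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    ctl = sock.makefile("rb")
    try:
        code, banner = _read_reply(ctl)
        if code != 220:
            return ("banner", banner)
        sock.sendall(b"AUTH TLS\r\n")
        code, reply = _read_reply(ctl)
        if code != 234:
            return ("auth_tls", reply)  # server declined to switch the control channel to TLS
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except (socket.timeout, ssl.SSLError) as exc:
            return ("tls_handshake", str(exc))  # a timeout here is the symptom in this thread
        return ("ok", "%s %s" % (tls.version(), tls.cipher()[0]))
    finally:
        ctl.close()
        sock.close()

def start_stalling_server():
    """Constructed stand-in for this thread's symptom: replies 234 to AUTH TLS, then goes silent."""
    srv = socket.create_server(("127.0.0.1", 0))  # loopback only, ephemeral port
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 simulated FTP server ready\r\n")
        conn.recv(64)  # AUTH TLS
        conn.sendall(b"234 AUTH TLS successful\r\n")
        while conn.recv(4096):  # swallow the ClientHello and say nothing until the client gives up
            pass
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real server, `probe_ftps("your.ftp.host")` returns `("ok", ...)` with the negotiated protocol and cipher when the handshake completes; a `"tls_handshake"` result together with a TLSLog that only ever shows "starting TLS handshake" narrows the fault to the handshake itself rather than to passive ports or data connections.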
 
Check if your psa-proftpd rpm is from the atomic repo, and if so, try to replace it with the one from the Plesk repo.
I had a very similar issue and replacing the rpm did solve my issue.
 
Thank you for your suggestion, but I already have the Plesk version installed.

Name : psa-proftpd
Version : 1.3.5b
Release : cos7.build1205160427.18
Architecture: x86_64
Install Date: Sex 17 Jun 2016 06:48:15 BRT
Group : System Environment/Daemons
Size : 7536842
License : GPL
Signature : DSA/SHA1, Qua 27 Abr 2016 09:36:35 BRT, Key ID bd11a6aa914bdf7e
Source RPM : psa-proftpd-1.3.5b-cos7.build1205160427.18.src.rpm
Build Date : Qua 27 Abr 2016 09:35:25 BRT
Build Host : bcos7x64.plesk.ru
Relocations : (not relocatable)
Packager : Parallels <[email protected]>
Vendor : Plesk
 
Hi Cristiano Winckler,

<Global>
DefaultRoot ~ psacln
AllowOverwrite on
<IfModule mod_tls.c>
# common settings for all virtual hosts
TLSEngine on
TLSRequired off

TLSLog /var/log/plesk/ftp_tls.log

TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off

# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate none

# As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
# that reuse the SSL session of the control connection, as a security measure.
# Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

The standard configuration would be:

<Global>
DefaultRoot    ~        psacln
AllowOverwrite        on
<IfModule mod_tls.c>
    # common settings for all virtual hosts
    TLSEngine on
    TLSRequired on
   
    TLSProtocol SSLv23

    TLSLog /var/log/plesk/ftp_tls.log

    TLSRSACertificateFile        /usr/local/psa/admin/conf/httpsd.pem
    TLSRSACertificateKeyFile    /usr/local/psa/admin/conf/httpsd.pem
   
    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off

    # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
    # that reuse the SSL session of the control connection, as a security measure.
    # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
    TLSOptions NoSessionReuseRequired
</IfModule>
</Global>
 