In message <_A4077@delegate-en.ML_> on 08/19/08(16:35:30)
you email@example.com wrote:
|We are using DeleGate as a ftp to ftps proxy. The setting used to work
|*very well* (and therefore a big thank you for the author
|of DeleGate). The problem is with Explicit and Implicit SSL/TLS. With an
|older version (3.0.11, which is before FileZilla security patch) FileZilla
|and DeleGate work like a charm. With new versions of FileZilla there is a
|problem however, which seems to be related to below issue (the snippet is
|from the FileZilla project's website http://filezilla-project.org)
|2008-07-24 - Security Advisory
|FileZilla 184.108.40.206 fixes a vulnerability regarding the way some errors are
|handled on SSL/TLS secured data transfers.
|If the data connection of a transfer gets closed, FileZilla did not check
|if the server performed an orderly TLS shutdown.
|An attacker could send spoofed FIN packets to the client. Even though
|GnuTLS detects this with GNUTLS_E_UNEXPECTED_PACKET_LENGTH, FileZilla did
|not record a transfer failure in all cases.
|Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since
|this cannot be distinguished from an attack, FileZilla will not be able to
|download listings or files from such servers.
|All versions prior to 220.127.116.11 are affected. This vulnerability has been
|fixed in 18.104.22.168
|The error returned by FileZilla points to the issue addressed in the
|Security Advisory. The german text means
|"Server did not shutdown TLS-Connection properly."
|I am not sure whether this is an issue with SSLway or with DeleGate. Is
|there a workaround for the described problem?
|I would appreciate your answer and again, I think you do a great job!
|09:15:43 Trace: CTlsSocket::OnRead()
|09:15:43 Trace: CTlsSocket::OnSocketEvent(): close event received
|09:15:43 Trace: CTransferSocket::OnReceive(), m_transferMode=0
|09:15:43 Trace: GnuTLS error -9: A TLS packet with unexpected
|length was received.
|09:15:43 Status: Server hat die TLS-Verbindung nicht ordnungsgemäß
|09:15:43 Fehler: Could not read from transfer socket: ECONNABORTED
This seems to be the same problem I heard about last night...
If so, you might be able to solve it with the patch I posted in:
And more detailed log output about SSL handling in DeleGate with the
"TLSCONF=-vd" option will be helpful to see what is going on.
9 9 Yutaka Sato <firstname.lastname@example.org> http://delegate.org/y.sato/
( ~ ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
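The check the FileZilla advisory above describes, treating a data connection that ends without a TLS close_notify as a failed transfer, written against Python's ssl module as an added example (not code from this thread, from DeleGate or from FileZilla). `wrap_data_socket`, `receive_transfer` and the offline stand-in `fake_recv` are names chosen here.

```python
"""Added example (not from the DeleGate thread, DeleGate or FileZilla):
detect a TLS data connection that ends without close_notify."""
import ssl


def wrap_data_socket(ctx, sock, server_hostname):
    """Wrap an FTPS data connection so a missing close_notify is visible.

    Python's default suppress_ragged_eofs=True makes recv() return b"" on a
    bare TCP FIN, i.e. the silent truncation the advisory describes.
    Turning it off makes recv() raise ssl.SSLEOFError instead.
    """
    return ctx.wrap_socket(sock, server_hostname=server_hostname,
                           suppress_ragged_eofs=False)


def receive_transfer(recv, bufsize=16384):
    """Drain a data connection; recv is SSLSocket.recv or compatible.

    Returns (data, status): "ok" after close_notify, "truncated" when the
    peer vanished without it, "aborted" on a TCP reset/abort.
    """
    chunks = []
    while True:
        try:
            chunk = recv(bufsize)
        except ssl.SSLZeroReturnError:        # close_notify (SSLObject API)
            return b"".join(chunks), "ok"
        except ssl.SSLEOFError:               # EOF with no close_notify
            return b"".join(chunks), "truncated"
        except (ConnectionResetError, ConnectionAbortedError):
            return b"".join(chunks), "aborted"
        if not chunk:                         # SSLSocket.recv(): close_notify
            return b"".join(chunks), "ok"
        chunks.append(chunk)


def fake_recv(chunks, ending=None):
    """Constructed stand-in for SSLSocket.recv so the example runs offline:
    yields chunks, then returns b"" (orderly close) or raises `ending`."""
    pending = list(chunks)

    def recv(_bufsize):
        if pending:
            return pending.pop(0)
        if ending is None:
            return b""
        raise ending
    return recv
```

With a real connection, pass `wrap_data_socket(ctx, sock, host).recv` as `recv`; a transfer that comes back "truncated" must not be recorded as complete.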