Article delegate-en/4078 of [1-5169] on the server localhost:119
[Reference:<_A4077@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FileZilla TLS security patch does not work with FTPS and Delegate
19 Aug 2008 08:34:40 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4077@delegate-en.ML_> on 08/19/08(16:35:30)
you p5uhqbdyi-po5c3i35fbvr.ml@ml.delegate.org wrote:
 |We are using DeleGate as a ftp to ftps proxy. The setting used to work
 |*very well* (and therefore a big thank you for the author
 |of DeleGate). The problem is with Explicit and Implicit SSL/TLS. With an
 |older version (3.0.11, which is before FileZilla security patch) FileZilla
 |and DeleGate work like a charm. With new versions of FileZilla there is a
 |problem however, which seems to be related to below issue (the snippet is
 |from the FileZilla project's website http://filezilla-project.org)
 |
 |
 |2008-07-24 - Security Advisory
 |FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are
 |handled on SSL/TLS secured data transfers.
 |If the data connection of a transfer gets closed, FileZilla did not check
 |if the server performed an orderly TLS shutdown.
 |Impact
 |An attacker could send spoofed FIN packets to the client. Even though
 |GnuTLS detects this with GNUTLS_E_UNEXPECTED_PACKET_LENGTH, FileZilla did
 |not record a transfer failure in all cases.
 |Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since
 |this cannot be distinguished from an attack, FileZilla will not be able to
 |download listings or files from such servers.
 |Affected versions
 |All versions prior to 3.1.0.1 are affected. This vulnerability has been
 |fixed in 3.1.0.1
 |
 |The error returned by FileZilla points to the issue addressed in the
 |Security Advisory. The german text means
 |"Server did not shutdown TLS-Connection properly."
...
 |I am not sure whether this is an issue with SSLway or with DeleGate. Is
 |there a workaround for the described problem?
 |I would appreciate your answer and again, I think you do a great job!
...
 |09:15:43        Trace:  CTlsSocket::OnRead()
 |09:15:43        Trace:  CTlsSocket::OnSocketEvent(): close event received
 |09:15:43        Trace:  CTransferSocket::OnReceive(), m_transferMode=0
 |09:15:43        Trace:  GnuTLS error -9: A TLS packet with unexpected
 |length was received.
 |09:15:43        Status: Server hat die TLS-Verbindung nicht ordnungsgemäß
 |geschlossen
 |09:15:43        Fehler: Could not read from transfer socket: ECONNABORTED

This seems the same problem I heard last night...
If so, you might be able to solve it with the patch I posted in:
<URL:http://www.delegate.org/mail-lists/delegate-en/4076>
And more detailed log output about SSL handling in DeleGate with the
"TLSCONF=-vd" option will be helpful to see what is going on.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
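The check at the heart of the quoted advisory, as an added example that is not code from DeleGate, FileZilla or GnuTLS: a client receiving a TLS data connection has to tell an orderly shutdown (a close_notify alert before the TCP EOF) apart from a bare EOF, which is what a spoofed FIN produces and also what a server that skips close_notify produces. The record walker below makes that distinction on a constructed byte stream. It assumes records are shown in the clear (on a real connection each record is decrypted first, but the end-of-stream logic is the same), and the sample listing line and the function names are made up for the illustration.

```python
# Added example (not DeleGate, FileZilla or GnuTLS code): classify how a TLS
# data connection ended, distinguishing an orderly close_notify from a bare
# TCP EOF. Assumption: records are shown in the clear; on a real connection
# the record layer decrypts each record first, but the end-of-stream check is
# the same.
import struct
from enum import Enum

RECORD_HEADER_LEN = 5          # type(1) + version(2) + length(2)
CONTENT_ALERT = 21
CONTENT_APPLICATION_DATA = 23
ALERT_LEVEL_WARNING = 1
ALERT_CLOSE_NOTIFY = 0         # AlertDescription close_notify


class Shutdown(Enum):
    ORDERLY = "close_notify received before EOF"
    NO_CLOSE_NOTIFY = "EOF at a record boundary without close_notify"
    TRUNCATED_RECORD = "EOF in the middle of a record"


def record(content_type: int, payload: bytes) -> bytes:
    """Frame one TLS 1.2 record (version bytes 3,3) around payload."""
    return struct.pack("!BBBH", content_type, 3, 3, len(payload)) + payload


def classify_stream(stream: bytes):
    """Walk the bytes received before the TCP connection closed.

    Returns (Shutdown verdict, application data received)."""
    app_data = bytearray()
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < RECORD_HEADER_LEN:
            return Shutdown.TRUNCATED_RECORD, bytes(app_data)
        content_type, _major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + RECORD_HEADER_LEN: offset + RECORD_HEADER_LEN + length]
        if len(body) < length:                      # header promised more bytes than arrived
            return Shutdown.TRUNCATED_RECORD, bytes(app_data)
        offset += RECORD_HEADER_LEN + length
        if content_type == CONTENT_ALERT and len(body) == 2 and body[1] == ALERT_CLOSE_NOTIFY:
            # The peer announced the end of the stream; anything after this is ignored.
            return Shutdown.ORDERLY, bytes(app_data)
        if content_type == CONTENT_APPLICATION_DATA:
            app_data += body
        # handshake, change_cipher_spec and other alerts are skipped in this model
    return Shutdown.NO_CLOSE_NOTIFY, bytes(app_data)


def transfer_succeeded(stream: bytes, require_close_notify: bool = True) -> bool:
    """Decide whether a finished data connection delivered the whole transfer.

    require_close_notify=True is the strict check the advisory describes;
    False mirrors the older behaviour that treated a bare EOF as success."""
    verdict, _ = classify_stream(stream)
    if verdict is Shutdown.ORDERLY:
        return True
    if verdict is Shutdown.NO_CLOSE_NOTIFY:
        return not require_close_notify
    return False


# Constructed sample streams: one directory-listing line sent as one record.
FILE_BODY = b"-rw-r--r-- 1 ftp ftp 42 Aug 19 09:15 report.txt\r\n"
ORDERLY_STREAM = (record(CONTENT_APPLICATION_DATA, FILE_BODY)
                  + record(CONTENT_ALERT, bytes([ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY])))
RAGGED_STREAM = record(CONTENT_APPLICATION_DATA, FILE_BODY)        # socket closed, no close_notify
CUT_STREAM = record(CONTENT_APPLICATION_DATA, FILE_BODY)[:-8]      # connection dropped mid-record

if __name__ == "__main__":
    for name, stream in (("orderly", ORDERLY_STREAM), ("ragged", RAGGED_STREAM), ("cut", CUT_STREAM)):
        verdict, data = classify_stream(stream)
        print(f"{name:8s} {verdict.value:48s} bytes={len(data):3d} "
              f"strict_ok={transfer_succeeded(stream)} "
              f"lenient_ok={transfer_succeeded(stream, require_close_notify=False)}")
```

The "ragged" case is the one the advisory calls out: with the lenient setting the listing is accepted even though nothing proves it is complete, and with the strict setting it is refused, which is exactly what happens when the server or an FTPS proxy in front of it closes the data socket without first sending close_notify. Since the client cannot tell that from an injected FIN, the fix has to be on the side that closes the connection: send close_notify before closing the data socket, and check for it on the receiving side.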
