Article delegate-en/4079 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Antwort: Re: [DeleGate-En] FileZilla TLS security patch does not work with FTPS and Delegate
19 Aug 2008 10:37:20 GMT p5uhqbdyi-g7ilkrrpmhjr.ml@ml.delegate.org



Hi Yutaka,
The patch you provided in fact solves the problem. It works fine again.
Thank you very much.

Cheers,
 Markus 

feedback@delegate.org (Yutaka Sato) wrote on 19.08.2008 10:34:37:

> Hi,
> 
> In message <OF8F417BBA.3A21C746-ONC12574AA.0027F3C4-C12574AA.0029B46A@telekurs.com>
> on 08/19/08(16:35:30)
> you p5uhqbdyi-g7ilkrrpmhjr.ml@ml.delegate.org wrote:
>  |We are using DeleGate as a ftp to ftps proxy. The setting used to work
>  |*very well* (and therefore a big thank you for the author
>  |of DeleGate). The problem is with Explicit and Implicit SSL/TLS. With an
>  |older version (3.0.11, which is before FileZilla security patch) FileZilla
>  |and DeleGate work like a charm. With new versions of FileZilla there is a
>  |problem however, which seems to be related to below issue (the snippet is
>  |from the FileZilla project's website http://filezilla-project.org)
>  |
>  |
>  |2008-07-24 - Security Advisory
>  |FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are
>  |handled on SSL/TLS secured data transfers.
>  |If the data connection of a transfer gets closed, FileZilla did not check
>  |if the server performed an orderly TLS shutdown.
>  |Impact
>  |An attacker could send spoofed FIN packets to the client. Even though
>  |GnuTLS detects this with GNUTLS_E_UNEXPECTED_PACKET_LENGTH, FileZilla did
>  |not record a transfer failure in all cases.
>  |Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since
>  |this cannot be distinguished from an attack, FileZilla will not be able to
>  |download listings or files from such servers.
>  |Affected versions
>  |All versions prior to 3.1.0.1 are affected. This vulnerability has been
>  |fixed in 3.1.0.1
>  |
>  |The error returned by FileZilla points to the issue addressed in the
>  |Security Advisory. The German text means
>  |"Server did not shutdown TLS-Connection properly."
> ...
>  |I am not sure whether this is an issue with SSLway or with DeleGate. Is
>  |there a workaround for the described problem?
>  |I would appreciate your answer and again, I think you do a great job!
> ...
>  |09:15:43        Trace:  CTlsSocket::OnRead()
>  |09:15:43        Trace:  CTlsSocket::OnSocketEvent(): close event received
>  |09:15:43        Trace:  CTransferSocket::OnReceive(), m_transferMode=0
>  |09:15:43        Trace:  GnuTLS error -9: A TLS packet with unexpected
>  |length was received.
>  |09:15:43        Status: Server hat die TLS-Verbindung nicht ordnungsgemäß
>  |geschlossen
>  |09:15:43        Fehler: Could not read from transfer socket: ECONNABORTED
> 
> This seems the same problem I heard last night...
> If so, you might be able to solve it with the patch I posted in:
> <URL:http://www.delegate.org/mail-lists/delegate-en/4076>
> And more detailed log output about SSL handling in DeleGate with
> "TLSCONF=-vd" option will be helpful to see what is going on.
> 
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller


This e-mail may contain confidential and privileged information.
If you are not the intended recipient, please notify the sender and delete
this e-mail immediately.
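
The quoted advisory turns on whether the server side of the data connection ends with a TLS alert record or just a TCP close. The following is an added example, not code from FileZilla, GnuTLS or DeleGate, that classifies the end of a captured server-to-client byte stream. It assumes TLS 1.2 or earlier (where the record type is visible on the wire) and treats a final alert record as close_notify, since its body is encrypted; all names and sample streams are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
KNOWN_TYPES = {CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA}


def record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record: type, version, 16-bit length, body."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def classify_close(stream: bytes) -> str:
    """Classify how one direction of a TLS connection ended.

    `stream` is the reassembled TCP payload the peer sent before its FIN.
    """
    pos, last_type = 0, None
    while pos < len(stream):
        header = stream[pos:pos + 5]
        if len(header) < 5:
            return "truncated-record"      # FIN arrived inside a record header
        ctype, major, _minor, length = struct.unpack("!BBBH", header)
        if ctype not in KNOWN_TYPES or major != 3:
            return "not-tls"
        if pos + 5 + length > len(stream):
            return "truncated-record"      # FIN arrived inside a record body
        last_type = ctype
        pos += 5 + length
    # Assumption: an alert as the final record is the close_notify of an
    # orderly shutdown; its encrypted body cannot be inspected passively.
    return "orderly" if last_type == ALERT else "no-close-alert"


# Constructed sample streams; zero bytes stand in for ciphertext.
DATA = record(APPLICATION_DATA, b"\x00" * 64)
ORDERLY = DATA + DATA + record(ALERT, b"\x00" * 32)   # data, then alert, then FIN
FIN_ONLY = DATA + DATA                                # FIN with no alert
CUT_SHORT = DATA + DATA[:40]                          # FIN in the middle of a record

if __name__ == "__main__":
    for name, s in (("ORDERLY", ORDERLY), ("FIN_ONLY", FIN_ONLY),
                    ("CUT_SHORT", CUT_SHORT)):
        print(f"{name:10s} {classify_close(s)}")
```

A client that enforces the advisory's check has to treat both "no-close-alert" and "truncated-record" as a failed transfer, which is why a proxy that closes the data socket without sending the alert stops working with FileZilla 3.1.0.1.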
