[Proftpd-user] TLS/TLS-C negotiation failed on control channel - head scratcher II
George Zervakos
2004-09-27 11:42:46 UTC
Hello again list,

I have been fighting with this problem for about a month now and would
appreciate any help since I am running out of things to try. I want to
set up FTPS with proftpd and mod_tls. I compiled proftpd 1.2.10 with
mod_tls:

proftpd -vv
- ProFTPD Version: 1.2.10 (stable)
- Scoreboard Version: 01040002
- Built: Tue Sep 14 13:01:45 EDT 2004
- Module: mod_core.c
- Module: mod_xfer.c
- Module: mod_auth_unix.c
- Module: mod_auth_file.c
- Module: mod_auth.c
- Module: mod_ls.c
- Module: mod_log.c
- Module: mod_site.c
- Module: mod_auth_pam.c
- Module: mod_tls.c



The problem is that FTPS clients cannot establish a TLS connection to
the proftpd server. The proftpd server is not behind any firewalls. My
client is behind a firewall and NAT. I get the following errors in my
log:


Sep 27 09:17:07 mod_tls/2.0.7[13245]: TLS/TLS-C requested, starting TLS handshake
Sep 27 09:17:10 mod_tls/2.0.7[13245]: unable to accept TLS connection: Connection reset by peer
Sep 27 09:17:10 mod_tls/2.0.7[13245]: TLS/TLS-C negotiation failed on control channel

It looks to me like it's the client not liking something here. Here is
what I have tried so far:

1) I can log in to proftpd when I do everything locally on the proftpd
server. I used lftp to make the connection and I can see that I am able
to log in and browse directories. This leads me to believe the server
is functioning ok.

2) I compiled proftpd with mod_tls on another machine and was
successful in connecting to this new installation when using lftp from a
client on the same subnet. I was able to log in, browse trees and even
transfer files with encryption.

3) Thinking the problem could have something to do with my client being
behind a firewall and NAT, I connected my client directly to the
internet in front of the firewall thus taking out the firewall from the
equation. Unfortunately, this did not improve anything. I am still
getting the same error messages about failed TLS negotiations.


Is there anything else I could try? Like I said, it seems to me the
server is functioning OK. I have tried lftp, SmartFTP, and CuteFTP pro.
They all exhibit the same behavior.

Thanks for any help,
George
TJ Saunders
2004-09-27 15:13:20 UTC
Post by George Zervakos
The problem is that FTPS clients cannot establish a TLS connection to
the proftpd server. The proftpd server is not behind any firewalls. My
client is behind a firewall and NAT. I get the following errors in my
Sep 27 09:17:07 mod_tls/2.0.7[13245]: TLS/TLS-C requested, starting TLS
handshake
Connection reset by peer
Sep 27 09:17:10 mod_tls/2.0.7[13245]: TLS/TLS-C negotiation failed on
control channel
What mod_tls configuration are you using?
Post by George Zervakos
3) Thinking the problem could have something to do with my client being
behind a firewall and NAT, I connected my client directly to the
internet in front of the firewall thus taking out the firewall from the
equation. Unfortunately, this did not improve anything. I am still
getting the same error messages about failed TLS negotiations.
Did you remove the NAT from the network path as well?

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each man is the smith of his own fortune.

-Appius Claudius Caecus

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
George Zervakos
2004-09-27 15:48:56 UTC
Here's my mod_tls configuration:

# mod_tls
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1
#TLSProtocol SSLv23

# Are clients required to use FTP over TLS when talking to this
server?
# Require SSL/TLS on the control channel, so that passwords are not
sent
# in the clear.
#TLSRequired on
#TLSRequired off
#TLSRequired ctrl
#TLSRequired data


TLSOptions NoCertRequest
# Server's certificate
#TLSRSACertificateFile /etc/ftpd/server.cert.pem
#TLSRSACertificateKeyFile /etc/ftpd/server.key.pem
TLSRSACertificateFile /usr/local/ssl/misc/ftpscert.pem
TLSRSACertificateKeyFile /usr/local/ssl/misc/ftpskey.pem

# CA the server trusts
#TLSCACertificateFile /etc/ftpd/root.cert.pem
TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>


And yes, there was no NAT either when I had the client connected
directly to the Internet. I temporarily assigned the client a public IP
from our pool of public addresses so there was no NAT necessary.

George





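The mod_tls block posted above has every `TLSRequired` line commented out, so even once the handshake problem is solved the server will still accept plain FTP logins and the password protection the config comments talk about is not actually enforced. The following static checker, an added example for this thread and not proftpd code, parses such a block the way proftpd reads it (comment lines are ignored, last directive wins) and reports the settings that matter for credential exposure. The two embedded config strings are constructed, modelled on the posted block; only the directives that appear in the thread are interpreted.

```python
"""Static check of a proftpd mod_tls block for the settings that decide whether
credentials can still cross the control channel in the clear.

Constructed example for this thread; not proftpd code.  Only directives that
appear in the thread (TLSEngine, TLSRequired, TLSProtocol, TLSVerifyClient,
TLSRSACertificateFile, TLSRSACertificateKeyFile, TLSCACertificateFile) are
interpreted; everything else is parsed but not judged.
"""
import re

# Constructed config, modelled on the block posted in the thread: TLSRequired is
# present only as commented-out alternatives, so it is not in effect.
POSTED_CONFIG = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1
#TLSProtocol SSLv23
#TLSRequired on
#TLSRequired off
TLSOptions NoCertRequest
TLSRSACertificateFile /usr/local/ssl/misc/ftpscert.pem
TLSRSACertificateKeyFile /usr/local/ssl/misc/ftpskey.pem
TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem
TLSVerifyClient off
</IfModule>
"""

# Same block with TLS made mandatory on the control channel (constructed).
HARDENED_CONFIG = POSTED_CONFIG.replace("#TLSRequired on\n", "TLSRequired on\n")

DIRECTIVE_RE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s+(?P<value>.+?)\s*$")


def parse_tls_block(text):
    """Return {directive_name_lowercase: value} for active lines inside
    <IfModule mod_tls.c>.

    Commented-out lines ('#...') are ignored, which is exactly what makes the
    posted block weaker than its comments suggest.  Names are matched
    case-insensitively, as proftpd does; the last occurrence wins.
    """
    directives = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() == "<ifmodule mod_tls.c>":
            inside = True
            continue
        if line.lower() == "</ifmodule>":
            inside = False
            continue
        if not inside:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group("name").lower()] = m.group("value")
    return directives


def check_tls_block(text):
    """Return a list of findings; an empty list means nothing to report."""
    d = parse_tls_block(text)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":
        findings.append("TLSEngine is not on: AUTH TLS will be refused")
        return findings
    # proftpd's default for TLSRequired is off.
    required = d.get("tlsrequired", "off").lower()
    if required == "off":
        findings.append("TLSRequired is off or absent: clients may still log in "
                        "without AUTH TLS, so USER/PASS can cross the control "
                        "channel in the clear")
    elif required == "data":
        findings.append("TLSRequired data: data channel protected but the "
                        "control channel (and the password) is not")
    proto = d.get("tlsprotocol", "").lower()
    if "ssl" in proto:
        findings.append("TLSProtocol %s: permits legacy SSL versions"
                        % d["tlsprotocol"])
    for name in ("tlsrsacertificatefile", "tlsrsacertificatekeyfile"):
        if name not in d:
            findings.append("%s missing: server cannot present a certificate"
                            % name)
    return findings


if __name__ == "__main__":
    print("posted:  ", check_tls_block(POSTED_CONFIG))
    print("hardened:", check_tls_block(HARDENED_CONFIG))
```

Run against the posted block the only finding is the absent `TLSRequired`; uncommenting `TLSRequired on` clears it. On a current proftpd you would also restrict `TLSProtocol` to TLSv1.2 or later, which this checker does not insist on because the 1.2.10 build in the thread predates those values.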
TJ Saunders
2004-09-27 16:18:46 UTC
Post by George Zervakos
And yes, there was no NAT either when I had the client connected
directly to the Internet. I temporarily assigned the client a public IP
from our pool of public addresses so there was no NAT necessary.
Hrm...interesting. Do the clients themselves provide any information on
why they think the handshake failed?

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I stood among them, but not of them; in a shroud of thoughts which were
not their thoughts.

-Lord Byron

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
George Zervakos
2004-09-28 14:46:35 UTC
I had the opportunity to test the connection again with no firewall and
no NAT with another laptop using SmartFTP and it worked this time. I
don't know what was with the other laptop I was using earlier. Here's
some log information:
Ed Wilts
2004-09-28 20:28:49 UTC
Post by George Zervakos
I had the opportunity to test the connection again with no firewall and
no NAT with another laptop using SmartFTP and it worked this time. I
don't know what was with the other laptop I was using earlier. Here's
This article might be worthwhile reading:
http://www.ietf.org/internet-drafts/draft-fordh-ftp-ssl-firewall-05.txt

Once you've convinced yourself that you're sunk, you can go to the author's
status for more ftp/tls details:
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

.../Ed
--
Ed Wilts, Mounds View, MN, USA
mailto:***@ewilts.org
George Zervakos
Resolving host name X.X.X.X...
Connecting to (X.X.X.X) -> IP: X.X.X.X PORT: 21
Connected to (X.X.X.X) -> Time = 231ms
Socket connected waiting for login sequence.
220 X.X.X.X FTP server ready
AUTH TLS
234 AUTH TLS successful
PBSZ 0
200 PBSZ 0 successful
USER
331 Password required for .
PASS (hidden)
230 User logged in.
SYST
215 UNIX Type: L8
FEAT
211-Features:
MDTM
REST STREAM
SIZE
AUTH TLS
PBSZ
PROT
211 End
PWD
257 "/" is current directory.
TYPE A
200 Type set to A
PROT P
200 Protection set to Private
PASV
227 Entering Passive Mode (X.X.X.X,221).
LIST -aL
Opening data connection IP: X.X.X.X,221 PORT: 33757.
150 Opening ASCII mode data connection for file list
715 bytes received successfully. (715 B/s) (00:00:01).
226 Transfer complete.
NOOP
200 NOOP command successful
PASV
227 Entering Passive Mode (X.X.X.X,131,222).
RETR new.sh
Opening data connection IP: X.X.X.X,131,222 PORT: 33758.
150 Opening ASCII mode data connection for new.sh (503 bytes)
558 bytes received successfully. (558 B/s) (00:00:01).
226 Transfer complete.
PASV
227 Entering Passive Mode (X.X.X.X,131,223).
RETR jh.sh
Opening data connection IP: X.X.X.X,131,223 PORT: 33759.
150 Opening ASCII mode data connection for jh.sh (503 bytes)
557 bytes received successfully. (557 B/s) (00:00:01).
226 Transfer complete.

There must have been something I was missing on the other laptop I had
used earlier to test the connection. Thanks for your help.

George



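The SmartFTP transcript George posted is the information TJ asked for, and it also illustrates the firewall point in the draft Ed Wilts linked: once `AUTH TLS` succeeds, the `PASV` replies carrying the data-port numbers travel inside TLS, so a NAT or stateful firewall can neither read nor rewrite them, which is why explicit FTPS through NAT so often fails while a directly connected client works. The script below is an added example for this thread, not SmartFTP or proftpd code. It walks a control-channel transcript in order, checks that `USER`/`PASS` were only sent after the server answered `AUTH TLS` with 234 and that data transfers only happened after `PROT P`, and decodes each 227 reply to the TCP port the client had to reach (p1*256 + p2, the same arithmetic behind SmartFTP's "PORT: 33758" lines). The embedded transcript is constructed from the posted one; the 10.0.0.5 address stands in for the redacted X.X.X.X.

```python
"""Audit an explicit-FTPS (AUTH TLS) control-channel transcript.

Constructed example for this thread, not SmartFTP or proftpd code.  It reports
whether credentials and data connections were actually protected, and which
ports the PASV replies handed out (the part a NAT device can no longer see
once the control channel is encrypted).
"""
import re

# Constructed transcript modelled on the posted SmartFTP log; the server
# address 10.0.0.5 and user name are made up (the original was redacted).
TRANSCRIPT = """\
220 10.0.0.5 FTP server ready
AUTH TLS
234 AUTH TLS successful
PBSZ 0
200 PBSZ 0 successful
USER alice
331 Password required for alice.
PASS (hidden)
230 User logged in.
PROT P
200 Protection set to Private
PASV
227 Entering Passive Mode (10,0,0,5,131,221).
LIST -aL
150 Opening ASCII mode data connection for file list
226 Transfer complete.
PASV
227 Entering Passive Mode (10,0,0,5,131,222).
RETR new.sh
150 Opening ASCII mode data connection for new.sh (503 bytes)
226 Transfer complete.
"""

# Same session with the TLS and PROT steps removed (constructed): what a plain
# FTP client would do against a server where TLSRequired is off.
CLEARTEXT_TRANSCRIPT = (TRANSCRIPT
                        .replace("AUTH TLS\n234 AUTH TLS successful\n", "")
                        .replace("PROT P\n200 Protection set to Private\n", ""))

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_COMMANDS = ("LIST", "NLST", "RETR", "STOR", "APPE", "MLSD")


def decode_pasv(reply):
    """Turn a 227 reply into (host, port); port = p1*256 + p2 per RFC 959."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def audit_session(transcript):
    """Walk the transcript in order and report what was (not) protected."""
    tls_on = False       # set once the server answers AUTH TLS with 234
    prot = "C"           # RFC 2228 default: data channel Clear until PROT P
    data_ports = []
    findings = []
    pending = None       # last client command still awaiting its reply
    for line in transcript.splitlines():
        if not line:
            continue
        if line[:3].isdigit():                      # server reply
            code = line[:3]
            if pending == "AUTH TLS" and code == "234":
                tls_on = True
            elif pending == "PROT P" and code == "200":
                prot = "P"
            elif pending == "PASV" and code == "227":
                data_ports.append(decode_pasv(line))
            pending = None
            continue
        pending = line.strip()                      # client command
        verb = pending.split()[0].upper()
        if verb in ("USER", "PASS") and not tls_on:
            findings.append("%s sent before TLS was negotiated" % verb)
        if verb in DATA_COMMANDS and prot != "P":
            findings.append("%s sent with data channel unprotected (PROT %s)"
                            % (verb, prot))
    return {"tls": tls_on, "prot": prot,
            "data_ports": data_ports, "findings": findings}


if __name__ == "__main__":
    for name, t in (("posted", TRANSCRIPT), ("cleartext", CLEARTEXT_TRANSCRIPT)):
        print(name, audit_session(t))
```

For the posted session the audit reports TLS on, `PROT P`, no findings, and data ports 33757 and 33758, matching the client's own "PORT:" lines; the cleartext variant flags both credential commands and both transfers. When a client behind NAT fails at the handshake itself, as in the first post, this check is still useful afterwards: a successful transcript with no findings is the evidence that the fix did not quietly fall back to plain FTP.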