Hi TJ,

Thank you very much for your email. I see I didn't explain my problem well.

On my project, the requirement is that all file transfer must be protected by TLSv1.0 (or later). SSLv3, SSLv2, and unencrypted transfers are all expressly not allowed, on both the control channel and the data channel.

I must ensure that every FTP client who attempts to connect to my proftpd server always gets rejected -- unless it's an FTP-over-TLS (RFC2228) client supporting TLSv1.0 (or later).

Yes, it's proftpd-1.3.0.

I'm using OpenSSL version 0.9.8d. But just commenting out in contrib/mod_tls.c all references to OpenSSL 0.9.7 and earlier (as the 2573 bug report suggested) doesn't solve my problem. The proftpd server is still too "promiscuous": it still allows lftp client users with just SSLv2 or just SSLv3 to connect.

So, what changes do I need to achieve this project restriction? Should I modify mod_tls.c, and if so where? Or should I modify OpenSSL code itself, and if so where?

Also, if possible, I'd like to keep the proftpd.conf directive as
TLSProtocol TLSv1
(not TLSProtocol SSLv23),
to keep the project management and systems administrators from getting worried that their systems security has been downgraded! Would that be at all possible?

Thank you very much.

Fal


TJ Saunders wrote:

You don't specify which version of proftpd you're running, so I'll assume
proftpd-1.3.0.

> I have to use TLSv1. (SSLv3 and SSLv2 are both turned off. Non-TLS
> file transfer is not allowed.)


> But when I try to connect I get this error message:
> TLS/TLS-C requested, starting TLS handshake
> unable to accept TLS connection:
> (1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> TLS/TLS-C negotiation failed on control channel
>
> I saw the above mentioned as a bug on the ProFTPd user mailing list, but
> couldn't understand the workaround being proposed.


The workaround, as documented in the NEWS file, specifically says to use:

TLSProtocol SSLv23

in your proftpd.conf. This configures the OpenSSL library to handle both
SSLv3 and TLSv1 connecting clients.

It sounds like you have an SSL/TLS protocol version mismatch between
mod_tls and your FTPS client.

See:

http://bugs.proftpd.org/show_bug.cgi?id=2573

- Bug 2573 - TLSProtocol directive in proftpd.conf is ignored. By fixing
this bug, sites may find that a mod_tls configuration which worked
prior to 1.3.0rc1 now does not work, failing with an error like
"wrong version number" appearing in the TLSLog. To restore the previous
behavior, these sites can use "TLSProtocol SSLv23" in proftpd.conf.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One is held bound only by those things that oneself deems to hold one
bound.

-TJ Saunders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
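Whatever change is made to mod_tls, the project requirement above is only met once it has been verified from the outside. The following audit script is an added example, not code from this thread or from the proftpd project: it connects to the FTP control channel, issues AUTH TLS (RFC 2228), then sends a minimal ClientHello carrying either the SSLv3 or the TLSv1 version and reports whether the server answers with a ServerHello (that version is accepted) or with an alert or a closed socket (that version is refused, the "wrong version number" case TJ describes). It assumes the server replies 234 to AUTH TLS, covers only SSLv3/TLSv1 record-format hellos (the SSLv2-format hello is not constructed here), and uses a constructed cipher list.

```python
"""Verify which SSL/TLS versions an FTPS server will negotiate after AUTH TLS.
Added audit example; not code from the thread or from proftpd/mod_tls."""
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301}
# Constructed cipher list (AES-128/256-SHA, 3DES-SHA, RC4-MD5, RC4-SHA): enough
# for a 0.9.8-era server to find a common suite if it accepts the version.
CIPHERS = bytes.fromhex("002f" "0035" "000a" "0004" "0005")

def build_client_hello(version):
    """Minimal ClientHello whose record-layer and handshake versions both equal `version`."""
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(CIPHERS)) + CIPHERS             # cipher suites
            + b"\x01\x00")                                          # compression methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 24-bit length
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # record: handshake

def classify_response(data):
    """Map the server's first reply record to 'accepted' / 'rejected' / 'unknown'."""
    if not data:                      # server closed the connection without answering
        return "rejected"
    if data[0] == 0x16 and len(data) > 5 and data[5] == 0x02:  # handshake record, server_hello
        return "accepted"
    if data[0] == 0x15:               # alert record (protocol_version, handshake_failure, ...)
        return "rejected"
    return "unknown"

def probe(host, port, version_name, timeout=5.0):
    """Open the control channel, issue AUTH TLS, send the crafted hello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"220 "):  # skip a multi-line banner
            line = f.readline()
        if not line:
            return "unknown"
        s.sendall(b"AUTH TLS\r\n")
        if not f.readline().startswith(b"234"):       # server refused to start TLS at all
            return "unknown"
        s.sendall(build_client_hello(VERSIONS[version_name]))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "unknown"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 21
    for name in VERSIONS:             # TLSv1-only policy: SSLv3 rejected, TLSv1 accepted
        print(name, probe(host, port, name))
```

Run it against the server before and after the mod_tls change; the data channel is not exercised by this probe, so check it separately with a client such as lftp configured for each protocol.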



_______________________________________________
ProFTPD Users List