# GLFTPD 2.* TLS - Failed TLS negotiation [SOLVED]

## HeXiLeD

I am having a SERIOUS issue with glftpd and the use of TLS

Everything seems to be working, but when I set it up to use TLS in the main conf, the client hangs and fails to complete the connection.

Details:

GLFTPD was installed manually and not using emerge.

dev-tcltk/tls - 1.4.1 - installed

net-libs/gnutls - 1.2.10 - installed

/etc/xinetd.d/glftpd

```
service glftpd
{
 disable         = no
 flags           = REUSE NAMEINARGS
 socket_type     = stream
 protocol        = tcp
 wait            = no
 user            = root
 server          = /usr/sbin/tcpd
 server_args     = /path/to/glftpd/bin/glftpd glftpd -l -L -o -i -e -d -n3 -s /path/to/glftpd/bin/glstrings.bin -r /path/to/glftpd.conf -z cert=/path/to/glftpd-cert/ftpd-dsa.pem
}
```

/etc/xinetd.conf

```
# /etc/xinetd.conf: sample configuration file for xinetd

defaults
{
        instances      = 60
        log_type       = SYSLOG authpriv info
        log_on_success = HOST PID
        log_on_failure = HOST
        cps            = 25 30
}

includedir /etc/xinetd.d
```

Some relevant glftpd.conf settings:

```
# If you have dsa cert file
DSA_CERT_FILE /path/to/glftpd-cert/ftpd-dsa.pem

CIPHERS_FOR_CTRL HIGH

# ciphers for dirlists
# CIPHERS_FOR_DIR MEDIUM:HIGH:LOW
CIPHERS_FOR_DIR HIGH

# ciphers for other data transfers
# CIPHERS_FOR_DATA MEDIUM:HIGH:LOW
# The higher the cypher is the slower the upload is
CIPHERS_FOR_DATA HIGH

# TLS enforcements.
userrejectsecure        !*
userrejectinsecure       *
denydiruncrypted         *
denydatauncrypted        *

# TLS_FTPS [0/1] (0 is default)
#    if 1 glftpd will run in ftps mode, whole connection from the beginning
#    will be in ssl mode... (except for connections from bouncers, those must
#    supply IDNT command first) (note that data connection is set the ssl mode
#    too, use PROT command to switch back if you want) (check ftp-tls draft for more info)
#    (for normal ftp server you dont want this)
TLS_FTPS 0
#(note it works with '0' but the issue is when i set it to '1')

valid_ip ( the internal box ip is specified here)
active_addr ( i have tested this setting either using the internal box ip and the external fqdn)
pasv_addr ( i have tested this setting either using the internal box ip and the external fqdn) 1
pasv_ports (also specified/open and used, the range has 15 ports open)
active_ports (also specified/open and used, the range has 15 ports open)

rootpath        /path/to/glftpd/
datapath        /ftp-data

# The config file used when we receive a SIGHUP signal
reload_config   /path/to/glftpd/glftpd.conf
```

To create the ssl/tls CERT i used the tool provided with glftpd:

create_server_key.sh

```
 # ./create_server_key.sh
create_server_key.sh v1.0 by Slask&HoE
Usage: ./create_server_key.sh [rsa] info
info - can be any word, and it should inform the client
       about the server he is logging in (for example servername)
rsa - if you dont specify this then DSA key will be created
certificate is for 900 days and is self-signed
```

Under /etc/hosts I have my FQDN specified.

i.e. `<box internal ip> <my.dns.domain>/<fqdn>`

In this setting I in fact have more than one FQDN and a few other names. They all point to the same IP.

Note: the FQDN ones point to my WAN IP, which is forwarded to the LAN IP in the router.

FTP clients that I am using and that support SSL/TLS:

Windows: FileZilla

NIX: LFTP

I have read /glftpd/docs/README.TLS

*Quote:*

> ------------------------------------------------------------------------
> 
> first of all, what is ftp TLS :
> 
> ------------------------------------------------------------------------
> ...

LFTP has been compiled like this: net-ftp/lftp-3.4.6  +gnutls +nls -socks5 +ssl

Errors and issues:

Main problem is simple:

If I try to connect to glftpd while it uses TLS_FTPS 1 in its conf, my client (lftp) hangs when it tries to 'list' or use 'site cmd'.

in glftpd/ftp-data/logs/error.log

I get: Failed TLS negotiation on control channel, disconnected.

At first the error was simple; I thought...

connecting with: `lftp -u <user> -p <port> <fqdn/ip/dnsdomain> -d`

I decided to change TLS_FTPS 1 to '0' and tried to connect with the debug option. The output was 'clear':

```
---- Connecting to <fqdn> (<internal ip) <port>
<--- 220 <hostname> (glFTPd 2.01 Linux+TLS) ready.
---> FEAT
<--- 211- Extensions supported:
<---  AUTH TLS
<---  AUTH SSL
<---  PBSZ
<---  PROT
<---  CPSV
<---  SSCN
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  SYST
<--- 211 END
---> AUTH TLS
<--- 234 AUTH TLS successful
---> USER <testing>
Certificate: CN=<certificate-name>
 Issued by: CN=<certificate-name>
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '<my-fqdn>'
<--- 331 Password required for <testing>.
---> PASS XXXX
<--- 230 User <testing> logged in.
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (<internal-ip>,255,247)
---- Connecting data socket to (<internal-ip) port 
---- Data connection established
---> LIST
<--- 150 Opening BINARY mode data connection for directory listing using SSL/TLS.
Certificate: CN=<certificate-name>
 Issued by: CN=<certificate-name>
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '<my-fqdn>'
---- Got EOF on data connection
---- Closing data socket
```

At this point I thought, and I believe I was right, that I had to make a 'proper' certificate matching the FQDN; so I did.

The output was:

```
---- Connecting to <fqdn> (internal-ip) port 
<--- 220-
<--- 220 hostname (glFTPd 2.01 Linux+TLS) ready.
---> FEAT
<--- 211- Extensions supported:
<---  AUTH TLS
<---  AUTH SSL
<---  PBSZ
<---  PROT
<---  CPSV
<---  SSCN
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  SYST
<--- 211 END
---> AUTH TLS
<--- 234 AUTH TLS successful
---> USER <testing>
Certificate: CN=<proper-fqdn>
 Issued by: CN=<proper-fqdn>
WARNING: Certificate verification: Not trusted
<--- 331 Password required for <testing>.
---> PASS XXXX
<--- 230 User <testing>logged in.
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (<internal-ip>,255,251)
---- Connecting data socket to (<internal-ip> port 
---- Data connection established
---> LIST
<--- 150 Opening BINARY mode data connection for directory listing using SSL/TLS.
Certificate: CN=<proper-fqdn>
 Issued by: CN=<proper-fqdn>
WARNING: Certificate verification: Not trusted
---- Got EOF on data connection
---- Closing data socket
```

It looked like it was 'solved', and now I decided to go back to glftpd.conf and change TLS_FTPS 0 to '1'.

What happens now is that the client still hangs on connection. The client output stops at:

```
<--- 220-
`ls' at 0 [FEAT negotiation...] 
```

glftpd/ftp-data/logs/error.log shows:

```
Mon Jun  5 17:15:10 2006 [6200    ]command: PBSZ 0
Mon Jun  5 17:15:10 2006 [6200    ] command: PROT P
Mon Jun  5 17:15:10 2006 [6200    ] command: PASV
Mon Jun  5 17:15:10 2006 [6200    ] command: LIST
Mon Jun  5 17:18:10 2006 [6200    ] command: QUIT
```

and the old error when I do Ctrl+C in the client, or when it times out:

```
Mon Jun  5 17:22:26 2006 [6497    ] Failed TLS negotiation on control channel, disconnected.
```

So now I am lost. I have read most if not all other forums here related to glftpd+tls.

I read the draft-murray-auth-ftp-ssl-xx.txt, which was a bit confusing.

Checked this glftpd forum and this one that had more info about this.

Google wasn't very friendly, and most info I got had something related to firewalls and/or other FTP servers using TLS.

As for the #glftpd support channel... well... aren't they famous for... not supporting that much? :Sad:

And now I am lost. I believe that this might have to do with some misconfiguration here, but I need some help trying to figure out where.

----------

## HeXiLeD

Today I spent all my free time trying to figure out more about this issue.

Some conclusions and tests:

- I reinstalled glftpd manually on the box where it was (Gentoo amd64 stage1 install)
- I did a fresh install on another box (Gentoo 32-bit stage3 install)
- I also did a fresh install on another box with a Fedora 32-bit install

Ftp clients used:

Linux : gftp, kasablanca, ftp, lftp, ncftp, fireftp

Windows: filezilla, fireftp, flashftp

In all those fresh glftpd installs I decided not to change anything in the default conf other than TLS_FTPS and the other encryption settings.

It all worked until I changed TLS_FTPS 0 to 1, and they all failed to access the server when the TLS_FTPS option was turned to 1.

*Quote:*

> Failed TLS negotiation on control channel, disconnected

I also noticed that, for some reason and even with ftp:ssl-auth TLS set in lftp, I wasn't able to upload or download from the server even with the server using TLS_FTPS 0.

The output error message was:

Access failed: 522 You have to turn on secure data connection

So I did... `ftp:ssl-auth TLS`, and nothing...

From the 64-bit Gentoo to the 32-bit Gentoo and Fedora there were only a couple of changes.

With the 64-bit one I noticed that /glftpd/etc/ld.so.conf only had

```
/emul/linux/x86/lib
/lib
/lib/tls
/lib32
/lib32/tls
/lib64
```

and was missing:

/lib64/tls

which I added later.

Related to this, inside /glftpd I also had a few more dirs:

/lib     /lib32     /lib64

The other 32-bit installs had only /lib in ld.so.conf and in the /glftpd dir.

This didn't change much, other than the fact that when I connected it gave me different login output.

Where before I got:

```
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '<my-fqdn>'
```

now the 32-bit OSes were giving:

```
Certificate depth: 0; subject: /ST=. /CN=server; issuer: /ST=. /CN=server
<--- 150 Opening BINARY mode data connection for directory listing using SSL/TLS.
Certificate depth: 0; subject: /ST=. /CN=server; issuer: /ST=. /CN=server
WARNING: Certificate verification: self signed certificate
```

===> This tells me that glftpd on 64-bit might need a tune-up, if not more <===

Other than this, I also got the following output from FlashFXP:

```
[L] 220 box (glFTPd 2.01 Linux+TLS) ready.
[L] AUTH TLS
[L] 234 AUTH TLS successful
[L] Connected. Negotiating TLSv1 session..
[L] TLSv1 negotiation successful...
[L] TLSv1 encrypted session using cipher DHE-DSS-AES256-SHA (256 bits)
[L] PBSZ 0
[L] 200 PBSZ 0 successful
[L] USER mike
[L] 331 Password required for <user>.
[L] PASS (hidden)
[L] 215 UNIX Type: L8
[L] FEAT
[L] 211- Extensions supported:
[L]  AUTH TLS
[L]  AUTH SSL
[L]  PBSZ
[L]  PROT
[L]  CPSV
[L]  SSCN
[L]  MDTM
[L]  SIZE
[L]  REST STREAM
[L]  SYST
[L] 211 END
[L] PWD
[L] 257 "/" is current directory.
[L] TYPE A
[L] 200 Type set to A.
[L] PROT P
[L] 200 Protection set to Private
[L] PASV
[L] 227 Entering Passive Mode (<lan ip>,255,239)
[L] Opening data connection IP: <wan ip> PORT: <xxxx>
[L] LIST -al
[L] Connected. Negotiating TLSv1 session..
[L] 150 Opening ASCII mode data connection for directory listing using SSL/TLS.
[L] TLSv1 negotiation successful...
[L] TLSv1 encrypted session using cipher DHE-DSS-AES256-SHA (256 bits)
```

It says it's "using TLSv1" because the client has the TLS connection option turned on. However, I don't really know if it's really using it, since the server had TLS_FTPS set to 0.

Can anyone confirm?

Right now I only have a few questions, and all I need is a yes or a no to try to figure out a few more things.

A: Is there anyone else using glftpd installed manually on a 64-bit Gentoo install that is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?

B: Is there anyone that emerged glftpd on a 64-bit Gentoo and is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?

C: Anyone with a 32-bit Gentoo who is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?

D: Anyone with glftpd version 2.0.1 installed who is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?

*note: this is glftpd 2.0.1

----------

## bol

I had the same issue on a server (i686).

And I just couldn't get FTPS working.

But then i read this explanation: http://help.globalscape.com/help/secureserver2/Explicit_versus_implicit_SS.htm

Even if you have FTP_TLS set to "0", you still have an encrypted connection; it's just that the handshake is completed later in the process.

Implicit FTPS isn't a real standard, and isn't supported by many FTP clients, but with some reconfiguration of Kasablanca, it works fine.

I have read that it should work with FlashFXP too, but I haven't confirmed this.

Implicit FTPS is not activated by default.

So I believe it's on the client side that the problem is.

I haven't found any other clients that support Implicit FTPS.

Good luck!
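The explicit/implicit distinction described above is exactly what makes a client that waits for a plaintext 220 banner hang against TLS_FTPS 1: the server is silent until it sees a TLS ClientHello, and the client is silent until it sees the banner. As an added example (not from this thread or from glftpd), the following Python probe classifies a listener by which side is expected to speak first; the loopback listener is a constructed test fixture, and the TLS branch disables verification because it is a diagnostic, not a session that carries credentials.

```python
import socket
import ssl
import threading


def probe_ftp_mode(host, port, timeout=3.0):
    """Return 'explicit' if the listener greets in plaintext (AUTH TLS style),
    'implicit' if it stays silent and then answers a TLS handshake with a 220
    banner (TLS_FTPS 1 behaviour), or 'unknown' for anything else."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(64)
        except socket.timeout:
            first = b""  # nothing arrived: the server is waiting on us
        if first.startswith(b"220"):
            return "explicit"
        if first:
            return "unknown"  # some other protocol or an unexpected banner
        # Silent listener: open TLS from byte zero, as an implicit FTPS
        # client would, and expect the 220 banner inside the TLS channel.
        # Verification is off because this probe is a diagnostic only.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                banner = tls.recv(64)
        except (ssl.SSLError, OSError):
            return "unknown"  # handshake refused or connection dropped
        return "implicit" if banner.startswith(b"220") else "unknown"


def start_fake_listener(banner):
    """Constructed loopback stand-in for a server: accepts one connection,
    sends `banner` (or closes at once when None) and returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run against a real glftpd port, "explicit" means clients must use AUTH TLS and "implicit" means they must be configured for implicit FTPS before sending anything.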

----------

## m4chine

I have installed glftpd-2.01 from portage and have it configured using implicit FTPS (TLS_FTPS=1) on amd64 with no problems. I myself am using KFTPGrabber to make the connection which does support Implicit SSL.

Let me know if you are still having issues and I can post any relevant configs.

Cheers!

----------

## HeXiLeD

I tried it with FileZilla and gftp using FTPS mode and the login still hangs after it gets the MOTD.

I cannot login using TLS_FTPS 1

----------

## HeXiLeD

10 years later... :Laughing:

TLS_FTPS 1 works with FileZilla 3.12.0.2+ and tested with:

glFTPd 2.07.1 (Dec 27 2016) 64BiT Linux+TLS(OpenSSL 1.1.0c  10 Nov 2016)+SSP

ncftp: no ssl 

lftpd: does not seem to work

`$ cat .lftp/rc`

```
set ftp:use-feat no
set ssl:verify-certificate no
set ftp:ssl-allow true
set ftp:ssl-force true
set ftp:ssl-protect-data true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ftp:ssl-auth TLS
set ftp:passive-mode no
set ssl:priority NORMAL:+VERS-TLS1.1:+VERS-TLS1.2
```

Seems the problems are now on the client side. I will consider this topic SOLVED.

----------

