Red Hat Bugzilla – Bug 459607
SSL connections are not correctly shutdown
Last modified: 2016-07-26 09:27:02 EDT
Description of problem: vsftpd 2.0.7 provides the necessary fix for the ECONNABORTED issue with FileZilla and other clients. Please update the vsftpd package to 2.0.7. Here is a line from the changelog:
- Shutdown the SSL data connections properly. This prevents clients such as recent FileZilla from complaining. Reported by various people.
The current build of vsftpd with SSL connections is unusable with FileZilla.
Additional info: Here is a description of the issue from the vsftpd developer:
Created attachment 314952 [details]
backport of changes from upstream version
correct link for upstream info
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Created attachment 316749 [details]
smaller patch to fix ssl shutdown
Created attachment 317331 [details]
Shutdown SSL connection properly
This should work ok. It omits all the new ssl config options that were added in 2.0.7 and just makes sure the shutdown is done properly.
As I understand it, both vendors, vsftpd and FileZilla, see this as a *security* issue. As long as vsftpd doesn't correctly shut down the TLS connections, there is a security issue with all the clients that do not mind that. So, in my opinion, this fix should be included in the next possible minor release or even as a security update.
I'll open an SR with RH support to get this officially patched in case no one else has yet.
Opened SR 1883694 for this incident in case anyone else wants to reference it.
Built some unofficial RPMs here:
I can confirm that an FTPES connect with Filezilla to the vsftpd from these rpms works.
Created attachment 333868 [details]
I think it's necessary to NULLify the SSL struct pointer after freeing since the ssl_data_close() function might get called twice in case of uploads. This fixes the crash from the comment #26 in my tests.
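Added example, not part of the thread or of the attached patch: a self-contained C model of the double close described in the comment above, showing why clearing the pointer after the free makes a repeated close harmless. The mock_ssl type, the session struct and all function names here are hypothetical stand-ins so the code builds without OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>

/* Mock SSL object (not OpenSSL): slots come from a static pool and are never
 * reused, so a stale access can be counted instead of corrupting the heap. */
struct mock_ssl { int freed; int close_notify_sent; };
static struct mock_ssl pool[8];
static size_t next_slot;
static int stale_uses;

static struct mock_ssl *mock_ssl_new(void) {
    return next_slot < 8 ? &pool[next_slot++] : NULL;
}
static void mock_ssl_shutdown(struct mock_ssl *s) {  /* models sending close_notify */
    if (s->freed) stale_uses++; else s->close_notify_sent = 1;
}
static void mock_ssl_free(struct mock_ssl *s) {
    if (s->freed) stale_uses++; else s->freed = 1;
}

struct session { struct mock_ssl *p_data_ssl; };  /* hypothetical session state */

/* Model of the crash: the object is released but the pointer still looks live. */
static void data_close_dangling(struct session *sess) {
    if (sess->p_data_ssl != NULL) {
        mock_ssl_shutdown(sess->p_data_ssl);
        mock_ssl_free(sess->p_data_ssl);
    }
}

/* Model of the fix: clear the pointer so a repeated close is a no-op. */
static void data_close_idempotent(struct session *sess) {
    if (sess->p_data_ssl == NULL) return;
    mock_ssl_shutdown(sess->p_data_ssl);
    mock_ssl_free(sess->p_data_ssl);
    sess->p_data_ssl = NULL;
}

/* Close the same data connection twice and report accesses to a freed object. */
static int stale_uses_after_two_closes(void (*close_fn)(struct session *)) {
    struct session sess;
    sess.p_data_ssl = mock_ssl_new();
    stale_uses = 0;
    close_fn(&sess);
    close_fn(&sess);
    return stale_uses;
}

int main(void) {
    printf("dangling pointer: %d stale uses\n", stale_uses_after_two_closes(data_close_dangling));
    printf("pointer cleared:  %d stale uses\n", stale_uses_after_two_closes(data_close_idempotent));
    return 0;
}
```

With a real SSL object, each stale use counted here would be a use-after-free or double free in the server process.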
~~ Attention - RHEL 5.4 Beta Released! ~~
RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!
If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.
Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.
Questions can be posted to this bug or your customer or partner representative.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.