Bug 459607 - SSL connections are not correctly shutdown
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vsftpd
5.2
All Linux
medium Severity medium
Assigned To: Jiri Skala
Reported: 2008-08-20 10:23 EDT by Mark
Modified: 2016-07-26 09:27 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-09-02 05:39:25 EDT


Attachments
backport of changes from upstream version (29.47 KB, patch), 2008-08-25 19:14 EDT, Justin Payne
smaller patch to fix ssl shutdown (5.77 KB, patch), 2008-09-15 09:43 EDT, Justin Payne
Shutdown SSL connection properly (552 bytes, patch), 2008-09-21 19:11 EDT, Martin Nagy
Improved patch (584 bytes, patch), 2009-03-03 06:39 EST, Tomas Smetana


External Trackers
Tracker ID Priority Status Summary Last Updated
CentOS 3311 None None None Never

Description Mark 2008-08-20 10:23:35 EDT
Description of problem: vsftpd 2.0.7 provides necessary fix for ECONNABORTED issue with filezilla and other clients.  Please update vsftpd package to 2.0.7.  Here is a line from the changelog: - Shutdown the SSL data connections properly. This prevents clients such as recent FileZilla from complaining. Reported by various people.

Current build of vsftpd with ssl connections is unusable with filezilla.



Additional info: Here is a description of the issue from the vsftpd developer:
http://scarybeastsecurity.blogspot.com/
Comment 1 Justin Payne 2008-08-25 19:14:22 EDT
Created attachment 314952
backport of changes from upstream version
Comment 4 Martin Poole 2008-09-05 10:39:45 EDT
correct link for upstream info

 http://scarybeastsecurity.blogspot.com/2008/07/on-ftp-ssl-and-broken-interfaces.html
Comment 5 RHEL Product and Program Management 2008-09-05 10:43:29 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 11 Justin Payne 2008-09-15 09:43:40 EDT
Created attachment 316749
smaller patch to fix ssl shutdown
Comment 14 Martin Nagy 2008-09-21 19:11:47 EDT
Created attachment 317331
Shutdown SSL connection properly

This should work ok. It omits all the new ssl config options that were added in 2.0.7 and just makes sure the shutdown is done properly.
Comment 19 Kai Schaetzl 2008-12-21 13:04:58 EST
As I understand both vendors, vsftpd and filezilla, see this as a *security* issue. As long as vsftpd doesn't correctly shut down the TLS connections there is a security issue with all the clients that do not mind that. So, in my opinion this fix should be included in the next possible minor release or even as a security update.
Comment 20 Ray Van Dolson 2009-01-02 11:21:15 EST
I'll open an SR with RH support to get this officially patched in case no one else has yet.
Comment 21 Ray Van Dolson 2009-01-02 11:26:23 EST
Opened SR 1883694 for this incident in case anyone else wants to reference it.
Comment 22 Ray Van Dolson 2009-01-02 12:57:47 EST
Built some unofficial RPMs here:

  http://rayvd.fedorapeople.org/vsftpd/
Comment 23 Kai Schaetzl 2009-01-03 07:45:17 EST
I can confirm that an FTPES connect with Filezilla to the vsftpd from these rpms works.
Comment 28 Tomas Smetana 2009-03-03 06:39:47 EST
Created attachment 333868
Improved patch

Hello,
  I think it's necessary to NULLify the SSL struct pointer after freeing since the ssl_data_close() function might get called twice in case of uploads.  This fixes the crash from the comment #26 in my tests.
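
The close-twice hazard described in comment 28, as an added example that is not the attached patch or vsftpd's own code: a data-connection close routine that shuts the TLS session down, frees the handle, and clears the pointer so a second call is a no-op. Only the name `ssl_data_close` comes from this report; `struct mock_ssl`, `struct session`, `p_data_ssl` and the `mock_ssl_*` helpers are hypothetical stand-ins for an OpenSSL `SSL *` with `SSL_shutdown()` and `SSL_free()`, so the example runs without OpenSSL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for an OpenSSL handle (hypothetical; real code holds an SSL *). */
struct mock_ssl { int close_notify_sent; };

static int g_shutdown_calls; /* times the TLS close_notify was sent */
static int g_free_calls;     /* times the handle was released */

/* Plays the role of SSL_shutdown(): tell the peer the stream ended cleanly. */
static void mock_ssl_shutdown(struct mock_ssl *s) { s->close_notify_sent = 1; g_shutdown_calls++; }

/* Plays the role of SSL_free(). */
static void mock_ssl_free(struct mock_ssl *s) { g_free_calls++; free(s); }

/* Hypothetical session layout: one TLS handle for the data connection. */
struct session { struct mock_ssl *p_data_ssl; };

/* Safe to call repeatedly: returns 1 if it closed a live connection,
 * 0 if the connection was already closed. */
int ssl_data_close(struct session *sess) {
    struct mock_ssl *s = sess->p_data_ssl;
    if (s == NULL)
        return 0;               /* second call on the upload path lands here */
    mock_ssl_shutdown(s);       /* shut down before the handle goes away */
    mock_ssl_free(s);
    sess->p_data_ssl = NULL;    /* without this, the next call frees it again */
    return 1;
}

/* Simulates an upload where the close routine runs twice; returns 1 when
 * exactly one shutdown and one free happened. */
int demo_upload_close_twice(void) {
    struct session sess = { calloc(1, sizeof(struct mock_ssl)) };
    if (sess.p_data_ssl == NULL)
        return -1;
    g_shutdown_calls = g_free_calls = 0;
    int first = ssl_data_close(&sess);
    int second = ssl_data_close(&sess);
    return first == 1 && second == 0 && g_shutdown_calls == 1 &&
           g_free_calls == 1 && sess.p_data_ssl == NULL;
}

int main(void) {
    printf("close-twice handled safely: %d\n", demo_upload_close_twice());
    return 0;
}
```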
Comment 46 Chris Ward 2009-07-03 14:06:37 EDT
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 50 errata-xmlrpc 2009-09-02 05:39:25 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1282.html
