Gentoo Forums :: Networking & Security
vsftpd - SSL_read or login incorrect [SOLVED, finally]
salmonix
Guru
Joined: 16 Jul 2006
Posts: 410

Posted: Sat May 12, 2012 6:33 am    Post subject: vsftpd - SSL_read or login incorrect [SOLVED, finally]

Hi there,
I have a vsftpd server. All went fine, but after an upgrade I receive complaints about the connection. The traffic is low, so the problem occurred sometime after some upgrade. I can't recall. We are behind a firewall, but that is opened for us properly.

The vsftpd.conf:
Quote:
listen=YES
nopriv_user=ftpsecure
connect_from_port_20=YES
max_per_ip=4
ftpd_banner=Welcome to FACE-R service
idle_session_timeout=600

pam_service_name=vsftpd

pasv_enable=YES
pasv_address=10.10.13.3
pasv_min_port=26985
pasv_max_port=26988
hide_ids=yes
local_enable=YES
dirmessage_enable=YES
write_enable=YES
check_shell=NO

xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES

chroot_list_enable=YES

ssl_enable=yes
require_ssl_reuse=no
allow_anon_ssl=no
force_local_data_ssl=no
force_local_logins_ssl=yes
ssl_tlsv1=yes
ssl_sslv2=no
ssl_sslv3=no
rsa_cert_file=/etc/CA/MYca.pem
rsa_private_key_file=/etc/CA/private/MYpriv.pem
debug_ssl=YES


The /etc/pam.d/vsftpd file is
Quote:
auth required pam_listfile.so item=user sense=allow file=/etc/vsftpd/vsftp_users onerr=succeed
auth include system-auth
account include system-auth
session include system-auth


The users are listed in /etc/vsftpd/vsftp_users file.

If I attempt connection with a regular user that has shell 'nologin' and not chrooted, I receive the following error from vsftpd:
Quote:
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "220 Welcome to MY service"
Sat May 12 08:16:02 2012 [pid 5240] FTP command: Client "****", "FEAT"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "211-Features:"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " AUTH TLS??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " EPRT??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " EPSV??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " MDTM??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " PASV??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " PBSZ??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " PROT??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " REST STREAM??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " SIZE??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " TVFS??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", " UTF8??"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "211 End"
Sat May 12 08:16:02 2012 [pid 5240] FTP command: Client "****", "AUTH TLS"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "234 Proceed with negotiation."
Sat May 12 08:16:02 2012 [pid 5240] DEBUG: Client "****", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Sat May 12 08:16:02 2012 [pid 5240] FTP command: Client "****", "OPTS UTF8 ON"
Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "200 Always in UTF8 mode."
Sat May 12 08:16:02 2012 [pid 5240] FTP command: Client "****", "USER test"
Sat May 12 08:16:02 2012 [pid 5240] [test] FTP response: Client "****", "331 Please specify the password."
Sat May 12 08:16:02 2012 [pid 5240] [test] FTP command: Client "****2", "PASS <password>"
Sat May 12 08:16:04 2012 [pid 5239] [test] FAIL LOGIN: Client "****2"
Sat May 12 08:16:05 2012 [pid 5240] [test] FTP response: Client "****", "530 Login incorrect."
Sat May 12 08:16:05 2012 [pid 5240] DEBUG: Client "****", "Connection terminated without SSL shutdown - buggy client?"


lftp says this:
Quote:
---- Connecting to SERVERIP
<--- 220 Welcome to MY service
---> FEAT
<--- 211-Features:
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- UTF8
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate depth: ( CERTIFICATE DETAILS )
WARNING: Certificate verification: self signed certificate
WARNING: Certificate verification: certificate subject name 'xxx' does not match target host name 'IP' # < has not been a problem for 2 years
<--- 200 Always in UTF8 mode.
---> USER test
<--- 331 Please specify the password.
---> PASS XXXX
<--- 530 Login incorrect.
---- Closing control socket
ls: Login failed: 530 Login incorrect.


Now, commenting the pam service out in vsftpd (or removing the pam.d/vsftpd file), the end of the error message changes - lftp:
Quote:
<--- 200 Always in UTF8 mode.
---> USER test
<--- 331 Please specify the password.
---> PASS XXXX
**** SSL_read: wrong version number
---- Closing control socket
ls: Fatal error: SSL_read: wrong version number

- vsftpd.log:
Quote:
Sat May 12 08:27:28 2012 [pid 5323] [test] FTP response: Client "87.97.59.12", "331 Please specify the password."
Sat May 12 08:27:28 2012 [pid 5323] [test] FTP command: Client "87.97.59.12", "PASS <password>"
Sat May 12 08:27:28 2012 [pid 5322] [test] OK LOGIN: Client "87.97.59.12"

So, it seems that connection is ok for vsftpd. Lftp has
Quote:
set ssl:verify-certificate off
due to the self-signed certificate we use.
Unfortunately, no other clients can connect.
_________________
Quis custodiet ipsos, custodes?

Last edited by salmonix on Wed May 30, 2012 7:43 pm; edited 1 time in total
salmonix
Guru
Joined: 16 Jul 2006
Posts: 410

Posted: Sat May 26, 2012 8:37 pm

Well, I have not gotten closer to anything. From an ArchLinux ( x86_64 ) lftp I have this error:

Quote:
ls: Fatal error: gnutls_record_recv: An unexpected TLS packet was received.


I have found a blog entry with a similar problem, perhaps, but I have the same error after removing gnutls from the server. (Nothing depends on it.) And unfortunately I am not that expert with openssl issues.

Any idea?
salmonix
Guru
Joined: 16 Jul 2006
Posts: 410

Posted: Wed May 30, 2012 7:43 pm

Now, the error message is absolutely misleading. On filezilla I received
Quote:
Error: GnuTLS error -8: A record packet with illegal version was received.
Error: Could not connect to server


and googling this line I ended up with the idea of testing vsftpd without ssl. This showed me the real problem: vsftpd could not find the chroot_list file. According to the man page it is in /etc/ by default (I have not changed it with the chroot_list_file option), but vsftpd was looking for it in the /etc/vsftpd/ directory.
Creating the file, the error is gone and ssl works again.
Conclusion: Do not trust the error message. Go w/o ssl and see what is happening.
lanthruster
n00b
Joined: 01 Jan 2012
Posts: 29

Posted: Sun Jan 05, 2014 8:38 am

Ran into the same problem; the misleading client messages and the absence of information in vsftpd.log are still there with vsftpd 3.0.2-r2.

Thanks for finding it out.

salmonix wrote:
Now, the error message is absolutely misleading. On filezilla I received
Quote:
Error: GnuTLS error -8: A record packet with illegal version was received.
Error: Could not connect to server


and googling this line I ended up with the idea of testing vsftpd without ssl. This showed me the real problem: vsftpd could not find the chroot_list file. According to the man page it is in /etc/ by default (I have not changed it with the chroot_list_file option), but vsftpd was looking for it in the /etc/vsftpd/ directory.
Creating the file, the error is gone and ssl works again.
Conclusion: Do not trust the error message. Go w/o ssl and see what is happening.
archenroot
Apprentice
Joined: 13 Dec 2011
Posts: 205
Location: Lake Macha, Czech Republic

Posted: Sun Oct 25, 2015 11:57 pm    Post subject: Another issue with chroot jail

I faced:
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server

with solution to:
https://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/

In general, any issue reported as a GnuTLS error in the client should be examined first by trying to disable SSL, as it seems to be hiding all the standard faults.
It is strange that with different underlying root causes a different specific GnuTLS error is reported. I am happy it is working, but I would like to see the packet content for these issues....
_________________
Emperor wants to control outer space Yoda wants to explore inner space that's the fundamental difference between good and bad sides of the Force
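The pattern salmonix and archenroot describe (a server-side vsftpd fault such as a missing chroot list or a writable chroot root showing up on the client as "SSL_read: wrong version number" or a GnuTLS "illegal version" error) can be seen in the raw bytes on the control socket. The helper below is an added example written for this thread, not code from vsftpd or any poster; it assumes that, once the client has sent AUTH TLS and expects TLS records, a failing vsftpd writes its "500 OOPS" reply in plaintext on the same socket, and all sample bytes are constructed.

```python
"""Added diagnostic for this thread: what a TLS client sees when vsftpd
answers in plaintext on a control channel that is supposed to be encrypted.

Assumption (not taken from vsftpd's docs): after "AUTH TLS"/"234 Proceed", a
server-side failure such as a missing chroot list makes vsftpd write a
plaintext "500 OOPS: ..." reply straight to the socket. OpenSSL/GnuTLS then
parse those ASCII bytes as a 5-byte TLS record header and report a bogus
version error, which is why the real cause only shows up with SSL off.
"""
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_control_bytes(data: bytes) -> dict:
    """Classify the first bytes read from the FTP control socket after AUTH TLS.

    Returns {"kind": "tls", ...} for a well-formed record header,
    {"kind": "plaintext_ftp", ...} for an unencrypted FTP reply (including the
    header a TLS library would wrongly derive from it), or "short"/"unknown".
    """
    if len(data) < 5:
        return {"kind": "short", "detail": "fewer than 5 bytes, cannot classify"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype in TLS_CONTENT_TYPES and version >> 8 == 0x03:
        return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[ctype],
                "version": f"0x{version:04x}", "length": length}
    text = data.decode("ascii", errors="replace")
    # FTP reply: three digits, then a space (final line) or '-' (multi-line).
    if len(text) >= 4 and text[:3].isdigit() and text[3] in " -":
        return {"kind": "plaintext_ftp", "code": int(text[:3]),
                "text": text.split("\r\n", 1)[0],
                # The digits "500 " read as record type 0x35, version 0x3030:
                # not 0x03xx, hence "wrong version number" / "illegal version".
                "misparsed_as": f"type=0x{ctype:02x} version=0x{version:04x}"}
    return {"kind": "unknown", "detail": data[:16].hex()}


if __name__ == "__main__":
    # Constructed samples: a TLS 1.0 handshake record header (healthy case) and
    # a plaintext OOPS reply modelled on the missing chroot_list failure above.
    samples = [b"\x16\x03\x01\x00\x31" + b"\x00" * 0x31,
               b"500 OOPS: could not open chroot() list file\r\n"]
    for s in samples:
        print(classify_control_bytes(s))
```

Capturing the control connection with a packet sniffer and feeding the first bytes after "234 Proceed with negotiation." into this function tells you whether the server ever spoke TLS at all, which answers archenroot's question about packet content without disabling SSL.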