PureFTP TLS problem

Hi,
I'm trying to use pureftp on TLS

I've followed this http://wiki.centos-webpanel.com/how-to-install-tls-for-ftp
I use the script provided by CWP on the scripts folder.. everything went fine.. anyway..

Using Filezilla I'm having this problem..

Status:   Connecting to xxx.xxx.xxx.xxx:21...
Status:   Connection established, waiting for welcome message...
Status:   Initializing TLS...
Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing
Status:   Disconnected from server
Status:   Connecting to xxx.xxx.xxx.xxx:21...
Status:   Connection established, waiting for welcome message...
Status:   Initializing TLS...
Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing

and it goes and goes like that..

Does anyone know how to fix this?

Thanks!!

What is your configuration for the following parameters?:
TLS
TLSCipherSuite
CertFile

Regards,
Netino

Hi Netino,
I've used the CWP script to install TLS on the server..
this is what is written at the end of the pure-ftpd.conf file

TLS 1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
CertFile /etc/pki/tls/private/hostname.pem

Do I need to change or add something?
thanks for helping!

SSL for PureFTP is actually done through Server Settings -> Change Hostname.

I don't think this is an SSL issue you're having. Did you by any change enable passive ports?

Hi Netino,
I've used the CWP script to install TLS on the server..
this is what is written at the end of the pure-ftpd.conf file

TLS 1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
CertFile /etc/pki/tls/private/hostname.pem

Do I need to change or add something?
thanks for helping!

The file /etc/pki/tls/private/hostname.pem must be a special file, composed by Private Key, Certificate and Intermediary Certificates.
Check that (this just can be checked by you)
If it's ok, seems your TLS configuration don't have any problem.

Try to check you /var/log/messages file, rigth after connect, issuing the following command:

Code: [Select]

# grep 'pure-ftpd' /var/log/messages | tail -50

Hi Netino,
I've used the CWP script to install TLS on the server..
this is what is written at the end of the pure-ftpd.conf file

TLS 1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
CertFile /etc/pki/tls/private/hostname.pem

Do I need to change or add something?
thanks for helping!

The file /etc/pki/tls/private/hostname.pem must be a special file, composed by Private Key, Certificate and Intermediary Certificates.
Check that (this just can be checked by you)
If it's ok, seems your TLS configuration don't have any problem.

Try to check you /var/log/messages file, rigth after connect, issuing the following command:

Code: [Select]

# grep 'pure-ftpd' /var/log/messages | tail -50

Hi Netino, thank you very much for your help..

I've checked and everything seems to be fine.. with the hostname.pem file..
also, after trying again.. I did what you suggested..: grep 'pure-ftpd' /var/log/messages | tail -50
this is what I got..
Mar 18 18:10:31 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] testing is now logged in
Mar 18 18:11:48 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] New connection from xxx.xx.xx.xx
Mar 18 18:11:49 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] TLS: Enabled TLSv1/SSLv3 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Mar 18 18:11:50 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] testing is now logged in
Mar 18 18:12:13 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] New connection from xx.xx.xx.xx
Mar 18 18:12:14 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] TLS: Enabled TLSv1/SSLv3 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits cipher
Mar 18 18:12:14 ip-xxx-xx-xx-xx pure-ftpd: (?@xx.xx.xx.xx) [INFO] testing is now logged in

still despite that logs.. while using filezilla I got this..

Status:   Connecting to xx.xx.xx.xx:21...
Status:   Connection established, waiting for welcome message...
Status:   Initializing TLS...
Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing
Status:   Disconnected from server
Status:   Connecting to xx.xxx.xx.xx:21...
Status:   Connection established, waiting for welcome message...
Status:   Initializing TLS...
Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Status:   Server sent passive reply with unroutable address. Using server address instead.

I'm using a AWS EC2 server..CWP is installed can connect perfectly with standard FTP.. this is a testing server.. and wanted to try the TLS.. still can't figure out what's going on.. I'm forcing Filezila to connect in Active mode..

Any other ideas?
thanks!!!

i'm tellling you. I don't think this is an SSL issue.

Code: [Select]

grep 'PassivePortRange' /etc/pure-ftpd/pure-ftpd.confPost results here

Also, if you're using FileZilla as the client, what did you set the "Transfer mode" to?


Also, please enable detailed logs in Filezilla and post the result here again with that enabled

Also remember that you have to add the passive ports to csf firewall both in and out for passive FTP to work.

i'm tellling you. I don't think this is an SSL issue.

Code: [Select]

grep 'PassivePortRange' /etc/pure-ftpd/pure-ftpd.confPost results here

Also, if you're using FileZilla as the client, what did you set the "Transfer mode" to?


Also, please enable detailed logs in Filezilla and post the result here again with that enabled

Hi Iraqiboy90 I'm using Passive mode, also tried Active mode.. as this is a TESTING the CWP Firewall is OFF.. I'm only using AWS
Sec Group with 21,22,80,443,2030,2031,3306 ports open.. only..
thanks!

Also remember that you have to add the passive ports to csf firewall both in and out for passive FTP to work.

Hi rcschaff! Thank you for your post..
Like I was telling Iraqiboy90. .as this is a Testing server, I'm not using CWP firewall, it's disabled.. never set that up..
I'm just using AWS sec Group where the incoming traffic can only access ports 21,22,80,443,2030,2031,3306.. and the outgoing traffic is open to every port.. is there something else I should do there?
Thanks for your help!

Please set the ports as described below, and add them to the firewall:

http://wiki.centos-webpanel.com/pure-ftpd-setup-passive-ftp-ports

Hi rcschaff!
Thank you for your reply..
I didn't know about the passive ports.. I've followed the instructions.. yet the problem remains..
I've set the passive ports and also enabled the CSF with the ports..
below as you can see.. the connection got established.. and logged in (so it means that user, pass, port are ok) but then I've got this message "Failed to retrieve directory listing"..

Status:   TLS connection established.
Status:   Logged in
Status:   Retrieving directory listing...
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing

Thank you for helping me out..

Does it work properly without using a TLS connection?

Does it work properly without using a TLS connection?

Yes, in plain FTP connection, port 21 and in Active mode works 100%..

Could it be that AWS force you to have a NAT setting? CWP only works in nat settings when you are in AWS..  but I'm not sure..
Thank you for all your suggestions..

If your server is behind a NAT, then you have a lot more configuring to do.  It would be easiest to troubleshoot if you gave the layout of your network.  If you're concerned about publishing the information, please send a PM