[BlueOnyx:16349] Re: Pootle-Patchday Issues II : ProFTPd fixed (sort of)

Michael Stauber mstauber at blueonyx.it
Fri Oct 31 07:43:04 -05 2014


Hi Chris,

> So I had a look at /etc/xinetd.d/proftpd and here is line 12:
>          server_args             = -c /etc/proftpd.conf
> 
> And here is line 13:
>          server_args             = -4 -c /etc/proftpd.conf
> 
> Sure enough, server_args are getting passed twice.

Doh. Where did that come from? <sigh>. But then again, there is more to
this mess.

Even FTPS is a constant hit and miss. You can test it from the command
line with "openssl s_client -connect <IP>:990"

For me that flip flops between giving the full cert information such as
this:

------------------------------------------------------------
mstauber at beast:~/$ openssl s_client -connect 5108r.smd.net:990
CONNECTED(00000003)
depth=0 C = CO, ST = Quindio, L = Armenia, O = SOLARSPEED.NET, OU = SMD.NET, CN = 5108r.smd.net, emailAddress = mstauber at solarspeed.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CO, ST = Quindio, L = Armenia, O = SOLARSPEED.NET, OU = SMD.NET, CN = 5108r.smd.net, emailAddress = mstauber at solarspeed.net
verify return:1
---
Certificate chain
 0 s:/C=CO/ST=Quindio/L=Armenia/O=SOLARSPEED.NET/OU=SMD.NET/CN=5108r.smd.net/emailAddress=mstauber at solarspeed.net
   i:/C=CO/ST=Quindio/L=Armenia/O=SOLARSPEED.NET/OU=SMD.NET/CN=5108r.smd.net/emailAddress=mstauber at solarspeed.net
---
Server certificate
subject=/C=CO/ST=Quindio/L=Armenia/O=SOLARSPEED.NET/OU=SMD.NET/CN=5108r.smd.net/emailAddress=mstauber at solarspeed.net
issuer=/C=CO/ST=Quindio/L=Armenia/O=SOLARSPEED.NET/OU=SMD.NET/CN=5108r.smd.net/emailAddress=mstauber at solarspeed.net
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 92AC9FF07A9060243B92CC504F6BF1F15BA80DA7716F87889FC1EED2CF7601B3
    Session-ID-ctx:
    Master-Key: A9A8A7D378185CE71C6BEF8694D2F43F8BE7D657E7BB834D5138D4485AD5FD330C2BB88A85519C94D90ACEE92299D0CB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1414758809
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 ProFTPD 1.3.5 Server (ProFTPD server) [208.67.251.187]
------------------------------------------------------------

And then sporadically and out of the blue it throws this:
------------------------------------------------------------
mstauber at beast:~/$ openssl s_client -connect 5108r.smd.net:990
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
------------------------------------------------------------

When I reconnect or try a few times more (without restarting xinetd or
anything) it simply works again.

vsftpd anyone? I'm getting sick and tired of ProFTPd.

-- 
With best regards

Michael Stauber
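
A lint check for the duplicate server_args assignment found in /etc/xinetd.d/proftpd above, as an added example that is not part of the original message or of BlueOnyx. The function names, the sample file and its server path are constructed, and the check assumes attributes are written as "name = value" with whitespace around the operator and the braces on their own lines.

```shell
#!/bin/sh
# Report attributes assigned more than once with "=" inside each service
# block of an xinetd file. "+=" and "-=" lines are skipped on purpose,
# because xinetd uses those operators to modify an existing value.
# Output, one line per finding:
#   <file>:<line>: <service>: <attr> already set on line <n>
xinetd_dup_attrs() {
    awk '
        /^[ \t]*#/             { next }                      # comment
        /^[ \t]*service[ \t]+/ { svc = $2; next }            # block header
        /^[ \t]*\{/            { inblock = 1; split("", seen); next }
        /^[ \t]*\}/            { inblock = 0; next }
        inblock && $2 == "=" {
            if ($1 in seen)
                printf "%s:%d: %s: %s already set on line %d\n",
                       FILENAME, FNR, svc, $1, seen[$1]
            else
                seen[$1] = FNR
        }
    ' "$@"
}

# Constructed sample modelled on the two server_args lines quoted above.
# Its line numbers and the server path are made up for the example.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the real BlueOnyx file
service ftp
{
        socket_type             = stream
        wait                    = no
        server                  = /path/to/proftpd
        server_args             = -c /etc/proftpd.conf
        server_args             = -4 -c /etc/proftpd.conf
        log_on_success          += DURATION
        log_on_success          += USERID
}
EOF
}

# Stand-alone use: pass one or more xinetd service files as arguments.
if [ "$#" -gt 0 ]; then
    xinetd_dup_attrs "$@"
fi
```

Running it over every file in /etc/xinetd.d after a package update shows whether an update script appended an attribute that was already present.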
