明文 FTP 功能完全正常;显式 SSL(AUTH TLS)连不上。
在服务器本机用 lftp 测试可以连上,从远程客户端连不上。
服务器关闭防火墙再测试,结果也一样。
vsftpd 配置的是显式SSL。
vsftpd SSL相关配置:
#ssl tls
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
# NOTE: 这两项为 NO 时,本地用户可以不经 TLS 明文登录/传输,口令会明文经过网络。
# 排障期间临时放开可以,定位完问题后应改回 YES。
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/path/to/vsftpd/etc/vsftpd.pem
#the *.pem file contains both the key and cert (含私钥,权限应设为 0600,仅 root 可读)
rsa_private_key_file=/path/to/vsftpd/etc/vsftpd.pem
#ssl_ciphers=DES-CBC3-SHA
debug_ssl=YES
证书用的是自签名的( /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem )。
这个错误是用wireshark 抓取ftp客户端与服务器通信时的数据包时发现的。
ip.src_host eq ftp服务器IP && ftp
500 OOPS: error:00000000:lib(0):func(0):reason(0)\r\n
Response code: Syntax error, command unrecognized (500)
OOPS: error:00000000:lib(0):func(0):reason(0)
filezilla日志:
20:33:10 状态: 连接建立,等待欢迎消息...
20:33:10 追踪: CFtpControlSocket::OnReceive()
20:33:10 响应: 220 Welcome to hacklog FTP service(serve-u 6.5).
20:33:10 追踪: CFtpControlSocket::SendNextCommand()
20:33:10 命令: AUTH TLS
20:33:10 追踪: CFtpControlSocket::OnReceive()
20:33:10 响应: 234 Proceed with negotiation.
20:33:10 状态: 初始化 TLS 中...
20:33:10 追踪: CTlsSocket::Handshake()
20:33:10 追踪: CTlsSocket::ContinueHandshake()
20:33:10 追踪: CTlsSocket::OnSend()
20:33:10 追踪: CTlsSocket::OnRead()
20:33:10 追踪: CTlsSocket::ContinueHandshake()
20:33:59 错误: 连接超时
20:33:59 追踪: CControlSocket::DoClose(2050)
20:33:59 追踪: CFtpControlSocket::ResetOperation(2114)
20:33:59 追踪: CControlSocket::ResetOperation(2114)
20:33:59 错误: 无法连接到服务器
20:33:59 追踪: CFileZillaEnginePrivate::ResetOperation(2114)
flashfxp
[R] AUTH TLS
[R] 234 Proceed with negotiation.
然后卡住了
[R] Failed SSL/TLS negotiation, disconnected
[R] Connection failed (Connection timed out)
首先我怀疑是openssl lib的问题,于是把openssl 1.0.1 编译安装到 /usr/local
然后重新编译vsftpd,强制它优先搜索 /usr/local/lib ,ld 链接时链接到 /usr/local/lib/libsslxxxxxxx
[vsftpd-3.0.2]# ldd vsftpd
linux-gate.so.1 => (0x00610000)
libwrap.so.0 => /lib/libwrap.so.0 (0x005c4000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00178000)
libpam.so.0 => /lib/libpam.so.0 (0x00f5d000)
libdl.so.2 => /lib/libdl.so.2 (0x0029a000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00bc5000)
libutil.so.1 => /lib/libutil.so.1 (0x00ec5000)
libcap.so.1 => /lib/libcap.so.1 (0x0055d000)
libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x001ba000)
libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x009ad000)
libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0x002ea000)
libaudit.so.0 => /lib/libaudit.so.0 (0x00b8c000)
/lib/ld-linux.so.2 (0x00198000)
再测试vsftpd , ftp 正常。 显式SSL ftp 还是同样不能正常连接上。
同样不行,看来不是openssl 版本的问题。
[root@ihacklog logs]# /usr/bin/openssl ciphers -v | grep 'DES-CBC3-SHA'
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
vsftpd 3.0.x 默认 ssl_ciphers=DES-CBC3-SHA(3DES)。本机 lftp 能用它协商成功(见下面的 DEBUG 行 "SSL cipher: DES-CBC3-SHA"),所以密码套件不是这里的症结;不过 3DES 已经不安全、新客户端也常默认禁用,排障结束后建议改成 ssl_ciphers=HIGH。
跟踪网络调用:
[root@ihacklog logs]# strace -e trace=network ../sbin/vsftpd
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 32) = 0
accept(3, {sa_family=AF_INET, sin_port=htons(27069), sin_addr=inet_addr("220.248.166.66")}, [16]) = 4
accept(3, 0xbffc683c, [28]) = ? ERESTARTSYS (To be restarted)
--- SIGCHLD (Child exited) @ 0 (0) ---
客户端:
FlashFXP 4.3.0 (build 1946)
[R] 220 Welcome to xxxx.
[R] AUTH TLS
[R] 234 Proceed with negotiation.
[R] Connected. Negotiating SSL/TLS session
[R] Failed SSL/TLS negotiation, disconnected
[R] Connection failed (Connection timed out)
跟踪所有进程(包括fork出来的进程):
# strace -f -e trace=all ../sbin/vsftpd
[pid 27522] write(0, "220 Welcome to hacklog FTP servi"..., 50) = 50
[pid 27522] rt_sigaction(SIGALRM, {0x423420, ~[RTMIN RT_1], 0}, NULL, 8) = 0
[pid 27522] alarm(300) = 300
[pid 27522] mmap2(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f45000
[pid 27522] mprotect(0xb7f47000, 4096, PROT_NONE) = 0
[pid 27522] mprotect(0xb7f45000, 4096, PROT_NONE) = 0
[pid 27522] recv(0, "AUTH TLS\r\n", 4096, MSG_PEEK) = 10
[pid 27522] read(0, "AUTH TLS\r\n", 10) = 10
[pid 27522] gettimeofday({1363684523, 316217}, NULL) = 0
[pid 27522] fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xbfc03834) = 0
[pid 27522] write(3, "Tue Mar 19 17:15:23 2013 [pid 27"..., 86) = 86
[pid 27522] fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfc03838) = 0
[pid 27522] gettimeofday({1363684523, 317072}, NULL) = 0
[pid 27522] fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xbfc03804) = 0
[pid 27522] write(3, "Tue Mar 19 17:15:23 2013 [pid 27"..., 108) = 108
[pid 27522] fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfc03808) = 0
[pid 27522] write(0, "234 Proceed with negotiation.\r\n", 31) = 31
[pid 27522] time(NULL) = 1363684523
[pid 27522] read(0,
到这里客户端卡住,服务器端也没有新的 trace 输出:服务器在发出 234 之后阻塞在 read(0, ...) 上,说明客户端发出的 TLS ClientHello(FileZilla 日志里的 CTlsSocket::OnSend())根本没有到达 vsftpd;整整 60 秒后(17:15:23 → 17:16:23)read 才返回 0,即对端关闭。握手的第一个字节都没收到,所以这不是证书或密码套件的问题。
然后服务器端:
[pid 27522] read(0, "", 11) = 0
[pid 27522] gettimeofday({1363684583, 390088}, NULL) = 0
[pid 27522] fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xbfc037c4) = 0
[pid 27522] write(3, "Tue Mar 19 17:16:23 2013 [pid 27"..., 130) = 130
[pid 27522] fcntl64(3, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfc037c8) = 0
[pid 27522] fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
[pid 27522] fcntl64(0, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 27522] write(0, "500 OOPS: ", 10) = 10
[pid 27522] write(0, "error:00000000:lib(0):func(0):re"..., 39) = 39
[pid 27522] write(0, "\r\n", 2) = 2
[pid 27522] exit_group(2) = ?
Process 27522 detached
[pid 27521] <... read resumed> 0xbfc03973, 1) = ? ERESTARTSYS (To be restarted)
[pid 27521] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 27521] alarm(1) = 0
[pid 27521] sigreturn() = ? (mask now [])
[pid 27521] alarm(0) = 1
[pid 27521] wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 2}], 0, NULL) = 27522
[pid 27521] exit_group(0) = ?
Process 27521 detached
<... accept resumed> 0xbfc0396c, [28]) = ? ERESTARTSYS (To be restarted)
--- SIGCHLD (Child exited) @ 0 (0) ---
alarm(1) = 0
sigreturn() = ? (mask now [])
alarm(0) = 1
waitpid(-1, NULL, WNOHANG) = 27521
waitpid(-1, NULL, WNOHANG) = -1 ECHILD (No child processes)
accept(3,
客户端则是:
[R] Failed SSL/TLS negotiation, disconnected
[R] Connection failed (Connection timed out)
在服务器上用lftp测试,
lftp 配置:
vim ~/.lftprc
set ssl:verify-certificate no
set ftp:ssl-allow true
set ftp:ssl-force true
set ftp:ssl-protect-data true
set ftp:ssl-protect-list true
debug 4
再测试:
Tue Mar 19 17:32:56 2013 [pid 27802] CONNECT: Client "127.0.0.1"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", "220 Welcome to xxxxxxxxxxx."
Tue Mar 19 17:32:56 2013 [pid 27802] FTP command: Client "127.0.0.1", "FEAT"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", "211-Features:"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " AUTH TLS??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " EPRT??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " EPSV??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " MDTM??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " PASV??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " PBSZ??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " PROT??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " REST STREAM??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " SIZE??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " TVFS??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", " UTF8??"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", "211 End"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP command: Client "127.0.0.1", "AUTH TLS"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", "234 Proceed with negotiation."
Tue Mar 19 17:32:56 2013 [pid 27802] DEBUG: Client "127.0.0.1", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP command: Client "127.0.0.1", "OPTS UTF8 ON"
Tue Mar 19 17:32:56 2013 [pid 27802] FTP response: Client "127.0.0.1", "200 Always in UTF8 mode."
Tue Mar 19 17:32:56 2013 [pid 27802] FTP command: Client "127.0.0.1", "USER ftp用户名"
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] FTP response: Client "127.0.0.1", "331 Please specify the password."
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] FTP command: Client "127.0.0.1", "PASS <password>"
Tue Mar 19 17:32:56 2013 [pid 27801] [ftp用户名] OK LOGIN: Client "127.0.0.1"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "230 Login successful."
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "PWD"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "257 "/""
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "PBSZ 0"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "200 PBSZ set to 0."
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "PROT P"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "200 PROT now Private."
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "PROT P"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "200 PROT now Private."
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "PASV"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,9,1,160,59)."
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "LIST"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "150 Here comes the directory listing."
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, reused, no cert"
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: NONE"
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Tue Mar 19 17:32:56 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL ret: 0, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 0"
Tue Mar 19 17:32:56 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "226 Directory send OK."
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "CWD /hacklog"
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "250 Directory successfully changed."
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "PASV"
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,160,58)."
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "LIST"
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "150 Here comes the directory listing."
Tue Mar 19 17:33:00 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, reused, no cert"
Tue Mar 19 17:33:00 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: NONE"
Tue Mar 19 17:33:00 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Tue Mar 19 17:33:00 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Tue Mar 19 17:33:00 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Tue Mar 19 17:33:00 2013 [pid 27802] [ftp用户名] DEBUG: Client "127.0.0.1", "SSL ret: 0, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 0"
Tue Mar 19 17:33:00 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "226 Directory send OK."
Tue Mar 19 17:33:12 2013 [pid 27803] [ftp用户名] FTP command: Client "127.0.0.1", "QUIT"
Tue Mar 19 17:33:12 2013 [pid 27803] [ftp用户名] FTP response: Client "127.0.0.1", "221 Goodbye."
这次 lftp 可以成功执行 ftp 命令了。
日志里仍有 "SSL ret: 0, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 0",但这一行出现在数据连接 LIST 传完、状态已是 SSL_SENT_SHUTDOWN 之后,紧接着就是 "226 Directory send OK":ret 0、errno 0、错误队列为空,是 SSL_shutdown 关闭数据连接时的正常状态,不是故障。
===================================================================================================
定位到 vsftpd/ssl.c
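/* Map an SSL_get_error() category to a short, stable description.
 *
 * Needed because a handshake can fail with an EMPTY OpenSSL error queue
 * (peer hung up, timeout, socket error); in that case ERR_get_error()
 * returns 0 and ERR_error_string(0) renders the useless
 * "error:00000000:lib(0):func(0):reason(0)" seen in the logs above.
 */
static const char*
ssl_accept_failure_reason(int ssl_err)
{
  switch (ssl_err)
  {
    case SSL_ERROR_ZERO_RETURN:
      return "SSL_ERROR_ZERO_RETURN: peer closed the TLS connection";
    case SSL_ERROR_SYSCALL:
      return "SSL_ERROR_SYSCALL: connection closed or I/O error during TLS handshake";
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
      return "SSL_ERROR_WANT_READ/WRITE: handshake incomplete on a non-blocking socket";
    case SSL_ERROR_SSL:
      return "SSL_ERROR_SSL: protocol error during TLS handshake";
    default:
      return "unknown SSL_get_error() category";
  }
}

/* Create a server-side SSL object for fd and run the TLS handshake.
 *
 * p_sess: session whose p_ssl_ctx supplies the certificate/key and
 *         protocol settings; also the target for debug log lines.
 * fd:     already-connected socket to wrap (control or data channel).
 *
 * Returns the handshaken SSL* on success, NULL if the SSL object could not
 * be created or bound to fd. A failed handshake is fatal: die() is called,
 * which (per the strace above) writes "500 OOPS: <reason>" to the peer and
 * exits the session process.
 *
 * On failure the reason is taken from SSL_get_error() when OpenSSL's error
 * queue is empty, so an EOF from the peer is reported as such instead of
 * as an all-zero error code.
 */
static SSL*
get_ssl(struct vsf_session* p_sess, int fd)
{
  int accept_ret;
  SSL* p_ssl = SSL_new(p_sess->p_ssl_ctx);
  if (p_ssl == NULL)
  {
    if (tunable_debug_ssl)
    {
      str_alloc_text(&debug_str, "SSL_new failed");
      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
    }
    return NULL;
  }
  if (!SSL_set_fd(p_ssl, fd))
  {
    if (tunable_debug_ssl)
    {
      str_alloc_text(&debug_str, "SSL_set_fd failed");
      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
    }
    SSL_free(p_ssl);
    return NULL;
  }
  accept_ret = SSL_accept(p_ssl);
  if (accept_ret != 1)
  {
    /* Order matters here: SSL_get_error() must see the return value before
     * anything touches the error queue, and ERR_peek_error() must run before
     * get_ssl_error() pops the queue.
     */
    int ssl_err = SSL_get_error(p_ssl, accept_ret);
    int queue_was_empty = (ERR_peek_error() == 0);
    const char* p_err = get_ssl_error();
    const char* p_reason = ssl_accept_failure_reason(ssl_err);
    if (tunable_debug_ssl)
    {
      str_alloc_text(&debug_str, "SSL_accept failed: ");
      str_append_text(&debug_str, p_err);
      str_append_text(&debug_str, " (");
      str_append_text(&debug_str, p_reason);
      str_append_text(&debug_str, ")");
      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
    }
    /* The RFC is quite clear that we can just close the control channel
     * here. Prefer the SSL_get_error() category when the queue had nothing
     * to say, otherwise the client only sees "error:00000000:...".
     */
    die(queue_was_empty ? p_reason : p_err);
  }
  if (tunable_debug_ssl)
  {
    /* Summarise the negotiated session; the peer certificate is only
     * present when client-certificate authentication was used.
     */
    const char* p_ssl_version = SSL_get_cipher_version(p_ssl);
    const SSL_CIPHER* p_ssl_cipher = SSL_get_current_cipher(p_ssl);
    const char* p_cipher_name = SSL_CIPHER_get_name(p_ssl_cipher);
    X509* p_ssl_cert = SSL_get_peer_certificate(p_ssl);
    int reused = SSL_session_reused(p_ssl);
    str_alloc_text(&debug_str, "SSL version: ");
    str_append_text(&debug_str, p_ssl_version);
    str_append_text(&debug_str, ", SSL cipher: ");
    str_append_text(&debug_str, p_cipher_name);
    str_append_text(&debug_str, reused ? ", reused" : ", not reused");
    if (p_ssl_cert != NULL)
    {
      str_append_text(&debug_str, ", CERT PRESENTED");
      /* SSL_get_peer_certificate() returns a new reference; release it. */
      X509_free(p_ssl_cert);
    }
    else
    {
      str_append_text(&debug_str, ", no cert");
    }
    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
  }
  return p_ssl;
}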
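/* Pop the oldest entry from OpenSSL's error queue and render it as text.
 *
 * ERR_get_error() returns 0 when nothing is queued, and ERR_error_string(0)
 * then produces "error:00000000:lib(0):func(0):reason(0)" -- exactly the
 * string in the logs above. An empty queue after a failed SSL_accept()
 * means the failure was not an OpenSSL-level error but an EOF/IO condition
 * (SSL_get_error() -> SSL_ERROR_SYSCALL / SSL_ERROR_ZERO_RETURN), so say
 * that explicitly instead of emitting the all-zero code.
 *
 * Returns a pointer to static storage (ERR_error_string's internal buffer
 * or a string literal): the caller must not free or modify it, and it is
 * overwritten by the next call. vsftpd runs one session per forked process
 * (see the strace above), so the shared buffer is not a concurrency issue
 * here.
 */
static char*
get_ssl_error()
{
  unsigned long err_code;
  SSL_load_error_strings();
  err_code = ERR_get_error();
  if (err_code == 0)
  {
    return "no OpenSSL error queued (peer closed connection, timeout or socket error)";
  }
  return ERR_error_string(err_code, NULL);
}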
openssl 返回的错误信息是: "SSL_accept failed: error:00000000:lib(0):func(0):reason(0)"
error:00000000:lib(0):func(0):reason(0) 其实是 ERR_get_error() 返回 0、再经 ERR_error_string(0) 格式化出来的结果——意思是 OpenSSL 的错误队列是空的。SSL_accept 失败却没有入队任何错误,对应的是 SSL_get_error() 的 SSL_ERROR_SYSCALL / SSL_ERROR_ZERO_RETURN(对端在握手期间关闭了连接、超时或 socket 出错),这和上面 strace 里的 read(0, "", 11) = 0 完全吻合。要拿到真正的原因,应该在 SSL_accept 之后先调 SSL_get_error(p_ssl, ret) 再看 errno,而不是只看 ERR_get_error()。
好像遇到这个问题的人还蛮多。不过我没找到有解决方案。
如: vsftpd SSL problems http://ubuntuforums.org/showthread.php?t=1567724
呃,m$ 的也来这个错误。。。
Problem with FtpWebRequest and reusing ssl session
http://social.msdn.microsoft.com/Forums … ea0d5637a/
也不是这个问题:
http://www.proftpd.org/docs/howto/TLS.html
补充:
后来用 filezilla 和 flashfxp 登录测试,SSL 完全正常!但过一段时间再测试,又不行了。时好时坏,再加上服务器侧在回复 234 之后根本没收到 ClientHello,更像是客户端到服务器之间网络路径的问题(例如对 21 端口做 FTP 协议检查的 NAT/防火墙/ALG,或运营商 DPI,把 AUTH TLS 之后的 TLS 数据丢掉了),而不是 vsftpd 或 OpenSSL 本身的问题。
应该不是随机数发生器的问题。(http://bbs.csdn.net/topics/110001423)
也不是ssl版本问题( http://www.vpser.net/manage/kloxo-netwo … rror.html)
虽然是 ftp 协议,其实也可以用 openssl s_client 查看:openssl s_client -connect HOST:21 -starttls ftp -showcerts 会先发 AUTH TLS 再做 TLS 握手。分别在服务器本机和远程跑一遍,能直接对比握手是在哪一侧卡住的。
SSL_accept 的返回值是多少?
对出问题的 FTP 客户端也 strace 一下(加 -tt 时间戳,便于和服务器端阻塞的 read 对齐);如果是中途 attach 上去的,把 lsof 结果也附上。
服务器那边的感觉不够全的样子。