06-13-2012 04:57 AM
I have a problem with an FTPS connection using Stingray Traffic Manager and Filezilla FTP client.
The problem is only visible when Traffic Manager option "ftp!ssl_data" is set to "Yes" in the Virtual Server's SSL decryption settings.
When this option is enabled, the FTPS data connection is unexpectedly closed by the Traffic Manager and I can see the following error on the client:
Response: 227 Entered Passive Mode (178,248,184,249,39,129)
Trace: Trying to resume existing TLS session.
Trace: TLS Handshake successful
Trace: TLS Session resumed
Trace: Cipher: ARCFOUR-128, MAC: SHA1
Response: 125 Data connection already open; Transfer starting.
Response: 226 Transfer complete.
Trace: CTlsSocket::OnSocketEvent(): close event received
Trace: CTransferSocket::OnReceive(), m_transferMode=0
Trace: CTlsSocket::Failure(-9, 0)
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
Error: Failed to retrieve directory listing
As seen here: http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688 this might be because Stingray Traffic Manager does not close the SSL session with a 'close_notify' alert as described in RFC 4217 (http://tools.ietf.org/html/rfc4217#page-21). Because of this, the FTP client cannot distinguish Stingray Traffic Manager from an attacker sending spoofed FIN TCP packets to the server.
Does someone know how to fix this without just disabling the "ftp!ssl_data" option? If this is a bug, will it be fixed in a future release?
For the test, I have used Stingray Traffic Manager v8.1 and Filezilla FTP client v3.5.3 (latest release).
06-16-2012 10:08 AM
I think you should check if the "ssl_send_close_alerts" option is enabled or not.
To do so, open your virtual server configuration, then SSL Decryption, scroll down and verify that the ssl_send_close_alerts check box is set to yes.
That should fix your problem.
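One way to confirm from a packet capture that the data connection now ends with an alert record, as an added example that is not part of the original thread or of any Stingray or FileZilla code: walk the TLS record headers of the reassembled server-to-client bytes and look at the last record before the TCP close. It assumes TLS 1.2 or earlier, where the outer record type is visible; the alert body is encrypted, so this shows that an alert was sent, not that it was specifically close_notify. The function names and sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
KNOWN_TYPES = (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA)

def parse_records(stream: bytes):
    """Split one direction of a TLS stream into (content_type, length) pairs.

    Returns (records, leftover). leftover > 0 means the TCP stream ended
    part-way through a record.
    """
    records, pos = [], 0
    while len(stream) - pos >= 5:
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in KNOWN_TYPES:
            raise ValueError(f"not a TLS record at offset {pos}")
        if pos + 5 + length > len(stream):
            break  # header present, body cut off
        records.append((ctype, length))
        pos += 5 + length
    return records, len(stream) - pos

def classify_close(stream: bytes) -> str:
    """Describe how the sender ended the stream before the TCP close."""
    records, leftover = parse_records(stream)
    if leftover:
        return "truncated-record"
    if records and records[-1][0] == ALERT:
        return "alert-before-close"
    return "no-alert-before-close"

def record(ctype: int, payload: bytes, version: int = 0x0301) -> bytes:
    """Build a constructed sample record; payload stands in for ciphertext."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

# Constructed samples: abbreviated resumed handshake, then one listing record.
HANDSHAKE_PART = (record(HANDSHAKE, b"\x00" * 80)
                  + record(CHANGE_CIPHER_SPEC, b"\x01")
                  + record(HANDSHAKE, b"\x00" * 36))
LISTING = record(APPLICATION_DATA, b"\x00" * 200)
WITH_ALERT = HANDSHAKE_PART + LISTING + record(ALERT, b"\x00" * 22)
WITHOUT_ALERT = HANDSHAKE_PART + LISTING   # TCP close with no alert record
CUT_SHORT = WITH_ALERT[:-10]               # stream ends inside a record

if __name__ == "__main__":
    for name in ("WITH_ALERT", "WITHOUT_ALERT", "CUT_SHORT"):
        print(name, classify_close(globals()[name]))
```

A "no-alert-before-close" result on the server-to-client side of the data connection matches the condition the FileZilla trace reports as "Server did not properly shut down TLS connection".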