vADC Forum

N/A
Posts: 1
Registered: ‎11-29-2012

Traffic Manager does not properly close FTPS data connection?

Hello,

 

I have a problem with FTPS connections using Stingray Traffic Manager and the FileZilla FTP client.

 

The problem is only visible when Traffic Manager option "ftp!ssl_data" is set to "Yes" in the Virtual Server's SSL decryption settings.

 

When this option is enabled, the FTPS data connection is unexpectedly closed by the Traffic Manager and I can see the following error on the client:

 

Command:    PASV
Response:    227 Entered Passive Mode (178,248,184,249,39,129)
Command:    LIST
Trace:    Trying to resume existing TLS session.
Trace:    TLS Handshake successful
Trace:    TLS Session resumed
Trace:    Cipher: ARCFOUR-128, MAC: SHA1
Response:    125 Data connection already open; Transfer starting.
Response:    226 Transfer complete.
Trace:    CTlsSocket::OnRead()
Trace:    CTlsSocket::OnRead()
Trace:    CTlsSocket::OnSocketEvent(): close event received
Trace:    CTransferSocket::OnReceive(), m_transferMode=0
Trace:    CTlsSocket::Failure(-9, 0)
Error:    GnuTLS error -9: A TLS packet with unexpected length was received.
Status:    Server did not properly shut down TLS connection
Error:    Could not read from transfer socket: ECONNABORTED - Connection aborted
Error:    Failed to retrieve directory listing

 

As seen here: http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688 this might be because Stingray Traffic Manager does not close the SSL session with a 'close_notify' alert as described in RFC 4217 (http://tools.ietf.org/html/rfc4217#page-21). Doing this, the FTP client cannot distinguish Stingray Traffic Manager from an attacker sending spoofed FIN TCP packets to the server.

 

Does someone know how to fix this without just disabling the "ftp!ssl_data" option? If this is a bug, will it be fixed in a further release?

 

For the test, I have used Stingray Traffic Manager v8.1 and FileZilla FTP client v3.5.3 (latest release).

 

Regards,

 

Florian

Occasional Contributor
Posts: 9
Registered: ‎11-29-2012

Re: Traffic Manager does not properly close FTPS data connection?

Hi Florian,

 

I think you should check if the "ssl_send_close_alerts" option is enabled or not.

To do so, open your virtual server configuration, then SSL Decryption, scroll down and verify that the ssl_send_close_alerts check box is set to yes.

 

That should fix your problem.

 

Cheers ;)

 

Yannick
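
To confirm from a packet capture whether the data connection ends with a TLS alert record before the TCP FIN (the close_notify behaviour discussed in this thread), the following added example, which is not from the thread or from any vendor tooling, walks the server-to-client TLS records of one connection. It assumes TLS 1.2 or earlier, as with the ARCFOUR-128/SHA1 session in the log, where the record type is sent in clear; the function names and sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def walk_records(stream: bytes):
    """Yield (type_name, length) per complete TLS record; raise if cut off."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("stream ends inside a record header")
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {pos}")
        if pos + 5 + length > len(stream):
            raise ValueError("stream ends inside a record body")
        yield CONTENT_TYPES[ctype], length
        pos += 5 + length

def classify_close(stream: bytes) -> str:
    """Classify how the sender ended its side of the TLS stream before FIN."""
    try:
        records = list(walk_records(stream))
    except ValueError:
        return "truncated-record"
    if not records:
        return "no-tls-data"
    # After the handshake the alert body is encrypted, so only the record
    # type is visible; a final alert record is taken to be close_notify.
    return "alert-before-fin" if records[-1][0] == "alert" else "fin-without-alert"

def record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record (helper for the constructed samples below)."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body

# Constructed samples: server-to-client bytes of a resumed data connection.
# Bodies are filler; an RC4-SHA1 alert is 2 alert bytes plus a 20-byte MAC.
HANDSHAKE = record(22, b"\x00" * 81) + record(20, b"\x01") + record(22, b"\x00" * 36)
LISTING = record(23, b"\x00" * 150)
CLEAN = HANDSHAKE + LISTING + record(21, b"\x00" * 22)
ABRUPT = HANDSHAKE + LISTING  # FIN arrives right after the listing data

if __name__ == "__main__":
    for name, sample in (("close alert sent", CLEAN), ("no close alert", ABRUPT)):
        print(name, "->", classify_close(sample))
```

A result of "fin-without-alert" on the data connection matches the client-side "Server did not properly shut down TLS connection" status shown in the first post.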
