Pure-FTPd Breaks with OpenSSL v1.1.1

Status changed to 'Confirmed' because the bug affects multiple users.

Latest version of Filezilla has issues connecting to pure-ftpd-mysql server. I hope this package will be updated any time soon to fix the issue.

I also have this issue.

I hope this package will be updated any time soon to fix the issue.

I'm still experiencing this issue. I hope it will be fixed soon.

Just encountered this.

Ubuntu 18.04 server.
Version in repo: pure-ftpd-mysql-1.0.46-1build1

TLS completely broken in this version.

Can confirm that manually installing packages from Ubuntu 19.04 repo fixes issues for me.

```
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-mysql_1.0.47-3_amd64.deb
dpkg -i pure-ftpd-common_1.0.47-3_all.deb pure-ftpd-mysql_1.0.47-3_amd64.deb
```

TLS now working in Pure-FTPd

```
apt-cache policy pure-ftpd-common
pure-ftpd-common:
  Installed: 1.0.47-3
  Candidate: 1.0.47-3
  Version table:
 *** 1.0.47-3 100
        100 /var/lib/dpkg/status
     1.0.46-1build1 500
        500 http://mirrors.digitalocean.com/ubuntu bionic/universe amd64 Packages
```

It's strange, I didn't have the pure-ftpd-mysql.
So I tried the @Datapro Services solution without the Mysql package and I always got the same error message.
I exactly followed the instructions of @Datapro Services and it works.
Maybe the workaround will just consist in adding the pure-ftpd-mysql packet as a version of the repository?

Thanl you @Datapro Services (it-iizj)

It's worked. :)

Also for me @Datapro Services solution worked for me

Thank you!

@Jean-Philippe (jean-philippe-f):

The solution from @Datapro Services (it-iizj) also works for the standard package without mysql. You just need to get pure-ftpd instead of pure-ftpd-mysql.

```
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd-common_1.0.47-3_all.deb
wget http://mirrors.kernel.org/ubuntu/pool/universe/p/pure-ftpd/pure-ftpd_1.0.47-3_amd64.deb
dpkg -i pure-ftpd-common_1.0.47-3_all.deb pure-ftpd_1.0.47-3_amd64.deb
```
Thanks @Datapro Services (it-iizj) !

@Florin (flopppy):
Note that older versions of FileZilla client can connect to pure-ftpd 1.0.46 without any TLS issue.

This is because FileZilla introduced support for TLS 1.3 in their client version 3.40.0 by linking against GnuTLS 3.6.6. TLS 1.3 is not handled properly in pure-ftpd 1.0.46.

https://filezilla-project.org/versions.php

So using versions of FileZilla prior to 3.40.0 (e.g. 3.28, 3.25.2) may be a workaround for the clients, although not a very nice one....

If one limits via openssl.cnf to use maximum TLS v1.2 does that make pure-ftpd work with all clients?

Ie. Apply https://launchpadlibrarian.net/428208982/cap-to-tls1.2.patch to /etc/ssl/openssl.cnf

For context:

https://src.fedoraproject.org/rpms/pure-ftpd/commits/f29

simple compat to tlsv1.3 causes regressions and data-loss.
disabling tlsv1.3 makes things work.
upstream fixed this properly in .48 which we don't have yet.
and fedora did backport of all the things to .47 to have both tlsv1.3 & no data-loss.

I thik .48 should be packaged for eoan or possibly ff-series, whilst tlsv1.3 is disabled everywhere. Unless fedora patches apply cleanly onto .46

I'd recommend to ship https://src.fedoraproject.org/rpms/pure-ftpd/blob/e1d0271dd51956e4c115363285482088b8610698/f/0001-Temporarily-disable-TLSv1.3-support.patch everywhere for now.

@Dimitri John Ledkov (xnox)

Thank you for jumping into this.

To test for comment #14, I updated openssl.cnf on Ubuntu 18.04 to use maximum TLS v1.2 (using the configs from the patch provided there) and it seems pureftpd is working now with latest filezilla client.

Should we expect a new version of pure-ftpd for 18.04 any time soon?
Angry clients using filezilla are stressing me every day. :)
If not possible, will need to use a workaround of the ones mentioned in comments #8 or #14 to update production servers.

I've tried to backported the same patches as fc29 did, if anyone wants to give a try to this version
https://launchpad.net/~ubuntu-desktop/+archive/ubuntu/ppa/+build/17998128

Status changed to 'Confirmed' because the bug affects multiple users.

I'm still experiencing this issue. I hope it will be fixed soon.

I think we want to backport https://launchpad.net/ubuntu/+source/pure-ftpd/1.0.47-3 but i don't know that's enough.

Reminder about the ppa mentioned in the previous comment which is a candidate fix if someone cares about the problem on bionic and would like to see it resolved by a stable update

I've tested the version in comment #19 and it seems ok!

I have just verified on Ubuntu 18.04.5 LTS, after hunting down the "[ERROR] TLS renegociation" issue.

#19 ppa version fixed this issue... after a longer client-side debug session, that turned out to be a server-side thingie.

In case you use a 32bit system, the packages in #19 will not work (they are 64bit).
Here you can read how to create your own 32bit deb packages for Ubuntu 18.04 based on the source packages of Ubuntu 20.04:
https://da-mkay.github.io/blog/linux/ubuntu/2021/04/16/compile-pureftpd-v1.0.49-on-ubuntu-18.04.html

Well, better late than never, I'm going to SRU this.

debdiff attached, and package uploaded.

for the SRU reviewers: note that this is 1.0 source, so even if I added the patches separately in d/patches, they are in fact directly applied to the tree; I didn't want to convert it to 3.0, or add a build-dep on quilt.

> Where problems could occur

I think another area where things could go wrong is in regressing clients that use older protocol versions that are currently working. Could you add something to the Test Plan to do a smoke test in this area please? I'm not sure how to do this comprehensively, but at least this would confirm that we aren't breaking the entire world of older protocol clients or similar.

Hello Michael, or anyone else affected,

Accepted pure-ftpd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pure-ftpd/1.0.46-1ubuntu18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

So, I just tested with 1.0.46-1ubuntu18.04.1 and I confirm I can happily connect.

This bug was fixed in the package pure-ftpd - 1.0.46-1ubuntu18.04.1

---------------
pure-ftpd (1.0.46-1ubuntu18.04.1) bionic; urgency=medium

  * Backport patches to work with openssl1.1 and TLS1.3 (LP: #1832998)
    + 0001-TLS1.3-compatibility.patch
    + 0002-Use-TLS_server_method-if-available.patch

 -- Mattia Rizzolo <email address hidden> Thu, 28 Oct 2021 19:23:02 +0200

The verification of the Stable Release Update for pure-ftpd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.