Pure-FTPD does not support TLS Session resumption

Discussion started by tijn, Oct 20, 2023.

    Are you aware that this site has more than 100k authors, and everyone here in the forum may post their ideas and findings? This neither means that if someone posted something about proftpd it works, nor that it is recommended to do it, and I'm sure that neither I nor any ISPConfig developer recommended replacing pure-ftpd with proftpd in ISPConfig 3. Plus, it might be that you just mixed up ISPConfig 2 and 3; ISPConfig 2 and 3 have nothing in common in regard to system architecture or source code.

    I'm also not sure that, as you claim, this new pure-ftpd version will fix that incompatibility between this one FTP client and pure-ftpd. So you can also just contact the FileZilla devs and ask them to make their client work like any other FTP client that has no issues with pure-ftpd. In fact, the most likely fix for our issue is to try to install an older pure-ftpd version, possibly via apt-pinning, and not a newer one.
  2. I said I found an old post... I said it was old and flawed... Not integrated with ISPConfig code...
    I asked is there any chance of a tutorial? I did not ask to rewrite your code.
    @ahrasis was snarky in his comment to me and I feel that this comment here was not sincere, but also a snarky comment.
    Here's my snarky comment to the both of you.
    Wouldn't this forum be great if the community would keep quiet and not ask questions?
  3. https://www.howtoforge.com/ispconfig-3-proftpd-for-debian
    I didn't say it WOULD fix the problem. I said the updated server software claims it would fix the problem.
    Clearly @till, you are exhausted with dealing with us plebs. Most CEOs don't get on their own forums, and talk to the public like you do. I realize that this thread is kind of long and you most likely read 100s of posts a day. So it would be hard to move up and down a thread like this one and call out a stupid MF'er like me.

    I'm not wrong. I only ask the community for help with my problem. I didn't ask you do anything, really. I did kind of in jest, ask if there was a chance of a tutorial, but honestly, if you go back and read it, IT WAS MOSTLY IN JEST.
    I see that you are barking up the wrong tree all the time. This issue is not directly ISPConfig related. It's an issue between FileZilla and pure-ftpd, while FileZilla is the only client with such a problem with pure-ftpd. So the logical step for you to solve this would be to contact the pure-ftpd dev (and if you can't reach him, try contacting the Debian package maintainer, as the issue occurs in Debian 12 and the latest Ubuntu only) and also contact the FileZilla devs, report the issue there and explain to them that their FTP client is the only one that has issues with pure-ftpd on Debian 12 and Ubuntu 22.04. This issue must be solved either by pure-ftpd or by FileZilla. It cannot be solved by ISPConfig, except that we could either drop FTP support completely and support SFTP only or change ISPConfig to use a different FTP server. But pure-ftpd has a way better security track record than proftpd, and that's why we have chosen it.

    And if I were snarky as you claim, and wanted to keep you quiet here in the forum, I would just have banned your account.
  5. I'm not really barking up the wrong tree. You offer a public forum and I came here to ask for help. I already, long ago, acknowledged that this was not an ISPConfig issue. I did join the FileZilla forum; I don't believe Pure-FTPd has a forum. I found what claims to be the fix. I asked in this public forum for some guidance. I actually received useful guidance from @Taleman and I thanked him for his advice. @Taleman suggested that I report a bug on Debian's site, which I plan to do. I don't want @till or ISPConfig to do anything. All I wanted to do is use the public forum that you provided to ask for some help with my problem. https://forum.howtoforge.com is a public forum, for public discussion, and I appreciate that you provide such a place. I sincerely just want an error message to stop popping up, and I don't want to tell people to just use different software on their computer, if possible.

    The things that you are saying about me are not accurate, and mean spirited.

    Although, ISPConfig is not the actual cause of the problem here, I believe this is a good forum to come and ask for assistance, since for me, and many others, ISPConfig is where this software bug is showing up. I have gone to the other forums too, even though this is the only one I've become active in recently. But since ISPConfig is deeply integrated with the software that has been chosen, I am stuck with pure-ftpd. @Taleman gave me good advice, and as far as I am concerned, I am finished with my quest. I will do what @Taleman suggested and if that doesn't work, I'm done.

    No, I don't want you do drop FTP support. I can solve this problem myself. I already told you a few days ago, that I have tried other web hosting software and clearly to me anyway, ISPConfig is the best on the market. I have financially supported your product too, by purchasing add-ons. I really like the software. I only wanted help.

    If what @Taleman suggested to me, creating a Debian package and upgrading Pure-FTPd from 1.0.50 to 1.0.51, actually solves the problem, be sure I will come back here and offer my findings to the community. If it doesn't fix the problem, then I will also most likely come back and admit defeat. Not that you defeated me, but that the problem has defeated me.

    Anyway, Thanks, I'm done with this.
    I did not say anything about you in my posts.

    I suggested various solutions and strategies to resolve the issue, like contacting the developers in charge of the two partially incompatible software projects or the Debian maintainer. I also explained what I wouldn't do, like exchanging the FTP server with a different software.

    So the right procedure would be to contact the Debian package maintainer of the pure-ftpd package:


    You can find his email address on the right side of that page behind the maintainer link, write him a nice email and ask him with reference to that bug if it would be possible to release the new pure-ftpd version as Debian package.
  7. Thanks, I'll do that today. Right now actually.
  8. Update.
    I messaged the maintainer of the Debian package for pure-ftpd. Of course, I didn't receive any feedback, nor did I expect to. One thing I know about Debian is that they are not the cutting edge for software version upgrades. They are more worried about OS stability overall, and possibly, like @till, they're not too concerned about that specific glitch. I guess they will get to it when they get to it. Not saying that @till is wrong, either. The problem is with the 3rd-party software versions and even Debian, not ISPConfig, since ISPConfig uses APT to install whatever version Debian provides.

    It was also suggested that I maybe learn how to create Debian packages. I did learn how to do it, basically anyway. It seems to me that just because you can create a .deb file that may even install and work, in general, the .deb file that I created is not the same .deb file that Debian will eventually create. Their .deb file will integrate into their OS in a way that I will not be able to produce, at least not at my current skill level.
    I have this problem, too... Am I right thinking that this problem with pure-ftpd not supporting session resumption has been here for long, only now the new Filezilla clients warn us about it?

    I mean, I can switch over to my older machine with FileZilla 3.46 (as opposed to 3.63 per LMDE 6, or 3.67.1, the newest AppImage) and work without disruption....
    That would be stupid, right?
    But then again, how long have we been stupid (ignorant) about this security issue? Years? A decade?

    Isn't there a workaround, like connecting over and over? Opting out of sending packets to keep the connection alive?
    (I'm sure this is a naive question)

    I tried gftp and it doesn't upload files automatically when modified (if they are marked for editing)...
    meaning it is not a good substitute for FileZilla at all... :(

    any guidance would be appreciated... not only by me, I guess...

    thanks in advance,

    As mentioned above, this is an issue that must be fixed between FileZilla and pure-ftpd; other FTP clients work fine. This is nothing that we can solve here at ISPConfig. If you want to use FileZilla to upload or sync files, create an SSH user in ISPConfig and connect by SCP/SFTP with FileZilla. It works the same, just a different protocol, and the SSHd is responsible for that on the server side and not pure-ftpd.
    I'm sorry for adding to an ISPConfig thread... but I landed here via Google...
    and if I look at the top of the browser window, I see this title:
    "Pure-FTPD does not support TLS Session resumption | Page 2 | Howtoforge - Linux Howtos and Tutorials"

    Otherwise, I'm sorry to learn your position... which indicates that nothing has happened since last November...

    I'm really not an expert, but I think I can see that you're wrong in saying that other FTP clients are okay...
    because at the FileZilla forums the FileZilla devs say that this really is a security issue; only other software doesn't bother, but the vulnerability exists regardless....

    Practically, I can switch back to the older FileZilla version... or tick the checkbox in the new FileZilla version that this vulnerability is okay with me :)

    - - -
    I will try FTP over SSH -- I have used it before, but it's problematic with file permissions if you have your files owned by the ftpuser and group :(

    Anyway, thanks for your input...
    I hope someone will post a solution here.... some day :)
    I'll try to contact the pure-ftpd devs... (at the GitHub page there's no "issues" menu, so it's not simple)

    so thanks,
    have a nice evening,

    This is the ISPConfig support forum, so it is not a general Linux forum.

    I have no position on this as I'm neither the author of pure-ftpd nor of FileZilla. I mentioned already in the thread that anyone who wants to complain about that shall contact the ones responsible for the situation, and that's not us here at ISPConfig. Besides that, I'm not even using FileZilla, so the issue might have been resolved already in the latest Debian and Ubuntu versions.

    All I said is that other FTP clients work; I never made any security assumptions. Also, I never heard of a single problem with someone getting hacked that way. The developer of FileZilla seems to be the only person who raises these concerns.

    That is simply an issue with your personal server setup. On ISPConfig systems, there is no such issue, as FTP and SSH users share the same UID.
    FileZilla > v3.63 works as well... it only warns us about a vulnerability (the warning can be disabled)

    - - -
    I like this!! thanks!

    I ended up installing vsftpd -- I mean, I have installed it, and it "works"... FileZilla doesn't give you that warning message...

    and sorry for using this thread to gain knowledge about pure-ftpd and FileZilla :)

    Using SFTP is the quick and good solution while waiting for pure-ftpd and FileZilla to resolve the issue. It works without problems, tested on thousands of transfers and millions of files transferred. The Howtoforge staff is really too patient!
    Hi Guys,
    I have this issue too.
    Workaround (from h***s://forum.directadmin.com/threads/pure-ftpd-insecure-ftp-data-connection-tls-session-resumption-notification.63384/):
    either use the IP address of the server (instead of the hostname),
    or disable SNI in /etc/pure-ftpd/pure-ftpd.conf (comment out ExtCert /var/run/ftpd-certs.sock)

    Hope it will help some ISPconfig users :)

    Did you try that advice? Does it work, and is it useful?
    Using the IP address means the certificate is not used at all, which might be a bad thing.
    What does it mean when SNI is disabled? What changes?
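Added example, not code from the thread, from FileZilla, pure-ftpd or ISPConfig: a small Python check that does what FileZilla 3.63+ does before it shows the warning. It logs in over FTPS, opens one PROT P data connection (LIST) and reports whether that data connection resumed the control connection's TLS session. It relies on two stdlib behaviours: `ftplib.FTP_TLS` passes the control socket's `ssl.SSLSession` to the data socket, so the data connection attempts resumption and `session_reused` tells you the outcome; and Python's `ssl` (per RFC 6066) sends no SNI extension when `server_hostname` is an IP literal. Running it once with the hostname and once with the IP address therefore tests the two halves of the workaround quoted above with the same code. The hostnames in the comments are constructed, the `--no-verify` switch is this example's own, and the helper names are assumptions of this example.

```python
"""Does the FTPS data connection resume the control connection's TLS session?
Added example for this thread; not FileZilla, pure-ftpd or ISPConfig code.
Usage: python ftps_resumption_check.py ftp.example.org user pass [--no-verify]
"""
import ftplib
import ipaddress
import ssl
from dataclasses import dataclass


@dataclass
class ResumptionReport:
    host: str
    sni_sent: bool            # hostname connect sends SNI; an IP literal does not
    control_protocol: str     # e.g. "TLSv1.3"
    data_protocol: str
    data_session_reused: bool


def is_ip_literal(host: str) -> bool:
    """True for '203.0.113.7' or '2001:db8::1', False for 'ftp.example.org'.
    RFC 6066 forbids IP literals in SNI and Python's ssl omits the extension
    for them, so this tells you whether SNI was in play for a given connect."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_data_connection(ftps: ftplib.FTP_TLS, host: str) -> ResumptionReport:
    """Given a connected, logged-in FTP_TLS object, open one protected data
    connection (LIST) and report whether it resumed the control session."""
    ftps.prot_p()                               # PROT P: TLS on the data channel
    conn, _size = ftps.ntransfercmd("LIST")     # ftplib wraps conn with session=control session
    try:
        reused = bool(conn.session_reused)      # the bit FileZilla warns about
        data_proto = conn.version() or ""
        while conn.recv(8192):                  # drain the listing so the 226 reply follows
            pass
        try:
            conn.unwrap()                       # close_notify on the data channel
        except (OSError, ssl.SSLError):
            pass
    finally:
        conn.close()
    ftps.voidresp()                             # consume "226 Transfer complete"
    return ResumptionReport(
        host=host,
        sni_sent=not is_ip_literal(host),
        control_protocol=ftps.sock.version() or "",
        data_protocol=data_proto,
        data_session_reused=reused,
    )


def check_server(host: str, user: str, password: str, port: int = 21,
                 timeout: float = 15.0, verify: bool = True) -> ResumptionReport:
    """Connect, AUTH TLS, log in, then run inspect_data_connection()."""
    ctx = ssl.create_default_context()
    if not verify:                              # self-signed test boxes only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ftps = ftplib.FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    ftps.login(user, password)                  # FTP_TLS.login issues AUTH TLS first
    try:
        return inspect_data_connection(ftps, host)
    finally:
        try:
            ftps.quit()
        except (OSError, EOFError, ftplib.Error):
            ftps.close()


def verdict(report: ResumptionReport) -> str:
    """One-line summary matching FileZilla's pass/warn outcome."""
    if report.data_session_reused:
        return "ok: data connection resumed the control TLS session"
    return ("warn: data connection negotiated a fresh TLS session "
            f"(SNI {'sent' if report.sni_sent else 'not sent'}); "
            "FileZilla >= 3.63 will complain")


if __name__ == "__main__":
    import sys
    host, user, pw = sys.argv[1:4]
    print(verdict(check_server(host, user, pw, verify="--no-verify" not in sys.argv)))
```

Run it against the same server by hostname and by IP address: if only the IP run reports `ok`, the difference is SNI, which is what the quoted workaround changes; if both report `warn`, the server is not resuming sessions on the data channel at all, and connecting by IP only sidesteps FileZilla's check at the cost of certificate name verification. Under TLS 1.3 the resumable session only exists once the server's post-handshake tickets have been read, which the login exchange has normally done by the time LIST is issued.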
