FXP SSL

Laurent_lp
I'm New!
Posts: 5
Joined: Sat Jun 25, 2016 9:51 pm

FXP SSL

Postby Laurent_lp » Sat Jun 25, 2016 10:06 pm

Hello,

It seems FXP-SSL is not compatible with FTP on (DSM version: DSM 6.0.1-7393 Update 1)

admin@:/usr/bin$ /usr/bin/ftpd -v
SmbFTPD Ver 2.0

on the sourceforge https://sourceforge.net/projects/smbftpd/files/SmbFTPD/2.7/


SSL login : ok
FXP without SSL data : ok
But when I try FXP with SSL data, I get errors like:

[R] 425 SSL_accept DATA connection error no shared cipher.: Success.
[L] 435 Failed TLS negotiation on data channel (SSL_connect(): (1) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure), disconnected

Can you make an update of the server? It seems the latest versions fixed some SSL errors:
in the 2.5 bugfix list
- Added SSLCipherSuite config option to changing acceptable ciphers.

Regards.
czfox
I'm New!
Posts: 8
Joined: Sun Jun 19, 2016 9:41 am

[REJECTED-ECDSA_NOT_SUPPORTED] FTPS response "SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"

Postby czfox » Wed Jun 29, 2016 6:31 am

Hello,

I'm trying to set up a secure FTP, so for this I've imported a self-signed certificate with stronger cipher suites only - those with EC(DHE/DSA). I tried several clients having OpenSSL 1.0.2h. My Synology in /usr/bin/openssl shows version 1.0.2h-fips. So, I would say they are equal.

1) I tried to connect using Let's Encrypt certificate first (which has RSA private key) and is created by Synology dialog. Either with AUTH TLS or AUTH SSL, both work ok, and I can authenticate and connect to the FTPS server.

2) With the self-signed certificate (having an EC private key) I always get the following errors. My friend tried this certificate with another Linux FTP server and it is working fine. To me it sounds like there is something wrong in the configuration of Synology's FTP, or something is missing (libraries, certificates?):

AUTH SSL


[1]     AUTH SSL
[1] 234 AUTH SSL command successful.
[1] error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[1] Network subsystem is unusable(10091)


AUTH TLS


[1]     AUTH TLS
[1] 234 AUTH SSL command successful.
[1] error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[1] Network subsystem is unusable(10091)



Do you have any idea what else to change to make it to work ? :)


For example - this is from help page of ProFTPD:


 Question: I am having trouble connecting to my SSL/TLS-enabled proftpd; my FTPS client shows this error:

  error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

What is wrong?
Answer: It depends; the first thing is to check your TLSLog to see what errors, if any, are logged by the mod_tls module. For example, you might see:

  Dec 14 10:47:58 mod_tls/2.4.1[13393]: unable to accept TLS connection: protocol error:
    (1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

The most common causes of these problems are: a) overly restrictive TLSCipherSuite configuration, or b) missing server certificate (i.e. TLSRSACertificateFile, TLSDSACertificateFile, or TLSPKCS12File). The file configured for the server certificate might also be badly formatted, which would result in the same error.



Thank you


UPDATE 1
I searched the Synology to see what FTP server is running there. Just call /usr/bin/ftpd -v. With DSM 6.0u1 I get the version SmbFTPD Ver 2.0, which is from Sat. May. 24, 2008 !!!!!

If you check the changelog at https://www.twbsd.org/enu/smbftpd/index ... wnload.htm
It's easy to see that it cannot support the new EC cipher suites, because they were added in v2.6 last year !!

UPDATE 2
I sent security issue ticket to Synology support.

UPDATE 3
Synology is checking the issue with the EC certificate... Note: Synology uses an old version of SmbFTPD but applies its own updates. Just to clarify my initial shock.

RESULT
After long communication with support, Synology supports RSA certificates only. Import of ECDSA certificates in Control Panel is a bug, because it's not supported. It has been passed as a feature request, so we will see in the future. :(

.
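Added example (not part of any post in this thread): a small decoder for the packed OpenSSL 1.0.x error codes quoted above. It shows that the client-side codes 14077410 and 14094410 only report a TLS alert received from the peer, while 1408A0C1 from the ProFTPD help text is the server-side reason. The lookup tables are a subset of OpenSSL 1.0.2 constants limited to the codes on this page, and the function names `decode` and `diagnose` are chosen for illustration.

```python
import re

# Subset of OpenSSL 1.0.2 constants, limited to the codes quoted in this thread.
LIBS = {0x14: "SSL routines"}
FUNCS = {119: "SSL23_GET_SERVER_HELLO",
         138: "SSL3_GET_CLIENT_HELLO",
         148: "SSL3_READ_BYTES"}
REASONS = {193: "no shared cipher"}
ALERTS = {40: "handshake_failure"}   # TLS alert description numbers
ALERT_OFFSET = 1000                  # reason = 1000 + alert number sent by the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(code_hex):
    """Split a packed code: library (8 bits), function (12 bits), reason (12 bits)."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = reason - ALERT_OFFSET if reason >= ALERT_OFFSET else None
    return {"lib": LIBS.get(lib, lib), "func": FUNCS.get(func, func),
            "reason": reason, "peer_alert": alert}


def diagnose(line):
    """Return (origin, detail) for a log line, or None if it has no error code."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    d = decode(m.group(1))
    if d["peer_alert"] is not None:
        # The local side only relays an alert; the cause is in the peer's TLS log.
        return ("peer", ALERTS.get(d["peer_alert"], str(d["peer_alert"])))
    return ("local", REASONS.get(d["reason"], str(d["reason"])))


if __name__ == "__main__":
    # Lines copied from the posts above (client errors and the ProFTPD log sample).
    samples = [
        "[1] error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
        "[1] error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",
        "(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
        "[1] 234 AUTH SSL command successful.",
    ]
    for s in samples:
        print(diagnose(s), "<-", s)
```

A result of `("peer", "handshake_failure")` means the failing side is the remote one, which matches the "no shared cipher" text in the `[R] 425` reply from the server in the first post.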
iCE
Trainee
Posts: 10
Joined: Tue Feb 14, 2012 9:44 pm

Re: FXP SSL

Postby iCE » Fri Sep 16, 2016 8:55 pm

Did you find a solution for this? I'm also getting the sslv3 error when trying to FXP from a secure server.

(SSL_connect(): (1) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure)

Maybe a replacement ftpd or disable sslv3 will resolve this?
iCE
Trainee
Posts: 10
Joined: Tue Feb 14, 2012 9:44 pm

Re: FXP SSL

Postby iCE » Wed Sep 21, 2016 8:32 pm

Gave up trying to get the Synology ftpd to talk to the latest TLS certs and installed ProFTPD. Much better and infinitely more configurable.
Laurent_lp
I'm New!
Posts: 5
Joined: Sat Jun 25, 2016 9:51 pm

Re: FXP SSL

Postby Laurent_lp » Sat Oct 08, 2016 10:56 am

No news about this issue?
Are there not enough of us using secure FXP for Synology to take care of it?!
Laurent_lp
I'm New!
Posts: 5
Joined: Sat Jun 25, 2016 9:51 pm

Re: FXP SSL

Postby Laurent_lp » Wed Apr 12, 2017 7:44 am

Can you make an update please, or do anything!

Change Log

* Mon. Apr. 20, 2015 Alex Wang
[2.7]
Bug fixes:
- Correctly handle ABOR command when doing recursive list.
- Correctly show relative path when using nlist.

Features:

==============================================================================
* Sat. Apr. 11, 2015 Alex Wang
[2.6]
Bug fixes:
- Removed libmd. It conflicts with openssl and cause "bad record mac" problem
when using AES256-SHA or RC4-SHA cipher.
- Fixed Perl warning when running configure with newer Perl version. The
warning was "used with no filenames on the command line, reading from STDIN."
- Fixed broken ABOR command when using command line ftp client.

Features:
- Removed SITE MD5 support. It would waste too much server resource.
- Added SSLCipherSuite config option to changing acceptable ciphers.
- Supported DH and ECDH cipher suites.
- Implemented CCC command to allow clear control channel protection.
- Implemented MLST and MLSD commands to compliant with RFC3659.
- Implemented more detailed server status for STAT command.
- For the password encryption of Virtual User, we use SHA512 by default.
- Please NOTE, if you use MySQL or PostgreSQL as Virtual User backend,
the Crypt type "md5" and "password"(mysql) has been removed. It is suggested
to use "crypt" type. Please see the new smbftpd_pgsql.conf Crypt setting
for detail.

==============================================================================
* Sun. Mar. 22, 2015 Alex Wang
[2.5]
Bug fixes:
- Fixed compiling errors/warning on FreeBSD10 and Ubuntu
- Remove SSLv2 and SSLv3 support

Features:
- Support intermediate certificate. (SSLCACertificateFile)
- Change default self-signed SSL cert to 2048bits

==============================================================================
* Mon. May. 14, 2012 Alex Wang
[2.4]
Bug fixes:
- Fix wtmp compiling error on FreeBSD 9.0
- Disable wtmp when chroot

Features:

==============================================================================
* Fri. Aug. 26, 2011 Alex Wang
[2.3]
Bug fixes:
- Log correct IP address for IPv6

Features:

==============================================================================
* Fri. Jan. 8, 2009 Alex Wang
[2.2]
Bug fixes:
- Fixed FreeBSD security advisory FreeBSD-SA-08:12.ftpd
- Fixed a typo on smbftpd-user help
- Fixed the bug of wrong file time when file time is 2008/12/30

Features:

==============================================================================
* Fri. Aug. 22, 2008 Alex Wang
[2.1]
Bug fixes:
- Set default transfer mode to binary not ASCII.
- Change the rule of unique file name from "local.jpg.XX" to "local.XX.jpg"
- Support Russian reversed 'R' (0xff) charactor in file name.
- The Windows IE still send "opt utf on" when UTF-8 is not enabled. We should
block the command so the IE will use correct encoding.
mictc
I'm New!
Posts: 1
Joined: Wed May 03, 2017 2:09 pm

Re: FXP SSL

Postby mictc » Wed May 03, 2017 2:18 pm

Also waiting for this to be fixed! Very annoying!
sebru
I'm New!
Posts: 2
Joined: Thu May 25, 2017 9:10 pm

Re: FXP SSL

Postby sebru » Thu May 25, 2017 9:18 pm

Hello,

Registered here just to tell you: there are more people waiting for this!
I created a ticket about this months ago. The answer was that the issue is on the task list, but no ETA.

Really sad this takes so long. Synology is fast at other security issues, but the FTP server is still not supporting these certificates :(
Madz
I'm New!
Posts: 2
Joined: Thu Apr 14, 2016 1:31 pm

Re: FXP SSL

Postby Madz » Tue Jun 20, 2017 1:45 pm

Also missing it. Does anyone know an alternative FTP server that can run on Synology?
Laurent_lp
I'm New!
Posts: 5
Joined: Sat Jun 25, 2016 9:51 pm

Re: FXP SSL

Postby Laurent_lp » Wed Jul 19, 2017 6:59 pm

Any news about a fix for FXP SSL?
sebru
I'm New!
Posts: 2
Joined: Thu May 25, 2017 9:10 pm

Re: FXP SSL

Postby sebru » Wed Sep 13, 2017 10:42 pm

*bump
