From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Jan 31 14:40:03 2008
Message-Id: <200801311438.m0VEc72p074955@www.freebsd.org>
Date: Thu, 31 Jan 2008 14:38:07 GMT
From: Filip Palian
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/120187: Pure-FTPd doesn't support TLS authentication by default.

>Number: 120187
>Category: ports
>Synopsis: Pure-FTPd doesn't support TLS authentication by default.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 31 14:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Filip Palian
>Release: 6.2-RELEASE-p7
>Organization: Expro Sp. z o.o.
>Environment:
FreeBSD 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #2: Sun Sep 16 00:33:25 UTC 2007 root@:/usr/obj/usr/src/sys/ amd64
>Description:
Pure-FTPd version 1.0.21_1 was compiled from ports, with the following options passed to the configure script:

    --with-everything
    --with-paranoidmsg
    --with-virtualchroot
    --with-tls // Support for the secure authentication.
    --with-largefile
    --with-pgsql
    --with-privsep
    --without-banner
    --with-sendfile

The pure-ftpd binary was run with the following configuration:

    /usr/local/sbin/pure-ftpd -A -c50 -B -C8 -d -D -E -fftp -H -I15 -lpgsql:/usr/local/etc/pureftpd-pgsql.conf -L2000:8 -m4 -p49000:50000 -P -s -U133:022 -u80 -i -g/var/run/pure-ftpd.pid -k99 -Z -Y1

I've noticed that Pure-FTPd, executed with both "-P" and "-Y" flags, doesn't work properly. It means clients were not able to authenticate themselves using AUTH TLS. Pure-FTPd during feature negotiation (FEAT) didn't include FEAT_TLS, so clients were using plain text authentication.

Feature negotiation log without a fix:

    ---> FEAT
    <--- 211-Extensions supported:
    <--- EPRT
    <--- IDLE
    <--- MDTM
    <--- SIZE
    <--- REST STREAM
    <--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
    <--- MLSD
    <--- TVFS
    <--- ESTP
    <--- PASV
    <--- EPSV
    <--- SPSV
    <--- 211 End.
    ---> QUIT // Using secure authentication was forced.

Feature negotiation log with a fix:

    ---> FEAT
    <--- 211-Extensions supported:
    <--- EPRT
    <--- IDLE
    <--- MDTM
    <--- SIZE
    <--- REST STREAM
    <--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
    <--- MLSD
    <--- TVFS
    <--- ESTP
    <--- PASV
    <--- EPSV
    <--- SPSV
    <--- ESTA
    <--- AUTH TLS
    <--- PBSZ
    <--- 211 End.
    ---> AUTH TLS
    <--- 234 AUTH TLS OK.

>How-To-Repeat:
1) Compile Pure-FTPd with TLS support (--with-TLS)
2) Run pure-ftpd binary with "-P" and "-Y" flags.
3) Try to connect with Pure-FTPd daemon with AUTH TLS (debug mode).
>Fix:
Apply a patch included with this Problem Report.

Patch attached with submission follows:

--- src/ftpd.c 2006-02-21 14:14:49.000000000 +0100 +++ src/ftpd.c.new 2007-12-20 14:53:56.000000000 +0100 @@ -3439,14 +3439,14 @@ void dofeat(void) # define FEAT_UTF8 "" #endif - char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV FEAT_ESTA FEAT_TLS FEAT_UTF8; + char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV FEAT_ESTA FEAT_UTF8; if (disallow_passive != 0) { feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP] = 0; } #ifndef MINIMAL else if (STORAGE_FAMILY(force_passive_ip) != 0) { - feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV] = 0; + feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV] = 0; } #endif addreply_noformat(0, feat);

>Release-Note:
>Audit-Trail:
>Unformatted:
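
Review bot: The disallow_passive != 0 branch still truncates at sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP, which after the reordering falls before FEAT_TLS, so a server started with passive mode disallowed would still leave AUTH TLS out of the FEAT reply. Suggest extending that index to sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS so that both truncation branches keep the TLS entry. FEAT_ESTA and FEAT_UTF8 remain after the force_passive_ip cut point and are dropped there; if that is intended, a short comment above the feat[] declaration explaining which entries each branch removes would make the ordering dependency visible to the next person who edits it.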
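
A client-side check for the condition this report describes, a FEAT reply that omits AUTH TLS so that clients fall back to plain-text logins. This is an added example, not part of the original report or of Pure-FTPd; the sample replies are constructed from the two logs above, and make_reply, parse_feat, advertises_auth_tls and check_server are hypothetical helper names.

```python
import ftplib
import re

# Constructed sample input: the feature names from the two FEAT logs in the report.
BASE = ["EPRT", "IDLE", "MDTM", "SIZE", "REST STREAM",
        "MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;",
        "MLSD", "TVFS", "ESTP", "PASV", "EPSV", "SPSV"]

def make_reply(features):
    """Rebuild a multi-line 211 reply; each feature line starts with a space."""
    body = [" " + f for f in features]
    return "\n".join(["211-Extensions supported:"] + body + ["211 End."])

REPLY_WITHOUT_FIX = make_reply(BASE)
REPLY_WITH_FIX = make_reply(BASE + ["ESTA", "AUTH TLS", "PBSZ"])

def parse_feat(reply):
    """Return the feature lines of a FEAT reply, or [] if there is no list."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("211-"):
        return []  # error reply or single-line 211: nothing advertised
    features = []
    for line in lines[1:]:
        if line.startswith("211 "):  # terminating line of the reply
            break
        if line.strip():
            features.append(line.strip())
    return features

def advertises_auth_tls(reply):
    """True only if an AUTH feature line lists the TLS mechanism."""
    for feature in parse_feat(reply):
        tokens = [t.upper() for t in re.split(r"[ ;,]+", feature) if t]
        if tokens and tokens[0] == "AUTH" and "TLS" in tokens[1:]:
            return True
    return False

def check_server(host, port=21, timeout=10):
    """Ask a live server for FEAT (needs network access to a server you run)."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        try:
            reply = ftp.sendcmd("FEAT")
        except ftplib.error_perm:
            reply = ""  # FEAT not implemented
    return advertises_auth_tls(reply)

if __name__ == "__main__":
    for name, reply in (("without fix", REPLY_WITHOUT_FIX), ("with fix", REPLY_WITH_FIX)):
        print(name, "->", "AUTH TLS advertised" if advertises_auth_tls(reply) else "no AUTH TLS")
```

Running check_server against each FTP daemon after a configuration or package change catches this regression before clients silently downgrade.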