Skip to content

FTP TLS session resumption not supported. #1617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Napsterbater opened this issue Mar 21, 2021 · 11 comments · May be fixed by #2829
Open

FTP TLS session resumption not supported. #1617

Napsterbater opened this issue Mar 21, 2021 · 11 comments · May be fixed by #2829

Comments

@Napsterbater
Copy link

Using keepass2android with FTPS (FTP over or with TLS) servers that require TLS session resumption do not work.

This is mainly a security feature and partially a minor performance boost in connection setup.

Any chance this could be added?
@PhilippC
Copy link
Owner

can you specify "do not work"? Do you see a specific error message. KP2A is using FluentFTP, I would neet to search for how to resolve this there.

@Napsterbater
Copy link
Author

Seems this is a limitation in FluentFTP and their reliance on .NET

Basily with this limitation, FTPS is insecure. And i'm going to guess using a different FTP backend is not an available option.

robinrodricks/FluentFTP#347
dotnet/runtime#27916

@4-FLOSS-Free-Libre-Open-Source-Software
Copy link

Isn't a new session each time, more secure than reuse? I understand the performance benefits from TLS handshaking.

@astukov
Copy link

astukov commented Nov 2, 2021

Isn't a new session each time, more secure than reuse? I understand the performance benefits from TLS handshaking.

As far as FTP goes, it doesn't. See, FTP Data channel is not authenticated, so any attacker could connect to this Data port and get access to information. As only the communication via port 21 is authenticated, it is a good idea to use that token for the Data channel as well.

@PinkDuck
Copy link

PinkDuck commented Nov 12, 2022
edited
Loading

I continue to encounter this problem also with open-source FileZilla Server, latest v1.5.1 (min TLS 1.2)

Below are 3 verbose log capture. 1st from Keepass2Android on local Wi-Fi, 2nd out/back through Internet, 3rd FileZilla Client, which connects fine either way.

The former on DB selection displays "Warning: Server certificate validation failed: RemoteCertificateChainErrors. Install appropriate root certificate on your device or see settings." - despite Applicable Hostnames on Self-Signed cert including local server IP "pinkduck.myddns.me 192.168.1.71".

Keepass2Android log (Android 10 to FileZilla Server 1.5.1, both on local Wi-Fi network)
19/10/2022 14:15:27:991 -- AppSettingsActivity.OnPause 34
19/10/2022 14:15:28:13 -- PasswordActivity.OnStart 33
19/10/2022 14:15:28:15 -- PasswordActivity.OnResume 33
19/10/2022 14:15:28:16 -- DB null 33
19/10/2022 14:15:28:17 -- starting: True, Finishing: False, _performingLoad: False
19/10/2022 14:15:28:18 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:15:28:476 -- AppSettingsActivity.OnStop 34
19/10/2022 14:15:28:479 -- AppSettingsActivity.OnDestroyTrue 34
19/10/2022 14:15:29:158 -- PasswordActivity.OnPause 33
19/10/2022 14:15:29:177 -- SelectCurrentDbActivity 31: OnActivityResult FirstUser/1
19/10/2022 14:15:29:177 -- TryGetFromActivityResult: no data
19/10/2022 14:15:29:192 -- SelectCurrentDbActivity.OnStart 31
19/10/2022 14:15:29:195 -- SelectCurrentDbActivity.OnResume 31
19/10/2022 14:15:29:195 -- DB null 31
19/10/2022 14:15:29:198 -- SelectCurrentDbActivity.OnResume 31
19/10/2022 14:15:29:198 -- DB null 31
19/10/2022 14:15:29:236 -- SelectCurrentDbActivity.OnPause 31
19/10/2022 14:15:29:271 -- FileSelect.OnCreate
19/10/2022 14:15:29:310 -- FileSelect.OnStart
19/10/2022 14:15:29:311 -- FileSelect.OnResume
19/10/2022 14:15:29:334 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:15:29:338 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:15:29:390 -- SelectCurrentDbActivity.OnStop 31
19/10/2022 14:15:29:768 -- PasswordActivity.OnStop 33
19/10/2022 14:15:29:769 -- PasswordActivity.OnDestroyTrue 33
19/10/2022 14:15:31:577 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:15:31:606 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:15:31:609 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:15:31:612 -- FileSelect.OnPause
19/10/2022 14:15:31:632 -- PasswordActivity.OnCreate 35
19/10/2022 14:15:31:632 -- PasswordActivity:apptask= 35
19/10/2022 14:15:31:687 -- GetIocFromLaunchIntent()
19/10/2022 14:15:31:688 -- no keyprovider specified
19/10/2022 14:15:31:690 -- Reset keyfile
19/10/2022 14:15:31:691 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:15:31:697 -- PasswordActivity.OnStart 35
19/10/2022 14:15:31:698 -- PasswordActivity.OnResume 35
19/10/2022 14:15:31:699 -- DB null 35
19/10/2022 14:15:31:699 -- starting: True, Finishing: False, _performingLoad: False
19/10/2022 14:15:31:700 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:15:31:702 -- Pre-loading database file starting
19/10/2022 14:15:31:703 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:15:31:704 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx localVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
19/10/2022 14:15:31:705 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx baseVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
19/10/2022 14:15:31:706 -- CFS: OpenWhenNoLocalChanges
19/10/2022 14:15:31:706 -- CFS: hashing cached version
19/10/2022 14:15:31:707 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:15:31:757 -- PasswordModeSpinner item selected: 0
19/10/2022 14:15:31:891 -- found 80 in 81
19/10/2022 14:15:31:893 -- cannot autofill
19/10/2022 14:15:32:174 -- FileSelect.OnStop
19/10/2022 14:15:32:267 -- FileSelect.OnDestroyTrue
19/10/2022 14:15:33:375 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:15:34:10 -- CFS: Files in Sync
19/10/2022 14:15:34:15 -- Pre-loading database file completed
19/10/2022 14:15:42:380 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:15:42:382 -- LockingActivity: OnActivityResult
19/10/2022 14:15:42:382 -- PasswordActivity.OnActivityResult 874348/1000
19/10/2022 14:15:42:410 -- status message: Initializing...
19/10/2022 14:15:42:411 -- status submessage:
19/10/2022 14:15:42:445 -- status message: Loading database…
19/10/2022 14:15:42:451 -- System.IO.IOException: The file header is corrupted. Less data than expected could be read from the file.
at KeePassLib.Serialization.BinaryReaderEx.ReadBytes (System.Int32 nCount) [0x0005f] in <1ca3161c0c784589b346af6c48422105>:0
at KeePassLib.Serialization.KdbxFile.LoadHeader (KeePassLib.Serialization.BinaryReaderEx br) [0x0002e] in <1ca3161c0c784589b346af6c48422105>:0
at KeePassLib.Serialization.KdbxFile.Load (System.IO.Stream sSource, KeePassLib.Serialization.KdbxFormat fmt, KeePassLib.Interfaces.IStatusLogger slLogger) [0x00084] in <1ca3161c0c784589b346af6c48422105>:0
at keepass2android.KdbxDatabaseFormat.PopulateDatabaseFromStream (KeePassLib.PwDatabase db, System.IO.Stream s, KeePassLib.Interfaces.IStatusLogger slLogger) [0x00013] in <0218d9a0a246400eb61cf9b0c47299ea>:0
at KeePassLib.PwDatabase.Open (System.IO.Stream s, System.String fileNameWithoutPathAndExt, KeePassLib.Serialization.IOConnectionInfo ioSource, KeePassLib.Keys.CompositeKey pwKey, KeePassLib.Interfaces.IStatusLogger slLogger, KeePassLib.IDatabaseFormat format) [0x000a6] in <1ca3161c0c784589b346af6c48422105>:0
at keepass2android.Database.PopulateDatabaseFromStream (KeePassLib.PwDatabase pwDatabase, System.IO.Stream s, KeePassLib.Serialization.IOConnectionInfo iocInfo, KeePassLib.Keys.CompositeKey compositeKey, keepass2android.ProgressDialogStatusLogger status, KeePassLib.IDatabaseFormat databaseFormat) [0x00013] in <0218d9a0a246400eb61cf9b0c47299ea>:0
at keepass2android.Database.LoadData (keepass2android.IKp2aApp app, KeePassLib.Serialization.IOConnectionInfo iocInfo, System.IO.MemoryStream databaseData, KeePassLib.Keys.CompositeKey compositeKey, keepass2android.ProgressDialogStatusLogger status, KeePassLib.IDatabaseFormat databaseFormat) [0x00033] in <0218d9a0a246400eb61cf9b0c47299ea>:0
at keepass2android.Kp2aApp.LoadDatabase (KeePassLib.Serialization.IOConnectionInfo ioConnectionInfo, System.IO.MemoryStream memoryStream, KeePassLib.Keys.CompositeKey compositeKey, keepass2android.ProgressDialogStatusLogger statusLogger, KeePassLib.IDatabaseFormat databaseFormat, System.Boolean makeCurrent) [0x000b9] in <7165a5adb3574afbabf24b0ad4c46188>:0
at keepass2android.LoadDb.TryLoad (System.IO.MemoryStream databaseStream) [0x00021] in <0218d9a0a246400eb61cf9b0c47299ea>:0
at keepass2android.LoadDb.Run () [0x000c2] in <0218d9a0a246400eb61cf9b0c47299ea>:0
19/10/2022 14:15:42:467 -- OnFinish message: An error occured: The file header is corrupted. Less data than expected could be read from the file.
19/10/2022 14:15:49:793 -- PasswordActivity.OnPause 35
19/10/2022 14:15:50:313 -- PasswordActivity.OnStop 35
19/10/2022 14:16:05:753 -- cannot autofill
19/10/2022 14:17:12:871 -- KeePass.OnCreate 36
19/10/2022 14:17:12:872 -- KeePass:apptask= 36
19/10/2022 14:17:12:873 -- Loaded task keepass2android.NullTask
19/10/2022 14:17:12:873 -- Task in activity KeePass 36 changed to NullTask
19/10/2022 14:17:12:874 -- KeePass.OnCreate
19/10/2022 14:17:12:883 -- KeePass.OnStart 36
19/10/2022 14:17:12:883 -- KeePass.OnStart
19/10/2022 14:17:12:927 -- SelectCurrentDbActivity.OnCreate 37
19/10/2022 14:17:12:928 -- SelectCurrentDbActivity:apptask= 37
19/10/2022 14:17:12:940 -- Loaded task keepass2android.NullTask
19/10/2022 14:17:12:940 -- Task in activity SelectCurrentDbActivity 37 changed to NullTask
19/10/2022 14:17:12:944 -- SelectCurrentDbActivity.OnStart 37
19/10/2022 14:17:12:946 -- SelectCurrentDbActivity.OnResume 37
19/10/2022 14:17:12:946 -- DB null 37
19/10/2022 14:17:12:963 -- SelectCurrentDbActivity.OnPause 37
19/10/2022 14:17:12:985 -- FileSelect.OnCreate
19/10/2022 14:17:13:18 -- FileSelect.OnStart
19/10/2022 14:17:13:35 -- SelectCurrentDbActivity.OnStop 37
19/10/2022 14:17:13:37 -- KeePass.OnStop 36
19/10/2022 14:17:13:37 -- KeePass.OnDestroyTrue
19/10/2022 14:17:13:38 -- KeePass.OnDestroyTrue 36
19/10/2022 14:17:13:79 -- PasswordActivity.OnCreate 38
19/10/2022 14:17:13:79 -- PasswordActivity:apptask= 38
19/10/2022 14:17:13:134 -- GetIocFromLaunchIntent()
19/10/2022 14:17:13:135 -- no keyprovider specified
19/10/2022 14:17:13:137 -- Reset keyfile
19/10/2022 14:17:13:138 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:17:13:234 -- PasswordActivity.OnStart 38
19/10/2022 14:17:13:236 -- PasswordActivity.OnResume 38
19/10/2022 14:17:13:236 -- DB null 38
19/10/2022 14:17:13:237 -- starting: True, Finishing: False, _performingLoad: False
19/10/2022 14:17:13:238 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:17:13:242 -- Pre-loading database file starting
19/10/2022 14:17:13:243 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:17:13:244 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx localVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
19/10/2022 14:17:13:244 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx baseVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
19/10/2022 14:17:13:245 -- CFS: OpenWhenNoLocalChanges
19/10/2022 14:17:13:245 -- CFS: hashing cached version
19/10/2022 14:17:13:246 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:17:13:501 -- PasswordModeSpinner item selected: 0
19/10/2022 14:17:13:605 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:17:13:635 -- found 80 in 81
19/10/2022 14:17:13:637 -- cannot autofill
19/10/2022 14:17:13:836 -- CFS: Files in Sync
19/10/2022 14:17:13:837 -- Pre-loading database file completed
19/10/2022 14:17:13:858 -- FileSelect.OnStop
19/10/2022 14:17:13:947 -- FileSelect.OnDestroyTrue
19/10/2022 14:17:20:528 -- PasswordActivity.OnPause 38
19/10/2022 14:17:20:549 -- AppSettingsActivity.OnCreate 39
19/10/2022 14:17:20:549 -- AppSettingsActivity:apptask= 39
19/10/2022 14:17:20:635 -- AppSettingsActivity.OnStart 39
19/10/2022 14:17:20:636 -- AppSettingsActivity.OnResume 39
19/10/2022 14:17:20:638 -- DB null 39
19/10/2022 14:17:20:995 -- PasswordActivity.OnStop 38
19/10/2022 14:17:24:703 -- AppSettingsActivity.OnPause 39
19/10/2022 14:18:09:982 -- AppSettingsActivity.OnResume 39
19/10/2022 14:18:09:983 -- DB null 39
19/10/2022 14:18:12:961 -- AppSettingsActivity.OnPause 39
19/10/2022 14:18:13:406 -- AppSettingsActivity.OnStop 39

and

Keepass2Android log (Android 10 to FileZilla Server 1.5.1 via cellular network, FZ server open to *)
19/10/2022 14:44:33:558 -- AppSettingsActivity.OnPause 6
19/10/2022 14:44:33:572 -- PasswordActivity.OnStart 5
19/10/2022 14:44:33:575 -- PasswordActivity.OnResume 5
19/10/2022 14:44:33:575 -- DB null 5
19/10/2022 14:44:33:576 -- starting: True, Finishing: False, _performingLoad: False
19/10/2022 14:44:33:577 -- ftp://SETPink+Duck:********:2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:44:34:19 -- AppSettingsActivity.OnStop 6
19/10/2022 14:44:34:21 -- AppSettingsActivity.OnDestroyTrue 6
19/10/2022 14:44:34:590 -- PasswordActivity.OnPause 5
19/10/2022 14:44:34:604 -- SelectCurrentDbActivity 4: OnActivityResult FirstUser/1
19/10/2022 14:44:34:604 -- TryGetFromActivityResult: no data
19/10/2022 14:44:34:618 -- SelectCurrentDbActivity.OnStart 4
19/10/2022 14:44:34:622 -- SelectCurrentDbActivity.OnResume 4
19/10/2022 14:44:34:623 -- DB null 4
19/10/2022 14:44:34:623 -- SelectCurrentDbActivity.OnResume 4
19/10/2022 14:44:34:624 -- DB null 4
19/10/2022 14:44:34:653 -- SelectCurrentDbActivity.OnPause 4
19/10/2022 14:44:34:689 -- FileSelect.OnCreate
19/10/2022 14:44:34:731 -- FileSelect.OnStart
19/10/2022 14:44:34:732 -- FileSelect.OnResume
19/10/2022 14:44:34:756 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:44:34:760 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:44:34:823 -- SelectCurrentDbActivity.OnStop 4
19/10/2022 14:44:35:218 -- PasswordActivity.OnStop 5
19/10/2022 14:44:35:220 -- PasswordActivity.OnDestroyTrue 5
19/10/2022 14:45:19:902 -- ftp://SETPink+Duck:********:2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:45:19:934 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:45:19:937 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx
19/10/2022 14:45:19:940 -- FileSelect.OnPause
19/10/2022 14:45:19:960 -- PasswordActivity.OnCreate 7
19/10/2022 14:45:19:960 -- PasswordActivity:apptask= 7
19/10/2022 14:45:20:11 -- GetIocFromLaunchIntent()
19/10/2022 14:45:20:11 -- no keyprovider specified
19/10/2022 14:45:20:13 -- Reset keyfile
19/10/2022 14:45:20:14 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:45:20:19 -- PasswordActivity.OnStart 7
19/10/2022 14:45:20:20 -- PasswordActivity.OnResume 7
19/10/2022 14:45:20:20 -- DB null 7
19/10/2022 14:45:20:21 -- starting: True, Finishing: False, _performingLoad: False
19/10/2022 14:45:20:22 -- ftp://SETPink+Duck:********:2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:45:20:24 -- Pre-loading database file starting
19/10/2022 14:45:20:25 -- ftp://SETPink+Duck:********:2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True
19/10/2022 14:45:20:26 -- ftp://SETPink+Duck:********:2#pinkduck.myddns.me/Passwords/Passwords.kdbx localVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
19/10/2022 14:45:20:26 -- ftp://SETPink+Duck:********:2#pinkduck.myddns.me/Passwords/Passwords.kdbx baseVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
19/10/2022 14:45:20:27 -- CFS: OpenWhenNoLocalChanges
19/10/2022 14:45:20:27 -- CFS: hashing cached version
19/10/2022 14:45:20:28 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:45:20:75 -- PasswordModeSpinner item selected: 0
19/10/2022 14:45:20:180 -- found 80 in 81
19/10/2022 14:45:20:181 -- cannot autofill
19/10/2022 14:45:20:491 -- FileSelect.OnStop
19/10/2022 14:45:20:551 -- FileSelect.OnDestroyTrue
19/10/2022 14:45:22:152 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx
19/10/2022 14:45:22:915 -- CFS: Files in Sync
19/10/2022 14:45:22:921 -- Pre-loading database file completed
19/10/2022 14:46:42:36 -- PasswordActivity.OnPause 7
19/10/2022 14:46:42:53 -- AppSettingsActivity.OnCreate 8
19/10/2022 14:46:42:54 -- AppSettingsActivity:apptask= 8
19/10/2022 14:46:42:141 -- AppSettingsActivity.OnStart 8
19/10/2022 14:46:42:142 -- AppSettingsActivity.OnResume 8
19/10/2022 14:46:42:143 -- DB null 8
19/10/2022 14:46:42:543 -- PasswordActivity.OnStop 7

FileZilla Client’s detailed successful connection log:
14:56:15 Trace: CControlSocket::SendNextCommand()
14:56:15 Trace: CFtpLogonOpData::Send() in state 0
14:56:15 Status: Resolving address of pinkduck.myddns.me
14:56:15 Status: Connecting to 92.13.35.160:21...
14:56:15 Status: Connection established, waiting for welcome message...
14:56:15 Trace: CFtpControlSocket::OnReceive()
14:56:15 Response: 220-FileZilla Server 1.5.1
14:56:15 Response: 220-Please visit https://filezilla-project.org/
14:56:15 Response: 220 Private; for authorised use only.
14:56:15 Trace: CFtpLogonOpData::ParseResponse() in state 1
14:56:15 Trace: CControlSocket::SendNextCommand()
14:56:15 Trace: CFtpLogonOpData::Send() in state 2
14:56:15 Command: AUTH TLS
14:56:15 Trace: CFtpControlSocket::OnReceive()
14:56:15 Response: 234 Using authentication type TLS.
14:56:15 Trace: CFtpLogonOpData::ParseResponse() in state 2
14:56:15 Status: Initializing TLS...
14:56:15 Trace: tls_layer_impl::client_handshake()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: TLS handshakep: About to send CLIENT HELLO
14:56:15 Trace: TLS handshakep: Sent CLIENT HELLO
14:56:15 Trace: tls_layer_impl::on_send()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: tls_layer_impl::on_read()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: tls_layer_impl::on_read()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: TLS handshakep: Received SERVER HELLO
14:56:15 Trace: TLS handshakep: Processed SERVER HELLO
14:56:15 Trace: tls_layer_impl::on_read()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: TLS handshakep: Received ENCRYPTED EXTENSIONS
14:56:15 Trace: TLS handshakep: Processed ENCRYPTED EXTENSIONS
14:56:15 Trace: TLS handshakep: Received CERTIFICATE
14:56:15 Trace: TLS handshakep: Processed CERTIFICATE
14:56:15 Trace: tls_layer_impl::on_read()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: TLS handshakep: Received CERTIFICATE VERIFY
14:56:15 Trace: TLS handshakep: Processed CERTIFICATE VERIFY
14:56:15 Trace: tls_layer_impl::on_read()
14:56:15 Trace: tls_layer_impl::continue_handshake()
14:56:15 Trace: TLS handshakep: Received FINISHED
14:56:15 Trace: TLS handshakep: Processed FINISHED
14:56:15 Trace: TLS handshakep: About to send FINISHED
14:56:15 Trace: TLS handshakep: Sent FINISHED
14:56:15 Trace: TLS Handshake successful
14:56:15 Trace: Protocol: TLS1.3, Key exchange: ECDHE-SECP384R1-ECDSA-SECP256R1-SHA256, Cipher: AES-256-GCM, MAC: AEAD, ALPN: x-filezilla-ftp
14:56:15 Trace: tls_layer_impl::verify_certificate()
14:56:15 Trace: System trust store decision: false
14:56:15 Trace: Sending certificate_verification_event
14:56:15 Trace: CFtpControlSocket::SetAsyncRequestReply
14:56:15 Trace: set_verification_result(true)
14:56:15 Status: TLS connection established.
14:56:15 Trace: CControlSocket::SendNextCommand()
14:56:15 Trace: CFtpLogonOpData::Send() in state 6
14:56:15 Command: USER Pink Duck
14:56:15 Trace: CFtpControlSocket::OnReceive()
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 331 Please, specify the password.
14:56:16 Trace: CFtpLogonOpData::ParseResponse() in state 6
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpLogonOpData::Send() in state 6
14:56:16 Command: PASS ***********
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 230 Login successful.
14:56:16 Trace: CFtpLogonOpData::ParseResponse() in state 6
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpLogonOpData::Send() in state 8
14:56:16 Command: FEAT
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 211-Features:
14:56:16 Response: MDTM
14:56:16 Response: REST STREAM
14:56:16 Response: SIZE
14:56:16 Response: MLST type*;size*;modify*;perm*;
14:56:16 Response: MLSD
14:56:16 Response: AUTH SSL
14:56:16 Response: AUTH TLS
14:56:16 Response: PROT
14:56:16 Response: PBSZ
14:56:16 Response: UTF8
14:56:16 Response: TVFS
14:56:16 Response: EPSV
14:56:16 Response: EPRT
14:56:16 Response: MFMT
14:56:16 Response: 211 End
14:56:16 Trace: CFtpLogonOpData::ParseResponse() in state 8
14:56:16 Status: Logged in
14:56:16 Trace: Measured latency of 103 ms
14:56:16 Trace: CFtpControlSocket::ResetOperation(0)
14:56:16 Trace: CControlSocket::ResetOperation(0)
14:56:16 Trace: CFtpLogonOpData::Reset(0) in state 15
14:56:16 Trace: CFileZillaEnginePrivate::ResetOperation(0)
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpListOpData::Send() in state 0
14:56:16 Status: Retrieving directory listing...
14:56:16 Trace: CFtpChangeDirOpData::Send() in state 0
14:56:16 Trace: CFtpChangeDirOpData::Send() in state 1
14:56:16 Command: PWD
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 257 "/" is current directory.
14:56:16 Trace: CFtpChangeDirOpData::ParseResponse() in state 1
14:56:16 Trace: CFtpControlSocket::ResetOperation(0)
14:56:16 Trace: CControlSocket::ResetOperation(0)
14:56:16 Trace: CFtpChangeDirOpData::Reset(0) in state 1
14:56:16 Trace: CFtpListOpData::SubcommandResult(0) in state 1
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpListOpData::Send() in state 2
14:56:16 Trace: CFtpRawTransferOpData::Send() in state 0
14:56:16 Trace: CFtpRawTransferOpData::Send() in state 1
14:56:16 Command: TYPE I
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 200 Type set to I
14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 1
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpRawTransferOpData::Send() in state 2
14:56:16 Command: PASV
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Trace: TLS handshakep: Received NEW SESSION TICKET
14:56:16 Trace: TLS handshakep: Processed NEW SESSION TICKET
14:56:16 Trace: gnutls_record_recv returned spurious EAGAIN
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 227 Entering Passive Mode (192,168,1,71,7,255)
14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 2
14:56:16 Status: Server sent passive reply with unroutable address. Using server address instead.
14:56:16 Trace: Reply: 192.168.1.71, peer: 92.13.35.160
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpRawTransferOpData::Send() in state 4
14:56:16 Trace: Binding data connection source IP to control connection source IP 192.168.100.49
14:56:16 Trace: tls_layer_impl::client_handshake()
14:56:16 Trace: Trying to resume existing TLS session.
14:56:16 Command: MLSD
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 150 About to start data transfer.
14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 4
14:56:16 Trace: CControlSocket::SendNextCommand()
14:56:16 Trace: CFtpRawTransferOpData::Send() in state 5
14:56:16 Trace: tls_layer_impl::on_send()
14:56:16 Trace: tls_layer_impl::continue_handshake()
14:56:16 Trace: TLS handshakep: About to send CLIENT HELLO
14:56:16 Trace: TLS handshakep: Sent CLIENT HELLO
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: tls_layer_impl::continue_handshake()
14:56:16 Trace: TLS handshakep: Received SERVER HELLO
14:56:16 Trace: TLS handshakep: Processed SERVER HELLO
14:56:16 Trace: TLS handshakep: Received ENCRYPTED EXTENSIONS
14:56:16 Trace: TLS handshakep: Processed ENCRYPTED EXTENSIONS
14:56:16 Trace: TLS handshakep: Received FINISHED
14:56:16 Trace: TLS handshakep: Processed FINISHED
14:56:16 Trace: TLS handshakep: About to send FINISHED
14:56:16 Trace: TLS handshakep: Sent FINISHED
14:56:16 Trace: TLS Handshake successful
14:56:16 Trace: TLS Session resumed
14:56:16 Trace: Protocol: TLS1.3, Key exchange: unknown, Cipher: AES-256-GCM, MAC: AEAD, ALPN: ftp-data
14:56:16 Trace: tls_layer_impl::verify_certificate()
14:56:16 Trace: set_verification_result(true)
14:56:16 Trace: CTransferSocket::OnConnect
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0
14:56:16 Trace: CTransferSocket::TransferEnd(1)
14:56:16 Trace: tls_layer_impl::shutdown()
14:56:16 Trace: tls_layer_impl::continue_shutdown()
14:56:16 Trace: CFtpControlSocket::TransferEnd()
14:56:16 Trace: tls_layer_impl::on_read()
14:56:16 Trace: CFtpControlSocket::OnReceive()
14:56:16 Response: 226 Operation successful
14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 7
14:56:16 Trace: CFtpControlSocket::ResetOperation(0)
14:56:16 Trace: CControlSocket::ResetOperation(0)
14:56:16 Trace: CFtpRawTransferOpData::Reset(0) in state 7
14:56:16 Trace: CFtpListOpData::SubcommandResult(0) in state 3
14:56:16 Trace: CFtpControlSocket::ResetOperation(0)
14:56:16 Trace: CControlSocket::ResetOperation(0)
14:56:16 Trace: CFtpListOpData::Reset(0) in state 3
14:56:16 Status: Directory listing of "/" successful
14:56:16 Trace: CFileZillaEnginePrivate::ResetOperation(0)

@i3v
Copy link

i3v commented Apr 28, 2023

Just some related news:

@PinkDuck
Copy link

FileZilla Server updated to GnuTLS 3.8.0 in v1.6.7 (released 20th Feb 2023), so I'll give that a try shortly to see if it resolves.

@PinkDuck
Copy link

Unfortunately not:

<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Response] 150 Starting data transfer.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::on_read()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::continue_handshake()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Received CLIENT HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Processed CLIENT HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send SERVER HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent SERVER HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send CERTIFICATE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent CERTIFICATE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send SERVER KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent SERVER KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send SERVER HELLO DONE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent SERVER HELLO DONE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::on_read()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::continue_handshake()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Received CLIENT KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Processed CLIENT KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Received FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Processed FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send NEW SESSION TICKET
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent NEW SESSION TICKET
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS Handshake successful
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Protocol: TLS1.2, Key exchange: ECDHE-X25519-ECDSA-SHA512, Cipher: AES-128-GCM, MAC: AEAD, ALPN:
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] session::on_socket_event(): source = data, flag = 2, error = 0, state = 2
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Client wants a secure data connection.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] securer(1) ENTERING state = 2
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] securer(1) EXITING state = -1
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] ~securer(1) ENTERING state = -1
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] ~securer(1) EXITING state = -1
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Error] TLS session of data connection not resumed.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Response] 425 Unable to build data connection: TLS session of data connection not resumed.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] session::close_data_connection(): prev data_connection_status = 2
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Removed done events: 0
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 [Trace] Session 0x274c5637030 with ID 3 destroyed.

@i3v
Copy link

i3v commented Apr 30, 2023

@PinkDuck , my point actually was that (theoretically) it should be easy to patch keepass2android (new FTPClient in particular) to use GnuTlsStream, like suggested in the "FTPS Connection using GnuTLS".

I'm not saying there are no caveats possible, though.

@i3v
Copy link

i3v commented Aug 11, 2024
edited
Loading

@PhilippC , sorry for bumping, but could you please look into this?
AFAIU, this is a pretty real security issue. And this issue is still there in the current Google Play version ("1.10-pre"), despite there was some effort to improve the FTP support, including the FluentFTP version update.
At least FileZilla devs definitely do think that this is a major issue:

  • FileZilla bugtracker 10700, 12991, 12450 — they were pretty strict for both client and server about this 9 years ago already.
  • FileZilla forum thread1, thread2 — the "Require TLS session resumption on data connection" is mandatory since FileZilla server 1.0 . The most recent version that allows to disable these File Transfer security features is probably the ancient 0.9.60. That old version is insecure by itself.
  • They even provided a PoC exploit.
  • BTW, they were also pretty strict about the "Disable IP check" since about version 1.0 for the same reason as well (1,2), even though it seem to be just a "mitigation" for this same vulnerability.

AFAIU, newest FluentFTP versions make it fairly easy to use the "GnuTLS" version that got this fixed (and they do recommend it regularly: 773 ).

@i3v i3v mentioned this issue Aug 11, 2024
Closed
@PhilippC
Copy link
Owner

PhilippC commented Apr 1, 2025
edited
Loading

I tried to use GnuTLS, but failed. I created robinrodricks/FluentFTP#1736.

https://github.com/PhilippC/keepass2android/tree/1617-use-gnu-tls-stream

@PhilippC PhilippC linked a pull request Apr 8, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use Gnu TLS stream PhilippC/keepass2android
6 participants
@PinkDuck @i3v @PhilippC @Napsterbater @astukov @4-FLOSS-Free-Libre-Open-Source-Software