Perform unidirectional SSL/TLS shutdown on data connections
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| proftpd (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Binary package hint: proftpd
Recent versions of FileZilla cannot establish an encrypted data connection to ProFTPD <=1.3.2rc1, since they now strictly enforce their interpretation of the RFC standard, considering non-compliant servers, such as Hardy's proftpd, a security risk.
"Closing the data connection for the transfer connection without an orderly SSL/TLS shutdown violates the specifications. Furthermore, not performing the shutdown is indistinguishable from an attacker sending spoofed FIN TCP packets to the server, leading to truncated, yet apparently complete, successful transfers."
http://
http://
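As an added illustration (not code from the bug report, ProFTPD or FileZilla), the following Python script plays both roles: a local TLS server that ends the data connection either with SSL_shutdown() or with the bare TCP close described above, and a strict client that, like the FileZilla behaviour quoted, refuses to treat a FIN without close_notify as a clean end-of-file. It assumes Python 3.8+ and an openssl CLI on the path to mint a throwaway certificate; the payload and addresses are constructed.

```python
import os, socket, ssl, subprocess, tempfile, threading, contextlib
PAYLOAD = b"RETR data line\n" * 200   # constructed contents of one data connection

def make_cert(tmpdir):
    # Throwaway self-signed certificate for the demo; needs the openssl CLI.
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1", "-newkey", "rsa:2048",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def serve_once(listener, ctx, orderly_shutdown):
    # One data connection: send PAYLOAD, then end it with (True) or without (False) SSL_shutdown().
    conn, _ = listener.accept()
    tls = ctx.wrap_socket(conn, server_side=True)
    tls.sendall(PAYLOAD)
    if orderly_shutdown:
        with contextlib.suppress(ssl.SSLError):
            tls.unwrap()             # sends close_notify before the TCP FIN
    tls.close()                      # False path: bare TCP close, as in the report

def fetch(port, cafile):
    # Strict client: suppress_ragged_eofs=False turns a FIN without close_notify into SSLEOFError.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False       # demo certificate carries no SAN for 127.0.0.1
    tls = ctx.wrap_socket(socket.create_connection(("127.0.0.1", port)), suppress_ragged_eofs=False)
    buf = bytearray()
    try:
        while True:
            chunk = tls.recv(4096)
            if not chunk:            # b'' only after the server's close_notify
                tls.unwrap()         # answer with our own close_notify
                return bytes(buf), False
            buf += chunk
    except ssl.SSLEOFError:          # EOF in violation of protocol: length unverified
        return bytes(buf), True
    finally:
        tls.close()

def transfer(orderly_shutdown):
    # Returns (every byte arrived?, end-of-file flagged as unverified?).
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_cert(d)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(crt, key)
        with socket.create_server(("127.0.0.1", 0)) as listener:
            t = threading.Thread(target=serve_once, args=(listener, sctx, orderly_shutdown))
            t.start()
            data, unverified = fetch(listener.getsockname()[1], crt)
            t.join()
    return data == PAYLOAD, unverified
```

Both transfer(True) and transfer(False) deliver every byte, but only the second comes back flagged as unverified, which is the quoted point: without close_notify, a complete transfer and one cut short by a spoofed FIN look identical to the client.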
visibility: private → public
Changed in proftpd (Ubuntu):
status: New → Confirmed
This is a real issue in Hardy. Would love if someone could port the bugfix to the Hardy package.