[gnutls-devel] GnuTLS | vsftpd: GnuTLS error -15 in gnutls_record_recv. An unexpected TLS packet was received (#1532)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Mar 5 17:00:01 CET 2024



Fabrice Kakcha Ntichi created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1532



Hello guys,

I am creating this issue because I am trying to launch the vsftpd server with a non-root user. To do that, I set the config run_as_launching_user to YES (run_as_launching_user=YES).

But when I enter the user / password for the user, I get the error (GnuTLS error -15 in gnutls_record_recv: An unexpected TLS packet was received.):
10:02:17  Status:         Connection established, waiting for welcome message...
10:02:17  Status:         Initializing TLS...
10:02:17  Status:         Verifying certificate...
10:02:17  Status:         TLS connection established.
10:02:17  Command:  USER alpine
10:02:17  Response:   331 Please specify the password.
10:02:17  Command:  PASS *************
10:02:17  Error:           GnuTLS error -15 in gnutls_record_recv: An unexpected TLS packet was received.
10:02:17  Error:           Could not read from socket: ECONNABORTED - Connection aborted
10:02:17  Error:           Could not connect to server

-------------------------------------------------
I am using Alpine OS version 3.19.1.

My vsftpd config file is:

----------------------------
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Allow anonymous user to connect to server in RO mode
# FIXME: uncomment
anonymous_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_world_readable_only=YES
anon_root=/ftp/alpine
# FIXME: set back to allow_anon_ssl=NO
allow_anon_ssl=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# FIXME: connect_from_port_20=YES
connect_from_port_20=NO
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/dev/stdout
xferlog_file=/opt/app/var/log/xferlog
# vsftpd_log_file=/proc/1/fd/1
vsftpd_log_file=/opt/app/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# Windows explorer uses ascii mode
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome Alpine ftp server
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=NO
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
listen_ipv6=NO

# FIXME:
## Enable passive mode
pasv_enable=YES
pasv_addr_resolve=NO

## Disable seccomp filter sanboxing
seccomp_sandbox=NO
# Run in background
# normally YES, but when:
#vsftpd_1     | pidfd_open syscall is not supported, falling back to polling
#vsftpd_1     | failed to watch for direct child exit (pidfd_open error): Function not implemented
#vsftpd_1     | process has died, quitting
#digital-lab_vsftpd_1 exited with code 0
# NO makes it work...
background=NO

# (source: https://www.installerunserveur.com/configuration-vsftpd)
# Options for SSL
# encrypted connections.

# FIXME: uncomment once SSL has been set up
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Some FTP clients require this line
# require_ssl_reuse=NO

ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

# FIXME: uncomment
# ssl_ciphers=HIGH

#strict_ssl_read_eof=NO

#rsa_cert_file=/run/secrets/certfile
# FIXME: remove
rsa_cert_file=/ftp/alpine/tls.crt
rsa_private_key_file=/ftp/alpine/tls.key
# if you want vsftpd to run as the user which launched vsftpd. Error `vsftpd: must be started as root (see run_as_launching_user option)`
run_as_launching_user=YES

pasv_min_port=40000
pasv_max_port=40001
# The port vsftpd will listen on. Privileged ports: https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
listen_port=2784
# FIXME: remove
ftp_username=alpine
# directory which vsftpd will try to change into after a local(i.e. non-anonymous) login
local_root=/ftp/alpine
ftp_data_port=40010

debug_ssl=YES
# Show session status infos
setproctitle_enable=YES
# Virtual users will have the same priv as local users
# virtual_use_local_privs=YES
# pam_service_name=vsftpd_virtual
log_ftp_protocol=YES
seccomp_sandbox=NO
-------------

I don't know why I am getting the GnuTLS error; how can I fix that, please?
Any help will be much appreciated.

Thanks in advance.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1532
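An added example, not from the issue author or from the vsftpd or GnuTLS projects: a small Python linter that parses vsftpd.conf syntax and flags the TLS settings in the posted config that a defender would tighten before going to production. The sample config text is constructed from the SSL section of the issue's vsftpd.conf; the option names and their defaults (ssl_tlsv1 defaults to YES, ssl_sslv2 and ssl_sslv3 to NO) are taken from the vsftpd.conf man page.

```python
"""Lint a vsftpd configuration for weak TLS settings (added example)."""
import re

# Constructed sample: the SSL-related lines of the vsftpd.conf posted in the issue.
SAMPLE_CONF = """\
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# FIXME: uncomment
# ssl_ciphers=HIGH
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
debug_ssl=YES
"""

# vsftpd defaults for the protocol toggles (from the vsftpd.conf man page).
PROTOCOL_DEFAULTS = {"ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES"}


def parse_vsftpd_conf(text):
    """Return {option: value} for the active lines of a vsftpd.conf.

    vsftpd's format is one option=value per line; a line whose first
    character is '#' is a comment, so '# ssl_ciphers=HIGH' is NOT active.
    """
    opts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"\s*([A-Za-z0-9_]+)=(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def tls_findings(opts):
    """List the TLS settings a defender would want changed."""
    if opts.get("ssl_enable", "NO").upper() != "YES":
        return ["ssl_enable is not YES: TLS is not offered at all"]
    findings = []
    for proto, default in PROTOCOL_DEFAULTS.items():
        if opts.get(proto, default).upper() == "YES":
            findings.append(f"{proto}=YES: deprecated protocol version enabled")
    if "ssl_ciphers" not in opts:
        findings.append("ssl_ciphers is unset: the built-in default cipher list applies")
    if opts.get("debug_ssl", "NO").upper() == "YES":
        findings.append("debug_ssl=YES: verbose TLS logging, disable once debugging is done")
    return findings
```

Running tls_findings(parse_vsftpd_conf(SAMPLE_CONF)) on the posted section reports all three legacy protocol toggles, the still-commented ssl_ciphers line and the debug flag.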

