pure-ftpd dead but subsys locked

microz

Hello,

I set up pure-ftpd with custombuild 2 on CloudLinux Server release 5.11 (Vladislav Volkov)

Code:
./build set ftpd pureftpd
./build pureftpd

But for some reason pure-ftpd is dead.

Code:
# service pure-ftpd restart
Shutting down pure-ftpd:                            [FAILED]
Starting pure-ftpd:                                      [  OK  ]
# service pure-ftpd status
pure-ftpd dead but subsys locked

According to the system messages:

Code:
[ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'

The error is caused by !SSLv3; if I remove !SSLv3, pure-ftpd can start correctly, but because of POODLE I keep SSLv3 disabled.

Any suggestions?

------

I have another problem with pure-ftpd: for some reason, when I try to connect to FTP with FileZilla, I always get a time-out.

In the config file /etc/init.d/pure-ftpd, the passive ports are 35000:35999

Code:
OPTIONS="-B -A -C 15 -E -H -k 99 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"

I enabled the passive ports in the CSF firewall, TCP_IN 35000:35999 (csf -r), and I still cannot connect.

Am I forgetting something?

-----

BONUS (with proftpd, with three files in one folder I can connect to FTP, but with more than three files in the folder I get a time-out)
Thanks for the report.
I had to dig right into the pure-ftpd source code to sort out what I think is the solution.

From tls.c, this code is what we want:
Code:
    if (ssl_disabled != 0) {
        options |= SSL_OP_NO_SSLv3;
    }
and then from ftpd.c, this sets it:
Code:
        case 'J': {
            if (strncmp(optarg, "-S:", sizeof "-S:" - (size_t) 1U) == 0) {
                optarg += sizeof "-S:" - (size_t) 1U;
                ssl_disabled = 1;
            }
so the way I'm reading that, is that if the cipher set starts with -S: then it will disable the SSLv3 protocol, and then skip the -S: and continue with the ciphers as usual.

So... what I believe to be the SSLv3 protocol free version, has a cipher that looks like this:
Code:
-J -S:HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
where the -S: is part of the -J cipher value, and is not actually the -S command line option.

I couldn't find documentation on this anywhere, but the code doesn't lie.. assuming I'm reading it correctly.

In any case, the options lines in the pure-ftpd boot script should look like this, assuming it's correct:
Code:
OPTIONS="-B -A -C 4 -E -H -k 95 -L 10000:8 -O stats:${LOG} -l puredb:${DB} -p 35000:35999 -u 100 -U 133:022 -w -Z"
OPTIONS="${OPTIONS} -Y 1 -J -S:HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"
then we keep the +SSLv3 cipher.

John
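
The `-J` handling described in the reply above, turned into a small check for an OPTIONS line. This is an added example, not part of the original posts and not pure-ftpd code; the function names are hypothetical and the sample lines are constructed from the thread.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of pure-ftpd.

# Print the word that follows -J in an OPTIONS string; status 1 if absent.
tls_arg() (
    set -f                          # no globbing while word-splitting $1
    prev=
    for word in $1; do
        if [ "$prev" = "-J" ]; then
            printf '%s\n' "$word"
            exit 0
        fi
        prev=$word
    done
    exit 1
)

# Same rule as the ftpd.c excerpt: a leading "-S:" sets ssl_disabled and is
# skipped. Prints "<ssl_disabled> <cipher list>".
split_tls_arg() {
    case $1 in
        -S:*) printf '1 %s\n' "${1#-S:}" ;;
        *)    printf '0 %s\n' "$1" ;;
    esac
}

# Classify an OPTIONS line by its -J value.
lint_options() (
    arg=$(tls_arg "$1") || { echo "no-tls-ciphers"; exit 0; }
    parsed=$(split_tls_arg "$arg")
    flag=${parsed%% *}
    ciphers=${parsed#* }
    case ":$ciphers:" in
        # the token the thread reports as making startup fail
        *':!SSLv3:'*) echo "rejected-cipher-token"; exit 0 ;;
    esac
    if [ "$flag" = 1 ]; then
        echo "sslv3-protocol-disabled"
    else
        echo "sslv3-protocol-allowed"
    fi
)

# Constructed sample lines based on the two posts above.
lint_options '-B -A -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'
lint_options '-B -A -Y 1 -J -S:HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3'
```

A line that keeps `+SSLv3` in the cipher list but lacks the `-S:` prefix is reported as `sslv3-protocol-allowed`, which is the case to catch when copying the cipher string between servers.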