Pure-FTPd Insecure FTP Data Connection - TLS Session Resumption Notification

Vibe (Verified User, joined Aug 3, 2005, 124 messages)
Hi everyone,

I have recently run into an issue with Pure-FTPd and the most recent version of FileZilla v3.53.0. I was hoping others may have found a resolution and/or could point me in the right direction.

With the current version of FileZilla (FTP client) a TLS connection to Pure-FTPd produces a pop-up message that states:

Insecure FTP data connection
This server does not support TLS session resumption on the data connection.

TLS session resumption on the data connection is an important security feature to protect against data connection stealing attacks.

If you continue, transferred files may be intercepted or their contents replaced by an attacker.

From the logging window in FileZilla it appears that a TLS connection is made:

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing of "/"...
Status: Directory listing of "/" successful

Pure-FTPd is using the default configuration from DirectAdmin/CustomBuild with TLS connections enabled. However, this notice is displayed on multiple DirectAdmin servers. In the FileZilla Changelog there are references to this new notification - which does not appear in previous versions.

Does anyone know if Pure-FTPd supports TLS Session Resumption? I have searched extensively online and was unable to find any details.

Are other DA users experiencing the same issue?

Thank you for any assistance and/or suggestions you may have - much appreciated!
 
On my side, I changed the FTP server to test and I don't have this error with ProFTP. I continue to do research on my end; if anyone knows the solution for this error with PureFTP, thank you very much for giving us information or a lead to follow ...
 
Hi Axanti - thank you for your reply.

Yes, I am still experiencing this issue. From what I am seeing, the recent version of FileZilla (v3.53.0) performs a check to verify whether the FTP server supports TLS Session Resumption. Prior versions of FileZilla do not produce the notification.

In reading the ProFTPD website it appears this is a natively supported feature - whereas it may not be supported by Pure-FTPd (only TLS connections).

I am thinking that this may be a good time to switch over to ProFTP as this is happening on all servers with the default DA/Custombuild configuration. Is ProFTP more popular with DirectAdmin users?

Thanks again!
 
Vibe: I can't find more information on the internet, are we the only 2 having this problem?
 
Has either of you logged a ticket with DA?

I use Proftpd. It supports Sftp. FTP should be avoided.
 
bdacus01: We do not use unsecured FTP; we use SFTP (FTP over TLS), which is as secure as FTPS (FTP over ssh). We noticed a warning appearing since the FileZilla update.
So why SFTP instead of FTPS? Indeed, in FileZilla the protocol used by default during 'Quick connect' is SFTP (FTP over TLS), so this message appears for customers who do not really know how to use the site manager, and even less which protocol to use ...
In any case, we also noticed that this warning message does not appear when using the ProFTP server instead of PureFTP.
And no, for my part I did not open a ticket with DA because I think the problem does not come from there but from the PureFTP FTP server.
Sorry for this long explanation, and also sorry for my English, which is quite bad!
 
SFTP (FTP over TLS),
This is not SFTP, it is FTPS. Either SSL or TLS is used.

FTPS is ftp-secure and is still not secure. You have to worry about 2 ports and encrypt both the connection and the data channel (which commonly is not done).

Secure command channel

The secure command channel mode can be entered through the issue of either the AUTH TLS or AUTH SSL commands. After such time, all command control between the FTPS client and server are assumed to be encrypted. It is generally advised to enter such a state prior to user authentication and authorization in order to avoid the eavesdropping of user name and password data by third parties.

Secure data channel

The secure data channel can be entered through the issue of the PROT command. It is not enabled by default when the AUTH TLS command is issued. After such time, all data channel communication between the FTPS client and server is assumed to be encrypted.

The FTPS client may exit the secure data channel mode at any time by issuing a CDC (clear data channel) command.

FTPS is a bandaid to the old tired FTP protocol.

In short, if it is not SFTP it is not as safe.

SFTP is with ssh.

my English which is quite bad!
No worries about this. In Canada, are you French?

Hope that helps.
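The AUTH TLS / PROT P sequence described above, together with the resumption check that FileZilla 3.53 performs, as an added Python probe that is not from this thread and not from Pure-FTPd or ProFTPD: it encrypts the control channel, switches the data channel to PROT P, opens one LIST data connection that offers the control channel's TLS session, and reports whether the server resumed it. Host, user and password are taken from the command line (assumed usage); it relies on CPython 3.6+ session objects (`SSLContext.wrap_socket(session=...)`, `SSLSocket.session_reused`).

```python
import ssl
import sys
from ftplib import FTP, FTP_TLS, error_perm


def probe_data_channel(host, user, password, port=21, timeout=15):
    """Explicit FTPS probe: AUTH TLS, PROT P, then one LIST data connection
    offered the control channel's TLS session. Returns a dict of findings."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                                  # AUTH TLS: encrypt the control channel first
    ftps.login(user, password)                   # credentials now travel encrypted
    try:
        ftps.prot_p()                            # PBSZ 0 + PROT P: encrypt the data channel
    except error_perm as exc:
        ftps.quit()
        return {"prot_p": False, "error": str(exc), "session_reused": None}
    # Wrap the data socket ourselves instead of letting FTP_TLS do it, so the resumption
    # offer is explicit: the control socket's session object goes into the data handshake.
    # (With TLS 1.3 the ticket arrives after the handshake; the login replies absorbed it.)
    raw, _ = FTP.ntransfercmd(ftps, "LIST")
    data = ctx.wrap_socket(raw, server_hostname=host, session=ftps.sock.session)
    while data.recv(8192):                       # drain the listing
        pass
    result = {
        "prot_p": True,
        "control_tls": ftps.sock.version(),
        "data_tls": data.version(),
        "session_reused": data.session_reused,   # True only if the server resumed it
    }
    try:
        data.unwrap()                            # clean close_notify, as ftplib does
    except (OSError, ssl.SSLError):
        pass
    data.close()
    ftps.voidresp()                              # 226 Transfer complete
    ftps.quit()
    return result


def verdict(result):
    """Same judgement FileZilla 3.53 makes before showing its warning."""
    if not result.get("prot_p"):
        return "INSECURE: server refused PROT P, the data channel would be cleartext"
    if result.get("session_reused"):
        return "OK: data connection resumed the control-channel TLS session"
    return "INSECURE: data connection did a fresh handshake, no session resumption"


if __name__ == "__main__":                       # usage: python ftps_probe.py host user password
    print(verdict(probe_data_channel(*sys.argv[1:4])))
```

If the certificate does not match the name you connect with (the domain-vs-IP situation later in this thread), the probe fails at AUTH TLS instead of continuing, which is the right behaviour for a verification tool.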
 
In fact I was born in France, but I currently live in Quebec.
For SFTP vs FTPS, there was a lot of talk about this ... The Difference Between FTPS vs SFTP
But this does not solve the cause of this new alert in FileZilla. Now, I am not a bachelor in network security, so the only solution currently is to change the FTP server, and that is not a problem, but I like to understand; my problem is that I am sorely lacking in time ...
 
Thank you for the suggestions bdacus01 - greatly appreciated!

Axanti - I was thinking the same thing, that we are the only ones experiencing this issue. However, from what I am reading online I am starting to think that Pure-FTPd simply does not support TLS Session Resumption - whereas ProFTP does. If I am not mistaken, ProFTP uses the TLSSessionTickets directive to accomplish this.

bdacus01 - It has been a while since I have reviewed FTPS/SFTP options for DA. We do not provide SSH access to customers and have always used FTPS as a result (not as secure as SFTP). I just discovered the KB article regarding installing mod_sftp into ProFTPD using the unified_FTP_password_file - this looks very interesting. Would this allow us to utilize SFTP without granting SSH access to our users?

Thank you both again!
 
Thanks all of you so much. I am also experiencing this issue. I got useful information from your discussion.
 
Not me. Can anyone summarize how to solve this issue from the user and root point of view?
I am a user and have no SSH access to use SFTP. So a) how can I secure the connection from interception (as FileZilla claims) as a user? b) How can root fix this without giving all users SSH access automatically?
 
I would like to bump this as a customer has this issue too. So what we did in the meanwhile was telling her that we couldn't provide it for the domain, but it does work for the IP address. She uses the IP address of the VPS now and it's fine as it is, but this is obviously not the permanent resolution we're looking for.

Edit: Because I didn't know about this thread before, nor about any implications, and it had to be resolved quickly, I've now disabled SNI like Gurek said.
 
Having the same issue using domain name as host, works fine using IP.
 
I'm just wondering.... could this not be an ancient FileZilla bug which has put its head up again?
I don't use Filezilla myself.

Having the same issue using domain name as host, works fine using IP.
Which gives me even more the feeling that it's a FileZilla issue, because normally SSL is not generated for an IP. I know that ZeroSSL can create one for an IP, but only for http traffic. So to me this is very odd.
On the other hand, it could also be that pure-ftpd still does not support PROT P, which makes it a pure-ftpd issue.

If it's working fine using ip, does it also work fine using the hostname of the server (like server.somedomain.com)?
 