vsftp - GnuTLS error -15: An unexpected TLS packet was received

I am running vsftp on Ubuntu 18.04 on Azure. The Filezilla clients are 3.52.2 (Windows) and 3.28.0 (Ubuntu 18.04). The error seen on the client is the same for both.

Status: Resolving address of myserver.com
Status: Connecting to xxxxx...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Error:  GnuTLS error -15: An unexpected TLS packet was received.
Error:  Disconnected from server: ECONNABORTED - Connection aborted
Error:  Failed to retrieve directory listing

This is /etc/vsftpd.conf:

# with and without allow_writeable_chroot gives the same problem
allow_writeable_chroot=YES
anon_world_readable_only=NO
chroot_local_user=YES
passwd_chroot_enable=YES
userlist_deny=NO
userlist_enable=NO
userlist_file=/etc/vsftpd.userlist
ssl_enable=YES
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ls_recurse_enable=NO
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
ascii_upload_enable=NO
ascii_download_enable=NO
local_root=/var/www/ftp
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
pasv_enable=YES
pasv_min_port=60001
pasv_max_port=60002
port_enable=YES
pasv_addr_resolve=NO
pasv_address=myserver.com
file_open_mode=0666
local_umask=0022
# I would like not to need this, but cURL does not work without it
require_ssl_reuse=NO

The users have accounts created in /etc/passwd and they are the owners of the following directories:

user1:x:1002:1002::/var/www/ftp/user1:/bin/bash
user2:x:1003:1003::/var/www/ftp/user2:/bin/bash

/var/log/vsftpd.log contains the following:

Mon Feb  1 12:42:15 2021 [pid 8303] CONNECT: Client "109.252.44.21"
Mon Feb  1 12:42:15 2021 [pid 8303] FTP response: Client "109.252.44.21", "220 Welcome to services back end"
Mon Feb  1 12:42:15 2021 [pid 8303] FTP command: Client "109.252.44.21", "AUTH TLS"
Mon Feb  1 12:42:15 2021 [pid 8303] FTP response: Client "109.252.44.21", "234 Proceed with negotiation."
Mon Feb  1 12:42:17 2021 [pid 8303] FTP command: Client "109.252.44.21", "USER user1"
Mon Feb  1 12:42:17 2021 [pid 8303] [user1] FTP response: Client "109.252.44.21", "331 Please specify the password."
Mon Feb  1 12:42:17 2021 [pid 8303] [user1] FTP command: Client "109.252.44.21", "PASS <password>"
Mon Feb  1 12:42:17 2021 [pid 8302] [user1] OK LOGIN: Client "109.252.44.21"
Mon Feb  1 12:42:17 2021 [pid 8304] [user1] FTP response: Client "109.252.44.21", "230 Login successful."
Mon Feb  1 12:42:17 2021 [pid 8304] [user1] FTP command: Client "109.252.44.21", "PBSZ 0"
Mon Feb  1 12:42:17 2021 [pid 8304] [user1] FTP response: Client "109.252.44.21", "200 PBSZ set to 0."
Mon Feb  1 12:42:18 2021 [pid 8304] [user1] FTP command: Client "109.252.44.21", "PROT P"
Mon Feb  1 12:42:18 2021 [pid 8304] [user1] FTP response: Client "109.252.44.21", "200 PROT now Private."
Mon Feb  1 12:42:18 2021 [pid 8304] [user1] FTP command: Client "109.252.44.21", "PWD"
Mon Feb  1 12:42:18 2021 [pid 8304] [user1] FTP response: Client "109.252.44.21", "257 "/" is the current directory"
Mon Feb  1 12:42:19 2021 [pid 8304] [user1] FTP command: Client "109.252.44.21", "TYPE I"
Mon Feb  1 12:42:19 2021 [pid 8304] [user1] FTP response: Client "109.252.44.21", "200 Switching to Binary mode."
Mon Feb  1 12:42:19 2021 [pid 8304] [user1] FTP command: Client "109.252.44.21", "PASV"

The Filezilla client is set to use explicit FTP over TLS if available, with passive mode forced.

Incoming ports 21 and 60000-60002 and outgoing ports are all open on the server.

When I test with cURL:

curl -u user1:password -v --ssl -k ftp://myserver.com

I receive the directory listing without any problem:

* Rebuilt URL to: ftp://myserver.com/
*   Trying xxxxxx...
* TCP_NODELAY set
* Connected to myserver.com (xxxxx) port 21 (#0)
< 220 Welcome to services back end
> AUTH SSL
< 234 Proceed with negotiation.
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  xxxxxxxxxxxx
*  start date: Mar 19 00:00:00 2020 GMT
*  expire date: Mar 24 12:00:00 2021 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> USER user1
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 331 Please specify the password.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> PASS password
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 230 Login successful.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> PBSZ 0
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 200 PBSZ set to 0.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> PROT P
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 200 PROT now Private.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> PWD
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 257 "/" is the current directory
* Entry path is '/'
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 229 Entering Extended Passive Mode (|||60001|)
*   Trying xxxxx...
* TCP_NODELAY set
* Connecting to xxxxx (xxxxx) port 60001
* Connected to myserver.com (xxxxx) port 21 (#0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> TYPE A
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 200 Switching to ASCII mode.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> LIST
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 150 Here comes the directory listing.
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* old SSL session ID is stale, removing
* Server certificate:
*  xxxxxxxxxxxxx
*  start date: Mar 19 00:00:00 2020 GMT
*  expire date: Mar 24 12:00:00 2021 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
drwxrwxr-x    2 1003     33           4096 Jan 30 10:59 user1
drwxrwxr-x    2 1002     33           4096 Jan 30 10:59 user2
* TLSv1.3 (IN), TLS Unknown, Unknown (21):
* TLSv1.3 (IN), TLS alert, Client hello (1):
* Remembering we are in dir ""
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
* TLSv1.3 (OUT), TLS alert, Client hello (1):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< 226 Directory send OK.
* Connection #0 to host myserver.com left intact

I ran into similar problems with Filezilla and WinSCP.

Any ideas? I have seen many posts about GnuTLS -15, but none of the solutions made any difference for me, and my forehead is sore from banging it on the keyboard for days...

Answer 1

Nobody could come up with anything. So this is how I solved it:

  1. Turned off vsftpd. This is because many blog posts mention problems between vsftpd and Filezilla, WinSCP, Cyberduck and other programs.
  2. Configured sftp according to https://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes

The result is not great - users do not have write permission on their own directory, so I had to create a subdirectory "files" under each user for file uploads. But at least it works under every client I have tried.

Answer 2

I had the same problem as you. It might be a tls1.0 issue.
Try disabling ssl_tlsv1:

In vsftp.conf:

ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
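As an added example (not part of the question or of either answer), the following Python script parses a vsftpd.conf in the key=value format shown above, flags the TLS settings a reviewer would question in the question's configuration (require_ssl_reuse=NO, and ssl_tlsv1 left at its default of YES, which answer 2 suggests turning off) and writes a hardened copy. The sample configuration embedded in it is a constructed excerpt of the question's file; the defaults are the ones documented in the vsftpd.conf man page. Note that require_ssl_reuse=YES can break clients that do not resume the control-channel TLS session on the data connection, which is exactly why the question set it to NO; the check reports it so the trade-off is made deliberately rather than silently.

```python
"""Lint a vsftpd.conf for weak TLS settings and emit a hardened copy.

Added example, not vsftpd's own code. Only options that appear on the page
(plus ssl_enable) are checked; defaults follow the vsftpd.conf man page.
"""

# Constructed sample: the TLS-relevant lines of the question's /etc/vsftpd.conf
SAMPLE_CONF = """\
# with and without allow_writeable_chroot gives the same problem
allow_writeable_chroot=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
pasv_enable=YES
# I would like not to need this, but cURL does not work without it
require_ssl_reuse=NO
"""

# vsftpd defaults for the booleans we care about (vsftpd.conf man page)
TLS_DEFAULTS = {
    "ssl_enable": "NO",
    "ssl_tlsv1": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "require_ssl_reuse": "YES",
}

# (setting, value that is weak, why it matters)
WEAK = [
    ("ssl_enable", "NO", "credentials and data travel in clear text"),
    ("ssl_sslv2", "YES", "SSLv2 is broken and must stay disabled"),
    ("ssl_sslv3", "YES", "SSLv3 is obsolete (POODLE)"),
    ("ssl_tlsv1", "YES", "TLS 1.0 is deprecated; answer 2 suggests ssl_tlsv1=NO"),
    ("require_ssl_reuse", "NO",
     "data connections no longer have to resume the control-channel TLS "
     "session, so the PASV data port is not bound to the logged-in client"),
]

# Values the hardened copy enforces (ssl_enable is left as configured)
HARDENED = {
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "NO",
    "require_ssl_reuse": "YES",
}


def parse_conf(text):
    """Parse vsftpd's key=value format; '#' comment lines and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value vsftpd will actually use: the configured one or the documented default."""
    return settings.get(key, TLS_DEFAULTS.get(key, "")).upper()


def find_weak_tls(settings):
    """Return [(setting, reason)] for every TLS option in a weak state."""
    return [(key, reason) for key, bad, reason in WEAK
            if effective(settings, key) == bad]


def harden(text):
    """Rewrite the config text: fix weak values in place, append missing hardened keys."""
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key = line.partition("=")[0].strip()
            if key in HARDENED:
                seen.add(key)
                out.append(f"{key}={HARDENED[key]}")
                continue
        out.append(raw)
    for key, value in HARDENED.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, reason in find_weak_tls(parse_conf(SAMPLE_CONF)):
        print(f"WEAK {key}: {reason}")
    print("--- hardened ---")
    print(harden(SAMPLE_CONF), end="")
```

Run against a real file with `harden(open("/etc/vsftpd.conf").read())` and diff the result before installing it; because vsftpd rejects unknown or misspelled options at startup, test the hardened copy with `vsftpd -olisten=NO /path/to/copy` style checks on a non-production host first.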
