Author Topic: TLS negotiation / Unable to build data connection  (Read 333 times)

Offline JoHansen

TLS negotiation / Unable to build data connection
« on: November 07, 2016, 08:44:58 am »
Hi there,

As seen in the subject, I have a problem regarding the renegotiation of a TLS connection. The problem occurs after around 15-30 minutes. The connection times out, or rather the client is unable to build a data connection. The tls.log prints out the following error: "starting TLS negotiation on data connection / TLS negotiation timed out (300 seconds)". But the two error messages get logged multiple times in the same second.

I already googled a lot and tried different things like setting the PassivePorts in the client and server firewall, turning "AllowClientRenegotiations" on and off, and trying different TLSRenegotiate options like "none / ctrl 7200 timeout 300 / required off".

I also attached a part of the log file, so you can see the timing from the error messages. I really hope you can help me, this problem is really frustrating.

Thanks and regards

My proftpd.conf (without comments):

Code:
Include /etc/proftpd/modules.conf
Include /etc/proftpd/tls.conf
UseIPv6                         off


DefaultRoot ~
Include /etc/proftpd/sql.conf
RequireValidShell off

IdentLookups                    off

ServerName                      "XXXX"
ServerType                      standalone
DeferWelcome                    off

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               1200
TimeoutStalled                  1200
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

Port                            21

MaxInstances                    30

User                            proftpd
Group                           nogroup

My tls.conf (without comments):

Code:
<IfModule mod_tls.c>
TLSEngine                               on 
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv3 TLSv1
PassivePorts                            20000 20100
TLSOptions                              NoSessionReuseRequired AllowClientRenegotiations   
TLSRSACertificateFile                   /usr/local/ssl/crt/XXX.de.crt
TLSRSACertificateKeyFile             /usr/local/ssl/private/XXX.de.key
TLSCACertificateFile                    /etc/ssl/certs/XXX.pem
TLSVerifyClient                         off
TLSRequired                             off
TLSRenegotiate ctrl 7200 timeout 300
TLSRenegotiate required off
TLSSessionCache internal: 3600
</IfModule>


Offline castaglia

Re: TLS negotiation / Unable to build data connection
« Reply #1 on: November 07, 2016, 04:29:28 pm »
The only other directive which comes to mind is TLSTimeoutHandshake:

  http://www.proftpd.org/docs/contrib/mod_tls.html#TLSTimeoutHandshake

which has a default of 300 seconds.  This is used to limit the amount of time a TLS client can request a handshake (as when opening a new data connection), before mod_tls deems that connection idle.  Note that this timeout applies to both the control connection and to data connections.

Thus you might try increasing the timeout value explicitly in your mod_tls configuration, to see if it changes the pattern of behavior:

  # Use a longer handshake timeout (10 min) for experimentation
  TLSTimeoutHandshake 600
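
A small lint of the posted tls.conf that surfaces the points raised in this thread (SSLv3 still enabled, the handshake timeout left at its default, TLSRenegotiate given twice). This is an added example, not code from the thread or from ProFTPD; it assumes the 300-second TLSTimeoutHandshake default quoted above, and its parser is deliberately simplified (arguments split on whitespace only).

```python
"""Lint a mod_tls fragment for the settings this thread turns on (added example)."""
from collections import Counter

# Constructed from the tls.conf posted above, trimmed to the directives checked here.
SAMPLE_TLS_CONF = """\
<IfModule mod_tls.c>
TLSProtocol SSLv3 TLSv1
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
TLSRenegotiate ctrl 7200 timeout 300
TLSRenegotiate required off
TLSSessionCache internal: 3600
</IfModule>
"""
DEFAULT_TLS_TIMEOUT_HANDSHAKE = 300  # seconds; the mod_tls default quoted in the reply above


def parse_directives(text):
    """Return (name, args) pairs; <IfModule> tags, blank lines and # comments are skipped.
    Simplified parser: arguments split on whitespace, so quoted values are not rejoined."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            name, *args = line.split()
            pairs.append((name, args))
    return pairs


def effective_handshake_timeout(text):
    """Seconds mod_tls waits for a handshake; applies to control and data connections."""
    for name, args in parse_directives(text):
        if name == "TLSTimeoutHandshake" and args:
            return int(args[0])
    return DEFAULT_TLS_TIMEOUT_HANDSHAKE


def lint_tls_conf(text):
    """Return findings (strings) for the fragment; an empty list means nothing to report."""
    pairs = parse_directives(text)
    counts = Counter(name for name, _ in pairs)
    protocols = {p for name, args in pairs if name == "TLSProtocol" for p in args}
    findings = []
    if "SSLv3" in protocols:
        findings.append("TLSProtocol enables SSLv3 (deprecated by RFC 7568); prefer TLSv1.2 or newer")
    if "TLSTimeoutHandshake" not in counts:
        findings.append(f"TLSTimeoutHandshake unset; default {effective_handshake_timeout(text)} s "
                        "also governs data connections")
    if counts["TLSRenegotiate"] > 1:
        findings.append(f"TLSRenegotiate given {counts['TLSRenegotiate']} times; merge into one directive")
    return findings
```

Running `lint_tls_conf(SAMPLE_TLS_CONF)` on the posted fragment yields three findings; a fragment with `TLSTimeoutHandshake 600` reports the raised timeout instead of the default.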

Offline JoHansen

Re: TLS negotiation / Unable to build data connection
« Reply #2 on: November 08, 2016, 07:59:28 am »
Thanks for your reply. I will give it a try. I recently noticed something during the restart of proftpd. Could this be a reason for the failing renegotiation?

Code:
mod_tls/2.4.3: compiled using OpenSSL version 'OpenSSL 1.0.1e 11 Feb 2013' headers, but linked to OpenSSL version 'OpenSSL 1.0.1t  3 May 2016' library

Offline JoHansen

Re: TLS negotiation / Unable to build data connection
« Reply #3 on: November 08, 2016, 08:05:24 am »
Okay, I installed the required / compiled version of libssl1.0.0 / openssl. Didn't change anything.

Offline castaglia

Re: TLS negotiation / Unable to build data connection
« Reply #4 on: November 08, 2016, 02:42:20 pm »
Right, I think that the OpenSSL version warning -- in this particular case -- would not cause the behavior you're seeing...
