Demorou algum tempo enquanto tentava encontrar soluções através da rede. Nada ajudou. A história: Eu tenho o Ubuntu 10.10 (instância do Amazon EC2). ProFTPD Versão 1.3.2e (mais recente via apt-get). Não mudei nada no servidor e nos clientes ftp, mas de repente meus clientes (filezilla 3.5.3, TotalCmd) deixaram de se conectar via FTPS ao servidor.
Log do Filezilla:
Status: Connecting to 7x.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.2e Server (XXX) [7x.xxx.xxx.xxx]
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Error: Could not connect to server
Aqui é do ProFTPD tls.log:
May 04 14:28:32 mod_tls/2.2.2[1057]: TLS/TLS-C requested, starting TLS handshake
May 04 14:28:34 mod_tls/2.2.2[1057]: unable to accept TLS connection: received EOF that violates protocol
May 04 14:28:34 mod_tls/2.2.2[1057]: TLS/TLS-C negotiation failed on control channel
Proftpd tls config:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv3 TLSv1
TLSRSACertificateFile /usr/local/apache2/conf/crt/server/srv.crt
TLSRSACertificateKeyFile /usr/local/apache2/conf/crt/server/srv.nopass.key
TLSCACertificateFile /usr/local/apache2/conf/crt/ca/ca.crt
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRequired on
</IfModule>
Clientes verificados em ftps: //ftp.secureftp-test.com: 990 (servidor de teste para FTPS), a conexão está ok. Então eu tentei adicionar TLSRenegotiation nenhum e outras opções que encontrei na net - para nenhum resultado. Tentei reiniciar - sem resultado.
Tentei: openssl s_client -connect 127.0.0.1:21 -starttls ftp :
CONNECTED(00000003)
depth=1 /C=...
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
...
Server certificate
-----BEGIN CERTIFICATE-----
MII...
...hC
-----END CERTIFICATE-----
subject=/C...
---
No client certificate CA names sent
---
SSL handshake has read 3615 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 5E9090B0AC306334847BEC665D069DD90CED941C23E7911CCFA120DDF2B8E016
Session-ID-ctx:
Master-Key: 5708...DCB
Key-Arg : None
TLS session ticket:
0000 - ff 21 19 28 26 0b 21 28-57 29 5a 97 95 58 b5 90 .!.(&.!(W)Z..X..
...
00a0 - 04 7b e0 4b 1c e7 53 d1-3d 8c 5c 19 30 09 c8 b9 .{.K..S.=.\.0...
Compression: 1 (zlib compression)
Start Time: 1336143573
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 ProFTPD 1.3.2e Server (xxx) [7x.xxx.xxx.xxx]
QUIT
DONE
O que pode ser feito mais? Eu quero meus ftps de volta. Qual é o comportamento típico em situações semelhantes se não houver uma solução exata?