0

When I try to connect to SSL enabled proftpd as installed on Freenas 8.3.0, I see my client feedback output saying that AUTH TLS is working, the connection goes encrypted (as confirmed by Wireshark) and everything goes as far as:

[2] MLSD
[2] 150 Opening ASCII mode data connection for MLSD

After a while of nothing happening I get:

[2] 425 Unable to build data connection: Operation not permitted

The exact same configuration, less the SSL related directives (unchecking 'Enable SSL' in the FreeNAS GUI), works perfectly.

deed02392
  • 278
  • 1
  • 5
  • 16

1 Answers1

2

This is an issue with a bit of both pieces of software. Your TLS log for proftpd will probably be saying something like this:

mod_tls/2.4.1[9592]: client did not reuse SSL session, rejecting data connection (see TLSOption NoSessionReuseRequired)

So the directive that is needed to resolve the issue is TLSOptions NoSessionReuseRequired. BUT, you can't simply add this to directives to append to the conf file in the FreeNAS GUI, because interally it already uses a TLSOptions directive and subsequent usage of this directive is ignored (ie your addition).

A future version of proftpd will resolve this by permitting multiple declarations of TLSOptions. Or, the FreeNAS GUI needs to either include NoSessionReuseRequired under its Enabled SSL umbrella of directives or add a checkbox if such a thing isn't always desired (requiring session re-use saves resources so if all your clients support it, it's preferred).

In the meantime, navigate to /usr/local/etc/ and edit proftpd.conf. Find the line:

TLSOptions NoCertRequest

and make it look like:

TLSOptions NoCertRequest NoSessionReuseRequired

I created a bug report on the matter. Check it out here: https://bugs.freenas.org/issues/1910

deed02392
  • 278
  • 1
  • 5
  • 16