Open jhallerdk opened 3 years ago
To follow up, everything works fine for the client to connect to proftpd, with TLS 1.0, but in the trace just before it stops I get the following:
2021-01-19 15:06:51,572 [18069] <proxy.tls:9>: requesting stapled OCSP response
2021-01-19 15:06:51,572 [18069] <proxy.tls:17>: WANT_READ encountered while connecting on fd 16, waiting to read data
This is now with the latest code from the git repo of proftpd and mod_proxy.
These messages:
2021-01-14 16:28:34,186 mod_proxy/0.7[18986]: starting TLS negotiation on data connection
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: unable to connect using TLS: system call error: [104] Connection reset by peer
2021-01-14 16:28:34,217 mod_proxy/0.7[18986]: unable to open data connection to upload.ftpserver.com: TLS negotiation failed
suggest that the backend FTPS server is failing the data transfer TLS handshake for some reason. Are there any logs from that backend server that might provide some clues/details?
Can you provide the configuration you're currently using for the mod_proxy part? In addition, what will help to debug the mod_proxy -> backend server interactions will be some detailed trace logging, using a configuration like so for the proxy:
TraceLog /path/to/proftpd/proxy.log

<IfModule mod_tls.c>
  TLSLog /path/to/proftpd/proxy.log
  TLSOptions EnableDiags
  ...
</IfModule>

<IfModule mod_proxy.c>
  ProxyLog /path/to/proftpd/proxy.log
  ProxyTLSOptions EnableDiags

  Trace \
    proxy:30 \
    proxy.conn:30 \
    proxy.ftp.conn:30 \
    proxy.ftp.ctrl:30 \
    proxy.ftp.data:30 \
    proxy.ftp.msg:30 \
    proxy.ftp.sess:30 \
    proxy.ftp.xfer:30 \
    proxy.inet:30 \
    proxy.netio:30 \
    proxy.reverse:30 \
    proxy.session:30 \
    proxy.tls:30 \
    proxy.uri:30 \
    tls:30
  ...
</IfModule>
Here, we configure a TraceLog with many trace channels enabled, and we point the module-specific TLS and proxy logs at the same log file, to capture all the relevant log messages in a single file. It will be a large log file, but hopefully you can provide that log file, so we can see what might be happening.
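A combined log like the one requested above gets large, so a small triage script helps find the failing session. The following is an added example, not part of the thread or of ProFTPD: it assumes the two line formats quoted in this thread, runs on a constructed sample, and the names `triage` and `SAMPLE` are hypothetical.

```python
import re
from collections import defaultdict, deque

# Two line shapes appear in the combined log quoted in this thread:
#   trace:  "<date> <time> [pid] <channel:level>: message"
#   module: "<date> <time> mod_proxy/0.7[pid]: message"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"(?P<module>[\w./]+)?\[(?P<pid>\d+)\]"
    r"(?: <(?P<channel>[\w.]+):(?P<level>\d+)>)?: (?P<msg>.*)$"
)
FAILURE_MARKERS = ("unable to connect using TLS", "TLS negotiation failed")
TLS_CHANNELS = ("tls", "proxy.tls")

def triage(lines, context=3):
    """Per failing session (PID): the failure messages plus the last
    `context` TLS trace lines that PID logged before its first failure."""
    recent = defaultdict(lambda: deque(maxlen=context))
    findings = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign lines are ignored
        pid, msg = m["pid"], m["msg"]
        if any(marker in msg for marker in FAILURE_MARKERS):
            entry = findings.setdefault(
                pid, {"pid": pid, "before": list(recent[pid]), "errors": []})
            entry["errors"].append((m["ts"], msg))
        elif m["channel"] in TLS_CHANNELS:
            recent[pid].append((m["ts"], m["channel"], msg))
    return list(findings.values())

# Constructed sample: made-up PIDs, message texts copied from the thread.
SAMPLE = """\
2021-01-14 16:28:34,186 mod_proxy/0.7[4101]: starting TLS negotiation on data connection
2021-01-14 16:28:34,190 [4101] <proxy.tls:9>: requesting stapled OCSP response
2021-01-14 16:28:34,191 [4102] <proxy.tls:9>: requesting stapled OCSP response
2021-01-14 16:28:34,200 [4101] <proxy.tls:17>: WANT_READ encountered while connecting on fd 16, waiting to read data
2021-01-14 16:28:34,217 mod_proxy/0.7[4101]: unable to connect using TLS: system call error: [104] Connection reset by peer
2021-01-14 16:28:34,217 mod_proxy/0.7[4101]: unable to open data connection to upload.ftpserver.com: TLS negotiation failed
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"session pid {f['pid']}")
        for ts, chan, msg in f["before"]:
            print(f"  before  {ts} <{chan}> {msg}")
        for ts, msg in f["errors"]:
            print(f"  FAILED  {ts} {msg}")
```

Grouping by PID matters because ProFTPD sessions log concurrently into the same file, so the lines just above a failure may belong to a different session.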
I'm trying to use mod_proxy to get support for TLS1.0 for an FTP service that only supports TLS1.2.
So the way it should go is:
Client -----[TLS1.0]----->proftpd/mod_proxy -------[TLS1.2]------>FTPS server.
I've gotten the connection to proftpd to work (custom compiled with mod_proxy and mod_tls), but it looks like it fails the TLS connections to the backend FTPS server.
The error I get is:
Any hints of how to set it up appreciated, or even how I get to test this. I've verified that with Filezilla the backend server is responsive.