stilliard / docker-pure-ftpd

Docker Pure-ftpd Server
https://hub.docker.com/r/stilliard/pure-ftpd/
MIT License

ssl issues with pure-ftpd v1.0.47 stilliard/pure-ftpd:hardened #146

Open oprudkyi opened 4 years ago

oprudkyi commented 4 years ago

Hi, it's unrelated to the Docker image itself, but after updating to the latest stilliard/pure-ftpd:hardened, SSL errors started. I get PHP errors when trying to download a file (ls works, though):

Exception ftp_fget(): SSL read failed

There are no errors on a system with the old image (stilliard/pure-ftpd@sha256:7a146e51027e92226f9fbfb2bd1933c3c4b4c7d45dedfc142f0455066a60feb0), nor with stilliard/pure-ftpd:stretch-latest, i.e. with v1.0.43.

I suspect there is some incompatibility between some clients and TLSv1.3 as it is implemented in v1.0.47. Could you please leave stilliard/pure-ftpd:stretch-latest as is (or make a tagged version, i.e. stilliard/pure-ftpd:stretch-1.0.43)?

Config (TLS + pregenerated PEMs):

      containers:
      - name: pure-ftpd
        image: "stilliard/pure-ftpd:hardened"
        env:
        - name: PUBLICHOST
          value: localhost
        - name: FTP_USER_NAME
          value: ftpuser
        - name: FTP_USER_PASS
          value: ftppass
        - name: FTP_USER_HOME
          value: /home/ftpuser
        - name: ADDED_FLAGS
          value: "--tls=2 -d -d"
        - name: FTP_PASSIVE_PORTS
          value: "30005:30014"
        volumeMounts:
          - name: pure-ftpd-config
            mountPath: /etc/pure-ftpd/passwd/
          - name: pure-ftpd-config
            mountPath: /etc/ssl/private/
          - name: pure-ftpd-pv
            mountPath: /home/ftpuser/
            subPath: test-pure-ftpd/

In the logs, v1.0.47 stops at Connecting:

(ftpuser@10.4.0.3) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
...
(ftpuser@10.4.0.3) [DEBUG] Command [retr] [/path/to/file]
(ftpuser@10.4.0.3) [DEBUG] 150 Connecting to port 41019

v1.0.43 works:

(ftpuser@10.4.0.13) [DEBUG] Command [retr] [/path/to/file]
(ftpuser@10.4.0.13) [DEBUG] 150 Connecting to port 59187
(ftpuser@10.4.0.13) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305, 256 secret bits cipher
(ftpuser@10.4.0.13) [NOTICE] /path/to/file downloaded  (18 bytes, 158.21KB/sec)
(ftpuser@10.4.0.13) [DEBUG] 226-File successfully transferred
(ftpuser@10.4.0.13) [DEBUG] 226 0.000 seconds (measured here), 158.21 Kbytes per second
(ftpuser@10.4.0.13) [DEBUG] Command [quit] []
(ftpuser@10.4.0.13) [INFO] Logout.
(ftpuser@10.4.0.13) [DEBUG] 221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
(ftpuser@10.4.0.13) [DEBUG] 221 Logout.

stilliard commented 4 years ago

Hi @oprudkyi, thanks for the detail here.

In your tests, you were previously using the :hardened tag, would you mind running a quick test against the :latest tag to see if that works for you? That also uses the newer pure-ftpd version but without some of the changes added to our hardened branch.

Thank you.

oprudkyi commented 4 years ago

Hi @stilliard, the :latest has the same issues as :hardened. I suspect this is probably related to https://bugs.launchpad.net/ubuntu/+source/pure-ftpd/+bug/1832998 but I'm not sure.
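
For triaging this symptom across many clients, the following is an added example (not code from the thread or from the project): it scans pure-ftpd debug logs for RETR transfers that reached `150 Connecting` but never logged a `226`, and records which TLS versions were logged around them. The function and field names are hypothetical, and it assumes that a `TLS: Enabled` line logged after the `150` belongs to the data connection.

```python
import re

# Log lines copied from the issue above (the "..." elision line is dropped).
SAMPLE_LOG = """\
(ftpuser@10.4.0.3) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
(ftpuser@10.4.0.3) [DEBUG] Command [retr] [/path/to/file]
(ftpuser@10.4.0.3) [DEBUG] 150 Connecting to port 41019
(ftpuser@10.4.0.13) [DEBUG] Command [retr] [/path/to/file]
(ftpuser@10.4.0.13) [DEBUG] 150 Connecting to port 59187
(ftpuser@10.4.0.13) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-CHACHA20-POLY1305, 256 secret bits cipher
(ftpuser@10.4.0.13) [NOTICE] /path/to/file downloaded  (18 bytes, 158.21KB/sec)
(ftpuser@10.4.0.13) [DEBUG] 226-File successfully transferred
"""

LINE = re.compile(r"^\((?P<who>[^)]+)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
TLS = re.compile(r"^TLS: Enabled (?P<ver>\S+) with ")
RETR = re.compile(r"^Command \[retr\] \[(?P<path>.*)\]$")


def find_stalled_retr(log_text):
    """Return RETR transfers that reached '150 Connecting' but never logged a 226."""
    last_tls = {}   # session -> TLS version of the most recent handshake logged
    pending = {}    # session -> transfer record still waiting for its 226
    stalled = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip elisions and lines in other formats
        who, msg = m["who"], m["msg"]
        if t := TLS.match(msg):
            last_tls[who] = t["ver"]
            if who in pending and pending[who]["connecting"]:
                pending[who]["data_tls"] = t["ver"]  # assumed: data-channel handshake
        elif r := RETR.match(msg):
            old = pending.pop(who, None)
            if old and old["connecting"]:
                stalled.append(old)  # earlier transfer never completed
            pending[who] = {"session": who, "path": r["path"], "connecting": False,
                            "tls_before_retr": last_tls.get(who), "data_tls": None}
        elif msg.startswith("150 ") and who in pending:
            pending[who]["connecting"] = True
        elif msg.startswith("226") and who in pending:
            pending.pop(who)  # transfer completed
    stalled.extend(p for p in pending.values() if p["connecting"])
    return stalled
```

On the excerpts above it flags only the v1.0.47 session, with TLSv1.3 logged before the RETR and no handshake logged after the `150`.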