I am running Ubuntu Server 20.04 and proftpd 1.36 and have an issue setting up TLS.
I have followed the guide in the config file, but I get a very odd error. That there is no supported cipher. And then the process breaks with a handshake error. The SSL clienthello message includes a lot of ciphers that is recognised, and that is on the machine.
TLS log:
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions attempted: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions established: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions renegotiated: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions resumed: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL sessions in cache: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache hits: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache misses: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache timeouts: 0
2020-06-29 18:16:30,457 mod_tls/2.7[87378]: [stat]: SSL session cache size exceeded: 0
2020-06-29 18:16:35,242 mod_tls/2.7[87910]: TLSOption EnableDiags enabled, setting diagnostics callback
2020-06-29 18:16:35,245 mod_tls/2.7[87910]: error initializing OpenSSL context for this session
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: TLS/TLS-C requested, starting TLS handshake
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: [info] (unknown): before SSL initialization
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: [info] accepting: before SSL initialization
2020-06-29 18:16:35,247 mod_tls/2.7[87910]: [info] accepting: before SSL initialization
2020-06-29 18:16:35,255 mod_tls/2.7[87910]: [msg] received protocol record message (5 bytes)
2020-06-29 18:16:35,255 mod_tls/2.7[87910]: [info] accepting: before SSL initialization
2020-06-29 18:16:35,255 mod_tls/2.7[87910]: [msg] received TLSv1.3 'ClientHello' Handshake message (368 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [msg]
ClientHello:
client_version = TLS 1.2
random:
gmt_unix_time = Thu Oct 20 14:46:18 1904 (not guaranteed to be accurate)
random_bytes (28 bytes)
5820ebe66e5afa9ec7d9cfc5d69fd7b97698ba054091bd338c918587
session_id (0 bytes)
cipher_suites (58 bytes)
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
[unknown/unsupported]
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[unknown/unsupported]
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[unknown/unsupported]
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[unknown/unsupported]
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[unknown/unsupported]
TLS_RSA_WITH_AES_256_CBC_SHA
[unknown/unsupported]
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
[unknown/unsupported]
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[unknown/unsupported]
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[unknown/unsupported]
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[unknown/unsupported]
compression_methods (1 byte)
None
extensions (265 bytes)
extension_type = status_request (5 bytes)
extension_type = elliptic_curves (22 bytes)
extension_type = ec_point_formats (2 bytes)
extension_type = signature_algorithms (34 bytes)
extension_type = encrypt_then_mac (0 bytes)
extension_type = extended_master_secret (0 bytes)
extension_type = session_ticket (0 bytes)
extension_type = key_share (139 bytes)
extension_type = supported_versions (9 bytes)
extension_type = renegotiate (1 byte)
extension_type = psk_kex_modes (3 bytes)
extension_type = [unknown/unsupported] (2 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [msg] sent protocol record message (5 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [msg] sent TLSv1.2 fatal 'handshake_failure' Alert message (2 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [info] writing: SSL/TLS alert fatal: handshake failure
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [info] accepting: error
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: unable to accept TLS connection: protocol error:
(1) error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: unable to accept TLS connection: client does not support any cipher from 'TLSCipherSuite DEFAULT:!ADH:!EXPORT:!DES' (see `openssl ciphers DE>
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: TLS/TLS-C negotiation failed on control channel
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions attempted: 1
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions established: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions renegotiated: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions resumed: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL sessions in cache: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache hits: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache misses: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache timeouts: 0
2020-06-29 18:16:35,256 mod_tls/2.7[87910]: [stat]: SSL session cache size exceeded: 0
Output of openssl
openssl ciphers -v 'DEFAULT:!ADH:!EXPORT:!DES'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384
RSA-PSK-AES256-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1
DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256
RSA-PSK-AES128-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1
DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
As you can see there is plenty of matching ciphers. So why do I get this error??
———– Bonus info———-
I have tried changing the Cipher to a single cipher, to every cipher, still same error.
I have tried changing the protocol, still same error.
Google has not helped me find a solution, all errors seems to be with actual missing certificates, or not related.
proftpd tls config for completions sake:
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
#
# CA the server trusts...
#TLSCACertificateFile /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
TLSOptions NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired auth
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
</IfModule>
Best Answer
Ok, so quite by accident I fell over other people having issues with openssl, and found that in newer versions the recommended keysize is set to 2048bits and not the 1024 as suggested in the proftpd guide. I tried generating new keys using 2048 bits, and now the handshake seems to work! The dataconnection however fails, but that's probably a different issue.
Edit: data connection was just the Reuse problem.