
FTP upload with TLS 1.3 results in 0 byte file on the server, eventually times out #13556

Open
blach opened this issue May 7, 2024 · 8 comments

Comments

blach commented May 7, 2024

I did this

I'm using the following command line to upload the file "test.html" with a size of 18815 bytes to a server using FTP with SSL encryption:

curl --ssl-reqd ftp://<redacted>.kasserver.com/test/ -u <redacted> --upload-file test.html

This command results in a 0 byte file on the server instead of the expected file with 18815 bytes.

The transfer progress looks like this:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18815    0     0  100 18815      0    311  0:01:00  0:01:00 --:--:--     0
curl: (28) FTP response timeout

It claims that 18815 bytes are transferred immediately, but then nothing happens and the upload times out after 1 minute.

When I add --tls-max 1.2, the upload works immediately and the file on the server has the correct size and contents.

This is the FTP server of the popular German hoster https://all-inkl.com/

I expected the following

I expected the file to upload successfully.

curl/libcurl version

curl 8.7.1 (aarch64-apple-darwin23.4.0) libcurl/8.7.1 (SecureTransport) OpenSSL/3.3.0 zlib/1.2.12 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libssh2/1.11.0 nghttp2/1.61.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

operating system

macOS Sonoma 14.4.1

blach (Author) commented May 7, 2024

This is the verbose output of the failing FTP upload command that eventually times out and results in a 0 byte file on the server:

* Connected to <redacted>.kasserver.com (85.13.<redacted>) port 21
< 220 FTP on <redacted>.kasserver.com ready
> AUTH SSL
< 234 AUTH SSL successful
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [10 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4590 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / RSASSA-PSS
* Server certificate:
*  subject: CN=*.kasserver.com
*  start date: Dec 18 00:00:00 2023 GMT
*  expire date: Jan 17 23:59:59 2025 GMT
*  subjectAltName: host "<redacted>.kasserver.com" matched cert's "*.kasserver.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
} [5 bytes data]
> USER <redacted>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< 331 Password required for <redacted>
} [5 bytes data]
> PASS <redacted>
{ [5 bytes data]
< 230 User <redacted> logged in
} [5 bytes data]
> PBSZ 0
{ [5 bytes data]
< 200 PBSZ 0 successful
} [5 bytes data]
> PROT P
{ [5 bytes data]
< 200 Protection set to Private
} [5 bytes data]
> PWD
{ [5 bytes data]
< 257 "/" is the current directory
* Entry path is '/'
} [5 bytes data]
> CWD test
* ftp_perform ends with SECONDARY: 0
{ [5 bytes data]
< 250 CWD command successful
} [5 bytes data]
> EPSV
* Connect data stream passively
{ [5 bytes data]
< 229 Entering Extended Passive Mode (|||50218|)
* Connecting to 85.13.<redacted> (85.13.<redacted>) port 50218
*   Trying 85.13.<redacted>:50218...
* Connected 2nd connection to 85.13.<redacted> port 50218
* SSL reusing session ID
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
> TYPE I
{ [5 bytes data]
< 200 Type set to I
} [5 bytes data]
> STOR test.html
{ [5 bytes data]
< 150 Opening BINARY mode data connection for test.html
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [161 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [10 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / UNDEF
* Server certificate:
*  subject: CN=*.kasserver.com
*  start date: Dec 18 00:00:00 2023 GMT
*  expire date: Jan 17 23:59:59 2025 GMT
*  subjectAltName: host "<redacted>.kasserver.com" matched cert's "*.kasserver.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
} [5 bytes data]
* upload completely sent off: 18815 bytes
* Remembering we are in dir "test/"
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
* FTP response timeout
* control connection looks dead
* Closing connection
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]

blach (Author) commented May 7, 2024

The problem might be related to #6149

This issue was actually discovered when using libcurl to upload a file >18KB using FTP with explicit auth SSL to that server.

With libcurl and curl_easy_perform I get the error "Transferred a partial file".

blach (Author) commented May 8, 2024

I just set up a brand new vsftpd server on a Debian 12 machine that is publicly accessible.

I created a new RSA 4096 key and enabled SSL for the FTP server.

Now uploading a file larger than a certain size results in a 0 byte file on the server and the curl command times out.

Can I privately share the commands to reproduce this issue with you?

The problem is that the command only works once, then vsftpd seems to keep accessing the file, so when the command is issued a second time, it shows a different behavior. That's why I wouldn't want to post this publicly.

blach (Author) commented May 8, 2024

The redacted commands to reproduce this after setting up the vsftpd server with SSL are:

To create a local file with a size of 18 kB:

head --bytes 18432 /dev/zero > test-curl.txt

Upload the file:

curl --ssl-reqd --insecure ftp://<ip-address>/ -u <redacted> --upload-file test-curl.txt --verbose

The upload starts, times out, and results in a 0 byte "test-curl.txt" file on the server.

Uploading the same file to the same server with FileZilla using TLS 1.3 works without problems.
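The following is an added reproduction harness, not curl project code and not the reporter's own script. It packages the two-step reproduction above (create an 18 kB zero-filled file, upload it with --ssl-reqd) together with the check a practitioner would want from the verbose trace in the earlier comment: after STOR, a healthy upload gets "150" and then "226" on the control channel, whereas the failing run gets "150", "upload completely sent off" and then "FTP response timeout" with no "226", leaving a 0-byte file. The harness runs the same upload with --tls-max 1.2 and --tls-max 1.3 side by side and asks the server for the stored size. The environment variables FTP_HOST and FTP_USER (in "user:password" form), the 90-second --max-time, and the assumption that the account may write to the root directory are all hypothetical choices made here; with no server configured it only classifies a constructed trace excerpt modelled on the one in this issue.

```shell
#!/bin/sh
# Added reproduction harness for this issue; not curl project code and not the
# reporter's script. Assumptions (hypothetical): FTP_HOST and FTP_USER
# ("user:password") are exported by the caller, the server offers explicit
# FTP-over-TLS on port 21, and the account may write to the root directory.

# Create a zero-filled file of the requested size (same as the
# "head --bytes 18432 /dev/zero" step); prints the number of bytes written.
make_test_file() {
    path=$1
    size=$2
    head -c "$size" /dev/zero > "$path"
    wc -c < "$path" | tr -d ' '
}

# Classify a saved "curl --verbose" FTP trace by the control-channel replies
# around STOR. A healthy upload shows "< 150 ..." followed by "< 226 ...";
# the failure in this issue shows 150, "upload completely sent off", and then
# "FTP response timeout" with no 226. Prints ok / timeout / no-stor / unknown;
# the exit status is 0 only for ok.
classify_trace() {
    trace=$1
    if ! grep -q '^> STOR ' "$trace"; then
        echo no-stor
        return 1
    fi
    if grep -q '^< 226' "$trace"; then
        echo ok
        return 0
    fi
    if grep -q 'FTP response timeout' "$trace"; then
        echo timeout
        return 1
    fi
    echo unknown
    return 1
}

# Constructed trace excerpt modelled on the failing run in this issue, so
# classify_trace can be exercised without any server.
sample_failing_trace() {
    cat <<'EOF'
> STOR test-curl.txt
< 150 Opening BINARY mode data connection for test-curl.txt
* upload completely sent off: 18432 bytes
* FTP response timeout
* control connection looks dead
EOF
}

# Upload a file with the given --tls-max value, keep the verbose trace in $3,
# and classify it. A bounded --max-time makes the run terminate even when the
# server never sends 226.
upload_with_tls_max() {
    src=$1
    tlsmax=$2
    trace=$3
    curl -sS --ssl-reqd --tls-max "$tlsmax" --max-time 90 --verbose \
        -u "$FTP_USER" --upload-file "$src" "ftp://$FTP_HOST/" \
        >/dev/null 2>"$trace"
    classify_trace "$trace"
}

# Size the server reports for a stored file: "curl -I" on an FTP URL issues
# SIZE and prints the answer as Content-Length. Prints 0 when no size comes
# back, which matches the 0-byte symptom in the report.
remote_size() {
    curl -sS --ssl-reqd -I -u "$FTP_USER" "ftp://$FTP_HOST/$1" 2>/dev/null \
        | awk 'tolower($1) == "content-length:" { sub("\r", "", $2); print $2; found = 1 }
               END { if (!found) print 0 }'
}

# Run the 18 kB upload once per TLS ceiling and compare what the server stored
# with the local size, so a TLS 1.3-only failure stands out side by side.
compare_tls_versions() {
    dir=$(mktemp -d)
    local_size=$(make_test_file "$dir/test-curl.txt" 18432)
    for v in 1.2 1.3; do
        result=$(upload_with_tls_max "$dir/test-curl.txt" "$v" "$dir/trace-$v.log" || true)
        stored=$(remote_size test-curl.txt)
        echo "tls-max $v: control channel $result, local $local_size bytes, stored $stored bytes"
    done
}

if [ -n "${FTP_HOST:-}" ] && [ -n "${FTP_USER:-}" ]; then
    compare_tls_versions
else
    # Offline mode: classify the constructed excerpt only.
    tmp=$(mktemp)
    sample_failing_trace > "$tmp"
    classify_trace "$tmp" || true
    rm -f "$tmp"
fi
```

Run it as `FTP_HOST=<ip-address> FTP_USER='<user>:<password>' sh harness.sh` against a test server; the two trace files it leaves behind are the same verbose output as in the earlier comment, so the TLS 1.2 and TLS 1.3 runs can be diffed directly. The classification looks only at control-channel reply codes, deliberately ignoring the TLS handshake lines, because the trace in this issue shows the data-connection handshake completing normally before the stall.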

blach (Author) commented May 8, 2024

I also asked the support team at all-inkl.com what FTP server software they are using. They answered that they are using ProFTPD from the original Ubuntu repository.

So it looks like this is an issue with both vsftpd and ProFTPD servers when using TLS 1.3.

blach (Author) commented May 20, 2024

Can you reproduce this issue? Is there anything I can do to help?

bagder (Member) commented May 20, 2024

@icing there's no upload among the new ftp tests yet is there?

icing (Contributor) commented May 20, 2024

No.
