FTPc 1.55
Colin (478) 2433 posts |
It turns out that it is not just a pure-ftpd problem; vsftpd also doesn’t work in its default config. It produces virtually identical Wireshark output except it replies with one more response to the LIST command.
configuring vsftpd with
made vsftpd work with ftpc. Just need to work out what session reuse is. |
Colin (478) 2433 posts |
And it turns out that setting the ‘brokenclientcompatability’ flag in pure-ftpd makes ftpc work with that too. |
Dave Higton (1515) 3497 posts |
RFC 5077, if I understand correctly. As such there must be functionality in the AcornSSL module if it’s ever to work; it cannot be done solely by the module’s clients. This raises some questions: If it is supported, should the support be entirely within AcornSSL, or should it require co-operation with the client, e.g. to store the session ticket, and maybe to flag whether to request support? I suspect that it should be the client’s job to store the ticket. If it’s failing, is this because AcornSSL sends an empty SessionTicket extension, but it should not send the extension at all? |
Dave Higton (1515) 3497 posts |
Yes, we send empty SessionTicket extensions, which says we support RFC 5077, then we don’t actually do the support work. This means AcornSSL is broken in this regard. The simple fix for now is to make the module not send the SessionTicket extension. |
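What an empty SessionTicket extension looks like on the wire, as an added example that is not part of the thread and is not AcornSSL or Mbed TLS code: a Python check of one TLS 1.2 ClientHello record for extension type 35 (RFC 5077). The function names and the sample records produced by `build_hello` are constructed for illustration.

```python
import struct

SESSION_TICKET = 35  # extension type assigned by RFC 5077

def client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} for one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                         # version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    exts = {}
    if pos >= len(body):            # the extensions block is optional
        return exts
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def ticket_status(record: bytes) -> str:
    exts = client_hello_extensions(record)
    if SESSION_TICKET not in exts:
        return "absent"   # client makes no claim of RFC 5077 support
    if not exts[SESSION_TICKET]:
        return "empty"    # claims support and asks the server for a ticket
    return "ticket"       # presents a stored ticket to resume a session

def ext(etype: int, data: bytes = b"") -> bytes:
    return struct.pack("!HH", etype, len(data)) + data

def build_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello record."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, no session_id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one suite, null compression
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs
```

Running `ticket_status` over the ClientHello records exported from a capture shows whether a client is advertising ticket support ("empty") without ever coming back with a ticket on a later connection.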
Colin (478) 2433 posts |
Mbedtls calls the process ‘resume session’, and the client needs to use mbedtls_ssl_set_session() and mbedtls_ssl_get_session() somehow. I think AcornSSL would need changes as we don’t have access to the mbedtls library. |
Dave Higton (1515) 3497 posts |
I can imagine an extension to the AcornSSL interface. When the client starts a secure session, or upgrades a plain connection to secure, the client sets a flag if it is prepared to support SessionTickets, and passes an existing ticket in a register (or NULL if there isn’t an existing one), whereupon the ticket is returned in a register by the module. |
Colin (478) 2433 posts |
OK, I fixed the authmode issue. Would anyone like to try FTPc 1.55b? It includes a modified version of AcornSSL which just needs double-clicking on to run it. |
Dave Higton (1515) 3497 posts |
Cracking job, Colin, thank you. Works nicely on my web site and still works just as well with AntiSpam and MSC on all my mailboxes. In fact, since several of my mailboxes sometimes throw up errors when trying to connect, it will be interesting to see if there are any fewer now. |
Dave Higton (1515) 3497 posts |
Will this code make it into the ROOL disc dev tree, will it turn up in nightly builds of HardDisc4, and, if so, when? |
Colin (478) 2433 posts |
It’s being reviewed – I think. Presumably the people involved are working from home and programming all day. This probably doesn’t make turning to a programming hobby in the same environment very appealing, so I suppose it’ll take as long as it takes. |
Steve Fryatt (216) 2103 posts |
You can see the progress here |
Colin Ferris (399) 1809 posts |
Has the code been added that works a USB DOS floppy drive? |
Colin (478) 2433 posts |
I can’t remember what happened with that. I may have just left it, as it didn’t read riscos discs. I’ll have to look into it. |