#8766 closed defect (worksforme)

Implement correct SSL shutdown on closing connection

Reported by: jankok
Owned by: dkocher
Priority: normal
Milestone: 4.7.1
Component: ftp-tls
Version: 4.7
Severity: normal
Keywords: rfc2246 ftp-ssl
Cc:
Architecture: Intel
Platform: Mac OS X 10.10

Description (last modified by dkocher)

When Cyberduck FTP-SSL closes the FTP connection it doesn't first perform the SSL shutdown that is expected by the FTP-SSL implementation.

Before closing the TCP connection, a correct TLS shutdown should be initiated.

Specification for closing TLS connections in RFC2246

Correct behaviour for shutdown is important to ensure TLS' resistance against truncation attacks.

Change History (4)

comment:1 Changed on Apr 26, 2015 at 6:52:57 PM by dkocher

  • Component changed from core to ftp-tls
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed on Apr 27, 2015 at 8:34:52 AM by dkocher

  • Description modified (diff)

comment:3 Changed on Apr 27, 2015 at 8:36:47 AM by dkocher

This is described in section [7.2.1. Closure alerts].

   The client and the server must share knowledge that the connection is
   ending in order to avoid a truncation attack. Either party may
   initiate the exchange of closing messages.

   close_notify
       This message notifies the recipient that the sender will not send
       any more messages on this connection. The session becomes
       unresumable if any connection is terminated without proper
       close_notify messages with level equal to warning.

   Either party may initiate a close by sending a close_notify alert.
   Any data received after a closure alert is ignored.
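
The receiving side of the rules quoted above, as an added example that is not part of the ticket and is not Cyberduck code: a small Python model that walks a stream of already-decrypted TLS records and reports whether it ended with close_notify or was cut off. The helper names and the sample payload are constructed for illustration; a real TLS stack applies the same checks after record decryption.

```python
import struct
from typing import NamedTuple

ALERT, APPLICATION_DATA = 21, 23   # ContentType values (RFC 2246, 6.2.1)
WARNING, FATAL = 1, 2              # AlertLevel
CLOSE_NOTIFY = 0                   # AlertDescription

class Result(NamedTuple):
    data: bytes        # application data accepted before the connection ended
    status: str        # "closed", "aborted" or "truncated"
    resumable: bool    # session may be resumed only after a proper close_notify

def record(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    """Frame one plaintext record: type(1) | version(2) | length(2) | payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def receive(stream: bytes) -> Result:
    """Process every record received before transport EOF (the end of `stream`)."""
    data, pos = b"", 0
    while len(stream) - pos >= 5:
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) < length:
            break                                  # EOF in the middle of a record
        pos += 5 + length
        if ctype == APPLICATION_DATA:
            data += body
        elif ctype == ALERT and len(body) == 2:
            level, description = body
            if description == CLOSE_NOTIFY:        # later records are ignored
                return Result(data, "closed", level == WARNING)
            if level == FATAL:
                return Result(data, "aborted", False)
    # The bytes ran out and no closure alert was seen: the peer, or someone
    # on the path, closed the transport without close_notify.
    return Result(data, "truncated", False)

# Constructed sample: three data records followed by a close_notify alert.
CHUNKS = [b"line 1\n", b"line 2\n", b"line 3\n"]
CLEAN = b"".join(record(APPLICATION_DATA, c) for c in CHUNKS) + record(
    ALERT, bytes([WARNING, CLOSE_NOTIFY]))
CUT = CLEAN[: 2 * len(record(APPLICATION_DATA, CHUNKS[0]))]  # TCP closed early

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("cut", CUT)):
        print(name, receive(stream))
```

A receiver that treats the "truncated" result as a normal end of data accepts the shortened stream as complete, which is why the closure alert has to precede the TCP close.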

comment:4 Changed on Apr 27, 2015 at 8:38:20 AM by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

I have run with some TLS logging output enabled and we do send a `main, SEND TLSv1.2 ALERT: warning, description = close_notify` when closing the session. How did you conclude that we do not send a close_notify at all? Can you share some server logging output?