#8766 closed defect (worksforme)

Implement correct SSL shutdown on closing connection

Reported by: jankok
Owned by: dkocher
Priority: normal
Milestone: 4.7.1
Component: ftp-tls
Version: 4.7
Severity: normal
Keywords: rfc2246 ftp-ssl
Cc:
Architecture: Intel
Platform: Mac OS X 10.10

Description (last modified by dkocher)

When Cyberduck FTP-SSL closes the FTP connection, it doesn't first perform the SSL shutdown that is expected by the FTP-SSL implementation.

Before closing the TCP connection, a correct TLS shutdown should be initiated.

Specification for closing TLS connections in RFC2246

Correct behaviour for shutdown is important to ensure TLS' resistance against truncation attacks.

Change History (4)

comment:1 Changed on Apr 26, 2015 at 6:52:57 PM by dkocher

  • Component changed from core to ftp-tls
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed on Apr 27, 2015 at 8:34:52 AM by dkocher

  • Description modified (diff)

comment:3 Changed on Apr 27, 2015 at 8:36:47 AM by dkocher

This is described in section [7.2.1. Closure alerts].

   The client and the server must share knowledge that the connection is
   ending in order to avoid a truncation attack. Either party may
   initiate the exchange of closing messages.

       This message notifies the recipient that the sender will not send
       any more messages on this connection. The session becomes
       unresumable if any connection is terminated without proper
       close_notify messages with level equal to warning.

   Either party may initiate a close by sending a close_notify alert.
   Any data received after a closure alert is ignored.
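The RFC text quoted above says a connection that ends without close_notify must be treated as truncated. One way to check this on a captured FTP-TLS control stream, as an added example that is not part of this ticket or of Cyberduck's code: in TLS 1.0 through 1.2 the 5-byte record header is sent in the clear, so the alert record carrying close_notify is recognisable right before the TCP FIN even though its level and description are encrypted. The parser below walks one direction of a constructed TLS 1.2 byte stream and classifies how it ended; the record contents (handshake bytes, AES-GCM-sized alert payload) are made up for the example.

```python
import struct

# TLS record content types (RFC 2246 section 6.2.1; unchanged through TLS 1.2).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
RECORD_HEADER_LEN = 5  # type(1) + version(2) + length(2)


def record(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    """Frame a payload as one TLS record (used here only to build sample input)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def parse_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) records.
    Also returns how many trailing bytes did not form a complete record; a
    non-zero value means the TCP stream was cut in the middle of a record."""
    records, pos = [], 0
    while pos + RECORD_HEADER_LEN <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + RECORD_HEADER_LEN])
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"not a TLS record at offset {pos}: content type {ctype}")
        end = pos + RECORD_HEADER_LEN + length
        if end > len(stream):
            break  # header present, payload incomplete
        records.append((ctype, version, stream[pos + RECORD_HEADER_LEN:end]))
        pos = end
    return records, len(stream) - pos


def classify_close(stream: bytes) -> str:
    """Classify how one direction of a TLS <= 1.2 connection ended, given the
    bytes sent before the TCP FIN. An alert as the final record is what a
    close_notify shutdown looks like on the wire; no alert means the peer just
    closed the socket, which RFC 2246 says must be treated as a truncation.
    (TLS 1.3 hides the real content type, so this heuristic does not apply.)"""
    records, trailing = parse_records(stream)
    if trailing:
        return "truncated-mid-record"
    if not records:
        return "empty"
    return "closed-with-alert" if records[-1][0] == ALERT else "closed-without-alert"


# Constructed sample: end of handshake, CCS, one application record, then an
# encrypted alert sized like an AES-GCM close_notify (2 bytes + 8 nonce + 16 tag).
CLEAN_CLOSE = (record(HANDSHAKE, b"\x0e\x00\x00\x00") + record(CHANGE_CIPHER_SPEC, b"\x01")
               + record(APPLICATION_DATA, bytes(21)) + record(ALERT, bytes(26)))
ABRUPT_CLOSE = CLEAN_CLOSE[:-len(record(ALERT, bytes(26)))]  # FIN straight after app data
CUT_MID_RECORD = CLEAN_CLOSE[:-10]                          # FIN inside the last record
```

Run it over the client-to-server bytes of the control connection: "closed-with-alert" is consistent with the close_notify the comment below reports, while "closed-without-alert" is the behaviour the ticket describes.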

comment:4 Changed on Apr 27, 2015 at 8:38:20 AM by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

I have run with some TLS logging output enabled and we do send a "main, SEND TLSv1.2 ALERT: warning, description = close_notify" when closing the session. How did you conclude that we do not send a close_notify at all? Can you share some server logging output?