vsftpd: 426 Failure reading network stream

This document (000020678) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 SP5

Situation

After upgrading vsftpd to version 3.0.5-48.3.1, many FTP clients increasingly report the following error, typically at the end of a file upload from a client.
  
426 Failure reading network stream.

Some attempts work, some do not.  It happens with a variety of clients.

Resolution

Set this parameter in /etc/vsftpd.conf:
strict_ssl_read_eof=NO

Cause

According to the vsftpd.log during these events, this condition also existed at the time of the error:
"DATA connection terminated without SSL shutdown"
This means that the client tried to terminate a TCP connection which was using SSL, but did not send an SSL_SHUTDOWN first.  This is improper SSL behavior from the client side and is very common.
When this happens, if vsftpd is being strict about SSL behavior (controlled by the configuration parameter "strict_ssl_read_eof"), it returns the 426 error to the client.

Additional Information

According to the man page for vsftpd.conf, this should be disabled by default:
strict_ssl_read_eof
     If enabled, SSL data uploads are required to terminate via SSL,
     not an EOF on the socket. This option is required to be sure
     that an attacker did not terminate an upload prematurely with a
     faked TCP FIN. Unfortunately, it is not enabled by default
     because so few clients get it right. (New in v2.0.7).

     Default: NO
However, in the code it's enabled by default: 
tunables.c:225:  tunable_strict_ssl_read_eof = 1;

The man page needs to be updated to show the correct default.  This has already been updated upstream by the Linux community, but that update has not yet reached the vsftpd package in SLES 12 SP5.
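
The following added example (not SUSE or vsftpd code) reports the strict_ssl_read_eof value that a given configuration file results in, treating an absent option as the compiled default described above, and counts the log message quoted under Cause. The function names, the output format and the COMPILED_DEFAULT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not SUSE or vsftpd code): report the strict_ssl_read_eof
# value a vsftpd.conf results in, and count the related log message.

# Default used when the option is absent. Per the page, tunables.c in this
# build sets it to 1 (YES) although the man page says NO.
COMPILED_DEFAULT=${COMPILED_DEFAULT:-YES}

# Prints "<YES|NO> <explicit|default>"; non-zero return on a bad file or value.
# Assumptions: the last uncommented assignment wins, and YES/TRUE/1 and
# NO/FALSE/0 (any case) are the accepted boolean spellings.
effective_strict_ssl_read_eof() {
    [ -r "$1" ] || { echo "UNREADABLE $1"; return 2; }
    raw=$(awk -F= '
        /^#/ { next }
        $1 == "strict_ssl_read_eof" { v = $2; seen = 1 }
        END { sub(/\r$/, "", v); if (seen) print "=" toupper(v) }' "$1")
    case $raw in
        "=YES"|"=TRUE"|"=1") echo "YES explicit" ;;
        "=NO"|"=FALSE"|"=0") echo "NO explicit" ;;
        "")                  echo "$COMPILED_DEFAULT default" ;;
        *)                   echo "INVALID ${raw#=}"; return 1 ;;
    esac
}

# Count data connections in a vsftpd log that ended without an SSL shutdown.
count_unclean_ssl_eof() {
    grep -c 'DATA connection terminated without SSL shutdown' "$1" || true
}

# Usage: sh check.sh [vsftpd.conf [vsftpd.log]]
if [ $# -ge 1 ]; then
    effective_strict_ssl_read_eof "$1"
    if [ $# -ge 2 ]; then count_unclean_ssl_eof "$2"; fi
else
    # No arguments: run on a constructed sample config that leaves the option unset.
    sample=$(mktemp)
    printf '%s\n' 'ssl_enable=YES' '#strict_ssl_read_eof=NO' > "$sample"
    effective_strict_ssl_read_eof "$sample"
    rm -f "$sample"
fi
```

A result of "YES default" means the option is not set in the file and the strict behavior comes from the compiled default rather than from the administrator's configuration.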

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020678
  • Creation Date: 23-Jun-2022
  • Modified Date: 23-Jun-2022
  • SUSE Linux Enterprise Server
