vsftpd: 426 Failure reading network stream
This document (000020678) is provided subject to the disclaimer at the end of this document.
426 Failure reading network stream.
Some attempts work, some do not. It happens with a variety of clients.
"DATA connection terminated without SSL shutdown"
This means that the client tried to terminate a TCP connection which was using SSL, but did not send an SSL_SHUTDOWN first. This is improper SSL behavior from the client side and is very common..When this happens, if vsftpd is being strict about ssl behavior (controlled by configuration parameter "strict_ssl_read_eof'"), it will return the 426 error to the client.
strict_ssl_read_eof If enabled, SSL data uploads are required to terminate via SSL, not an EOF on the socket. This option is required to be sure that an attacker did not terminate an upload prematurely with a faked TCP FIN. Unfortunately, it is not enabled by default because so few clients get it right. (New in v2.0.7). Default: NOHowever, in the code it's enabled by default:
tunables.c:225: tunable_strict_ssl_read_eof = 1;
The man page needs to be updated to show the correct default. This has already been updated upstream by the Linux community, but that update has not yet reached the vsftpd package in SLES 12 SP5.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020678
- Creation Date: 23-Jun-2022
- Modified Date:23-Jun-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com