Operating System - HP-UX

ftp stopped working after patches, SSL/TLS initialization failed

 
dictum9
Super Advisor


I installed the March 2016 patch bundle and quality pack on my L class running 11.31, and after the reboot, ssh, sftp, scp and ftp stopped working to a particular box.

 

 ftp xx.xx.xx.xx
WARNING! SSL/TLS initialization failed
WARNING! Continuing in a Fallback  mode
ftp: connect: Connection timed out

I am getting these in the ssl log file:

 

==== Environmental variables dumped - End ====

SSL context initialised

SSL_CTX_use_certificate_file(/etc/ftpd/security/certs/xxxxxx-rsa-crt.pem) error:00000000:lib(0):func(0):reason(0)
~

# etc/ftpd/security/certs:# l
total 128
-r-xr--r--   1 root       sys            461 Sep 15  2009 trust-hash.sh
drwxr-xr-x   2 root       sys           8192 Sep 17  2009 saves
-rw-r--r--   1 bin        bin            884 Sep 17  2009 xxx_CA2_ROOT.pem
drwxrwxr-x   3 root       sys           8192 Oct 21  2009 .
-rw-r--r--   1 root       sys           3425 Sep 23  2010 cacert.pem
-rw-r--r--   1 bin        bin            887 Sep 23  2010 xxxx-rsa-crt.pem
-rw-r--r--   1 bin        bin            887 Sep 23  2010 xxxx-rsa-key.pem
drwxr-xr-x   3 root       sys           8192 May 25  2012 ..

 

2 REPLIES
dictum9
Super Advisor


I got root to work with ftp and some user accounts but not others. With two user accounts, I get this when I try to run ftp:

 

however root works perfectly.. and another mortal user.

 

ERROR! Could not continue the session, failed initializing SSL session context
Ensure that SSL parameters are configured properly.

 

 

 

Steven Schweda
Honored Contributor


   I haven't had patch access in years, and my SSL expertise is slight,
so I know nothing, but...

> [...] ssh, sftp, scp and ftp stopped working to a particular box.

   I may have a guess for the "S" programs, but I'd expect plain-old FTP
to work about as well as ever.

> SSL_CTX_use_certificate_file(/etc/ftpd/security/certs/xxxxxx-rsa-crt.pem)
> error:00000000:lib(0):func(0):reason(0)

   Not the most informative error message I've ever seen.

   My guess at the problem(s) is that the patch bundle included an
OpenSSL update which disabled some old/insecure algorithm(s), and that
your old certificate(s) used the now-disabled algorithm(s).

   My guess at the solution would be that you'd need to generate new
certificates.  I'd expect the stuff under "/etc/ftpd/" to affect the FTP
server, but not the "S" programs. Perhaps some other log file would
suggest a culprit certificate file for them.

   I'd also expect that the release notes for such a patch bundle would
explain this (or some other such) requirement (if there is one).

   But what do I know?
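
One way to test the guess in the reply above, as an added example that is not part of the thread: a shell function that reads the text form of a certificate (the output of `openssl x509 -in CERT.pem -noout -text`) and flags a signature digest or RSA key size that newer OpenSSL builds commonly refuse. The weak-algorithm list, the 2048-bit threshold and both sample certificate texts are assumptions constructed for the example; the thread does not say what the patch bundle changed.

```shell
#!/bin/sh
# Added example. Reads `openssl x509 -in CERT.pem -noout -text` output on stdin.
# Assumption: "weak" means an MD2/MD4/MD5/SHA-1 signature or a key under 2048 bits.
# Exit status: 0 = nothing flagged, 1 = weak property found, 2 = not parseable.
check_cert_text() {
    awk '
        /Signature Algorithm:/ && !sig {
            sig = $NF                      # e.g. sha1WithRSAEncryption
        }
        /Public[- ]Key: *\([0-9]+ bit\)/ {   # matches old and new OpenSSL layouts
            bits = $0
            sub(/.*\(/, "", bits)
            sub(/ bit.*/, "", bits)
        }
        END {
            if (sig == "") { print "UNKNOWN no signature algorithm found"; exit 2 }
            weak = 0
            if (tolower(sig) ~ /(md2|md4|md5|sha1)/) { print "WEAK signature " sig; weak = 1 }
            if (bits != "" && bits + 0 < 2048) { print "WEAK key " bits " bit"; weak = 1 }
            if (!weak) print "OK " sig " " bits " bit"
            exit weak
        }'
}

# Constructed sample: shape of a certificate issued years before the patch level.
sample_old() { cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Constructed sample: shape of a freshly generated replacement certificate.
sample_new() { cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_old | check_cert_text || true   # prints the two WEAK lines
sample_new | check_cert_text           # prints the OK line
```

On the affected host the input would be `openssl x509 -in /etc/ftpd/security/certs/<cert>.pem -noout -text | check_cert_text`, with `<cert>` standing for the file name redacted in the post.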