Secure FTP file uploads fail or get truncated.

  • 3373082
  • 24-Apr-2007
  • 27-Apr-2012

Environment

Novell NetWare 6.5 (Support Packs 1 - 8)
Novell NetWare 6.0 (Support Packs 3 - 5)
Novell NetWare 5.1 (Support Packs 6 - 8)
Novell NetWare FTP Server

Situation

Secure FTP file uploads fail or get truncated.
 
When a file is uploaded to a Novell NetWare FTP server using an SSL connection, one or more of the following symptoms may occur:

- the transfer completes but the file is not fully written (empty or truncated). The data is sometimes considered to be corrupted, although technically the data which gets written is correct, but the end of the file is missing.

- the transfer completes but the FTP connection is lost, resulting in the error: 451 Error in data connection.
 
- the transfer completes without error and the file is intact, but is held open by the server (cannot be deleted, renamed, overwritten).

Resolution

Many FTP-SSL clients fail to issue an SSL Close Notification before closing their SSL connections. This can result in failure to properly close the FTP data connection, leading to various difficulties which can cause the above symptoms.
 
Several NetWare adjustments and fixes have been made over time to compensate for clients which do not issue an SSL-close-notification.  It is very difficult to account for all possible client behaviors, however.  Whether or not any problems are seen will depend upon the FTP Client and version in use, and the version of winsock in use on NetWare (primarily WSPSSL.NLM).
 
The recommended update level of winsock depends upon the NetWare Support Pack which is in place.  Various facets of these issue have come and gone over time as winsock has changed, so do not presume that certain winsock updates are "safe" from these issues except as noted here.
 
 
If NetWare 6.5 Support Pack 5 is in use:
 
Use the post-SP5 update known as NW 6.5 SP5 Update 1.  This contains several important updates, including a winsock update which was known (when available individually) as wsock6i.exe.  It will provide WSPSSL.NLM dated March 25, 2006.   It is also safe to apply the winsock update wsock6L.zip, which provides WSPSSL.NLM version 6.24.02, dated March 30, 2007.  These 2 updates (6i and 6L) appear to give equivalent levels of success with these issue.
 
 
If NetWare 6.5 Support Pack 6 is in use:
 
Use wsock6L.zip.  This update provides WSPSSL.NLM version 6.24.02, dated March 30, 2007.
 
 
If NetWare 6.5 Support Pack 7 or 8 is in use:
 
These support packs do not need additional winsock updates in relation to these concerns.  Winsock updates between these 2 support packs (wsock6n and 6o) behave the same as SP7 and SP8 in these regards.

Additional Information

If the above updates are already in place, and these types of symptoms are still encountered, the following information and suggestions may be helpful:
 
 
1.  Many FTP-SSL clients (such as Core FTP and WS-FTP) can be configured to use SSL on the control connection (for commands) but use unencrypted (non-ssl) data connections (for directory listings and file transfers).  This type of configuration would allow the most crucial information (user name and password) to be protected, but avoid the problems described above by leaving file transfers unencrypted.
 
 
2.  With NetWare 6.5 SP5 or SP6, even with the winsock 6i or 6L updates in place, some FTP-SSL clients may experience a delay at the end up their upload.  They may even indicate an error has occurred.  The uploaded copy of the file should still be fully intact, but it is possible that it will be held open temporarily or even indefinitely by the NetWare server.  It would still be readable by other users, but may not be renamed, deleted, overwritten, etc.
 
To close / release the file:  Connect to the NetWare server where the file resides with NetWare Remote Manager (https://servername:8009).  This may be the server where NetWare FTP runs, or it may be another server.  Under Volume Management, click the volume name.  Browse to the directory containing the file.  Click the magnifying glass icon next to the file.  Scroll down to the section titled "File Lock Information by Connection" and click the "close" box next to the user who uploaded the file).  Then click the button labelled "Close file for marked connections."
 
To avoid this problem, the following options exist:
a.  Try another version of the FTP client.  The client may have been updated to close SSL data connections correctly, or other versions may have small variances which avoid the issue.
b.  Try a completely different FTP client.
c.  Update to NetWare 6.5 SP7 or SP8.  This symptom does not occur at those levels.  However, another symptom can occur.  See item 3 below:
 
 
3.  On NetWare 6.5 SP7 or SP8:  There are no known problems at these levels, so long as the destination of the upload is on the same NetWare Server where FTP Server is running.  However, if the destination of the upload is another NetWare Server (reached through server-to-server NCP), it is possible that the file could be truncated, but the FTP Client would believe it was uploaded successfully.  Also, the upload process might proceed much more slowly than in the past.
 
To avoid this truncation problem, the following options exist:
a.  Try another version of the FTP client.  The client may have been updated to close SSL data connections correctly, or other versions may have small variances which avoid the issue.
b.  Try a completely different FTP client.
c.   Run NetWare FTP Server on the same NetWare Server as the target location, and upload files directly there.
 
 
4.  Many FTP Clients (especially advanced GUI clients such as Filezilla, Core FTP, gFTP, etc) also include the option to use the SFTP (OpenSSH) protocol.  NetWare 6.5 can act as a OpenSSH server as well.  NetWare OpenSSH is an additional product install option on the NetWare 6.5 Product CD.  Like FTP-SSL, it provides secure encryption.  However, it uses different methods, and most SFTP clients implementations don't have the weaknesses which many FTP-SSL clients have.  Like NetWare FTP, NetWare OpenSSH can place files on remote NCP servers.  OpenSSH on NetWare was a completely new service in NetWare 6.5, so early versions of it were low on features and somewhat problematic.  If NetWare OpenSSH is to be used, Novell strongly recommends NetWare 6.5 SP8.
 
 
NOTE:  Specific winsock patches to avoid, when using FTP-SSL:  wsock6k, 6m, possibly 6j.
 
 
Formerly known as TID# 10093959