Return-Path: 
 <dev-return-41452-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: (qmail 38360 invoked from network); 9 Mar 2004 13:16:31 -0000
Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12)
  by minotaur-2.apache.org with SMTP; 9 Mar 2004 13:16:31 -0000
Received: (qmail 36410 invoked by uid 500); 9 Mar 2004 13:16:25 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 36193 invoked by uid 500); 9 Mar 2004 13:16:23 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 36172 invoked from network); 9 Mar 2004 13:16:23 -0000
Received: from unknown (HELO castlerea.stdlib.net) (212.13.199.152)
  by daedalus.apache.org with SMTP; 9 Mar 2004 13:16:23 -0000
Received: from colmmacc by castlerea.stdlib.net with local (Exim 4.20)
	id 1B0h4D-0001gL-Lj; Tue, 09 Mar 2004 13:14:41 +0000
Date: Tue, 9 Mar 2004 13:14:41 +0000
From: Colm MacCarthaigh <colm@stdlib.net>
To: Bose.Ghanta@stratus.com
Cc: "'ben@algroup.co.uk'" <ben@algroup.co.uk>,
	"'openssl-team@openssl.org'" <openssl-team@openssl.org>,
	dev@httpd.apache.org
Subject: Re: ftp site
Message-ID: <20040309131441.GA6366@castlerea.stdlib.net.>
Reply-To: colm@stdlib.net
References: <A2A34F15EE916148BC4C4748223E67A406BA5EDE@exna4.stratus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <A2A34F15EE916148BC4C4748223E67A406BA5EDE@exna4.stratus.com>
User-Agent: Mutt/1.3.28i
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

On Fri, Mar 05, 2004 at 04:35:37PM -0500, Ghanta, Bose wrote:
>  I was working on what I originally thought was a bug in our FTP client.
> Your ftp site has a very long banner (due to the crypto warnings and what
> all), and the bug opened against our FTP client was that it would disconnect
> partly through the login banner.  After using a packet sniffer, I determined
> that what is happening is that at a certain point, as your FTP server is
> sending banner lines, it drops the connection. 

This is a relatively common failure mode for scenarios involving a
stateful protocol-inspecting firewall being in the way. Many popular
implementations insist on a divisional newline being within the first
packet; to establish state (when using PASV) and protect against a
common attack method (see below).  If the banner size starts coming
close to the MTU and the handshake is fragmented these implementations
can break the internet.

See:

	http://www.securityfocus.com/archive/1/46655
	http://www.checkpoint.com/techsupport/alerts/pasvftp.html

for a description of why the check occurs, and see:

	http://lists.virus.org/fw1-0302/msg00599.html

for instructions on how to disable the check in the most common
implementation which displays this behaviour (checkpoint). It would be
worth investigating wether such a device is between you and the 
ftp server, and whether or not it is responsible for your problems.

-- 
Colm MacC�rthaigh                        Public Key: colm+pgp@stdlib.net