FTPS on Win 7

#20804
Posted: 07/17/2012 06:58:42
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Hello, I have a little problem with the SimpleFTPSClient.

We have an application (called SMILERun) to manage updates for other applications. The download of the updates used a normal FTP connection to our update server.
Now we have to use an SSL connection to this update server. I have integrated the SimpleFTPSClient component into SMILERun, and under Windows XP it works fine.
But under Windows 7 it doesn't.

Is there anything special to do for Windows 7?

This code (for Delphi 6) performs the login to the FTP server:

Code
    jwsbboxftp.Port := 21;
    frmFtpForm.Memo1.Lines.Add('Anmeldung');  //FTP-Log
    jwsbboxftp.Username := FTPUserName;
    jwsbboxftp.Password := FTPPasswort;
    jwsbboxftp.Address := FTPHostName;
    try
      jwsbboxftp.UseSSL := true;
      FirstTickCount := GetTickCount;
      login_versuche := 1;
      frmFtpForm.Memo1.Lines.Add('Login-Versuch mit SSL wird gestartet');  //FTP-Log

      jwsbboxftp.Open;
      frmFtpForm.Memo1.Lines.Add('Open');  //FTP-Log
      jwsbboxftp.Login;
      frmFtpForm.Memo1.Lines.Add('Login');  //FTP-Log
      logged_in := jwsbboxftp.Active;   { record the outcome of the first attempt }
      while ((jwsbboxftp.Active = false) and (login_versuche < 4)) do
      begin
        frmFtpForm.Memo1.Lines.Add('Login-Versuch ' + IntToStr(login_versuche) + ' Fehlgeschlagen');  //FTP-Log
        dftDelay(1000);                   { yield CPU time to other tasks etc. }
        if Application.Terminated then Break;
        if BreakAction then
        begin
          frmFtpForm.Memo1.Lines.Add('BreakAction');  //FTP-Log
          Break;
        end;
        login_versuche := login_versuche + 1;
        jwsbboxftp.Login;
        logged_in := jwsbboxftp.Active;   { true only if this retry actually succeeded }
      end;
    except
      { any exception from Open/Login (TLS handshake and certificate failures included) lands here }
      frmFtpForm.Memo1.Lines.Add('Login-Versuch mit SSL gescheitert.');  //FTP-Log
      if sslfallback then
      begin
        frmFtpForm.Memo1.Lines.Add('Login-Versuch ohne SSL wird gestartet.');  //FTP-Log
        jwsbboxftp.Close;

        jwsbboxftp.UseSSL := false;
        FirstTickCount := GetTickCount;
        login_versuche := 1;
        jwsbboxftp.Open;
        frmFtpForm.Memo1.Lines.Add('Open');  //FTP-Log
        jwsbboxftp.Login;
        frmFtpForm.Memo1.Lines.Add('Login');  //FTP-Log
        logged_in := jwsbboxftp.Active;
        while ((jwsbboxftp.Active = false) and (login_versuche < 4)) do
        begin
          frmFtpForm.Memo1.Lines.Add('Login-Versuch ' + IntToStr(login_versuche) + ' Fehlgeschlagen');  //FTP-Log
          dftDelay(1000);                   { yield CPU time to other tasks etc. }
          if Application.Terminated then Break;
          if FTP_Error then Break;
          if BreakAction then
          begin
            frmFtpForm.Memo1.Lines.Add('BreakAction');  //FTP-Log
            Break;
          end;
          login_versuche := login_versuche + 1;
          jwsbboxftp.Login;
          logged_in := jwsbboxftp.Active;
        end;
      end;
    end;


On 'jwsbboxftp.Login;' an exception is raised and the application jumps to the except block. I couldn't find any reason for that.

Is there any possibility to see what happened, an error code or something else?

Best regards
Joachim Wehmöller
#20805
Posted: 07/17/2012 07:11:39
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Could you clarify what exception you get? You should also try to connect to the server using our sample application located in the \EldoS\SecureBlackbox.VCL\Samples\Delphi\FTPSBlackbox\Client\SimpleFTPSDemo folder and post its log here if something doesn't work.
#20812
Posted: 07/18/2012 01:45:04
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Here is the log:
Code
<<<<220 ProFTP 1.3.4a Server (SMIA008)[xx.xx.xx.xx]

>>>>AUTH TLS
<<<<234 AUTH TLS successful

And here are the events:
Code
Connecting to smia008.telekom.de:21
Connected
Fatal local Error 75784
If you are getting Error 75778, this can mean that the remote server doesn't support specified SSL/TLS version
Error occured while enabling SSL/TLS on command channel

On WinXP it works properly.
#20819
Posted: 07/18/2012 06:03:35
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

It seems that some certificate is installed in the Windows certificate store on the Win7 machine and is not installed on WinXP. Try to replace your TElSimpleSSLClient.OnCertificateValidate event handler code with the single line:

Code
Validate := true;


and check if it works. If yes, then you should find out the problematic certificate and import it from the Win7 machine.
#20822
Posted: 07/18/2012 06:26:10
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

With this code it works.

But if I import the problematic certificate from the Win7 machine to the WinXP machine, will it not work anymore on WinXP..?

I have imported the self-signed certificate from the host into the Win7 machine and also into the WinXP machine.

Is there any hint to find out which certificate is the problematic one?
#20823
Posted: 07/18/2012 06:35:48
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
but if I import the problematic Certificate from the Win7 machine to the win XP machine it will not work anymore on win XP ..?

Sorry, you should do it vice versa. Most likely some certificate exists on the WinXP machine and doesn't exist on the Win7 machine. Or the network settings on the Win7 machine don't allow downloading the CRLs or OCSP responses needed to validate a certificate.

If you're using TElX509CertificateValidator inside TElSimpleFTPSClient.OnCertificateValidate, then you should implement its TElX509CertificateValidator.OnAfterCertificateValidation event handler and log its Validity and Reason values. This will allow you to find the problematic certificate that can't be validated for some reason. Please refer to this article for details: http://www.eldos.com/documentation/sb...ation.html
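The approach described in this reply (and the "Validate := true" diagnostic from the earlier one), written out as an added example. This is not EldoS sample code and not the original poster's code: it wires a TElX509CertificateValidator into the TElSimpleFTPSClient.OnCertificateValidate handler, logs the Validity and Reason of every certificate the validator visits through OnAfterCertificateValidation, and logs the exception class and message instead of silently falling back to plain FTP. The unit names, event signatures, the Versions bitmask constants and the integer CipherSuite property are quoted from memory of the SecureBlackbox VCL documentation and must be checked against the installed version; the TFtpsUpdater class and its method names are assumptions for the example.

```delphi
unit FtpsValidationExample;
{ Added example, not EldoS code: validate the server chain and log why it fails. }

interface

uses
  SysUtils, Classes, SBTypes, SBConstants, SBX509, SBCustomCertStorage,
  SBCertValidator, SBSimpleFTPS;

type
  TFtpsUpdater = class
  private
    FClient: TElSimpleFTPSClient;
    FValidator: TElX509CertificateValidator;
    FLog: TStrings;  // e.g. frmFtpForm.Memo1.Lines
    procedure ClientCertificateValidate(Sender: TObject;
      X509Certificate: TElX509Certificate; var Validate: Boolean);
    procedure ValidatorAfterValidation(Sender: TObject;
      Certificate: TElX509Certificate;
      AdditionalCertificates: TElCustomCertStorage;
      var Validity: TSBCertificateValidity;
      var Reason: TSBCertificateValidityReason; var DoContinue: TSBBoolean);
  public
    constructor Create(ALog: TStrings);
    destructor Destroy; override;
    function Login(const Host, User, Password: string): Boolean;
  end;

implementation

{ Render the Reason set as text so the log names every failed check. }
function ReasonToText(Reason: TSBCertificateValidityReason): string;
begin
  Result := '';
  if vrBadData in Reason then Result := Result + 'BadData ';
  if vrRevoked in Reason then Result := Result + 'Revoked ';
  if vrNotYetValid in Reason then Result := Result + 'NotYetValid ';
  if vrExpired in Reason then Result := Result + 'Expired ';
  if vrInvalidSignature in Reason then Result := Result + 'InvalidSignature ';
  if vrUnknownCA in Reason then Result := Result + 'UnknownCA ';
  if vrCAUnauthorized in Reason then Result := Result + 'CAUnauthorized ';
  if vrCRLNotVerified in Reason then Result := Result + 'CRLNotVerified ';
  if vrOCSPNotVerified in Reason then Result := Result + 'OCSPNotVerified ';
  if vrIdentityMismatch in Reason then Result := Result + 'IdentityMismatch ';
  Result := Trim(Result);
end;

function ValidityToText(Validity: TSBCertificateValidity): string;
begin
  case Validity of
    cvOk: Result := 'Ok';
    cvSelfSigned: Result := 'SelfSigned';
    cvInvalid: Result := 'Invalid';
    cvStorageError: Result := 'StorageError';
    cvChainUnvalidated: Result := 'ChainUnvalidated';
  else
    Result := 'Unknown';
  end;
end;

constructor TFtpsUpdater.Create(ALog: TStrings);
begin
  inherited Create;
  FLog := ALog;
  FValidator := TElX509CertificateValidator.Create(nil);
  FValidator.UseSystemStorages := True;  // trust roots from the Windows store
  FValidator.CheckCRL := True;           // revocation lookups: a blocked network
  FValidator.CheckOCSP := True;          // shows up here as CRL/OCSPNotVerified
  FValidator.OnAfterCertificateValidation := ValidatorAfterValidation;

  FClient := TElSimpleFTPSClient.Create(nil);
  FClient.UseSSL := True;
  FClient.Versions := sbTLS1 or sbTLS11 or sbTLS12;  // assumed Word bitmask; no SSL2/SSL3
  FClient.OnCertificateValidate := ClientCertificateValidate;
end;

destructor TFtpsUpdater.Destroy;
begin
  FClient.Free;
  FValidator.Free;
  inherited;
end;

{ Called once per certificate in the chain: the problematic one is named here. }
procedure TFtpsUpdater.ValidatorAfterValidation(Sender: TObject;
  Certificate: TElX509Certificate; AdditionalCertificates: TElCustomCertStorage;
  var Validity: TSBCertificateValidity; var Reason: TSBCertificateValidityReason;
  var DoContinue: TSBBoolean);
begin
  FLog.Add(Format('cert "%s": validity=%s reason=[%s]',
    [Certificate.SubjectName.CommonName, ValidityToText(Validity), ReasonToText(Reason)]));
  DoContinue := True;  // keep walking the chain so every certificate gets logged
end;

{ Replaces the unconditional "Validate := true": accept only a chain that validates. }
procedure TFtpsUpdater.ClientCertificateValidate(Sender: TObject;
  X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  FValidator.Validate(X509Certificate, nil, Validity, Reason);
  Validate := (Validity = cvOk);
  if not Validate then
    FLog.Add('Server certificate rejected: ' + ReasonToText(Reason));
end;

function TFtpsUpdater.Login(const Host, User, Password: string): Boolean;
begin
  FClient.Address := Host;
  FClient.Port := 21;
  FClient.Username := User;
  FClient.Password := Password;
  try
    FClient.Open;
    FClient.Login;
    FLog.Add('Logged in, cipher suite id ' + IntToStr(FClient.CipherSuite));
    Result := FClient.Active;
  except
    on E: Exception do
    begin
      FLog.Add(E.ClassName + ': ' + E.Message);  // the detail the bare except block hid
      Result := False;
    end;
  end;
end;

end.
```

With this in place the "Validate := true" line is needed only to confirm the diagnosis: the log produced by ValidatorAfterValidation already says which certificate failed and whether the cause is an unknown CA (a missing root in the store) or an unreachable CRL/OCSP source (the network case the reply mentions). The validator's plain Validate call checks the chain but not the host name; the validator also has a ValidateForSSL variant that matches the certificate against the connected host name, and its parameter list should be taken from the SecureBlackbox documentation.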
#21112
Posted: 08/22/2012 02:53:54
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

OK, now it all works properly, but there is one little question:

When the client establishes a connection to the server, the server sends its certificate for authentication. What's next?
Does the client send a secret random number encrypted with the public key from the server certificate, or is the Diffie-Hellman key exchange method used to generate a common secret from which the cryptographic key is derived?

Best Regards
Joachim Wehmöller
#21114
Posted: 08/22/2012 03:35:22
by Ken Ivanov (EldoS Corp.)

SSL/TLS supports a number of different key exchange methods, including Diffie-Hellman, RSA and SRP. It also allows the use of conventional keys pre-shared by the peers (PSK).

The exact key exchange method used depends on the chosen cipher suite, which can be read through the component's CipherSuite property.
#21300
Posted: 09/03/2012 04:07:37
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Quote
Thank you for contacting us.

Could you clarify what exception you get? You should also try to connect to the server using our sample application located in the \EldoS\SecureBlackbox.VCL\Samples\Delphi\FTPSBlackbox\Client\SimpleFTPSDemo folder and post its log here if something doesn't work.


I have another problem connecting to the FTP server.
On most of our clients it works fine, but on some clients it doesn't work.
With the SimpleFTPSDemo tool we get the following:

Code
<<<<220 ProFTP 1.3.4a Server (XXXXXXX)[xx.xx.xx.xx]

>>>>AUTH TLS
<<<<234 AUTH TLS successfull


Code
Connecting to XXXXXXX.xxxxx:21
Connected
Error occured while enabling SSL/TLS on command channel


No error number is given, so I don't know what to do.

Can you give me a hint what the problem is?

Thanks.
#21301
Posted: 09/03/2012 04:16:17
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

1) Please try to leave only the SSL3 and TLS1 protocol versions enabled (switch off SSL2, TLS1.1 and TLS1.2) and check if it helps.

2) If it doesn't, please comment out the existing contents of the OnCertificateValidate event handler, add a single "Validate = true;" line to it and try to connect again.
