Problem using ElSimpleFTPSClient component

#29410
Posted: 05/08/2014 22:03:46
by Dave Kocrotus (Basic support level)
Joined: 05/08/2014
Posts: 4

Hello, I am new to SecureBlackBox. Recently I was assigned to perform research on building a system that requires an FTPS connection.

After some research, a friend of mine proposed using EldoS SecureBlackBox (FTPS client component), so I started the evaluation process.

Then I tried the component using the example provided, but it seems that there is a problem with the connection. The FTPS client example provided cannot successfully activate the SSL channel and gives the following error message:

"Error occured while enabling SSL/TLS on command channel"

The FTP server is on a Linux box and uses ProFTPD. I asked the Linux admin and they gave me the log. What I do not understand is that the FTP server log shows me something like this:

"error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"

I was curious and tried again on other PCs: out of 5 PCs, 2 connected successfully, but the other 3 failed with the FTP server log above.

The Linux admin gave me the proftpd conf, which looks like this:
======================
...

TLSEngine on
TLSLog /var/log/tls.log
TLSProtocol SSLv23
...
TLSRequired off
...
TLSOptions NoSessionReuseRequired
...
TLSVerifyClient off
...
TLSRenegotiate required off

...
======================

I wonder what is wrong here; is it something to do with the Windows box?
For information, all Windows boxes are Windows 7 32-bit, and I use Delphi XE2 for testing.

Can somebody explain to me what's wrong with it?

Thanks.
#29411
Posted: 05/09/2014 01:19:32
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Please try to play with the version checkboxes in the Connection properties window of the sample. Try to enable only SSL3 and only TLS1 and check if this solves the problem.
#29412
Posted: 05/09/2014 01:26:39
by Eugene Mayevski (EldoS Corp.)

To connect correctly you need to set:
a) FTPS mode. It can be explicit or implicit. In explicit mode you connect to the default port (usually port 21), then the STARTTLS command is sent. In implicit mode the SSL/TLS handshake takes place right after connection, and the connection is made to a different port (usually port 990).
b) enable TLS (in the sample TLS is enabled explicitly with a checkbox)
c) choose the AUTH command type. Auto works fine in most cases, but sometimes a special value needs to be set
d) enable one or more SSL/TLS versions. In your case try enabling SSL2, SSL3 and TLS1 (you might want to enable just one version for tests).


Sincerely yours
Eugene Mayevski
#29413
Posted: 05/09/2014 04:17:02
by Dave Kocrotus (Basic support level)
Joined: 05/08/2014
Posts: 4

It's not working.

I tried all combinations as you suggested, using 1 SSL/TLS version and even enabling all versions.
I used Auto, acAuthTLS and other combinations for the AUTH command, but the result is still just like before: only 2 PCs successfully connected to the FTP server.

The Linux box admin gave me the log, which looks like this (seems similar to the previous error):
=====================
. . . .
mod_tls/2.4.3[21398]: TLS/TLS-C negotiation failed on control channel
mod_tls/2.4.3[21405]: TLS/TLS-C requested, starting TLS handshake
mod_tls/2.4.3[21405]: unable to accept TLS connection: protocol error:
(1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
. . . .
=====================

Is there any other method to determine what is wrong with the negotiation in the SSL channel?
#29414
Posted: 05/09/2014 04:22:02
by Dave Kocrotus (Basic support level)
Joined: 05/08/2014
Posts: 4

For additional information, I use explicit SSL and always enable FTPS mode.

And here is the server log upon a successful connection to the server:
================
mod_tls/2.4.3[22631]: TLS/TLS-C requested, starting TLS handshake
mod_tls/2.4.3[22631]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
mod_tls/2.4.3[22631]: Protection set to Private
mod_tls/2.4.3[22631]: starting TLS negotiation on data connection
mod_tls/2.4.3[22631]: TLSv1/SSLv3 renegotiation accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
mod_tls/2.4.3[22631]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
================
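An added example, not from this thread or from EldoS: a small Python script that parses ProFTPD mod_tls log lines like the ones quoted above, groups them by the session pid in brackets, and reports for each session whether the control-channel handshake was accepted (with the negotiated cipher) or failed (with the OpenSSL error code and reason). The sample log is constructed from the lines quoted in this thread, so the failing and succeeding PCs can be compared from the server side alone.

```python
import re
from collections import OrderedDict

# Constructed sample built from the mod_tls lines quoted in this thread:
# session 21398 and 21405 failed, session 22631 succeeded.
SAMPLE_LOG = """\
mod_tls/2.4.3[21398]: TLS/TLS-C negotiation failed on control channel
mod_tls/2.4.3[21405]: TLS/TLS-C requested, starting TLS handshake
mod_tls/2.4.3[21405]: unable to accept TLS connection: protocol error:
(1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
mod_tls/2.4.3[22631]: TLS/TLS-C requested, starting TLS handshake
mod_tls/2.4.3[22631]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
mod_tls/2.4.3[22631]: Protection set to Private
mod_tls/2.4.3[22631]: starting TLS negotiation on data connection
mod_tls/2.4.3[22631]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
"""

LINE_RE = re.compile(r"^mod_tls/[\d.]+\[(\d+)\]: (.*)$")
OSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]+):SSL routines:(\S+):(.+)$")
CIPHER_RE = re.compile(r"connection accepted, using cipher (\S+) \((\d+) bits\)")

def parse_sessions(log_text):
    """Group mod_tls lines by session pid. A line without the mod_tls prefix
    (the wrapped OpenSSL error) is appended to the previous message."""
    sessions = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, []).append(m.group(2))
        elif current is not None and line.strip():
            sessions[current][-1] += " " + line.strip()
    return sessions

def classify(messages):
    """Summarise one session: handshake status, cipher, OpenSSL error, data channel."""
    r = {"status": "unknown", "cipher": None, "bits": None,
         "ssl_error": None, "data_channel": False}
    for msg in messages:
        m = CIPHER_RE.search(msg)
        if m and "data connection" in msg:
            r["data_channel"] = True          # PROT P data channel came up
        elif m:
            r["status"], r["cipher"], r["bits"] = "accepted", m.group(1), int(m.group(2))
        e = OSSL_ERR_RE.search(msg)
        if e:
            r["status"] = "failed"
            r["ssl_error"] = {"code": e.group(1), "func": e.group(2), "reason": e.group(3).strip()}
        elif "negotiation failed" in msg:
            r["status"] = "failed"
    return r

def summarize(log_text):
    return {pid: classify(msgs) for pid, msgs in parse_sessions(log_text).items()}
```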
#29415
Posted: 05/09/2014 04:23:10
by Eugene Mayevski (EldoS Corp.)

If the server is accessible from outside, we can do the following: I will move this topic to the confidential HelpDesk, you post the address of the server to the HelpDesk and we try to connect to the server. In order to do this we do NOT need login/password, so there's no information leak involved. If this is acceptable for you, please let me know here.


Sincerely yours
Eugene Mayevski
#29416
Posted: 05/09/2014 04:36:17
by Dave Kocrotus (Basic support level)
Joined: 05/08/2014
Posts: 4

OK, my client agrees to give access to their FTP server to test the condition.
#29417
Posted: 05/09/2014 05:14:41
by Eugene Mayevski (EldoS Corp.)

Please visit the HelpDesk where I've created a support ticket for you.


Sincerely yours
Eugene Mayevski