FTPSDemo not working

#4919
Posted: 02/08/2008 09:52:55
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

I have purchased and used successfully the SBB SFTP product, but my customer has now changed the protocol to FTPS. To begin I decided to attempt ftps connections with CuteFTP which is what they used in their connection tests. I was able to connect with CuteFTP and transfer data fine. Next I tried FTPSDemo and I'm having difficulties. It took me a few connection attempts before finding settings that would connect and authenticate. They are Use SSL/TLS, AUTH TLS, SSL3 TLS1. I also tested passive mode with CuteFTP and set FTPSDemo to use passive as well. I'll include complete logs below, but I'm having two problems. First FTPSDemo is reporting "Warning: certificate is not valid!" which CuteFTP does not report. And second, when I try to do a listing, I see the PASV command go out and apparently succeed, and then the last thing I see in the event window is "Control channel transfer error". I'm not entirely sure what that means. Is FTPSDemo failing to use passive mode correctly? The server is only accessible in passive mode; CuteFTP is unable to use PORT mode. So if FTPSDemo is not using passive correctly, this would explain the problem.

Any ideas much appreciated. I've got a deadline and I need to get SBB connecting reliably.

Thanks,
Kevin Donn

I've pasted two logs below. They're separated by a row of dashes. The first is the successful CuteFTP log. The second is from FTPSDemo. Below that I've typed out the contents of the Events window in FTPSDemo since I couldn't copy them.

*** CuteFTP 8.1 - build Nov 12 2007 ***

STATUS:> [2/8/2008 9:25:50 AM] Getting listing ""...
STATUS:> [2/8/2008 9:25:50 AM] Connecting to FTP server... 63.240.254.61:21 (ip = 63.240.254.61)...
STATUS:> [2/8/2008 9:25:50 AM] Socket connected. Waiting for welcome message...
[2/8/2008 9:25:50 AM] 220 ProFTPD 1.3.1rc2 Server (ProFTPD MSIX FTP Server) [63.240.254.61]
STATUS:> [2/8/2008 9:25:50 AM] Connected. Authenticating...
COMMAND:> [2/8/2008 9:25:50 AM] AUTH TLS
[2/8/2008 9:25:50 AM] 234 AUTH TLS successful
STATUS:> [2/8/2008 9:25:50 AM] Establishing SSL session...
STATUS:> [2/8/2008 9:25:50 AM] Initializing SSL module.
STATUS:> [2/8/2008 9:25:50 AM] Connected. Exchanging encryption keys...
STATUS:> [2/8/2008 9:25:51 AM] SSL Connect time: 1109 ms.
STATUS:> [2/8/2008 9:25:51 AM] SSL encrypted session established.
COMMAND:> [2/8/2008 9:25:51 AM] PBSZ 0
[2/8/2008 9:25:52 AM] 200 PBSZ 0 successful
COMMAND:> [2/8/2008 9:25:52 AM] USER mis2Kintf
[2/8/2008 9:25:52 AM] 331 Password required for mis2Kintf
COMMAND:> [2/8/2008 9:25:52 AM] PASS *****
[2/8/2008 9:25:52 AM] 230 User mis2Kintf logged in
STATUS:> [2/8/2008 9:25:52 AM] Login successful.
COMMAND:> [2/8/2008 9:25:52 AM] PWD
[2/8/2008 9:25:52 AM] 257 "/" is the current directory
STATUS:> [2/8/2008 9:25:52 AM] Home directory: /
COMMAND:> [2/8/2008 9:25:52 AM] FEAT
[2/8/2008 9:25:52 AM] Informational Message Only:
211-Features:
MDTM
AUTH TLS
PBSZ
PROT
REST STREAM
SIZE
211 End
STATUS:> [2/8/2008 9:25:52 AM] This site supports features.
STATUS:> [2/8/2008 9:25:52 AM] This site supports SIZE.
STATUS:> [2/8/2008 9:25:52 AM] This site can resume broken downloads.
COMMAND:> [2/8/2008 9:25:52 AM] REST 0
[2/8/2008 9:25:52 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
COMMAND:> [2/8/2008 9:25:52 AM] PBSZ 0
[2/8/2008 9:25:52 AM] 200 PBSZ 0 successful
COMMAND:> [2/8/2008 9:25:52 AM] PROT P
[2/8/2008 9:25:53 AM] 200 Protection set to Private
COMMAND:> [2/8/2008 9:25:53 AM] PASV
[2/8/2008 9:25:53 AM] 227 Entering Passive Mode (63,240,254,61,80,242).
COMMAND:> [2/8/2008 9:25:53 AM] LIST
STATUS:> [2/8/2008 9:25:53 AM] Connecting FTP data socket... 63.240.254.61:20722...
[2/8/2008 9:25:53 AM] 150 Opening ASCII mode data connection for file list
STATUS:> [2/8/2008 9:25:53 AM] Connected. Exchanging encryption keys...
STATUS:> [2/8/2008 9:25:53 AM] SSL Connect time: 234 ms.
STATUS:> [2/8/2008 9:25:53 AM] SSL encrypted session established.
[2/8/2008 9:25:53 AM] 226 Transfer complete
STATUS:> [2/8/2008 9:25:53 AM] Directory listing completed.
----------------------------------------------
<<<220 ProFTPD 1.3.1rc2 Server (ProFTPD MSIX FTP Server) [63.240.254.61]

>>>AUTH TLS
<<<234 AUTH TLS successful

>>>USER mis2Kintf
<<<331 Password required for mis2Kintf

>>>PASS ****
<<<230 User mis2Kintf logged in

>>>PBSZ 0
<<<200 PBSZ 0 successful

>>>PROT P
<<<200 Protection set to Private

>>>FEAT
<<<211-Features:
MDTM
AUTH TLS
PBSZ
PROT
REST STREAM
SIZE
211 End

>>>TYPE A
<<<200 Type set to A

>>>PASV
<<<227 Entering Passive Mode (63,240,254,61,79,50).

>>>LIST
<<<150 Opening ASCII mode data connection for file list

Events:
Connecting...
Connected
Cert received
Issuer: CN=ftptestfl, C=US, O=Dept. of Education, L=Orlando
Subject: CN=ftptestfl, C=US, O=Dept. of Education, L=Orlando
Warning: certificate is not valid!
Logged in
SSL version is TLS1
Retrieving directory contents...
Certificate received
Issuer...
Subject...
Control channel transfer error
#4921
Posted: 02/08/2008 10:16:44
by Eugene Mayevski (EldoS Corp.)

1. Are you running the evaluation version of SecureBlackbox for FTPS? If you run it with your license key, it won't work (as the key doesn't enable SSL functionality).

2. Be sure that you test the latest build of SecureBlackbox 5 (version 5.2.124) - there were some compatibility improvements in it.
Or, even better, install SBB 6 beta for testing. It has more compatibility improvements.

3. Certificate validation is a long story. You should set a breakpoint in the demo's OnCertificateValidate event handler and see exactly what error is reported when the certificate is validated.

4. There exist plenty of various FTP servers, each having its own understanding of the standard and its own set of bugs. It's hard to say anything without connecting to the particular server and testing with it. I will try to find this ProFTPD and install it.


Sincerely yours
Eugene Mayevski
#4932
Posted: 02/08/2008 15:06:35
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

Quote
1. Are you running the evaluation version of SecureBlackbox for FTPS? If you run it with your license key, it won't work (as the key doesn't enable SSL functionality).

I'm not sure if I was before my first post. I thought I was. I've since downloaded the beta and I got a dialog when FTPSDemo starts up telling me clearly I'm in eval mode.

Quote
2. Be sure that you test the latest build of SecureBlackbox 5 (version 5.2.124) - there were some compatibility improvements in it. Or, even better, install SBB 6 beta for testing. It has more compatibility improvements.

I'm now using 6.0.132 and it has problems as well, although different ones.

Quote
3. Certificate validation is a long story. You should set a breakpoint in the demo's OnCertificateValidate event handler and see exactly what error is reported when the certificate is validated.

I haven't done this yet. After you look at the current logs below, if you still think I should, I will. One problem for me is that the machine I have to test on doesn't have Delphi installed. So breakpoints will be a pretty major undertaking.

Quote
4. There exist plenty of various FTP servers, each having its own understanding of the standard and its own set of bugs. It's hard to say anything without connecting to the particular server and testing with it. I will try to find this ProFTPD and install it.

Much appreciated.

Here are my latest logs from 6.0.132 and FTPSDemo:

<<<220 ProFTPD 1.3.1rc2 Server (ProFTPD MSIX FTP Server) [63.240.254.61]

>>>AUTH TLS
<<<234 AUTH TLS successful

>>>USER mis2Kintf
<<<331 Password required for mis2Kintf

>>>PASS ****
<<<230 User mis2Kintf logged in

>>>PBSZ 0
<<<200 PBSZ 0 successful

>>>PROT P
<<<200 Protection set to Private

>>>FEAT
<<<211-Features:
MDTM
AUTH TLS
PBSZ
PROT
REST STREAM
SIZE
211 End

>>>TYPE A
<<<200 Type set to A

>>>PASV
<<<227 Entering Passive Mode (63,240,254,61,81,1).

>>>LIST
<<<150 Opening ASCII mode data connection for file list

<<<425 Unable to build data connection: Not owner

Events:
Connecting
Connected
Cert received
Issuer:
Subject:
Warning: certificate is not valid!
Logged in
SSL Version is TLS1
Retrieving directory contents ...
Cert received
Issuer:
Subject:
Unsupported algorithm 32767
#4936
Posted: 02/09/2008 01:08:26
by Eugene Mayevski (EldoS Corp.)

The output is confusing (at least). The server sends error 425 and after that it should not open the data channel, which it does. This seems to me to be a bug in the server. Probably it is a misconfiguration of the particular server and I can't do anything without access to it. If you can arrange a test account on the server, please post the information to the HelpDesk.


Sincerely yours
Eugene Mayevski
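
An added example (not part of the original thread, and not SecureBlackbox or CuteFTP code): a small Python check over a `>>>`/`<<<` control-channel log that decodes the 227 reply into the data endpoint, compares it with the control host, and flags the 150-then-425 sequence discussed above. The function names and the `control_host` parameter are assumptions made for this illustration.

```python
import re

# Hypothetical helper names; the sample lines are copied from the
# 6.0.132 FTPSDemo log posted earlier in this thread.
SAMPLE_LOG = """\
>>>PROT P
<<<200 Protection set to Private
>>>PASV
<<<227 Entering Passive Mode (63,240,254,61,81,1).
>>>LIST
<<<150 Opening ASCII mode data connection for file list
<<<425 Unable to build data connection: Not owner
"""

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; port = p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def analyze(log, control_host):
    """Summarise the data-connection attempt recorded in a >>>/<<< log."""
    out = {"prot": None, "endpoint": None, "transfer_codes": [], "findings": []}
    cmd = ""
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith(">>>"):
            cmd = line[3:].strip().upper()
        elif line.startswith("<<<") and line[3:6].isdigit():
            code = int(line[3:6])
            if cmd.startswith("PROT") and code == 200:
                out["prot"] = cmd.split()[-1]
            elif cmd == "PASV" and code == 227:
                out["endpoint"] = parse_pasv(line)
            elif cmd.split(" ")[0] in ("LIST", "NLST", "RETR", "STOR"):
                out["transfer_codes"].append(code)
    if out["endpoint"] and out["endpoint"][0] != control_host:
        out["findings"].append("PASV host differs from control host")
    if out["prot"] == "P":
        out["findings"].append("data channel needs its own TLS handshake")
    codes = out["transfer_codes"]
    if 150 in codes and 425 in codes[codes.index(150):]:
        out["findings"].append("150 then 425: server failed to build data connection")
    return out
```
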
#4937
Posted: 02/09/2008 10:32:06
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

That's very disconcerting. The server is a government server and there is no way in twelve hells I'd be able to get you access to it. The red tape would be miles long. Is there really simply no other way to proceed? Were you unable to reproduce the behavior with an eval install of the server software? I'm not looking forward to trying to find other ftps software. The SBB sftp product was so good and easy to use.

kd
#4938
Posted: 02/09/2008 11:08:19
by Eugene Mayevski (EldoS Corp.)

ProFTPD is only available in source code for Linux. This means that we need to install the server and configure it. The most likely result would be that everything works fine on our side and after spending a day we end up needing to get access to your server.

Of course I'll try to install the software now, but no guarantees.


Sincerely yours
Eugene Mayevski
#4939
Posted: 02/09/2008 11:49:57
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

I fear you're right that everything will just work on your test server, but it seems worth a shot. I know there's no practical way to give you access to the server. I've considered trying to get their configuration files, but I doubted even that would be enough since they've got it connected to an LDAP server and God knows what else. It is only a test server so I'll take a shot at seeing if I can get you access, but I think it's extremely unlikely.

kd
#4940
Posted: 02/09/2008 11:55:36
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

Also, when you say you would need access to the server, do you mean user access or admin access? In other words, do you think you'll need the ability to actually alter the configuration of the server? That will almost certainly not be possible. Even getting just user access will be very difficult if not impossible.

kd
#4941
Posted: 02/09/2008 12:04:10
by Eugene Mayevski (EldoS Corp.)

You can just send us the credentials you use, this will be enough. We don't need any access besides the possibility to request a file listing (in order to transfer the data via the DATA channel). For a test server this should be trivial to arrange - just create a limited account.

Preliminary tests show no problems - I've installed proftpd 1.3.1 on Linux and in a test configuration it ran smoothly. So the problem is either with TLS or with specific access rights (the reason for the 425 error). Not sure that I can reproduce this ...


Sincerely yours
Eugene Mayevski
#4942
Posted: 02/09/2008 12:13:11
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

I wish it were as simple as giving you my credentials. There are a lot of parties in play and the security requirements for the whole system are very stiff. I'll have to check into a couple things, but I might be able to let you use my credentials. Before we go down that road, though, let's make sure you'll even be allowed through the firewall. I think at the moment there's no IP filtering going on. Just try to hit it at 63.240.254.61. If you can get that far, I'll work on trying to get credentials you can use.

kd