Hangs on LIST command with TLS

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
azgi
500 Command not understood
Posts: 3
Joined: 2020-03-07 01:06
Contact:

Hangs on LIST command with TLS

#1 Post by azgi » 2020-03-07 01:16

I'm having a weird issue connecting to our VSFTPd using TLS. When I try to connect with explicit TLS, Filezilla shows me the certificate and I accept it but then it gets hung up on the LIST command. I've tried Active and Passive connection. The weird part is if I don't use TLS then the LIST command completes and I can download a file. Any idea why Filezilla won't work when I try to use TLS? Thanks

User avatar
botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Hangs on LIST command with TLS

#2 Post by botg » 2020-03-07 19:00

See the section about malicious routers and firewalls in our Network Configuration guide.

azgi
500 Command not understood
Posts: 3
Joined: 2020-03-07 01:06
Contact:

Re: Hangs on LIST command with TLS

#3 Post by azgi » 2020-03-07 20:18

Ok thanks... but didn't really see any solution there. We're in a University network with Cisco firewalls. Why would it work fine without TLS but gets hung up when TLS is used?
The same PORT or PASV commands are happening... For example, PORT with TLS enabled:

Code: Select all

Command:	PORT x,y,z,109,138,53  <- this is my external address
Response:	200 PORT command successful. Consider using PASV.
Command:	LIST
Error:	Connection timed out after 20 seconds of inactivity
Error:	Failed to retrieve directory listing
PASV with TLS enabled:

Code: Select all

Command:	PASV
Response:	227 Entering Passive Mode (x,y,z,3,188,146).  <- this is the server's address
Command:	LIST
Error:	Connection timed out after 20 seconds of inactivity
Error:	Failed to retrieve directory listing
Now with TLS disabled,

Code: Select all

Command:	PASV
Response:	227 Entering Passive Mode (x,y,z,3,189,232).
Command:	LIST
Response:	150 Here comes the directory listing.
Response:	226 Directory send OK.
Still don't understand what is actually happening or not working. Are there extra rules I should tell the firewall admins to allow for our server?

User avatar
botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Hangs on LIST command with TLS

#4 Post by botg » 2020-03-09 09:46

azgi wrote:Ok thanks... but didn't really see any solution there. We're in a University network with Cisco firewalls. Why would it work fine without TLS but gets hung up when TLS is used?
botg wrote:See the section about malicious routers and firewalls in our Network Configuration guide.

azgi wrote:Are there extra rules I should tell the firewall admins to allow for our server?
Yes, the entire passive mode port range needs to be always and unconditionally opened and forwarded.

azgi
500 Command not understood
Posts: 3
Joined: 2020-03-07 01:06
Contact:

Re: Hangs on LIST command with TLS

#5 Post by azgi » 2020-03-09 12:30

That did it! thanks
Still strange that it worked fine without TLS. I'm guessing the firewall can detect the traffic without TLS and do its magic to make PASV work, but with TLS it just breaks.

Basically this i'm guessing,
Essentially, it can cause a number of problems if it is enabled by default, without explicit user consent. The FTP connections in their most basic form appear to work, but as soon as there's some deviation from the basic case, everything will fail, leaving the user stumped

User avatar
boco
Contributor
Posts: 24960
Joined: 2006-05-01 03:28
Location: Germany

Re: Hangs on LIST command with TLS

#6 Post by boco » 2020-03-09 13:31

Not strange at all. TLS traffic is encrypted, firewalls and routers cannot make heads and tails out of it. Looks just like digital noise to them. Thus, they actually don't know it's FTP.

Please note that this condition (firewall NOT interfering) is the desired and normal behavior.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

Post Reply