A problem since we changed our FTP to FTPS


#1 Post by jimmy1829 » 2009-07-31 20:24

Please check the code, guys.
This started to happen since we changed our FTP to FTP over SSL (port 990).

Status: Resolving address of .........................
Status: Connecting to ..............:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220-.......... FTP Server
Response: 220-
Response: 220-Please do not use this server for archiving, delete your files
Response: 220-when you no longer need them.
Response: 220-
Response: 220 Files older than 30 Days will be removed without notification.
Command: USER .................
Response: 331 Password required for .....................
Command: PASS ********
Response: 230 Logged on
Command: SYST
Response: 215 UNIX emulated by FileZilla
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: REST STREAM
Response: SIZE
Response: MODE Z
Response: MLST type*;size*;modify*;
Response: MLSD
Response: AUTH SSL
Response: AUTH TLS
Response: UTF8
Response: CLNT
Response: MFMT
Response: 211 End
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Protection level set to P
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (................,6,167)
Command: MLSD
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Status: Retrieving directory listing...
Command: CDUP
Response: 200 CDUP successful. "/" is current directory.
Command: PWD
Response: 257 "/" is current directory.
Command: PASV
Response: 227 Entering Passive Mode (........................,6,168)
Command: MLSD
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing

Status: Disconnected from server
Status: Resolving address of ....................
Status: Connecting to .......................:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220-.....................
Response: 220-
Response: 220-Please do not use this server for archiving, delete your files
Response: 220-when you no longer need them.
Response: 220-
Response: 220 Files older than 30 Days will be removed without notification.
Command: USER ...............
Response: 331 Password required for ........................
Command: PASS ********
Response: 230 Logged on
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Protection level set to P
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (........................,6,169)
Command: MLSD
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing


#2 Post by jimmy1829 » 2009-07-31 20:25

We have ports 1500-3000 open on the server side;
the firewall has these ports open too.
Please help.
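
Added example (not from the original thread or the FileZilla project): the reason plain FTP survived this router and FTPS does not is usually that the NAT device's FTP helper reads each 227 reply on the control channel, rewrites the advertised address and opens the data port on the fly. Once the control channel is inside TLS it can see none of that, so the whole passive range has to be forwarded statically and the server has to advertise its public address itself. The script below decodes the 227 replies from a FileZilla client log the way you would by hand (port = p1*256 + p2, so "6,167" is 1703), checks each against the 1500-3000 range from this post, and flags RFC 1918 addresses. The log lines are constructed to mirror the first post, with the masked server address replaced by a placeholder (an assumption); the second sample is a constructed failure case.

```python
"""Decode the 227 PASV replies in a FileZilla client log, check the advertised
data ports against the range forwarded on the firewall, and flag RFC 1918
addresses that a client outside the NAT could never reach.

Added example for this thread, not code from the FileZilla project. The
server address in the sample log is a placeholder (assumption)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(
    r"227 .*?\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)"
)
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(response: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.search(response)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # malformed reply, do not trust it
        return None
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def is_rfc1918(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918_NETS)


def audit_pasv(log: str, low: int, high: int) -> List[dict]:
    """One record per 227 reply: decoded port, whether it lies inside the
    forwarded range [low, high], and whether the server advertised a private
    address. A NAT FTP helper would rewrite that address in plain FTP, but it
    cannot read the reply once the control channel is inside TLS."""
    findings = []
    for line in log.splitlines():
        if not line.startswith("Response:"):
            continue
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        findings.append({"host": host, "port": port,
                         "in_range": low <= port <= high,
                         "private_addr": is_rfc1918(host)})
    return findings


# Constructed sample modelled on the post's log; 198.51.100.7 stands in for
# the masked server address.
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (198,51,100,7,6,167)
Command: MLSD
Response: 425 Can't open data connection.
Command: PASV
Response: 227 Entering Passive Mode (198,51,100,7,6,168)
Command: PASV
Response: 227 Entering Passive Mode (198,51,100,7,6,169)
"""

# Constructed failure case: a server behind NAT advertising its LAN address
# and a port outside the forwarded range.
BAD_LOG = "Response: 227 Entering Passive Mode (192,168,1,20,200,15)\n"

if __name__ == "__main__":
    for rec in audit_pasv(SAMPLE_LOG, 1500, 3000) + audit_pasv(BAD_LOG, 1500, 3000):
        print(rec)
```

For the log in the first post the three advertised ports decode to 1703, 1704 and 1705, all inside the forwarded range, so the range itself is not the problem; what remains unverifiable from a masked log is whether the address in the 227 reply is the server's public one, which is the second thing the audit reports.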


#3 Post by botg » 2009-07-31 21:29

There's still some malicious router and/or firewall sabotaging the connection.

Uninstall all firewalls. Throw away your NAT routers and plug your computer directly into the modem.


#4 Post by redleg » 2009-08-01 05:40

botg wrote:Uninstall all firewalls. Throw away your NAT routers and plug your computer directly into the modem.
lol, while I fully understand and appreciate why you often say this, it always sounds so harsh. I shudder, thinking of it more as me standing in the middle of the town square, nekkid... (you'd shudder too, seeing such a picture) ;)

jimmy1829, the passive port range seems to be in line with what you have forwarded (around 1700), but I have found FTP(E)S and PROT P to be very finicky with regard to failures, and rightfully so: plain FTP may survive a session over a sloppy, intrusive router or firewall, but adding encryption tightens up everything, and when something doesn't check out exactly, it fails, as it must.

I see you are using implicit encryption (FTPS) with passive mode. I gave up on implicit mode long ago; actually, I don't even think it was ever formalized, IIRC. Anyway, since you know plain FTP worked, try changing it to explicit mode (FTPES). Try optional encryption first, by checking the "allow explicit" box; then, once you get good sign-ins and transfers, force explicit encryption by checking the "disallow plain..." box, if this is the goal. Be advised that in explicit mode the welcome message is passed in the plain (clear text, unencrypted); I say this in case there is anything secret(ive) there to be wary of. Implicit mode encrypts from initial contact onwards.

It will use the port you run FZ Server on, found in General settings, not 990 or any port you type in the "listen for implicit..." box on the SSL/TLS settings page.

If this is not working, you are still suffering from sabotage, and a better understanding of your setup is in order, as well as a refresh of the logs, to better assist from that point.
Network Config Guide (setup & connection issues)
FileZilla wiki (FAQs, screenshots, & "got logs?" info:)
FTP server test (plain), FTP(E)S server test (encrypted)
FTP commands (see also List_of_FTP_server_return_codes)


#5 Post by boco » 2009-08-01 07:49

I gave up on Implicit mode long ago, actually don't even think it was ever formalized, iirc..
There is no standard for implicit FTPS, and it is no longer recommended these days. Some even regard it as being bad. I'd go for explicit.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org


#6 Post by redleg » 2009-08-01 16:45

Thanks for confirming that. I don't recall where I stumbled across that bit of info, perhaps here, but I do know it caused me more problems than it was worth to continue troubleshooting... OTOH, after initial setup, explicit always worked, even in conjunction with Tor hidden services.


#7 Post by boco » 2009-08-02 10:22

Note that implicit negotiation was not defined in RFC-4217. As such, it is considered an earlier, deprecated method of negotiating TLS/SSL for FTP.
From http://en.wikipedia.org/wiki/FTPS#Implicit .

http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html


#8 Post by redleg » 2009-08-02 18:59

Yeah, that's cool. I know when I was killing myself to get implicit to work with my "beta-test client team" I must have read and reread the Wikipedia pages, here and there... I finally gave up and went explicit w/ PROT P. ;)

I don't recall ever going to the ford-hutchinson page before though, thanks for that link.


#9 Post by jimmy1829 » 2009-08-04 16:04

Thanks, guys, for all your input.
We are currently set to "Allow explicit SSL/TLS on normal connections",
but we do not have "Force explicit SSL/TLS" checked. Shall we?
Also, "Force PROT P" is checked too.


#10 Post by redleg » 2009-08-04 16:11

Checking "Force explicit" will, besides the obvious, prevent implicit from being used, as well as plain FTP. I recommend checking it if it fits in well with your policy, and "Force PROT P" ensures the data channel is encrypted, so yes, I recommend that one as well.

Are we getting anywhere on your 425s?


#11 Post by jimmy1829 » 2009-08-04 16:17

Also, how can I tell if the connection is under implicit or explicit SSL?


#12 Post by jimmy1829 » 2009-08-04 16:19

Thanks, redleg.
We have some clients having problems after we changed to FTP over SSL, while others are fine.
Do you know why this happened?


#13 Post by redleg » 2009-08-04 16:32

Not sure if there is an easier way to tell the difference between an implicit and an explicit session other than during initial client contact.

When implicit is used, immediately following connection with the server the client initializes TLS/SSL encryption. If the server is not listening for (nor accepting) implicit, then you will see a bunch of garbage in your logs, as the client just seems to blissfully start encrypting everything, unaware of the world around it...

When explicit is used, the client establishes a connection to the server, the server sends the welcome message, then the client issues the "AUTH TLS" command and the session goes from there. Before any data transfers take place, a PROT command is sent by the client; if encryption is required by the server (Force PROT P), then the client will eventually send the PROT P command if it wants to transfer any data... :)

As for some of your clients no longer being able to connect after you have forced encryption, I will wager it is due to sabotage by a router and/or firewall. You have three threads going so far on related issues; please catch up by reading them and see if any advice already given helps at all.

Posting some new logs would also be very useful. :)


#14 Post by jimmy1829 » 2009-08-04 16:54

Well, you can see AUTH SSL in the log I posted.
Apparently it was using explicit SSL, am I right?


#15 Post by redleg » 2009-08-04 17:47

Not in the first post's log.

This is an implicit connection session:

Status: Resolving address of .........................
Status: Connecting to ..............:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Notice the immediate initializing of TLS; then the server sends the welcome message.

The AUTH SSL (and AUTH TLS) were options the server sent to the client, explaining the server's capabilities after the client requested them with the FEAT command.

Now, about the session failing to list directories (the 425 error after the MLSD command sent by the client): it is still most likely due to improper configuration of the router and/or firewall(s), or simple sabotage by either or both of those. While a plain/unencrypted FTP session may work fine some of the time (or even all of the time), things get a bit more complicated when you encrypt: any change happening on-the-fly to packets exchanged between server and client comes under fire immediately, and the system fails as it is designed to do. It simply must fail, as we are saying this is important enough to protect with encryption, so please keep it protected! There can be no tolerance, so any tampering by any outside source (routers and firewalls included) must be considered hostile, as a man-in-the-middle attack, and the session must not progress from there.

Implicit requires only that initial encryption agreement and operates from there, protecting both the control and data channels. Once it fails (as in the 425) I would expect it to drop the session altogether and force a reconnect/renegotiation. Explicit has another benefit in that it only encrypts the control channel by default (AUTH SSL or AUTH TLS), and it is not until the PROT P command (or another PROT command) is given that the data channel is encrypted.

I hope this is making sense, as well as not being offensive by being overly simplistic; I am trying to keep it easy to understand while making recommendations and explaining what is "probably" going on from my unprofessional viewpoint. What I am wondering is if any of the advice you have already received in the three related threads you started is having any positive impact on your issues... :?: :|
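
Added example (not from the original thread or the FileZilla project) tying together the tell-tale signs redleg describes in the two posts above: in an implicit session the TLS handshake precedes the 220 banner, in an explicit one the banner comes first and the client then issues AUTH TLS, and in either case the data channel is only protected once a PROT P command has been accepted over the already-encrypted control connection. The function below classifies a FileZilla client log on exactly those cues. The implicit sample mirrors the log in the first post (the server name is a placeholder); the explicit and plain samples, including the 234 reply to AUTH TLS and the PROT C variant, are constructed to illustrate the other cases and are assumptions about what those sessions look like.

```python
"""Classify a FileZilla client log as implicit FTPS, explicit FTPES or plain
FTP from the order of events on the control channel, and report whether the
data channel ended up protected (PROT P accepted after TLS was established).

Added example for this thread, not code from the FileZilla project. The
sample logs are constructed; the implicit one mirrors the first post, the
others are assumptions about what such sessions look like."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionInfo:
    mode: str             # "implicit", "explicit" or "plain"
    control_tls: bool     # TLS came up on the control channel
    data_protected: bool  # "PROT P" was accepted while TLS was up


def classify_session(log: str) -> SessionInfo:
    seen_welcome = False        # the 220 banner has been received
    tls_before_welcome = False  # implicit: handshake precedes the banner
    auth_after_welcome = False  # explicit: AUTH TLS/SSL follows the banner
    tls_up = False
    prot_p_pending = False      # PROT P sent over TLS, awaiting the 200
    data_protected = False
    for raw in log.splitlines():
        line = raw.strip()
        text = line.lower()
        if line.startswith("Status:"):
            if "initializing tls" in text:
                if not seen_welcome:
                    tls_before_welcome = True
            elif "tls" in text and "connection established" in text:
                tls_up = True
        elif line.startswith("Response: 220"):
            seen_welcome = True
        elif line.startswith("Command: AUTH ") and seen_welcome:
            auth_after_welcome = True
        elif line.startswith("Command: PROT P"):
            # PROT P before TLS is meaningless; only count it over TLS
            prot_p_pending = tls_up
        elif line.startswith("Response: 200") and "protection level" in text:
            data_protected = prot_p_pending
            prot_p_pending = False
    if tls_before_welcome and tls_up:
        mode = "implicit"
    elif auth_after_welcome and tls_up:
        mode = "explicit"
    else:
        mode = "plain"
    return SessionInfo(mode, tls_up, data_protected)


# Constructed in the shape of FileZilla client output. Implicit: modelled on
# the first post, ftp.example.test standing in for the masked server.
IMPLICIT_LOG = """\
Status: Connecting to ftp.example.test:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS/SSL connection established, waiting for welcome message...
Response: 220 FTP Server
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Protection level set to P
"""

# Explicit (assumed reply: 234 to AUTH TLS); PROT C leaves the data channel
# in the clear even though the control channel is encrypted.
EXPLICIT_PROT_C_LOG = """\
Status: Connecting to ftp.example.test:21...
Status: Connection established, waiting for welcome message...
Response: 220 FTP Server
Command: AUTH TLS
Response: 234 Using authentication type TLS
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT C
Response: 200 Protection level set to C
"""

# Plain FTP: no TLS anywhere.
PLAIN_LOG = """\
Status: Connecting to ftp.example.test:21...
Status: Connection established, waiting for welcome message...
Response: 220 FTP Server
Command: USER jimmy
Response: 331 Password required for jimmy
"""

if __name__ == "__main__":
    for name, log in (("implicit", IMPLICIT_LOG),
                      ("explicit, PROT C", EXPLICIT_PROT_C_LOG),
                      ("plain", PLAIN_LOG)):
        print(name, "->", classify_session(log))
```

The AUTH SSL and AUTH TLS lines inside the FEAT listing in the first post are replies, not commands, so they do not trip the `Command: AUTH` check; the first post's log therefore classifies as implicit, as redleg says. The PROT C sample is the case to watch for when auditing client configurations: the control channel shows as encrypted while file contents still cross the network in the clear.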