OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-08 20:52
by shoutbomb
Hello,

A client is using PHP version 7.1.0 to connect to my server running the latest 0.9.60.

<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_USE_SSL, CURLFTPSSL_ALL);   // require TLS on both control and data channel
curl_setopt($curl, CURLOPT_SSLVERSION, 6);             // 6 == CURL_SSLVERSION_TLSv1_2
curl_setopt($curl, CURLOPT_TCP_NODELAY, 0);
curl_setopt($curl, CURLOPT_URL, "ftps://ben:benuiqw#__#wnm@ftp.example.com/");
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);         // turns off server certificate verification
curl_exec($curl);
curl_close($curl);
fclose($file);   // $file is presumably opened earlier in the client's script (not shown in the post)

returns the following:

* Hostname ftp.example.com was found in DNS cache
* Trying xxx.xxx.xxx.xxx...
* TCP_NODELAY set
* Connected to ftp.example.com (xxx.xxx.xxx.xxx) port 990 (#0)
* successfully set certificate verify locations:
* CAfile: D:/inetpub/PHP/cacert.pem
CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: CN=ftp.example.com; C=US; ST=My State; L=My City; O=example, LLC; OU=example Team; emailAddress=support@example.com
* start date: Apr 28 00:50:06 2018 GMT
* expire date: Apr 28 00:50:06 2019 GMT
* common name: ftp.example.com (matched)
* issuer: CN=ftp.example.com; C=US; ST=My State; L=My City; O=example, LLC; OU=example Team; emailAddress=support@example.com
* SSL certificate verify ok.
< 220 Hello...now where to begin
> USER ben
< 331 Password required for ben
> PASS *************
< 230 Logged on
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Protection level set to P
> PWD
< 257 "/" is current directory.
* Entry path is '/'
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Entering Extended Passive Mode (|||5086|)
* Trying xxx.xxx.xxx.xxx...
* TCP_NODELAY set
* Connecting to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 5086
* Connected to ftp.example.com (xxx.xxx.xxx.xxx) port 990 (#0)
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening data channel for directory listing of "/"
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: D:/inetpub/PHP/cacert.pem
CApath: none
* SSL re-using session ID
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ftp.example.com:990
* Closing connection 0

They say that they are not running a proxy and that the passive port range (5000 to 5100) is configured in their firewall. Any suggestions would be appreciated.

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-08 23:23
by botg
This log has been tampered with so much, it's useless. Please post a complete and unmodified log.

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-09 00:22
by shoutbomb
Am I not able to mask identifiable information?

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-09 00:28
by shoutbomb
This is the server-side log detailing one of the failed attempts to connect. I am only masking the initial portion of the IP address; nothing else is changed:

(009500) 11/8/2018 12:07:27 PM - (not logged in) (xxx.xxx.64.21)> Connected on port 990, sending welcome message...
(009500) 11/8/2018 12:07:27 PM - (not logged in) (xxx.xxx.64.21)> TLS connection established
(009500) 11/8/2018 12:07:27 PM - (not logged in) (xxx.xxx.64.21)> USER uoa
(009500) 11/8/2018 12:07:27 PM - (not logged in) (xxx.xxx.64.21)> 331 Password required for uoa
(009500) 11/8/2018 12:07:27 PM - (not logged in) (xxx.xxx.64.21)> PASS ************
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 230 Logged on
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> PBSZ 0
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 200 PBSZ=0
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> PROT P
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 200 Protection level set to P
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> PWD
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 257 "/" is current directory.
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> EPSV
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 229 Entering Extended Passive Mode (|||5086|)
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> TYPE A
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 200 Type set to A
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> LIST
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 150 Opening data channel for directory listing of "/"
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> 426 Connection closed; aborted transfer of "/"
(009500) 11/8/2018 12:07:27 PM - uoa (xxx.xxx.64.21)> disconnected.

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-09 00:33
by shoutbomb
This is the client-side log detailing the attempt to connect. I am only masking the initial portion of the IP address and the host name; NOTHING else about this log is altered.

* Hostname ftp.blanc.com was found in DNS cache
* Trying xxx.xxx.35.93...
* TCP_NODELAY set
* Connected to ftp.blanc.com (xxx.xxx.35.93) port 990 (#0)
* successfully set certificate verify locations:
* CAfile: D:/inetpub/PHP/cacert.pem
CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: CN=ftp.blanc.com; C=US; ST=California; L=San Leandro; O=blanc, LLC; OU=blanc Team; emailAddress=support@blanc.com
* start date: Apr 28 00:50:06 2018 GMT
* expire date: Apr 28 00:50:06 2019 GMT
* common name: ftp.blanc.com (matched)
* issuer: CN=ftp.blanc.com; C=US; ST=California; L=San Leandro; O=blanc, LLC; OU=blanc Team; emailAddress=support@blanc.com
* SSL certificate verify ok.
< 220 Hello...now where to begin
> USER uoa
< 331 Password required for uoa
> PASS *******
< 230 Logged on
> PBSZ 0
< 200 PBSZ=0
> PROT P
< 200 Protection level set to P
> PWD
< 257 "/" is current directory.
* Entry path is '/'
> EPSV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 229 Entering Extended Passive Mode (|||5086|)
* Trying xxx.xxx.35.93...
* TCP_NODELAY set
* Connecting to xxx.xxx.35.93 (xxx.xxx.35.93) port 5086
* Connected to ftp.blanc.com (xxx.xxx.35.93) port 990 (#0)
> TYPE A
< 200 Type set to A
> LIST
< 150 Opening data channel for directory listing of "/"
* Maxdownload = -1
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: D:/inetpub/PHP/cacert.pem
CApath: none
* SSL re-using session ID
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ftp.blanc.com:990
* Closing connection 0

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-09 00:37
by shoutbomb
This is the PHP used by the client to connect. I am only masking out their password and the FTP server; nothing else is altered.

<?php
$curl = curl_init();
curl_setopt($curl, CURLOPT_USE_SSL, CURLFTPSSL_ALL);   // require TLS on both control and data channel
curl_setopt($curl, CURLOPT_SSLVERSION, 6);             // 6 == CURL_SSLVERSION_TLSv1_2
curl_setopt($curl, CURLOPT_TCP_NODELAY, 0);
curl_setopt($curl, CURLOPT_URL, "ftps://uoa:uoa*******@ftp.blanc.com/");
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);         // turns off server certificate verification
curl_exec($curl);
curl_close($curl);
fclose($file);   // $file is presumably opened earlier in the client's script (not shown in the post)

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-09 08:02
by botg
< 229 Entering Extended Passive Mode (|||5086|)
[..]
* Connecting to xxx.xxx.35.93 (xxx.xxx.35.93) port 5086
* Connected to ftp.blanc.com (xxx.xxx.35.93) port 990 (#0)
[...]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ftp.blanc.com:990
Looks like your client forgets which port it is supposed to connect to.

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
That completely disables security; you could just as well post your password on Twitter.
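
The two clues botg points at are the EPSV reply that announces the data port and the 150-then-426 pair in the server-side log. The following Python helper is added here and is not part of the thread or of FileZilla Server: it pulls the data port out of a 227/229 reply, checks it against the configured passive range (5000 to 5100 in this thread), and flags a listing that was opened and then aborted. The session id, IP address and log lines in it are constructed samples modelled on the posted log.

```python
import re

# Passive port range the server operator in the thread says is configured (5000 to 5100).
PASSIVE_RANGE = (5000, 5100)
# Strip the FileZilla Server prefix "(id) date - user (ip)> " or curl's "< " to leave the bare reply.
PREFIX_RE = re.compile(r"^(?:<\s|\(\d+\)\s.*?\)>\s)")
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||5086|)
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")
# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*\((?:\d{1,3},){4}(\d{1,3}),(\d{1,3})\)")

def reply_text(line):
    """Bare server reply from a curl '< ' line or a FileZilla Server log line."""
    return PREFIX_RE.sub("", line.strip(), count=1)

def data_port(reply):
    """Port announced by a 227 (PASV) or 229 (EPSV) reply, or None if the line is neither."""
    m = EPSV_RE.match(reply)
    if m:
        return int(m.group(1))
    m = PASV_RE.match(reply)
    if m:
        return int(m.group(1)) * 256 + int(m.group(2))
    return None

def analyse(log_lines, passive_range=PASSIVE_RANGE):
    """Extract the data port and flag a 150 (opening data channel) followed by 426 (aborted):
    an in-range port whose transfer aborts right after 150 points at the firewall/NAT, not at TLS."""
    result = {"data_port": None, "port_in_range": None, "data_channel_failed": False}
    opening = False
    for line in log_lines:
        reply = reply_text(line)
        port = data_port(reply)
        if port is not None:
            result["data_port"] = port
            result["port_in_range"] = passive_range[0] <= port <= passive_range[1]
        elif reply.startswith("150"):
            opening = True
        elif reply.startswith("426") and opening:
            result["data_channel_failed"] = True
    return result

# Constructed sample modelled on the server-side log in the thread (session id and IP are made up).
SAMPLE_SERVER_LOG = [
    "(000042) 11/8/2018 12:07:27 PM - uoa (203.0.113.21)> EPSV",
    "(000042) 11/8/2018 12:07:27 PM - uoa (203.0.113.21)> 229 Entering Extended Passive Mode (|||5086|)",
    '(000042) 11/8/2018 12:07:27 PM - uoa (203.0.113.21)> 150 Opening data channel for directory listing of "/"',
    '(000042) 11/8/2018 12:07:27 PM - uoa (203.0.113.21)> 426 Connection closed; aborted transfer of "/"',
]
```

Run `analyse(SAMPLE_SERVER_LOG)` to get the port 5086 (inside the range) together with the data-channel failure flag; the same function accepts the `< ` lines of a curl verbose log.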

Re: OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Posted: 2018-11-13 13:32
by shoutbomb
Hello,

Missed that clue and my client confirmed the passive port range was not opened on their firewall. With that corrected, the connection is now working.

Thank you for your time.