"Explicit" means that the client requests SSL specifically (or "Explicitly").

As delivered, the server lets the client use plain FTP if it doesn't
request SSL.

You can make it insist on SSL by writing an ftplet that rejects USER or
PASS commands unless the session is secured.


On 10 July 2014 12:12, Martin Wunderlich <m...@censhare.de> wrote:

> Hi all,
>
> I have found the solution: The key alias parameter was not specified in
> the FTP server configuration. Once this was set correctly, I was able to
> connect with the client in TLS mode.
> One question remains, though: In order for TLS to be active, the client
> needs to request it specifically (using the setting for explicit TLS). When
> using „Plain FTP“, the client can still connect through an insecure
> connection.
>
> Anyone know why that is? I was assuming that the server would reject
> insecure connections on its SSL port.
>
> Cheers,
>
> Martin
>
>
> On 09.07.2014 at 19:21, Martin Wunderlich <m...@censhare.de> wrote:
>
> Hi David,
>
> Thanks a lot for the reply.
> Here is the additional information below. The server configuration is set
> to implicit SSL = false.
> HTH.
>
> Cheers,
>
> Martin
>
>
> *Test 1) Connect with explicit SSL (set in the client) to the Server
> listening on secure port (4243)*
>
> *FileZilla Log: *
> 19:15:39 Trace: CControlSocket::DoClose(64)
> 19:15:39 Trace: CControlSocket::DoClose(64)
> 19:15:39 Status: Connecting to 192.168.178.21:4243...
> 19:15:39 Status: Connection established, waiting for welcome message...
> 19:15:39 Trace: CFtpControlSocket::OnReceive()
> 19:15:39 Response: 220 Service ready for new user.
> 19:15:39 Trace: CFtpControlSocket::SendNextCommand()
> 19:15:39 Command: AUTH TLS
> 19:15:39 Trace: CFtpControlSocket::OnReceive()
> 19:15:39 Response: 234 Command AUTH okay; starting TLS connection.
> 19:15:39 Status: Initializing TLS...
> 19:15:39 Trace: CTlsSocket::Handshake()
> 19:15:39 Trace: CTlsSocket::ContinueHandshake()
> 19:15:39 Trace: CTlsSocket::OnSend()
> 19:15:39 Trace: CTlsSocket::OnRead()
> 19:15:39 Trace: CTlsSocket::ContinueHandshake()
> 19:15:39 Trace: CTlsSocket::Failure(-12, 53)
> 19:15:39 Trace: GnuTLS alert 40: Handshake failed
> 19:15:39 Error: GnuTLS error -12: A TLS fatal alert has been received.
> 19:15:39 Trace: CRealControlSocket::OnClose(53)
> 19:15:39 Trace: CControlSocket::DoClose(64)
> 19:15:39 Trace: CFtpControlSocket::ResetOperation(66)
> 19:15:39 Trace: CControlSocket::ResetOperation(66)
> 19:15:39 Error: Could not connect to server
> 19:15:39 Trace: CFileZillaEnginePrivate::ResetOperation(66)
>
> *FileZilla Config: *
> <Bildschirmfoto 2014-07-09 um 19.17.19.png>
>
> *Server log: *
> 2014.07.09-19:15:39.601 SEVERE : pool-3-thread-9: DefaultFtpHandler: Exception caught, closing session
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
>         at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:495)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>         at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
>         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>         at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
>         at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>         at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
>         at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
>         at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>         at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:575)
>         at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:349)
>         at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:476)
>         ... 15 more
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
>         at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)
>         at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
>         at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:767)
>         at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:541)
>         ... 17 more
>
>
> *Test 2) Connect without SSL (set in the client) to the Server listening
> on secure port (4243)*
>
> FileZilla log:
> 19:18:02 Trace: CControlSocket::DoClose(64)
> 19:18:02 Trace: CControlSocket::DoClose(64)
> 19:18:02 Status: Connecting to 192.168.178.21:4243...
> 19:18:02 Status: Connection established, waiting for welcome message...
> 19:18:02 Trace: CFtpControlSocket::OnReceive()
> 19:18:02 Response: 220 Service ready for new user.
> 19:18:02 Trace: CFtpControlSocket::SendNextCommand()
> 19:18:02 Command: USER ftpuser
> 19:18:02 Trace: CFtpControlSocket::OnReceive()
> 19:18:02 Response: 331 User name okay, need password for ftpuser.
> 19:18:02 Trace: CFtpControlSocket::SendNextCommand()
> 19:18:02 Command: PASS ***
> 19:18:03 Trace: CFtpControlSocket::OnReceive()
> 19:18:03 Response: 230 User logged in, proceed.
> 19:18:03 Trace: CFtpControlSocket::SendNextCommand()
> 19:18:03 Command: OPTS UTF8 ON
> 19:18:03 Trace: CFtpControlSocket::OnReceive()
> 19:18:03 Response: 200 Command OPTS okay.
> 19:18:03 Trace: CFtpControlSocket::SendNextCommand()
> 19:18:03 Command: OPTS MLST size;modify;type;
> 19:18:03 Trace: CFtpControlSocket::OnReceive()
> 19:18:03 Response: 200 Command OPTS okay.
> 19:18:03 Status: Connected
> 19:18:03 Trace: CFtpControlSocket::ResetOperation(0)
> 19:18:03 Trace: CControlSocket::ResetOperation(0)
> 19:18:03 Trace: CFileZillaEnginePrivate::ResetOperation(0)
> 19:18:03 Trace: Measured latency of 59 ms
> 19:18:03 Status: Retrieving directory listing...
> 19:18:03 Trace: CFtpControlSocket::SendNextCommand()
> 19:18:03 Trace: CFtpControlSocket::ChangeDirSend()
> 19:18:03 Command: PWD
> 19:18:03 Trace: CFtpControlSocket::OnReceive()
> 19:18:03 Response: 257 "/" is current directory.
> 19:18:03 Trace: CFtpControlSocket::ResetOperation(0)
> 19:18:03 Trace: CControlSocket::ResetOperation(0)
> 19:18:03 Trace: CFtpControlSocket::ParseSubcommandResult(0)
> 19:18:03 Trace: CFtpControlSocket::ListSubcommandResult()
> 19:18:03 Trace:   state = 1
> 19:18:03 Trace: CFtpControlSocket::ResetOperation(0)
> 19:18:03 Trace: CControlSocket::ResetOperation(0)
> 19:18:03 Status: Directory listing successful
> 19:18:03 Trace: CFileZillaEnginePrivate::ResetOperation(0)
>
> NOTE: This connection works but it seems to be an insecure one, because no
> TLS is requested.
>
> *FileZilla config: *
> <Bildschirmfoto 2014-07-09 um 19.19.15.png>
>
> On 04.07.2014 at 13:43, David Latorre <dvl...@gmail.com> wrote:
>
>
> Martin,
>
> Could you attach FileZilla and Mina FTPServer log files as well as
> FTPServer configuration XML and FileZilla's config (either screenshot or
> XML file without the passwords)?
>
>
> 2014-06-30 10:57 GMT+02:00 Martin Wunderlich <m...@censhare.de>:
>
> Hi all,
>
> I am expanding our MINA-based FTP server by adding a setting for implicit
> vs. explicit SSL. I have made all the necessary changes, but for some
> reason I can’t connect to the server anymore when implicit SSL is set to
> true. In explicit SSL mode it works fine.
> When trying to connect, I get the error message:
> Connection established, waiting for welcome message...
>
> And then the FileZilla client just hangs until it has timed out…
>
> Any ideas anyone?
> Thanks a lot.
>
> Cheers,
>
> Martin
>
>
>
>
>


-- 
"There is no way to peace; peace is the way"

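The ftplet suggested at the top of this message could look like the sketch below. It is an added example, not code posted by anyone in this thread or shipped with Apache FtpServer; the class name `RequireTlsFtplet`, the 530 reply code and the reply text are choices made for the example.

```java
import java.io.IOException;
import java.util.Locale;

import org.apache.ftpserver.ftplet.DefaultFtpReply;
import org.apache.ftpserver.ftplet.DefaultFtplet;
import org.apache.ftpserver.ftplet.FtpException;
import org.apache.ftpserver.ftplet.FtpRequest;
import org.apache.ftpserver.ftplet.FtpSession;
import org.apache.ftpserver.ftplet.FtpletResult;

/**
 * Hypothetical ftplet (name chosen for this example): refuses USER and PASS
 * until the client has upgraded the control connection with AUTH TLS/SSL,
 * or has connected to a listener running in implicit SSL mode.
 */
public class RequireTlsFtplet extends DefaultFtplet {

    @Override
    public FtpletResult beforeCommand(FtpSession session, FtpRequest request)
            throws FtpException, IOException {
        String command = request.getCommand().toUpperCase(Locale.ROOT);
        boolean isLoginCommand = command.equals("USER") || command.equals("PASS");

        // isSecure() is true once the control connection runs over SSL/TLS.
        if (isLoginCommand && !session.isSecure()) {
            // Refusing USER means the server never answers 331, so a
            // well-behaved client is not asked for the password in cleartext.
            // PASS is refused as well for clients that send it regardless.
            session.write(new DefaultFtpReply(530,
                    "Secure the connection with AUTH TLS before logging in."));
            // SKIP tells the server not to execute the command itself;
            // the session stays open so the client can still send AUTH TLS.
            return FtpletResult.SKIP;
        }

        // Everything else (AUTH, FEAT, and all commands on a secured
        // session) goes through the normal DefaultFtplet dispatch.
        return super.beforeCommand(session, request);
    }
}
```

Register the ftplet with `FtpServerFactory.setFtplets(...)` or the `<ftplets>` element of the XML configuration. `isSecure()` reports on the control connection only, so this check does not cover data connections.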