Thanks a lot for the explanation, John. Is there a specific method in Apache FTP that would allow me to check whether the connection is secured or not?
Cheers,

Martin

On 10.07.2014 at 15:27, John Hartnup <john.hart...@gmail.com> wrote:

> "Explicit" means that the client requests SSL specifically (or "Explicitly").
>
> As delivered, the server lets the client use plain FTP if it doesn't request SSL.
>
> You can make it insist on SSL by writing an ftplet that rejects USER or PASS commands unless the session is secured.
>
>
> On 10 July 2014 12:12, Martin Wunderlich <m...@censhare.de> wrote:
>
>> Hi all,
>>
>> I have found the solution: The key alias parameter was not specified in the FTP server configuration. Once this was set correctly, I was able to connect with the client in TLS mode.
>> One question remains, though: In order for TLS to be active, the client needs to request it specifically (using the setting for explicit TLS). When using "Plain FTP", the client can still connect through an insecure connection.
>>
>> Anyone know why that is? I was assuming that the server would reject insecure connections on its SSL port.
>>
>> Cheers,
>>
>> Martin
>>
>>
>> On 09.07.2014 at 19:21, Martin Wunderlich <m...@censhare.de> wrote:
>>
>> Hi David,
>>
>> Thanks a lot for the reply.
>> Here is the additional information below. The server configuration is set to implicit SSL = false.
>> HTH.
>>
>> Cheers,
>>
>> Martin
>>
>>
>> *Test 1) Connect with explicit SSL (set in the client) to the Server listening on secure port (4243)*
>>
>> *FileZilla Log:*
>> 19:15:39 Trace: CControlSocket::DoClose(64)
>> 19:15:39 Trace: CControlSocket::DoClose(64)
>> 19:15:39 Status: Connecting to 192.168.178.21:4243...
>> 19:15:39 Status: Connection established, waiting for welcome message...
>> 19:15:39 Trace: CFtpControlSocket::OnReceive()
>> 19:15:39 Response: 220 Service ready for new user.
>> 19:15:39 Trace: CFtpControlSocket::SendNextCommand()
>> 19:15:39 Command: AUTH TLS
>> 19:15:39 Trace: CFtpControlSocket::OnReceive()
>> 19:15:39 Response: 234 Command AUTH okay; starting TLS connection.
>> 19:15:39 Status: Initializing TLS...
>> 19:15:39 Trace: CTlsSocket::Handshake()
>> 19:15:39 Trace: CTlsSocket::ContinueHandshake()
>> 19:15:39 Trace: CTlsSocket::OnSend()
>> 19:15:39 Trace: CTlsSocket::OnRead()
>> 19:15:39 Trace: CTlsSocket::ContinueHandshake()
>> 19:15:39 Trace: CTlsSocket::Failure(-12, 53)
>> 19:15:39 Trace: GnuTLS alert 40: Handshake failed
>> 19:15:39 Error: GnuTLS error -12: A TLS fatal alert has been received.
>> 19:15:39 Trace: CRealControlSocket::OnClose(53)
>> 19:15:39 Trace: CControlSocket::DoClose(64)
>> 19:15:39 Trace: CFtpControlSocket::ResetOperation(66)
>> 19:15:39 Trace: CControlSocket::ResetOperation(66)
>> 19:15:39 Error: Could not connect to server
>> 19:15:39 Trace: CFileZillaEnginePrivate::ResetOperation(66)
>>
>> *FileZilla Config:*
>> <Bildschirmfoto 2014-07-09 um 19.17.19.png>
>>
>> *Server log:*
>> 2014.07.09-19:15:39.601 SEVERE : pool-3-thread-9: DefaultFtpHandler: Exception caught, closing session
>> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
>> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:495)
>> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>> at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>> at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>> at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
>> at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>> at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
>> at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
>> at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
>> at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
>> at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
>> at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
>> at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at java.lang.Thread.run(Thread.java:744)
>> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
>> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
>> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
>> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:575)
>> at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:349)
>> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:476)
>> ... 15 more
>> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
>> at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)
>> at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
>> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>> at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>> at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
>> at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:767)
>> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:541)
>> ... 17 more
>>
>>
>> *Test 2) Connect without SSL (set in the client) to the Server listening on secure port (4243)*
>>
>> FileZilla log:
>> 19:18:02 Trace: CControlSocket::DoClose(64)
>> 19:18:02 Trace: CControlSocket::DoClose(64)
>> 19:18:02 Status: Connecting to 192.168.178.21:4243...
>> 19:18:02 Status: Connection established, waiting for welcome message...
>> 19:18:02 Trace: CFtpControlSocket::OnReceive()
>> 19:18:02 Response: 220 Service ready for new user.
>> 19:18:02 Trace: CFtpControlSocket::SendNextCommand()
>> 19:18:02 Command: USER ftpuser
>> 19:18:02 Trace: CFtpControlSocket::OnReceive()
>> 19:18:02 Response: 331 User name okay, need password for ftpuser.
>> 19:18:02 Trace: CFtpControlSocket::SendNextCommand()
>> 19:18:02 Command: PASS ***
>> 19:18:03 Trace: CFtpControlSocket::OnReceive()
>> 19:18:03 Response: 230 User logged in, proceed.
>> 19:18:03 Trace: CFtpControlSocket::SendNextCommand()
>> 19:18:03 Command: OPTS UTF8 ON
>> 19:18:03 Trace: CFtpControlSocket::OnReceive()
>> 19:18:03 Response: 200 Command OPTS okay.
>> 19:18:03 Trace: CFtpControlSocket::SendNextCommand()
>> 19:18:03 Command: OPTS MLST size;modify;type;
>> 19:18:03 Trace: CFtpControlSocket::OnReceive()
>> 19:18:03 Response: 200 Command OPTS okay.
>> 19:18:03 Status: Connected
>> 19:18:03 Trace: CFtpControlSocket::ResetOperation(0)
>> 19:18:03 Trace: CControlSocket::ResetOperation(0)
>> 19:18:03 Trace: CFileZillaEnginePrivate::ResetOperation(0)
>> 19:18:03 Trace: Measured latency of 59 ms
>> 19:18:03 Status: Retrieving directory listing...
>> 19:18:03 Trace: CFtpControlSocket::SendNextCommand()
>> 19:18:03 Trace: CFtpControlSocket::ChangeDirSend()
>> 19:18:03 Command: PWD
>> 19:18:03 Trace: CFtpControlSocket::OnReceive()
>> 19:18:03 Response: 257 "/" is current directory.
>> 19:18:03 Trace: CFtpControlSocket::ResetOperation(0)
>> 19:18:03 Trace: CControlSocket::ResetOperation(0)
>> 19:18:03 Trace: CFtpControlSocket::ParseSubcommandResult(0)
>> 19:18:03 Trace: CFtpControlSocket::ListSubcommandResult()
>> 19:18:03 Trace: state = 1
>> 19:18:03 Trace: CFtpControlSocket::ResetOperation(0)
>> 19:18:03 Trace: CControlSocket::ResetOperation(0)
>> 19:18:03 Status: Directory listing successful
>> 19:18:03 Trace: CFileZillaEnginePrivate::ResetOperation(0)
>>
>> NOTE: This connection works but it seems to be an insecure one, because no TLS is requested.
>>
>> *FileZilla config:*
>> <Bildschirmfoto 2014-07-09 um 19.19.15.png>
>>
>> On 04.07.2014 at 13:43, David Latorre <dvl...@gmail.com> wrote:
>>
>>
>> Martin,
>>
>> Could you attach Filezilla and Mina FTPServer log files as well as FTPServer configuration xml and Filezilla's config (either screenshot or XML file without the passwords)?
>>
>>
>> 2014-06-30 10:57 GMT+02:00 Martin Wunderlich <m...@censhare.de>:
>>
>> Hi all,
>>
>> I am expanding our MINA-based FTP server by adding a setting for implicit vs. explicit SSL. I have made all the necessary changes, but for some reason I can't connect to the server anymore when implicit SSL is set to true. In explicit SSL mode it works fine.
>> When trying to connect, I get the error message:
>> Connection established, waiting for welcome message...
>>
>> And then the FileZilla client just hangs until it has timed out...
>>
>> Any ideas anyone?
>> Thanks a lot.
>>
>> Cheers,
>>
>> Martin
>>
>>
>>
>>
>
>
> --
> "There is no way to peace; peace is the way"
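One way to build the ftplet John describes, as an added example that is not from this thread or from the Apache FTPServer project: it checks the ftplet API's `FtpSession.isSecure()` (the kind of method Martin asks about) and refuses USER and PASS until the client has upgraded the control channel with AUTH TLS, so the plaintext login seen in test 2 gets a 530 instead of a 230. The class name `RequireTlsFtplet` and the map key `requireTls` are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.apache.ftpserver.FtpServerFactory;
import org.apache.ftpserver.ftplet.DefaultFtpReply;
import org.apache.ftpserver.ftplet.DefaultFtplet;
import org.apache.ftpserver.ftplet.FtpException;
import org.apache.ftpserver.ftplet.FtpReply;
import org.apache.ftpserver.ftplet.FtpRequest;
import org.apache.ftpserver.ftplet.FtpSession;
import org.apache.ftpserver.ftplet.Ftplet;
import org.apache.ftpserver.ftplet.FtpletResult;

/**
 * Refuses credentials on an unencrypted control connection.
 *
 * With implicit SSL = false the listener accepts plain FTP until the client
 * sends AUTH TLS, so a client set to "Plain FTP" would otherwise send
 * USER/PASS in clear text and be logged in, as in Martin's test 2.
 */
public class RequireTlsFtplet extends DefaultFtplet {  // class name is an assumption

    @Override
    public FtpletResult beforeCommand(FtpSession session, FtpRequest request)
            throws FtpException, IOException {
        String cmd = request.getCommand();
        boolean loginCommand = "USER".equalsIgnoreCase(cmd) || "PASS".equalsIgnoreCase(cmd);

        // isSecure() is true once the control channel has been upgraded to TLS
        // (or from the first byte on an implicit-SSL listener).
        if (loginCommand && !session.isSecure()) {
            session.write(new DefaultFtpReply(FtpReply.REPLY_530_NOT_LOGGED_IN,
                    "TLS required: send AUTH TLS before USER/PASS."));
            // SKIP stops the server from executing the command itself, so no
            // 331/230 is ever sent on the plain connection.
            return FtpletResult.SKIP;
        }
        return FtpletResult.DEFAULT;
    }

    /** Registers the ftplet with the server factory; "requireTls" is just a map key (assumption). */
    public static void install(FtpServerFactory serverFactory) {
        Map<String, Ftplet> ftplets = new HashMap<String, Ftplet>();
        ftplets.put("requireTls", new RequireTlsFtplet());
        serverFactory.setFtplets(ftplets);
    }
}
```

This guards the control channel only; in explicit mode the data channel is encrypted only once the client negotiates it with PROT P.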