[jira] [Commented] (NET-719) FTPS protocal timing problems behind WAF (F5) firewall

Tue, 14 Mar 2023 10:08:06 -0700 


    [ 
https://issues.apache.org/jira/browse/NET-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700313#comment-17700313
 ] 

Gary D. Gregory commented on NET-719:
-------------------------------------

Hi [~skaptara] 

Creating a reproducible test for complex use cases is always a challenge but 
critical if we expect code changes to keep functioning as intended without 
unintentional future regressions.

I can only offer generalities: 
 # As previously mentioned, a test for a fix or change should fail if the 
changes to the main source tree are not applied. This proves that the main 
changes do fix something.
 # You can embed and configure a proxy of some kind in the test; Apache 
HttpComponents provides examples of proxies using HttpCore.
 # You can use a mocking library like Mockito or Powermock to simulate a proxy 
or origin server.
 # A combination of all the above

It is likely that you may spend as much time if not more creating the test than 
the fix (see point 1 above).

HTH

> FTPS protocal timing problems behind WAF (F5) firewall
> ------------------------------------------------------
>
>                 Key: NET-719
>                 URL: https://issues.apache.org/jira/browse/NET-719
>             Project: Commons Net
>          Issue Type: Improvement
>          Components: FTP
>    Affects Versions: 3.9.0
>            Reporter: Stefan Kuhr
>            Priority: Major
>         Attachments: FTPSClient_RETR_Timing_diagram_current_impl-1.png, 
> FTPSClient_RETR_Timing_diagram_problem.png, 
> FTPSClient_RETR_Timing_diagram_solution.png
>
>
> A working data exchange setup stopped working, after the server (vsftpd / 
> RedHat) was moved behind a WAF (F5) web application firewall. The client uses 
> PASV mode and the operation resulted in a socket timeout on the client side, 
> as soon as the data channel came into play (LIST/RETR/STOR).
> A FileZilla client does not exhibit this problem. By looking at the protocol 
> exchanges and laying them down in timing diagrams the problem seems to be, 
> that the WAF expects the client to fully establish the data-channel, after 
> the data-command is send over the control-channel. The current FTPS client on 
> the other hand expects the server reply directly after the command is sent.
> A pull request will be provided.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to