Hello Alexander,

Lftp sends a PROT P command after the reply "200 CCC command successful" from the
FTP server. In RFC 4217 we can see that
TLSshutdown should be the next step. On our z/OS FTP client CCC works fine.
I've done a PROT P command after a CCC command on our z/OS FTP client and have
got the following reply:

EZA1701I >>> prot p
503 Command PROT rejected - PROT not allowed after CCC command

So I assume the PROT P command sequence after the "200 CCC command successful" reply in
lftp isn't correct.

Regards
Josef


12.3.  Establishing a Protected Session and then Clearing with the CCC
       Command

             Client                                 Server
    control          data                   data               control
  ====================================================================

                                                               socket()
                                                               bind()
    socket()
    connect()  ----------------------------------------------> accept()
              <----------------------------------------------  220
    AUTH TLS   ---------------------------------------------->
              <----------------------------------------------  234
    TLSneg()  <----------------------------------------------> TLSneg()
    PBSZ 0     ---------------------------------------------->
              <----------------------------------------------  200
    PROT P     ---------------------------------------------->
              <----------------------------------------------  200
    USER fred  ---------------------------------------------->
              <----------------------------------------------  232
    CCC        ---------------------------------------------->
              <----------------------------------------------  200
    TLSshutdown()  <-------------------------------------> TLSshutdown()

-----Original Message-----
From: Berger, Josef
Sent: Wednesday, 4 February 2009 13:29
To: 'Alexander V. Lukyanov'
Subject: RE: Lftp how direct client to use EPSV ?

Hello Alexander,

I have very good news. After our firewall colleagues allowed high ports
(65024-65535), lftp pasv with the patch works fine. Thanks!

As you were so kind to inform me that lftp supports the CCC command when setting
ftp:ssl-use-ccc yes, I've tried it out.
The lftp log and trace show lftp sends CCC to the z/OS FTP server and gets a
success message. Next lftp sends PROT P to the z/OS FTP server and gets an
acknowledgement. In the client trace we can see the acknowledgement arrives at lftp, but no
further action is taken.

Can you please give me advice again on the CCC problem?

Many thanks
Regards
Josef



[r...@izl009 ~]# lftp -d 10
lftp 10:~> set ftp:ssl-use-ccc yes
lftp 10:~> open 194.250.150.100
---- Resolving host address...
---- 1 address found: 194.250.150.100
lftp 194.250.150.100:~> user iz00760
Password:
lftp [email protected]:~> ls
---- Connecting to 194.250.150.100 (194.250.150.100) port 21
<--- 220-IZTIP0FT IBM FTP CS V1R10 at IZT3.ESERVER.IZB, 13:24:22 on 2009-02-04.
<--- 220 Connection will close if idle for more than 5 minutes.
---> FEAT
<--- 211- Extensions supported
<---  AUTH TLS
<---  PBSZ
<---  PROT
<--- 211 End
---> AUTH TLS
<--- 234 Security environment established - ready for negotiation
---> USER iz00760
Certificate depth: 0; subject: 
/C=DE/ST=BAYERN/L=NBG/O=IZB/OU=OE544/CN=W1.ESERVER.IZB; issuer: /C=DE/O=IZB 
Informatik-Zentrum Muenchen-Frankfurt a.M. GmbH & Co. KG/CN=IZB Class 2 CA
WARNING: Certificate verification: unable to get local issuer certificate
WARNING: Certificate verification: certificate not trusted
WARNING: Certificate verification: unable to verify the first certificate
<--- 331 Send password please.
---> PASS XXXX
<--- 230 IZ00760 is logged on.  Working directory is "IZ00760.".
---> PWD
<--- 257 "'IZ00760.'" is working directory.
---> PBSZ 0
<--- 200 Protection buffer size accepted
---> CCC
<--- 200 CCC command successful
---> PROT P
**** control-socket: Connection reset by peer
---- Closing control socket
Interrupt
lftp [email protected]:~>





-----Original Message-----
From: Alexander V. Lukyanov [mailto:[email protected]]
Sent: Tuesday, 27 January 2009 14:25
To: Berger, Josef
Cc: [email protected]
Subject: Re: Lftp how direct client to use EPSV ?

On Tue, Jan 27, 2009 at 09:05:26AM +0100, Berger, Josef wrote:
> To check the set ftp:ignore-pasv-address we have refreshed lftp
> to version 3.7.8. When using this setting, the data connection also hangs. In
> the lftp log we can see the message "Address returned by PASV seem to be
> incorrect and has been fixed". Any idea how we can switch correctly to extended
> passive mode would be appreciated.

Ok, please try this patch.

--
   Alexander
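
Added example, not part of the original messages and not lftp's own code: a small checker over an lftp-style debug trace that flags the command order discussed in this thread, measured against the RFC 4217 section 12.3 sequence quoted above, where PROT P is accepted before CCC. The trace is constructed and the helper name `check_ccc_order` is hypothetical; it assumes each command is answered before the next is sent.

```python
import re

# Constructed trace in lftp's debug format ("--->" sent, "<---" received),
# modelled on the session in the thread; the user name is a placeholder.
SAMPLE_TRACE = """\
---> AUTH TLS
<--- 234 Security environment established - ready for negotiation
---> USER exampleuser
<--- 331 Send password please.
---> PASS XXXX
<--- 230 exampleuser is logged on.
---> PBSZ 0
<--- 200 Protection buffer size accepted
---> CCC
<--- 200 CCC command successful
---> PROT P
**** control-socket: Connection reset by peer
"""

def check_ccc_order(trace):
    """Return findings about command order around CCC (hypothetical helper)."""
    findings = []
    pending = None      # last command sent, still waiting for its final reply
    cleared = False     # True once CCC got 200: control channel is clear text
    prot_ok = False     # True once PROT got 200 before CCC was accepted
    for line in trace.splitlines():
        sent = re.match(r"---> (\S+)", line)
        reply = re.match(r"<--- (\d{3}) ", line)  # final replies only, not "NNN-"
        if sent:
            pending = sent.group(1).upper()
            if cleared and pending == "PROT":
                findings.append("PROT sent after CCC was accepted")
            elif cleared and pending in ("USER", "PASS"):
                findings.append(pending + " sent in clear after CCC")
        elif reply and pending:
            code = reply.group(1)
            if pending == "PROT" and code == "200" and not cleared:
                prot_ok = True
            elif pending == "CCC" and code == "200":
                cleared = True
                if not prot_ok:
                    findings.append("CCC accepted before PROT was negotiated")
            pending = None
    return findings

if __name__ == "__main__":
    for finding in check_ccc_order(SAMPLE_TRACE):
        print(finding)
```

A trace that follows the section 12.3 order (PBSZ 0, PROT P, USER, then CCC) produces no findings.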
