Hi
We have made some positive progress and identified the issue. So if anyone is interested, here it is: "As we use an active FTP session, the data channel is initiated back from the FTP server to the FTP client. In the cleartext world the firewall does a fixup, i.e. it reads the expected port from the data stream and builds the appropriate entry in its tables. In the encrypted world it never sees this, so it blocks it." We have had to add a new firewall rule and it all kicked into life.

Cheers
Craig

From: [email protected]
To: [email protected]
Subject: FTP-SSL problem
Date: Wed, 20 May 2009 15:29:09 +0000

Hi

Hope someone can help me - I have compiled lftp-3.7.13 with openssl-0.9.8k on an AIX 5.3 machine using gcc. When I try to connect to the remote host using TLS the initial handshake works fine but it cannot open a data port. If I use lftp in regular mode there is no problem with using the data port.

My current settings are:

set ftp:passive-mode no
set ftp:ssl-allow yes
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-data yes
set ftp:ssl-protect-list yes
set ftp:use-mdtm no
set ftp:use-size no
set ssl:cert-file ./cert.pem
set ssl:key-file ./key.pem

Session log:

---> FEAT
<--- 211- Extensions supported:
<--- AUTH TLS
<--- PBSZ
<--- PROT
<--- CCC
<--- 211 END
---> AUTH TLS
<--- 234 AUTH command accepted
---> USER ftp
Certificate depth: 0; subject: /C=GB/ST=UK/L=xxxx/O=xxxxx/OU=xxxxx/CN=xxxxx/emailAddress=xxxxxx; issuer: /C=GB/ST=xx/L=xxx/O=xxx/OU=xxx/CN=xxxxxx/emailAddress=xxxxx
WARNING: Certificate verification: self signed certificate
<--- 331 User name is OK. Password needed for:ftp
---> PASS XXXX
<--- 230 User logged in
---> PWD
<--- 502 Command not implemented
---> PBSZ 0
<--- 200 PBSZ command successful
---> PROT P
<--- 200 PROT command successful
---> TYPE I
<--- 200 Type set to 'I'
---> PORT 10,165,192,26,252,246
<--- 200 'PORT' command OK. IP and Port set as:10.165.192.26:64758
---> RETR /dev/tfs/BiiStaExpA
<--- 150 BINARY data connection established for 'RETR'
<--- 425 Cannot open data connection
---- Closing data socket
---> PORT 10,165,192,26,253,9
<--- 200 'PORT' command OK. IP and Port set as:10.165.192.26:64777
---> RETR /dev/tfs/BiiStaExpA
<--- 150 BINARY data connection established for 'RETR'
<--- 425 Cannot open data connection
---- Closing data socket
---> PORT 10,165,192,26,253,26
<--- 200 'PORT' command OK. IP and Port set as:10.165.192.26:64794
---> RETR /dev/tfs/BiiStaExpA
<--- 150 BINARY data connection established for 'RETR'
<--- 425 Cannot open data connection

Hoping someone can point me in the right direction.

My network admin colleague made the following observation: "It's odd: we send you a SYN packet, and expect back a SYN-ACK, but your client sends us a reset ACK instead to close the connection. Do you see anything in your logs for a reason why?"

Many thanks in advance.

Craig
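The mechanism Craig's network team describes can be shown in a few lines. The following is an added example written for this page; it is not code from the lftp project or from the list thread. It models what a stateful firewall's FTP "fixup" does with an active-mode session: it parses the client's cleartext PORT command into the address the server will connect back to (the same arithmetic behind the "IP and Port set as:10.165.192.26:64758" replies in the log) and opens a pinhole for the server's inbound SYN from port 20. Once the client has sent AUTH TLS, the control channel is ciphertext to the firewall, so no pinhole is created and the server's SYN is dropped, which is what surfaces as "425 Cannot open data connection". It goes one step beyond the thread by also modelling CCC (Clear Command Channel), which the server advertises in its FEAT reply: after CCC the control channel reverts to cleartext and the fixup works again while the data channel stays protected by PROT P. The server address `SERVER_IP` is a constructed placeholder (the thread never shows it), the command sequences are constructed from the posted log, and the CCC path assumes the server accepts the command.

```python
"""Model of a firewall FTP fixup (ALG) for active-mode FTP, with and without TLS.

Added illustration; not lftp code. Only the client->server command stream is
modelled, as the firewall would see it on the wire.
"""
import re
from typing import List, Optional, Tuple

# Constructed placeholder: the FTP server's address is not shown in the thread.
SERVER_IP = "192.0.2.10"

# "PORT h1,h2,h3,h4,p1,p2": four address bytes, then port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)

# A pinhole the firewall opens: (src_ip, src_port, dst_ip, dst_port).
Pinhole = Tuple[str, int, str, int]


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (client_ip, client_port); None if not a PORT line."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte out of range in {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def fixup_pinholes(client_commands: List[str], server_ip: str = SERVER_IP) -> List[Pinhole]:
    """Pinholes a PORT-aware firewall would open for the given client command stream.

    Active mode: the server connects FROM its port 20 TO the address in PORT.
    After AUTH TLS (or AUTH SSL) the commands are ciphertext on the wire, so the
    firewall can no longer parse PORT. The CCC command is itself sent encrypted;
    the firewall does not read it, but once the server accepts it the channel is
    cleartext again, so here it marks the point where visibility resumes
    (assumes the server honours CCC, which this server advertises in FEAT).
    """
    pinholes: List[Pinhole] = []
    encrypted = False
    for cmd in client_commands:
        verb = cmd.strip().split(" ", 1)[0].upper()
        if encrypted:
            if verb == "CCC":
                encrypted = False
            continue  # ciphertext: nothing for the fixup to read
        if verb == "AUTH":
            encrypted = True  # TLS handshake follows; control channel goes dark
            continue
        parsed = parse_port(cmd)
        if parsed is not None:
            client_ip, client_port = parsed
            pinholes.append((server_ip, 20, client_ip, client_port))
    return pinholes


def server_syn_allowed(pinholes: List[Pinhole], src_ip: str, src_port: int,
                       dst_ip: str, dst_port: int) -> bool:
    """Would the firewall pass the server's inbound data-channel SYN?"""
    return (src_ip, src_port, dst_ip, dst_port) in pinholes


# Constructed command streams, following the sequence in the posted session log.
CLEAR_SESSION = ["USER ftp", "PASS xxxx", "TYPE I",
                 "PORT 10,165,192,26,252,246", "RETR /dev/tfs/BiiStaExpA"]
TLS_SESSION = ["AUTH TLS", "USER ftp", "PASS xxxx", "PBSZ 0", "PROT P", "TYPE I",
               "PORT 10,165,192,26,252,246", "RETR /dev/tfs/BiiStaExpA"]
CCC_SESSION = ["AUTH TLS", "USER ftp", "PASS xxxx", "PBSZ 0", "PROT P", "CCC", "TYPE I",
               "PORT 10,165,192,26,253,9", "RETR /dev/tfs/BiiStaExpA"]

if __name__ == "__main__":
    for name, session in (("cleartext", CLEAR_SESSION),
                          ("AUTH TLS", TLS_SESSION),
                          ("AUTH TLS + CCC", CCC_SESSION)):
        holes = fixup_pinholes(session)
        print(f"{name:15s} pinholes: {holes}")
        for _, port in filter(None, map(parse_port, session)):
            ok = server_syn_allowed(holes, SERVER_IP, 20, "10.165.192.26", port)
            print(f"{'':15s} SYN {SERVER_IP}:20 -> 10.165.192.26:{port}: "
                  f"{'pass' if ok else 'dropped (425 follows)'}")
```

The posted fix, a static firewall rule, hand-creates what `fixup_pinholes` would have produced for the cleartext session: it permits the server's source port 20 to reach the client's ephemeral ports, which is a much wider hole than the per-session entry the fixup builds. The two other options visible in the log are passive mode (the client then opens the data connection outbound, so no inbound pinhole is needed) and CCC, which the server advertises and which lftp exposes as `ftp:ssl-use-ccc` in versions that support it; with CCC the commands, including PORT, go back to cleartext after login, so check that this is acceptable before relying on it.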
