Article delegate-en/4378 of [1-5169] on the server localhost:119
[Reference:<_A4377@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: ftps fails to work with client side ssl
26 Feb 2009 05:40:09 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4377@delegate-en.ML_> on 02/26/09(10:37:14)
you Jacob Lundberg <pdeiqbdyi-kvvvzvfz4r3r.ml@ml.delegate.org> wrote:
 |I have a problem proxying ftps clients to ftp servers.  When the client
 |requests a directory listing, it just hangs.  I am including below an
 |example with output from lftp and delegate.

The problem is in the implicit negotiation of SSL usage in FTPS, whose
specification is not well defined.  In your case, DeleGate is waiting for
SSL negotiation from the client on the data connection, but lftp does not
do SSL (at least by default) for an FTPS server.
I'm not sure, but maybe you can configure your lftp to do it; however, it is
recommended to use SSL with explicit negotiation over the FTP protocol,
as follows for example.

[DeleGate]
 delegated -fv -P8021 SERVER=ftp STLS=fcl MOUNT="/* ftp://ftp/*"
[Lftp]
 lftp ftp://anonymous@delegate:8021/
 Password:
 lftp> set ftp:ssl-allow-anonymous yes
 lftp> ls


But if you really need SSL only for the control connection, you can apply
SSL only to the control connection (FTP) but not to the data connection (FTP-DATA)
by limiting the protocol with STLS="fcl:ftp", as follows:

[DeleGate]
 delegated -fv -P990 SERVER=ftps STLS=fcl:ftp MOUNT="/* ftp://ftp/*"
[Lftp]
 lftp ftp://anonymous@delegate/
 Password:
 lftp> ls

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

-------------
$ lftp -d ftp://anonymous@1..:8021
Password: 
lftp anonymous@1..:~> set ftp:ssl-allow-anonymous yes
lftp anonymous@1..:~> ls
---- Connecting to 192.168.1.1 (192.168.1.1) port 8021
<--- 220- ysimac2.localdomain PROXY-FTP server (DeleGate/9.9.2-pre4) ready.
<--- 220-   @ @
<--- 220-  ( - ) { DeleGate/9.9.2-pre4 (February 26, 2009) }
<--- 220- AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
<--- 220- Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
<--- 220- Copyright (c) 2001-2009 National Institute of Advanced Industrial Science and Technology (AIST)
<--- 220- WWW: http://www.delegate.org/delegate/
<--- 220- --
<--- 220- You can connect to a SERVER by `user' command:
<--- 220-    ftp> user username@SERVER
<--- 220- or by `cd' command (after logged in as an anonymous user):
<--- 220-    ftp> cd //SERVER
<--- 220- Cache is enabled by default and can be disabled by `cd .' (toggle)
<--- 220- This (proxy) service is maintained by 'test@delegate.org'
<--- 220- 
<--- 220  
---> FEAT
<--- 211-Extensions supported
<---  AUTH TLS
<---  PBSZ
<---  PROT
<--- 211 END
---> AUTH TLS
<--- 234 OK                     
---> USER anonymous
Certificate depth: 0; subject: /O=Internet/OU=DeleGate Users/CN=Anonymous User/emailAddress=anonymous@id.delegate.org; issuer: /C=JP/ST=Ibaraki/L=Tsukuba/O=The DeleGate Project/OU=The Author of DeleGate/CN=Yutaka Sato/emailAddress=author@delegate.org
WARNING: Certificate verification: unable to get local issuer certificate
WARNING: Certificate verification: certificate not trusted
WARNING: Certificate verification: unable to verify the first certificate
<--- 331- Guest login ok, enter your E-mail address as password.
<--- 331  Default value is: ?
---> PASS XXXX
<--- 230- Guest login ok, your E-mail address is <test@delegate.org>
<--- 230  Now you can select a FTP SERVER by cd //SERVER
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 OK
---> PROT P
<--- 200 OK
---> PASV
<--- 227 Entering Passive Mode (192,168,1.1,214,88).
---- Connecting data socket to (192.168.1.1) port 54872
---- Data connection established
---> LIST
<--- 150-- LIST for anonymous@ftp.delegate.org.
<---  220- yshome PROXY-FTP server (DeleGate/9.9.2-pre2) ready.
<---  220-   @ @
<---  220-  ( - ) { DeleGate/9.9.2-pre2 (February 9, 2009) }
<---  220- AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
<---  220- Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
<---  220- Copyright (c) 2001-2009 National Institute of Advanced Industrial Science and Technology (AIST)
<---  220- WWW: http://www.delegate.org/delegate/
<---  220- --
<---  220- You can connect to a SERVER by `user' command:
<---  220-    ftp> user username@SERVER
<---  220- or by `cd' command (after logged in as an anonymous user):
<---  220-    ftp> cd //SERVER
<---  220- Cache is enabled by default and can be disabled by `cd .' (toggle)
<---  220- This (proxy) service is maintained by 'test@delegate.org'
<---  220- 
<---  220-extended FTP [MODE XDC][XDC/BASE64]
<---  220  
<---  331- Guest login ok, enter your E-mail address as password.
<---  331  Default value is: ?
<---  230- Guest login ok, your E-mail address is <test@delegate.org>
<---  230  Now you can select a FTP SERVER by cd //SERVER
<--- 150- Opening ASCII mode data connection for LIST (111 bytes).
<--- 150--  @ @  
<--- 150  \( - )/ -- { connected to `ftp.delegate.org' }
drwxrwxr-x 13 delegate     4096 Aug 12  2005 pub
-rw-rw-r--  1 delegate      272 Jan 25  2004 rsa-pubkey.pem
---- Got EOF on data connection
---- Closing data socket
<--- 226 Transfer complete (111 bytes)
-------------
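
Added example, not from the original post and not DeleGate's or lftp's code: a small Python client that walks the explicit-FTPS sequence visible in the trace above (FEAT, AUTH TLS, USER/PASS, PBSZ 0, PROT P, PASV, LIST) and, through two flags, the other shapes the thread discusses: `implicit=True` wraps the control socket in TLS before reading the 220 banner (the port-990 convention of `SERVER=ftps`), and `protect_data=False` sends PROT C so the data connection stays in the clear, which is what `STLS=fcl:ftp` leaves on the wire. Unlike the trace, which prints "certificate not trusted" and continues, the TLS context here verifies the peer, so a self-issued proxy certificate has to be supplied through `cafile` or the session aborts. The host name, credentials, file names and `SAMPLE_TRACE` are placeholders or constructed data; the reply parsers can be exercised offline on that sample.

```python
# Added example (not from the original post, DeleGate or lftp): explicit vs
# implicit FTPS from the client side. Host, credentials and SAMPLE_TRACE are
# placeholders / constructed data; the server must advertise AUTH TLS, PBSZ, PROT.
import io
import re
import socket
import ssl

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256+p2)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def read_reply(rfile):
    """Read one RFC 959 reply: 'nnn-' opens a multi-line reply closed by 'nnn '."""
    raw = rfile.readline()
    if not raw:
        raise EOFError("control connection closed")
    lines = [raw.decode("latin-1").rstrip("\r\n")]
    code = int(lines[0][:3])
    if lines[0][3:4] == "-":
        while not lines[-1].startswith(f"{code:03d} "):
            raw = rfile.readline()
            if not raw:
                raise EOFError("multi-line reply truncated")
            lines.append(raw.decode("latin-1").rstrip("\r\n"))
    return code, lines

def supports_auth_tls(feat_lines):
    """True if the 211 FEAT reply lists an AUTH mechanism that includes TLS."""
    body = (l.strip().upper() for l in feat_lines[1:-1])
    return any(l.startswith("AUTH") and "TLS" in l for l in body)

class FtpsClient:
    def __init__(self, host, port, cafile=None):
        self.host, self.port = host, port
        # Verifying context: an untrusted or mis-named proxy certificate aborts
        # the session instead of producing warnings as in the lftp trace.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _attach(self, sock):
        self.ctrl, self.rfile = sock, sock.makefile("rb")

    def cmd(self, line, ok):
        self.ctrl.sendall((line + "\r\n").encode("latin-1"))
        code, lines = read_reply(self.rfile)
        if code not in ok:
            raise RuntimeError(f"{line}: unexpected reply {lines[-1]!r}")
        return lines

    def list_dir(self, user, password, implicit=False, protect_data=True):
        # Timeouts turn a TLS/plaintext mismatch on either socket into an
        # exception instead of the silent hang reported in the thread.
        sock = socket.create_connection((self.host, self.port), timeout=30)
        if implicit:  # implicit FTPS (port 990 convention): TLS before the banner
            sock = self.ctx.wrap_socket(sock, server_hostname=self.host)
        self._attach(sock)
        read_reply(self.rfile)                                   # 220 banner
        if not implicit:  # explicit FTPS: plaintext banner, then AUTH TLS upgrade
            if not supports_auth_tls(self.cmd("FEAT", ok=(211,))):
                raise RuntimeError("server does not offer AUTH TLS")
            self.cmd("AUTH TLS", ok=(234,))
            self._attach(self.ctx.wrap_socket(self.ctrl, server_hostname=self.host))
        if self.cmd(f"USER {user}", ok=(230, 331))[-1].startswith("331"):
            self.cmd(f"PASS {password}", ok=(230,))
        self.cmd("PBSZ 0", ok=(200,))
        # PROT P: TLS on the data connection (STLS=fcl);
        # PROT C: data connection in the clear (the STLS=fcl:ftp variant).
        self.cmd("PROT P" if protect_data else "PROT C", ok=(200,))
        dhost, dport = parse_pasv(self.cmd("PASV", ok=(227,))[-1])
        data = socket.create_connection((dhost, dport), timeout=30)
        if protect_data:  # resume the control-channel session; many servers require it
            data = self.ctx.wrap_socket(data, server_hostname=self.host,
                                        session=self.ctrl.session)
        self.cmd("LIST", ok=(125, 150))
        listing = b"".join(iter(lambda: data.recv(4096), b""))
        data.close()
        read_reply(self.rfile)                                   # 226 Transfer complete
        self.cmd("QUIT", ok=(221,))
        return listing.decode("latin-1")

# Constructed sample of proxy control-channel replies (not captured traffic).
SAMPLE_TRACE = (
    b"220- PROXY-FTP server (DeleGate) ready.\r\n220 \r\n"
    b"211-Extensions supported\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 END\r\n"
    b"227 Entering Passive Mode (192,168,1,1,214,88).\r\n"
)

def walk_sample(raw):
    # Parse banner, FEAT and PASV replies offline, exactly as list_dir would.
    f = io.BytesIO(raw)
    banner_code, _ = read_reply(f)
    _, feat = read_reply(f)
    _, pasv = read_reply(f)
    return {"banner": banner_code, "auth_tls": supports_auth_tls(feat),
            "data_endpoint": parse_pasv(pasv[-1])}
```

Against a live proxy the call is `FtpsClient("delegate", 8021, cafile="proxy-ca.pem").list_dir("anonymous", "me@example.org")` for the explicit setup on port 8021, and `list_dir(..., implicit=True, protect_data=False)` for the `-P990 SERVER=ftps STLS=fcl:ftp` setup, as I read the thread. The 30-second timeouts matter for the reported symptom: when one side expects a TLS handshake on the data socket and the other sends or waits for plaintext, `recv` raises `socket.timeout` instead of hanging, which is the quickest way to confirm a PROT/STLS mismatch rather than a dead server.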
