[Reference:<_A1093@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: delegate as FTPS-proxy blocks
17 Apr 2001 07:50:00 GMT feedback@delegate.org (Yutaka Sato)


Hi,

On 04/15/01(21:11) you dirk laurijssen <piucabdyi-n4ll7ke34nxr.ml@ml.delegate.org> wrote
in <_A1093@delegate-en.ML_>
 |I'm trying to use delegate to connect FTPS-clients to an FTP-server.
 |Both control and data channel should be encrypted.
 |
 |To do so, I used :
 |./delegated -P8021 -v FCL="sslway -cert server-cert.pem -key
 |server-key.pem -ac -vu" DGROOT=/usr/var/spool/delegate-nobody
 |SERVER=ftp://<ip-address>:9021
 |
 |When connecting, the FTP-session blocks and shows the log below.
 |
 |The log seems to indicate that there is no client-certificate, but the
 |WS_FTP-client was configured with certificates and SSL.
 |Any ideas on what's happening or how to debug?

Maybe the client waits for the opening message in clear text from the
FTP-server (DeleGate in this case), expecting to do some negotiation
about the usage of SSL/TLS, like the AUTH SSL command (which should be
processed similarly to STARTTLS in SMTP), in clear text.
But this will not occur because this DeleGate is expecting to start
SSL immediately.

 |Is this setup even possible ?

If the client can be configured to use SSL without negotiation,
at least the control-connection will be relayed by the FTP-DeleGate
with FCL=sslway.  And the enclosed patch will make FTP-DeleGate apply
the FCL=sslway to each data-connection too.  I checked that two chained
FTP-DeleGates, with FSV=sslway and FCL=sslway respectively, do
SSL data-connections with the patch.  But I don't know if there is a
client or a server which goes this way.

Maybe I will read the following documents and support them in the near future.

  RFC2228 (Oct.1997)
  draft-murray-auth-ftp-ssl-07.txt (Apr.2001)


Cheers,
Yutaka
--
  @ @ Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
 ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan

diff -c ../../delegate7.2.1/src/ftp.c ./ftp.c
*** ../../delegate7.2.1/src/ftp.c	Thu Mar 22 16:39:49 2001
--- ./ftp.c	Tue Apr 17 15:12:47 2001
***************
*** 2556,2561 ****
--- 2556,2562 ----
  	extern int IO_TIMEOUT;
  	int fromcache;
  	char xproto[64];
+ 	int xsrc,xdst;
  
  	size = sizeof(buff);
  
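Review bot: `int xsrc,xdst;` are declared here but only assigned inside the new tosv branches in the next hunk; harmless as written, but initialising them to -1 would make the "no filter inserted" state explicit and keep them safe if a later edit reads them outside those branches.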
***************
*** 2579,2584 ****
--- 2580,2601 ----
  	else
  	if( tosv == 0 && filter_withCFI(Conn,XF_FTOCL) )
  		dst = insertFTOCL(Conn,dst,src,NULL);
+ 	else
+ 	if( tosv ){
+ 		/* src:client dst:server */
+ 		if( 0 <= (xsrc = insertFCL(Conn,src)) )
+ 			src = xsrc;
+ 		else
+ 		if( 0 <= (xdst = insertFSV(Conn,src,dst)) )
+ 			dst = xdst;
+ 	}else{
+ 		/* src:server dst:client */
+ 		if( 0 <= (xdst = insertFCL(Conn,dst)) )
+ 			dst = xdst;
+ 		else
+ 		if( 0 <= (xsrc = insertFSV(Conn,dst,src)) )
+ 			src = xsrc;
+ 	}
  	strcpy(REAL_PROTO,xproto);
  
  	Start = Time();
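Review bot: the `else` between `if( 0 <= (xsrc = insertFCL(Conn,src)) )` and the following `insertFSV` call makes the two filters mutually exclusive on a data connection. On a single DeleGate configured with both FCL=sslway and FSV=sslway only the client-side filter is inserted, and the server-side data connection is relayed unfiltered, which for sslway means clear text, while the message only reports the chained two-DeleGate case where each side has one filter. If both sides should be wrapped, call insertFSV after insertFCL unconditionally rather than in the else branch; the `0 <=` checks already assume a negative return means no filter was inserted. Note also that the whole block hangs off the preceding `filter_withCFI` branches, so a configured FTOSV/FTOCL filter suppresses FCL/FSV on that data connection; that interaction deserves a comment.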
diff -c ../../delegate7.2.1/src/filter.c ./filter.c
*** ../../delegate7.2.1/src/filter.c	Wed Feb 21 00:13:38 2001
--- ./filter.c	Tue Apr 17 14:50:27 2001
***************
*** 1037,1043 ****
  	return fsock;
  }
  
! static insertFCL(Conn,fromC)
  	Connection *Conn;
  {	char *filter;
  	int fromcl[2];
--- 1037,1043 ----
  	return fsock;
  }
  
! insertFCL(Conn,fromC)
  	Connection *Conn;
  {	char *filter;
  	int fromcl[2];
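Review bot: dropping `static` from `insertFCL(Conn,fromC)` exports the function without adding a prototype, so the new call sites in ftp.c rely on an implicit `int` return and unchecked argument types (the K&R declaration leaves `fromC` defaulting to int). Add `int insertFCL(Connection *Conn, int fromC);` to a shared header that ftp.c includes, and document that a negative return means no filter was inserted, since ftp.c now branches on `0 <=` that value.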
***************
*** 1099,1105 ****
  	Conn->xf_filters |= XF_FMD;
  	return tosv[1];
  }
! static insertFSV(Conn,client,toS)
  	Connection *Conn;
  {	char *filter;
  	int tosv[2];
--- 1099,1105 ----
  	Conn->xf_filters |= XF_FMD;
  	return tosv[1];
  }
! insertFSV(Conn,client,toS)
  	Connection *Conn;
  {	char *filter;
  	int tosv[2];
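Review bot: same point as for insertFCL: `insertFSV(Conn,client,toS)` is now externally linked but has no prototype. Its parameter order (Conn, client, toS) differs from insertFCL's (Conn, fromC), and ftp.c calls it as `insertFSV(Conn,src,dst)` in one branch and `insertFSV(Conn,dst,src)` in the other; a prototype such as `int insertFSV(Connection *Conn, int client, int toS);` would let the compiler check those calls, and the success/failure return contract (`return tosv[1];` on success, negative otherwise) should be stated in a comment above the function.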
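The stall Yutaka describes, an FTPS client waiting for a clear-text 220 greeting before it sends AUTH SSL while the FCL=sslway DeleGate waits for a TLS handshake, is easier to see as a model of who speaks first on the control connection. The following is an added example and not DeleGate code: it simulates the four client/server mode combinations (implicit SSL versus AUTH-style explicit negotiation) and includes a small classifier for the first bytes seen on a fresh socket, which is the check to run when a session blocks with an empty log. All sample bytes and the host name are constructed.

```python
"""Added example (not DeleGate code): model of the two FTPS control-channel
openings, showing why an explicit-TLS client and an implicit-SSL server wait
for each other, plus a first-bytes classifier for debugging such a stall."""
from enum import Enum


class Mode(Enum):
    IMPLICIT = "implicit"  # TLS handshake first; the 220 banner travels inside TLS
    EXPLICIT = "explicit"  # clear-text 220 banner first, then AUTH TLS / AUTH SSL


# Constructed samples of what each side emits when it is the first to speak.
TLS_CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x9C, 0x01])  # handshake record, ClientHello
CLEAR_BANNER = b"220 ftp.example.test FTP server ready\r\n"           # placeholder host name
AUTH_TLS = b"AUTH TLS\r\n"


def classify_opening(data: bytes) -> str:
    """Name what the first bytes on a fresh control connection look like."""
    if not data:
        return "silence"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # FTP reply: three digits followed by a space (final) or '-' (multi-line)
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "ftp-reply"
    # FTP command: an alphabetic verb such as AUTH, USER or FEAT
    verb = data.split(b" ", 1)[0].rstrip(b"\r\n")
    if verb and verb.isalpha():
        return "ftp-command"
    return "unknown"


def simulate_opening(client: Mode, server: Mode) -> dict:
    """Who speaks first on the control connection, and how the peer takes it.

    Returns the bytes each side sends first (b"" when it waits) and an outcome.
    """
    client_first = client is Mode.IMPLICIT  # implicit client: ClientHello right away
    server_first = server is Mode.EXPLICIT  # explicit server: clear banner right away
    client_bytes = TLS_CLIENT_HELLO_PREFIX if client_first else b""
    server_bytes = CLEAR_BANNER if server_first else b""

    if not client_first and not server_first:
        # The case in the message: the explicit client waits for a clear 220,
        # the implicit-SSL server (DeleGate with FCL=sslway) waits for a ClientHello.
        outcome = "deadlock"
    elif client_first and server_first:
        # Both speak: the server sees a TLS record where it expects a command,
        # the client sees "220 ..." where it expects a ServerHello.
        outcome = "handshake-failure"
    elif client_first:
        outcome = "tls-then-banner"   # implicit on both sides: works
    else:
        outcome = "banner-then-auth"  # explicit on both sides: AUTH TLS follows the banner
    return {
        "client_sends": client_bytes,
        "server_sends": server_bytes,
        "client_seen_as": classify_opening(client_bytes),
        "server_seen_as": classify_opening(server_bytes),
        "outcome": outcome,
    }


if __name__ == "__main__":
    for c in Mode:
        for s in Mode:
            r = simulate_opening(c, s)
            print(f"client={c.value:8} server={s.value:8} -> {r['outcome']}")
```

Run with a TLS-aware packet capture or a plain `recv` on the listening side: "silence" on both ends is the deadlock case above, and the fix is to make the client's mode match the proxy's (implicit SSL for FCL=sslway) rather than to wait on a log that will never fill.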
