[Reference:<_A1419@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Howto? SSL FTP Tunneling
15 Nov 2001 21:59:39 GMT feedback@delegate.org (Yutaka Sato)


Hi,

On 11/16/01(03:40) you "Bryan Dees" <ppqcqbdyi-mnhltarlynjr.ml@ml.delegate.org> wrote
in <_A1419@delegate-en.ML_>
 |delegated -P10021 SERVER=ftp://host:10021/ \
 |CMAP="sslway -st:FCL:ftp:*:*" CMAP=sslway:FCL:ftp-data:*:*
 |
 |I'd prefer to allow my customers to connect to the same port
 |for FTP and SFTP.
 |Do you think you'll be able to apply those fixes soon?

The problem that occurs when this DeleGate is used by a non-SSL client is probably that the ftp-data connection is always wrapped in SSL, unconditionally.
The enclosed patch to sslway.c introduces an "-ad" option, meaning automatic detection of an SSL session start (a ClientHello) on the connection; when no ClientHello is seen, the data connection is relayed without SSL, so a plain-FTP client can share the same port.
I hope using it like CMAP="sslway -ad:FCL:ftp-data" will do.

Cheers,
Yutaka
--
  @ @ Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
 ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan


*** ../761/filters/sslway.c	Wed Jun 27 05:28:33 2001
--- sslway.c	Fri Nov 16 06:47:27 2001
***************
*** 276,281 ****
--- 276,285 ----
  #define do_conSTLS	sslctx[XCON].x_do_STLS
  #define sv_vrfy		sslctx[XCON].x_verify
  
+ #define ST_OPT		1
+ #define ST_FORCE	2
+ #define ST_AUTO		4 /* auto-detection of SSL by Client_Hello */
+ 
  static passfilename(keyfile,passfile)
  	char *keyfile,*passfile;
  {	char *dp;
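Review bot: ST_OPT/ST_FORCE/ST_AUTO are given power-of-two values as if do_accSTLS were a bitmask, but the later hunks compare with `do_accSTLS == ST_AUTO`, so they act as mutually exclusive modes rather than flags. A comment such as `/* STLS modes for do_accSTLS/do_conSTLS: exactly one value is set, never OR-ed */` next to the defines would keep a later reader from combining them. The ST_AUTO comment could also say that detection is by peeking the first bytes only, as isinSSL() implements it.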
***************
*** 527,539 ****
  	return proto;
  }
  static isinSSL(fd)
! {	char buf[1];
  
  	buf[0] = 0x7F;
  	RecvPeek(fd,buf,1);
  	if( (buf[0] & 0x80) || buf[0] < 0x20 ){
  		ERROR("STARTTLS got binary [%X] from client",0xFF&buf[0]);
! 		return 1;
  	}
  	return 0;
  }
--- 531,551 ----
  	return proto;
  }
  static isinSSL(fd)
! {	unsigned char buf[8];
  
  	buf[0] = 0x7F;
  	RecvPeek(fd,buf,1);
  	if( (buf[0] & 0x80) || buf[0] < 0x20 ){
  		ERROR("STARTTLS got binary [%X] from client",0xFF&buf[0]);
! 		if( buf[0] == 0x80 ){
! 			RecvPeek(fd,buf,6);
! 			ERROR("SSL Hello [%X][%X][%X][%X][%X][%X]",
! 				buf[0],buf[1],buf[2],buf[3],buf[4],buf[5]);
! 			if( buf[1] == 0x80 )
! 			if( buf[2] == 1 ) /* major */
! 			if( buf[4] == 1 ) /* minor */
! 				return 1;
! 		}
  	}
  	return 0;
  }
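Review bot: The second `RecvPeek(fd,buf,6)` is unchecked and only `buf[0]` was initialized, so if fewer than six bytes are buffered the version tests and the ERROR() line read uninitialized stack bytes; guard it with `if( RecvPeek(fd,buf,6) < 6 ) return 0;` (assuming RecvPeek returns the peeked byte count like recv() with MSG_PEEK — confirm). The heuristic also recognizes only the SSLv2-format hello (first byte 0x80): a TLS record-layer ClientHello beginning 0x16 0x03 enters the outer branch but falls through to `return 0`, so with `-ad` such a client is treated as plaintext and its handshake fails. In the SSLv2-compatible hello layout byte 2 is the message type (1 = CLIENT-HELLO) and bytes 3–4 are the version, so the `/* major */` and `/* minor */` comments and the `buf[1] == 0x80` test on the low length byte look mismatched with the format; please re-check the byte offsets against the spec before relying on this for a security decision.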
***************
*** 585,590 ****
--- 597,607 ----
  		if( xi == 0 /* && accept implicit SSL too */ ){
  			if( isinSSL(accfd) )
  				return 0;
+ 			if( do_accSTLS == ST_AUTO ){
+ 				ERROR("SSL-autodetect C-S: not in SSL");
+ 				do_accSSL = 0;
+ 				return 0;
+ 			}
  		}
  		if( fgets(buf,sizeof(buf),fc) == NULL )
  			return -1;
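Review bot: `do_accSSL = 0` in the new ST_AUTO branch is a silent downgrade: once no ClientHello is seen the connection is relayed in the clear, and this is reported only through ERROR() with text that reads like a diagnostic rather than a policy decision. That is the intended meaning of `-ad`, but it should be stated at the site, e.g. `/* -ad: peer did not start TLS; relay in plaintext (encryption is optional in this mode) */`, and the documentation should make clear that with `-ad` the proxy cannot enforce encryption on the data channel. isinSSL() also peeks for at least one byte before deciding, so if the peer on accfd is not the first to send on this connection the detection may wait on it — worth confirming against the readiness logic that precedes this hunk. The enclosing function starts outside the hunk.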
***************
*** 652,657 ****
--- 669,684 ----
  		fflush(ts);
  	    }
  	    if( rfdv[1] ){
+ 		if( xi == 0 ){
+ 			if( isinSSL(confd) ){
+ 				return 0;
+ 			}
+ 			if( do_accSTLS == ST_AUTO ){
+ 				ERROR("SSL-autodetect S-C: not in SSL");
+ 				do_accSSL = 0;
+ 				return 0;
+ 			}
+ 		}
  		if( proto == NULL ){
  			proto = relay_opening(proto,fs,tc,buf,sizeof(buf));
  			if( proto == NULL )
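Review bot: The server-to-client branch tests `do_accSTLS` and clears `do_accSSL`, the same accept-side variables as the client-to-server branch, even though it sits under `rfdv[1]` and peeks `confd`; if this branch is meant to decide the connected side, `do_conSTLS`/`do_conSSL` look like the matching pair, and since `-ad` sets both STLS flags the accept-side flag would otherwise be cleared from both directions. Peeking `confd` for a ClientHello also assumes the peer on the connected side acts as the TLS client; a TLS server never sends a ClientHello, so unless that holds in this deployment the branch always takes the "not in SSL" path. Please confirm which side each variable governs and record it, e.g. `/* S-C: probe confd for a ClientHello; the peer there must be the TLS client */`. The enclosing function starts and continues outside the hunk.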
***************
*** 845,850 ****
--- 872,880 ----
  			do_accSTLS = do_conSTLS = arg[1]=='s'?1:2;
  			if( arg[3] == '/' && arg[4] != 0 )
  				stls_proto = strdup(arg+4);
+ 		}else
+ 		if( strncasecmp(arg,"-ad",3) == 0 ){
+ 			do_accSTLS = do_conSTLS = ST_AUTO;
  		}else
  		if( strncmp(arg,"-ac",3) == 0 ){
  			do_accSSL = 1;
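Review bot: The new `-ad` branch uses `strncasecmp` while the neighbouring `-st`/`-ac` tests use `strncmp`, so `-AD` is accepted but `-AC` is not; use `strncmp(arg,"-ad",3)` for consistency, or make all option tests case-insensitive deliberately. The patch introduces ST_OPT/ST_FORCE but the line just above still assigns `arg[1]=='s'?1:2`; now that the names exist, `do_accSTLS = do_conSTLS = arg[1]=='s'?ST_OPT:ST_FORCE;` keeps the mode values in one place. The option-parsing function starts and continues outside the hunk.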
