Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FTP over SSL
10 Jun 2002 22:25:25 GMT feedback@delegate.org (Yutaka Sato)


Hi,

On 05/29/02(00:09) I wrote in <_A1656@delegate-en.ML_>
 |For the time being, the answer for your first question only.
 |
 |On 05/28/02(19:44) you po4dabdyi-t7hpmu77wfxr.ml@ml.delegate.org wrote
 |in <_A1655@delegate-en.ML_>
 | |1. draft-murray-auth-ftp-ssl-08.txt and RFC-2228 documents are describing 
 | |the 'PROT P' command to secure data connection. After successful AUTH TLS 
 | |and autentication with USER & PASS, the ftp server expect me to issue a 
 | |PBSZ 0 and PROT P commands to force ftp-data to be SSL encrypted. In other 
 | |case the data sessions are unencrypted. How to make Delegate to issue 
 | |those commands after successful autentication ? (I want nonSSL client to 
 | |connect via delegate to SSL enabled server)
 |
 |Thank you for pointing it out.  It has not been supported and should
 |(must) be.  Since I have still not determined the right place where
 |START-TLS relevant codes are put, ie. in filters/sslway.c or in each
 |protocol interpreters under src/, I'll adopt the easiest solution for
 |sslway.c.  I hope the enclosed patch will do it.

Sorry, I noticed the patch does nothing because it sends PBSZ+PROT
without SSL encoding on control-connection after AUTH TLS.  I made
a new patch which might work.  Since I have no client/server
implementation of AUTH TLS for FTP, I tested the enclosed patch
between chained FTP-DeleGates.  I hope it will work with real FTP
clients/servers.  Specify "sslway -St" as the filter for
control-connection if you would try it.

Cheers,
Yutaka
--
  @ @ Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
 ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan

*** ../delegate7.9.5/filters/sslway.c	Wed Feb  6 00:27:46 2002
--- sslway.c	Tue Jun 11 07:05:16 2002
***************
*** 48,54 ****
      -co  apply SSL for the connection to the server
      -ac  aplly SSL for the accepted connection from the client
      -st  accept STARTTLS (protocol is auto-detect) and SSL tunneling
!     -St  require STARTTLS first (protocol is auto-detect)
      -st/protocol enable STARTTLS for the protocol {SMTP,POP,IMAP,FTP}
      -ad  accept either SSL or through by auto-detection of SSL-ClientHello
  
--- 48,54 ----
      -co  apply SSL for the connection to the server
      -ac  aplly SSL for the accepted connection from the client
      -st  accept STARTTLS (protocol is auto-detect) and SSL tunneling
!     -St  force STARTTLS first (protocol is auto-detect) and PBSZ+PROT for FTP
      -st/protocol enable STARTTLS for the protocol {SMTP,POP,IMAP,FTP}
      -ad  accept either SSL or through by auto-detection of SSL-ClientHello
  
***************
*** 230,235 ****
--- 230,236 ----
  	char	*x_CAfile;	/* A CA's certificate */
  	int	 x_do_SSL;	/* use SSL */
  	int	 x_do_STLS;	/* enable STARTTLS */
+ 	int	 x_nego_FTPDATA;
  	int	 x_verify;
  } SSLContext;
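Review bot: The new `x_nego_FTPDATA` member is the only field in this struct without a trailing comment, while its neighbours (`x_do_SSL`, `x_do_STLS`) each explain their role; suggest `int x_nego_FTPDATA; /* PBSZ+PROT exchange for FTP still pending */`. The name reads as if it concerned the data connection, but as far as the later hunks show the flag only drives commands and replies on the control connection, so the comment should say that to prevent the other reading.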
  
***************
*** 264,269 ****
--- 265,271 ----
  #define do_accSSL	sslctx[XACC].x_do_SSL
  #define do_accSTLS	sslctx[XACC].x_do_STLS
  #define cl_vrfy		sslctx[XACC].x_verify
+ #define cl_nego_FTPDATA	sslctx[XACC].x_nego_FTPDATA
  
  #define cl_Cert		sslctx[XCON].x_certkey
  #define cl_Ncert	sslctx[XCON].x_certkey.v_Ncert
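Review bot: `cl_nego_FTPDATA` is placed on the XACC context but is set from the XCON-side STARTTLS path (`do_conSTLS & ST_FORCE`) and drives the PBSZ/PROT exchange sent to the server over `conSSL`, whereas the `cl_` macros directly below (`cl_Cert`, `cl_Ncert`) index XCON; `sv_nego_FTPDATA` is the mirror image on XCON. This apparently follows the existing `cl_vrfy`/`sv_vrfy` placement, so it is not a bug, but a one-line comment above the define, e.g. `/* cl_: DeleGate acting as FTP client toward the server, stored on XACC like cl_vrfy */`, would stop a later reader from "fixing" the index.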
***************
*** 276,281 ****
--- 278,284 ----
  #define do_conSSL	sslctx[XCON].x_do_SSL
  #define do_conSTLS	sslctx[XCON].x_do_STLS
  #define sv_vrfy		sslctx[XCON].x_verify
+ #define sv_nego_FTPDATA	sslctx[XCON].x_nego_FTPDATA
  
  #define ST_OPT		1
  #define ST_FORCE	2
***************
*** 448,453 ****
--- 451,459 ----
  	fdv[0] = accfd;
  	fdv[1] = confd;
  
+ 	if( cl_nego_FTPDATA )
+ 		nego_FTPDATAcl(conSSL,"",0);
+ 
  	for(;;){
  		nready = 0;
  		rfdv[0] = rfdv[1] = 0;
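Review bot: The pre-loop `nego_FTPDATAcl(conSSL,"",0)` sends `PBSZ 0` to the server immediately, because a zero `len` skips the 230 check inside nego_FTPDATAcl; that the server-side TLS session on `conSSL` is already established at this point is not visible in the hunk, so it should be confirmed. nego_FTPDATAcl also performs a blocking SSL_read on the server connection, here and in the S-C branch (hunk at 479,484), so a slow or multi-line server reply stalls the relay in both directions while it waits. The zero-length sentinel deserves a comment at the call site, e.g. `/* len 0: try PBSZ/PROT now; retried on the server's 230 login reply if refused */`.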
***************
*** 471,476 ****
--- 477,484 ----
  			else	rcc = read(accfd,buf,sizeof(buf));
  			if( rcc <= 0 )
  				break;
+ 			if( sv_nego_FTPDATA )
+ 				rcc = nego_FTPDATAsv(accSSL,buf,rcc);
  			writes("C-S",conSSL,confd,buf,rcc);
  		}
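Review bot: `nego_FTPDATAsv` writes `buf[len] = 0` with the `rcc` it is handed, and `read(accfd,buf,sizeof(buf))` on the line above can return exactly `sizeof(buf)`, so a full read places the terminator one byte past the end of `buf`; reserve the byte by reading `sizeof(buf)-1` in both read branches (the SSL_read branch sits just above the hunk) or bound the write inside nego_FTPDATAsv. When the command is consumed `rcc` becomes 0 and `writes("C-S",conSSL,confd,buf,0)` is still called; confirm writes tolerates a zero length or guard the call with `if( rcc > 0 )`. The match also only fires when PBSZ/PROT starts at the first byte of a read, so a client that pipelines it behind another command gets it forwarded to the server unanswered by the proxy — probably acceptable, but worth a comment.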
  		if( rfdv[1] ){
***************
*** 479,484 ****
--- 487,494 ----
  			else	rcc = read(confd,buf,sizeof(buf));
  			if( rcc <= 0 )
  				break;
+ 			if( cl_nego_FTPDATA )
+ 				nego_FTPDATAcl(conSSL,buf,rcc);
  			writes("S-C",accSSL,accfd,buf,rcc);
  		}
  	}
***************
*** 578,583 ****
--- 588,595 ----
  		ERROR("STARTTLS to server -- %s",proto);
  		if( strcasecmp(proto,"FTP") == 0 ){
  			fputs("AUTH TLS\r\n",ts);
+ 			if( do_conSTLS & ST_FORCE )
+ 				cl_nego_FTPDATA = 1;
  		}else
  		if( strcasecmp(proto,"SMTP") == 0 ){
  			fputs("STARTTLS\r\n",ts);
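Review bot: This hunk tests `do_conSTLS & ST_FORCE` while the corresponding client-side hunk (654,660) tests `do_accSTLS == ST_FORCE`; with `ST_OPT` and `ST_FORCE` defined as 1 and 2 the two forms diverge as soon as both bits are set, so one of them is wrong for that case. Use one form in both places, preferably the mask: `if( do_accSTLS & ST_FORCE )`. How the -st/-St options populate these fields is outside the hunk, so confirm against the option parser.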
***************
*** 654,660 ****
  		if( strcasecmp(arg,"TLS") == 0 || strcasecmp(arg,"SSL") == 0 ){
  			msg = "234 OK\r\n";
  			write(accfd,msg,strlen(msg));
! 			ERROR("AUTH TLS from FTP client -- OK");
  			break;
  		}
  
--- 666,674 ----
  		if( strcasecmp(arg,"TLS") == 0 || strcasecmp(arg,"SSL") == 0 ){
  			msg = "234 OK\r\n";
  			write(accfd,msg,strlen(msg));
! 			ERROR("AUTH %s from FTP client -- 234 OK",arg);
! 			if( do_accSTLS == ST_FORCE )
! 				sv_nego_FTPDATA = 1;
  			break;
  		}
  
***************
*** 717,722 ****
--- 731,789 ----
  	}
  	return 0;
  }
+ static nego_FTPDATAsv(accSSL,buf,len)
+ 	SSL *accSSL;
+ 	char *buf;
+ {	char com[32],arg[32],*dp,*msg;
+ 
+ 	buf[len] = 0;
+ 	dp = wordscanX(buf,com,sizeof(com));
+ 	wordscanX(dp,arg,sizeof(arg));
+ 	if( strcasecmp(com,"PBSZ") == 0 ){
+ 		msg = "200 OK\r\n";
+ 		SSL_write(accSSL,msg,strlen(msg));
+ 		ERROR("PBSZ %s from FTP client -- 200 OK",arg);
+ 		len = 0;
+ 	}
+ 	else
+ 	if( strcasecmp(com,"PROT") == 0 ){
+ 		msg = "200 OK\r\n";
+ 		SSL_write(accSSL,msg,strlen(msg));
+ 		ERROR("PROT %s from FTP client -- 200 OK",arg);
+ 		len = 0;
+ 		sv_nego_FTPDATA = 0;
+ 	}
+ 	return len;
+ }
+ #define FTP_LOGIN_OK	"230"
+ static nego_FTPDATAcl(conSSL,sbuf,len)
+ 	SSL *conSSL;
+ 	char *sbuf;
+ {	char *msg,buf[64],resp[64];
+ 	int rcc;
+ 
+ 	if( len != 0 )
+ 	if( strncmp(sbuf,FTP_LOGIN_OK,strlen(FTP_LOGIN_OK)) != 0 )
+ 		return;
+ 
+ 	msg = "PBSZ 0\r\n";
+ 	SSL_write(conSSL,msg,strlen(msg));
+ 	rcc = SSL_read(conSSL,buf,sizeof(buf));
+ 	buf[rcc] = 0;
+ 	linescanX(buf,resp,sizeof(resp));
+ 	ERROR("STARTTLS/FTP PBSZ 0 -> %s",resp);
+ 	if( atoi(resp) != 200 )
+ 		return;
+ 
+ 	msg = "PROT P\r\n";
+ 	SSL_write(conSSL,msg,strlen(msg));
+ 	rcc = SSL_read(conSSL,buf,sizeof(buf));
+ 	buf[rcc] = 0;
+ 	linescanX(buf,resp,sizeof(resp));
+ 	ERROR("STARTTLS/FTP PROT P -> %s",resp);
+ 	if( atoi(resp) == 200 )
+ 		cl_nego_FTPDATA = 0;
+ }
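Review bot: Both `SSL_read` calls in nego_FTPDATAcl feed `rcc` straight into `buf[rcc] = 0`: a failed or closed read returns -1 or 0 and a full reply returns `sizeof(buf)`, so the terminator lands at `buf[-1]` or `buf[64]`. Suggest a small helper that sends a command, reads at most `sizeof(buf)-1` bytes, checks the result before terminating, and returns the reply code, used for both PBSZ and PROT (sketch below). Separately, nego_FTPDATAsv answers the client's `PBSZ` and `PROT` with a canned `200 OK` while nothing in this patch touches the accepted data connection, so unless that is handled elsewhere the client is told its data channel is protected when the filter has not changed it; if that is intended, the code should say so, e.g. `/* acknowledged only; data-connection protection is not applied by this filter */`.
```c
/* Send one command on the TLS control connection and return the numeric
 * code of the first reply line; -1 when the read fails or returns nothing.
 * resp receives the first reply line (empty on failure) for logging. */
static ftp_cmd(conSSL,cmd,resp,rsize)
	SSL *conSSL;
	char *cmd,*resp;
	int rsize;
{	char buf[64];
	int rcc;

	SSL_write(conSSL,cmd,strlen(cmd));
	rcc = SSL_read(conSSL,buf,sizeof(buf)-1);
	if( rcc <= 0 ){
		resp[0] = 0;
		return -1;
	}
	buf[rcc] = 0;
	linescanX(buf,resp,rsize);
	return atoi(resp);
}
static nego_FTPDATAcl(conSSL,sbuf,len)
	SSL *conSSL;
	char *sbuf;
{	char resp[64];
	int code;

	/* … unchanged: return unless len==0 or sbuf starts with FTP_LOGIN_OK … */

	code = ftp_cmd(conSSL,"PBSZ 0\r\n",resp,sizeof(resp));
	ERROR("STARTTLS/FTP PBSZ 0 -> %s",resp);
	if( code != 200 )
		return;

	code = ftp_cmd(conSSL,"PROT P\r\n",resp,sizeof(resp));
	ERROR("STARTTLS/FTP PROT P -> %s",resp);
	if( code == 200 )
		cl_nego_FTPDATA = 0;
}
```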
  
  static HTTP_CAresp(fd,certfile)
  	char *certfile;
***************
*** 818,824 ****
  
  static put_help()
  {
! 	syslog_ERROR("SSLway 2002-01-18 <ysato@delegate.org>\r\n");
  }
  main(ac,av)
  	char *av[];
--- 885,891 ----
  
  static put_help()
  {
! 	syslog_ERROR("SSLway 2002-06-11 <ysato@delegate.org>\r\n");
  }
  main(ac,av)
  	char *av[];
