Article delegate-en/3435 of [1-5169] on the server localhost:119
[Reference:<_A3431@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: ftps fails to work with client side ssl utilized.... connected but directory hangs
01 Aug 2006 18:50:59 GMT Michael Ingardia <pmugqbdyi-uqy4d4q7vhjr.ml@ml.delegate.org>


The ftp server that I am trying to hit is www.end2endlogic.com which is 
a linux fedora 3 server running vsftpd.  It is publicly accessible.   
I am using filezilla as a client to connect to this as a ftps client.  
Directly it works fine, through the delegate using ssl it fails, without 
client side ssl it works.

The delegate server I am using is on my laptop so that is not accessible 
publicly.  I do have several servers on the net that I could use to 
install a version of delegate that I am using and verify that I get the 
same results, and then allow you access to the server.  I will do so if 
that is what you're looking for as I was excited to see that you responded.

To run a test however you should be able to reproduce the results I got 
by using the windows version of delegate (version 9_2_3) and attempting 
to point it at ftp server www.end2endlogic.com.

I set up a user for you, but you might want to send me a private mail so 
I can send you the credentials as this is a public forum.

In the meantime I looked at the logs you suggested and see the following:

07/29 20:53:11.05 [1076] 8+0/3: ConnectToServer connected [29] 
{70.88.30.83:21 <- 192.168.1.106:3087} [0.010s]
07/29 20:53:11.05 [1076] 8+0/3: willSTLS_SV: ServerFlags=40030
07/29 20:53:11.05 [1076] 8+0/3: inherited AsProxy: 50330
07/29 20:53:11.05 [1076] 8+0/3: willSTLS_SV: ServerFlags=40030
07/29 20:53:11.05 [1076] 8+0/3: willSTLS_SV: ServerFlags=40030
(WIN) 53:11.213 [888] >>>> [0] 1836 is not socket, retrying 
WSADuplicateSocket ...
(WIN) 53:11.213 [1076] spawn() = 1592 [888], children(alive=2,total=2) 
0.160s
(WIN) 53:11.213 [1076] spawn() = 1592 [4]0.160
07/29 20:53:11.22 [888] 8+0: STLS -> CMAP="--mitm,sslway:FSV:starttls"
07/29 20:53:11.22 [888] 8+0: STLS -> CMAP="--mitm,sslway:FCL:starttls"
07/29 20:53:11.23 [888] 8+0: ## SSLway certfile not found or wrong: 
server-cert.pem [at C:\Program Files\DeleGate\work\21]
07/29 20:53:11.23 [888] 8+0: ## SSLway keyfile not found or wrong: 
server-key.pem [at C:\Program Files\DeleGate\work\21]
07/29 20:53:11.23 [888] 8+0: ## SSLway key does not match cert: 
server-key.pem server-cert.pem
07/29 20:53:11.23 [888] 8+0: ## SSLway -- Using Default Certificate
07/29 20:53:11.23 [888] 8+0: ## SSLway ## 0.000000 connected/accepted
07/29 20:53:11.23 [888] 8+0: ## SSLway initialized ctx #0000000 0 X
07/29 20:53:11.24 [888] 8+0: gethostbyname(-) unknown[0.00s]
07/29 20:53:11.24 [888] 8+0: [FSV] callFilter2: 26=1 32=1 sslway
07/29 20:53:11.35 [888] 8+0: ## SSLway ## 0.110000 connected/accepted
07/29 20:53:11.35 [888] 8+0: ## SSLway server's cert. = 
**subject<</C=US/ST=GA/L=Atlanta/O=end2endlogic/OU=corp/CN=www.end2endlogic.com/emailAddress=mri@end2endlogic..>> 
**issuer<</C=US/ST=GA/L=Atlanta/O=end2endlogic/OU=corp/CN=www.end2endlogic.com/emailAddress=mri@end2endlogic..>>
07/29 20:53:11.37 [1076] 8+0/3: LoginPWD: "/home/mri"
07/29 20:53:11.58 [1076] 8+0/6/3: #### PBSZ 0
07/29 20:53:11.63 [1076] 8+0/6/3: #### PROT P
07/29 20:53:11.68 [1076] 8+0/7/4: ## viaCFI: ToC=23 ClientSock=28
07/29 20:53:11.68 [1076] 8+0/7/4: FTP-control-remote: 127.0.0.1:21 [28]
07/29 20:53:11.68 [1076] 8+0/7/4: FTP-data-local[31]: 127.0.0.1:3092
07/29 20:53:11.68 [1076] 8+0/7/4: ## viaCFI [mkPASV]: fileno(ts)=29 ToSX=30
07/29 20:53:11.68 [1076] 8+0/7/4: ## viaCFI [mkPASV]: fileno(ts)=29 ToSX=30
07/29 20:53:11.68 [1076] 8+0/7/4: connectTO: assume in non-blocking mode
(WIN) 53:11.684 [1076] setNonblockingSocket(32,1)=0
(WIN) 53:11.684 [1076] setNonblockingSocket(32,0)=0
07/29 20:53:11.69 [1076] 8+0/7/4: ftp_conndata: connected 
192.168.1.106:3086->end2endlogic.com/70.88.30.83:2056 [32](0.0)
07/29 20:53:11.69 [1076] 8+0/7/4: willSTLS_SV: ServerFlags=40230
(WIN) 53:11.854 [1004] >>>> [0] 1836 is not socket, retrying 
WSADuplicateSocket ...
(WIN) 53:11.854 [1076] spawn() = 1500 [1004], children(alive=3,total=3) 
0.160s
(WIN) 53:11.854 [1076] spawn() = 1500 [4]0.160

07/29 20:53:11.85 [1076] 8+0/7/4: -- with PASV
07/29 20:53:11.85 [1076] 8+0/7/4: PASV [B][127,0,0,1,12,20] >> 227 
Entering Passive Mode (127,0,0,1,12,20).^M
07/29 20:53:11.86 [1004] 8+0: STLS -> CMAP="--mitm,sslway:FSV:starttls"
07/29 20:53:11.86 [1004] 8+0: STLS -> CMAP="--mitm,sslway:FCL:starttls"
07/29 20:53:11.88 [1004] 8+0: ## SSLway certfile not found or wrong: 
server-cert.pem [at C:\Program Files\DeleGate\work\21]
07/29 20:53:11.88 [1004] 8+0: ## SSLway keyfile not found or wrong: 
server-key.pem [at C:\Program Files\DeleGate\work\21]
07/29 20:53:11.88 [1004] 8+0: ## SSLway key does not match cert: 
server-key.pem server-cert.pem
07/29 20:53:11.88 [1004] 8+0: ## SSLway -- Using Default Certificate
07/29 20:53:11.88 [1004] 8+0: ## SSLway ## 0.000000 connected/accepted
07/29 20:53:11.88 [1004] 8+0: ## SSLway initialized ctx #0000000 0 X
07/29 20:53:11.88 [1004] 8+0: gethostbyname(-) unknown[0.00s]
07/29 20:53:11.88 [1004] 8+0: [FSV] callFilter2: 26=1 35=1 sslway
07/29 20:53:11.92 [1076] 8+0/8/5: FTP-CACHE: LIST [/home/mri] = [][]:0
07/29 20:53:11.98 [1076] 8+0/8/5: DATA 127.0.0.1:3093 -> 127.0.0.1:3094 
.. 127.0.0.1:3092 -> 127.0.0.1:3097
07/29 20:53:12.00 [1004] 8+0: ## SSLway ## 0.120000 connected/accepted
07/29 20:53:12.00 [1004] 8+0: ## SSLway server's cert. = 
**subject<</C=US/ST=GA/L=Atlanta/O=end2endlogic/OU=corp/CN=www.end2endlogic.com/emailAddress=mri@end2endlogic..>> 
**issuer<</C=US/ST=GA/L=Atlanta/O=end2endlogic/OU=corp/CN=www.end2endlogic.com/emailAddress=mri@end2endlogic..>>
(WIN) 53:12.144 [4012] >>>> [0] 1836 is not socket, retrying 
WSADuplicateSocket ...
(WIN) 53:12.144 [1076] spawn() = 1472 [4012], children(alive=4,total=4) 
0.160s
(WIN) 53:12.144 [1076] spawn() = 1472 [4]0.160
(WIN) 53:12.144 [1076] setNonblockingSocket(32,1)=0
(WIN) 53:12.144 [1076] setNonblockingSocket(31,1)=0
(WIN) 53:12.144 [1076] -- SOCKET recv(32)=-1 error=10054 [0.000]


The last line ... SOCKET recv(32) = -1 error 10054 seems to be the issue.
From the log you can see that the certificates are getting transferred 
and I see this on the ftp client side (i.e. everything connects as one 
would expect); it's only after attempting to get a directory listing that 
it fails.  I have also tried not using a passive connection, or using 
the default, all get the same results.  Interestingly enough I can also 
get the same results when using delegate as a socks server ... in all 
cases it gets to the directory listing... and hangs. 

Let me know if you would like to get the credentials to get into the 
server.  The certificate on the server side is a self-signed certificate 
so you should not have any problems there.  If you need the cert I can 
also provide that.

Mike...




Yutaka Sato wrote:
> Hi,
>
> In message <_A3429@delegate-en.ML_> on 07/30/06(11:33:12)
> you Michael Ingardia <pmugqbdyi-uqy4d4q7vhjr.ml@ml.delegate.org> wrote:
>  |I am trying to use Delegate version 9.2.3 on windows ( will try on Linux 
>  |and solaris later this week) as a ftps proxy.  When invoking the server 
>  |as follows:
>  |dg9_2_3 -P21,990 SERVER=ftp STLS=fcl,fsv
>  |
>  |The server starts up, and seems to be up and running.  Using a ftps client 
>  |I can connect to the proxy and login, and even get to the target ftps 
>  |server just fine.  When I try to retrieve a directory listing however 
>  |the process hangs after receiving the "here comes the listing" message 
>  |from the server.  I have tried several ftps servers and get the same 
>  |result.  Connecting directly to the ftps server does not have this issue 
>  |( using vsftp on fedora 3 as the server).
>  |
>  |Running the proxy as follows however does work.
>  |dg9_2_3 -P21,990 SERVER=ftp STLS=fsv
>  |
>  |But connecting in this way I have to have my ftp clients be regular ftp 
>  |clients not ftps clients.
>  |
>  |I have also tried mitm for STLS and it also hangs upon trying to 
>  |retrieve the directory listing.
>  |
>  |Thoughts?
>
> I think the LOGFILE of your DeleGate shows some hints about the problem.
> If the server is accessible by me, I'll test it.
>
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>
>
>   
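
An added example, not part of the original thread and not DeleGate's own code: a small triage pass over the kind of LOGFILE output posted above, pulling out the TLS-relevant events (the --mitm filter, the failed certificate load and fallback to the default certificate, the self-issued upstream certificate, and the Winsock reset). The sample lines are copied from the message with the mail wraps rejoined; the function name, the finding labels and the reading of the first bracketed number as a process id are assumptions made for this example.

```python
import re

# Constructed sample: five lines copied from the log in the message above,
# with the mail client's line wraps rejoined.
SAMPLE_LOG = r"""
07/29 20:53:11.22 [888] 8+0: STLS -> CMAP="--mitm,sslway:FCL:starttls"
07/29 20:53:11.23 [888] 8+0: ## SSLway certfile not found or wrong: server-cert.pem [at C:\Program Files\DeleGate\work\21]
07/29 20:53:11.23 [888] 8+0: ## SSLway -- Using Default Certificate
07/29 20:53:11.35 [888] 8+0: ## SSLway server's cert. = **subject<</C=US/ST=GA/L=Atlanta/O=end2endlogic/OU=corp/CN=www.end2endlogic.com/emailAddress=mri@end2endlogic..>> **issuer<</C=US/ST=GA/L=Atlanta/O=end2endlogic/OU=corp/CN=www.end2endlogic.com/emailAddress=mri@end2endlogic..>>
(WIN) 53:12.144 [1076] -- SOCKET recv(32)=-1 error=10054 [0.000]
"""

PID = re.compile(r"\[(\d+)\]")          # first [n] on a line, assumed to be the process id
CERT = re.compile(r"\*\*subject<<(.*?)>>\s*\*\*issuer<<(.*?)>>")
WINSOCK = {"10054": "WSAECONNRESET"}    # connection reset by peer
RULES = [  # (finding label, pattern); the capture group becomes the detail
    ("mitm-filter", re.compile(r'CMAP="--mitm,sslway:(\w+):starttls"')),
    ("cert-load-failed", re.compile(r"SSLway (?:cert|key)file not found or wrong: (\S+)")),
    ("default-cert", re.compile(r"SSLway -- Using (Default Certificate)")),
    ("socket-error", re.compile(r"SOCKET recv\(\d+\)=-1 error=(\d+)")),
]

def triage(log_text):
    """Return (pid, finding, detail) tuples for TLS-relevant log lines."""
    findings = []
    for line in log_text.splitlines():
        pid_match = PID.search(line)
        pid = int(pid_match.group(1)) if pid_match else None
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                code = m.group(1)
                detail = f"{code} {WINSOCK[code]}" if code in WINSOCK else code
                findings.append((pid, name, detail))
        cert = CERT.search(line)
        # Identical subject and issuer DNs: the upstream cert is self-issued,
        # so it cannot be validated against a CA trust store.
        if cert and cert.group(1) == cert.group(2):
            cn = re.search(r"CN=([^/]+)", cert.group(1))
            findings.append((pid, "upstream-self-issued", cn.group(1) if cn else ""))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The log truncates the distinguished names with "..", so the subject/issuer comparison is on the strings as logged, not on the full certificate.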


