About FTP Auth TLS

  2. 3 months ago

    @Andrew L
    Could you please share the details? Why don't you push the changes into the AUTH-TLS branch?

  3. Andrew L

    Sep 11 San Francisco, CA, USA

    When I say it "works" I only mean that AUTH TLS negotiation doesn't fail. I posted this simple example project on the feedback case that demonstrates this.

  4. Cool, perhaps Xojo needs to add a ServerSocket specifically for SSLSocket, as ServerSocket's AddSocket event is of TCPSocket type?

  5. Edited 3 months ago

    Do you think it's possible to rewrite RB-FTP in 'naked socket'?

    [EDIT]
    Managed to do a simple 'rewrite': changed FTPServer's super to "FTP.Server", deleted FTP.Server's AddSocket and Error handlers, and added these into PushButton3's Action:

    Dim n As NetworkInterface
    If nic.ListIndex <> -1 Then
      n = nic.RowTag(nic.ListIndex)
    Else
      n = System.GetNetworkInterface(0)
    End If
    If Me.Caption = "Listen" Then
      FTPServer.Banner = "Welcome to BSFTPd!"
      FTPServer.AllowWrite = True
      FTPServer.TimeOutPeriod = 60000
      FTPServer.Port = Val(Port.Text)
      FTPServer.NetworkInterface = n
      FTPServer.CertificateFile = SpecialFolder.Documents.Child("server.key")
      FTPServer.CertificatePassword = "demo"
      FTPServer.Secure = False
      FTPServer.ConnectionType = SSLSocket.TLSv12
      FTPServer.Listen()
      AddHandler FTPServer.FTPLog, WeakAddressOf LogHandler
      AddHandler FTPServer.UserLogon, WeakAddressOf UserLogonHandler
      Me.Caption = "Stop"
    Else
      FTPServer.Disconnect
      Me.Caption = "Listen"
    End If

    Now it succeeds in passing the AUTH TLS process but gets stuck at a PASV & MLSD/LIST negotiation error:

    [07:15:30] [R] Connecting to 192.168.1.227 -> IP=192.168.1.227 PORT=21
    [07:15:30] [R] Connected to 192.168.1.227
    [07:15:30] [R] 220 Welcome to BSFTPd!
    [07:15:30] [R] AUTH TLS
    [07:15:30] [R] 234 AUTH TLS OK.
    [07:15:31] [R] TLSv1.2 negotiation successful...
    [07:15:31] [R] TLSv1.2 encrypted session using cipher AES256-GCM-SHA384 (256 bits)
    [07:15:31] [R] PBSZ 0
    [07:15:31] [R] 200 Command successful.
    [07:15:31] [R] USER anonymous
    [07:15:31] [R] 331 Username received. Proceed by sending the password.
    [07:15:31] [R] PASS (hidden)
    [07:15:31] [R] 230 User logged in successfully, proceed.
    [07:15:31] [R] SYST
    [07:15:31] [R] 215 UNIX Type: L8
    [07:15:31] [R] FEAT
    [07:15:31] [R] 211-Features:
    [07:15:31] [R]  PASV
    [07:15:31] [R]  UTF8
    [07:15:31] [R]  MDTM
    [07:15:31] [R]  SIZE
    [07:15:31] [R]  REST STREAM
    [07:15:31] [R]  TVFS
    [07:15:31] [R]  MLST
    [07:15:31] [R]  XPWD
    [07:15:31] [R]  XCWD
    [07:15:31] [R]  AUTH TLS
    [07:15:31] [R]  PBSZ
    [07:15:31] [R]  PROT
    [07:15:31] [R] 211 End
    [07:15:31] [R] OPTS UTF8 ON
    [07:15:31] [R] 200 Command successful.
    [07:15:31] [R] PWD
    [07:15:31] [R] 257 "/"
    [07:15:31] [R] CWD /
    [07:15:31] [R] 250 The requested file action was successful.
    [07:15:31] [R] PWD
    [07:15:31] [R] 257 "/"
    [07:15:31] [R] PROT P
    [07:15:31] [R] 504 Data security not available.
    [07:15:31] [R] PASV
    [07:15:31] [R] 227 Entering Passive Mode (192,168,1,227,130,91).
    [07:15:31] [R] Opening data connection IP: 192.168.1.227 PORT: 33371
    [07:15:31] [R] MLSD
    [07:15:31] [R] SSL handshake error: This server does not support/allow TLSv1.
    [07:15:31] [R] Info: Change via the Site Manager > Select the site profile > Connection Type > SSL Protocol
    [07:15:31] [R] Data Socket Error: Failed TLSv1.2 negotiation, disconnected
    [07:15:31] [R] 150 Command acknowledged; about to open the data connection.
    [07:15:31] [R] 226 The service has closed the data connection.
    [07:15:31] [R] PASV
    [07:15:31] [R] 227 Entering Passive Mode (192,168,1,227,196,16).
    [07:15:31] [R] Opening data connection IP: 192.168.1.227 PORT: 50192
    [07:15:31] [R] MLSD
    [07:15:31] [R] SSL handshake error: This server does not support/allow TLSv1.
    [07:15:31] [R] Info: Change via the Site Manager > Select the site profile > Connection Type > SSL Protocol
    [07:15:31] [R] Data Socket Error: Failed TLSv1.2 negotiation, disconnected
    [07:15:31] [R] 150 Command acknowledged; about to open the data connection.
    [07:15:31] [R] 226 The service has closed the data connection.
    [07:15:32] [R] List Error
    [07:15:32] [R] PASV
    [07:15:33] [R] 227 Entering Passive Mode (192,168,1,227,186,120).
    [07:15:33] [R] Opening data connection IP: 192.168.1.227 PORT: 47736
    [07:15:33] [R] MLSD
    [07:15:33] [R] SSL handshake error: This server does not support/allow TLSv1.
    [07:15:33] [R] Info: Change via the Site Manager > Select the site profile > Connection Type > SSL Protocol
    [07:15:33] [R] Data Socket Error: Failed TLSv1.2 negotiation, disconnected
    [07:15:35] [R] 150 Command acknowledged; about to open the data connection.
    [07:15:35] [R] 226 The service has closed the data connection.
    [07:15:35] [R] PASV
    [07:15:35] [R] 227 Entering Passive Mode (192,168,1,227,236,223).
    [07:15:35] [R] Opening data connection IP: 192.168.1.227 PORT: 60639
    [07:15:35] [R] MLSD
    [07:15:35] [R] SSL handshake error: This server does not support/allow TLSv1.
    [07:15:35] [R] Info: Change via the Site Manager > Select the site profile > Connection Type > SSL Protocol
    [07:15:35] [R] Data Socket Error: Failed TLSv1.2 negotiation, disconnected
    [07:15:35] [R] 150 Command acknowledged; about to open the data connection.
    [07:15:35] [R] 226 The service has closed the data connection.
    [07:15:36] [R] List Error
    [07:15:42] [R] Connection Lost: 192.168.1.227 (Duration: 12 seconds / Idle: 7 seconds)
  6. Andrew L

    Sep 11 San Francisco, CA, USA
    Edited 3 months ago

    @Aditya Nugraha Do you think it's possible to rewrite RB-FTP in 'naked socket'?

    That's pretty much how the FTP.Server class works already. The "naked socket" I posted in the Feedback case is just a simplified version that highlights the problem.

    e.g. put this in App.Open of the latest AUTH-TLS branch:

      Dim client As New FTP.Server
      client.Banner = "Welcome to BSFTPd!"
      client.NetworkInterface = System.GetNetworkInterface(0)
      client.CertificateFile = SpecialFolder.Desktop.Child("cert") ' replace with actual file
      client.CertificatePassword = "demo" ' replace with actual password
      client.Port = 21
      client.Anonymous = True 
      client.RootDirectory = SpecialFolder.Desktop
      
      client.Listen()
      ' wait for connection
      Do 
        client.Poll
      Loop Until client.IsConnected
      
      ' wait for disconnect
      Do 
        client.Poll
      Loop Until Not client.IsConnected
      Quit

    @Aditya Nugraha ServerSocket's AddSocket event is in TCPSocket type

    SSLSocket is a subclass of TCPSocket, and as such can be used anywhere a TCPSocket is expected.

    I'm pretty sure the problem has to do with enabling TLS after the connection is established. I've noticed that in the "naked" versions the SSLSocket.Connected event is raised once when the TCP connection is established, and again when AUTH TLS succeeds. This behavior is reasonable, but seems to be totally undocumented and I think the ServerSocket isn't expecting it.

    @Aditya N Now it succeeds in passing the AUTH TLS process but gets stuck at a PASV & MLSD/LIST negotiation error:

    The problem is the PROT P command. It's telling the server to "P"rotect the data connection, typically with SSL/TLS. The RFC is a little vague about whether the data connection should switch into TLS mode before or after the connection attempt. I get weird SSL handshake errors either way, so I'm pretty sure I'm missing some important detail.

    Currently, the AUTH-TLS branch will respond with 504 Data security not available. to indicate that TLS over the data connection is not supported. This is not strictly the correct thing to do, and some clients (like yours) won't accept it. In my tests, Filezilla will proceed without protecting the data connection but only for directory listings (not for files.) I think this is an intentional security measure, but I'm not sure.

  7. @Andrew L
    Based on these, it looks like we need (which is already implemented) 2 separate sockets: the first for handling the plaintext/TLS authentication on port 21, and an additional socket for each connected client for handling the passive/active? plaintext/TLS connection.

    CONNECT [     0] - Incoming connection request
    CONNECT [     0] - FTP Connection request accepted
    COMMAND [     0] - AUTH TLS
      REPLY [     0] - 234 Authentication method accepted
    
    CONNECT [     0] - SSL connection using TLSv1/SSLv3 (RC4-MD5)
    CONNECT [     0] - SSL connection established
    COMMAND [     0] - USER test
      REPLY [     0] - 331 User test, password please
    
    COMMAND [     0] - PASS ***********
    CONNECT [     0] - Native user 'test' authenticated
      REPLY [     0] - 230 Password Ok, User logged in
    
    COMMAND [     0] - PBSZ 0
      REPLY [     0] - 200 PBSZ=0
    
    COMMAND [     0] - PROT P
      REPLY [     0] - 200 PROT P OK, data channel will be secured
    
    COMMAND [     0] - PASV
      REPLY [     0] - 227 Entering Passive Mode (127,0,0,1,43,41)
    
    COMMAND [     0] - STOR test.txt
      REPLY [     0] - 150 Opening data connection
    
    CONNECT [     0] - SSL connection using TLSv1/SSLv3 (RC4-MD5)
    CONNECT [     0] - SSL data connection established
     SYSTEM [     0] - Successfully stored file at 'c:\ftp\test.txt'
      REPLY [     0] - 226 Transfer complete
    
    COMMAND [     0] - QUIT
    CONNECT [     0] - Connection terminated

    So the answer might be: after the client issues PROT P, then proceed with plaintext? PASV, and then the next issued commands will be sent through plain text while the reply is not?

    Here is another question that showed that the client's issued commands are sent in plain text?

    [Command]  PWD
    [Response]  257 "/" is current directory.
    [Command]  PWD
    [Response]  257 "/" is current directory.
    [Command]  TYPE A
    [Response]  200 Type set to A
    [Command]  PWD
    [Response]  257 "/" is current directory.
    [Command]  PASV
    [Response]  227 Entering Passive Mode (10,0,0,19,195,113)
    [Command]  LIST -aL
    [Response]  521 PROT P required
    [Command]  PWD
    [Response]  257 "/" is current directory.
    [Command]  PASV
    [Response]  227 Entering Passive Mode (10,0,0,19,195,114)
    [Command]  LIST -aL
    [Response]  521 PROT P required
    [Status] Failed::FTP protocol error. 521 PROT P required.

    RFC #4217 also explains these.
    Login Process:

    12.1.  Establishing a Protected Session
    
                  Client                                 Server
         control          data                   data               control
       ====================================================================
    
                                                                    socket()
                                                                    bind()
         socket()
         connect()  ----------------------------------------------> accept()
                   <----------------------------------------------  220
         AUTH TLS   ---------------------------------------------->
                   <----------------------------------------------  234
         TLSneg()  <----------------------------------------------> TLSneg()
         PBSZ 0     ---------------------------------------------->
                   <----------------------------------------------  200
         PROT P     ---------------------------------------------->
                   <----------------------------------------------  200
         USER fred  ---------------------------------------------->
                   <----------------------------------------------  331
         PASS pass  ---------------------------------------------->
                   <----------------------------------------------  230

    Further Client<--->Server interactions

    12.7.  A Firewall-Friendly Data Transfer with Protection
    
                  Client                                 Server
         control          data                   data               control
       ====================================================================
    
         PASV -------------------------------------------------------->
                                                 socket()
                                                 bind()
             <------------------------------------------ 227 (w,x,y,z,a,b)
                          socket()
         STOR file --------------------------------------------------->
                          connect()  ----------> accept()
             <-------------------------------------------------------- 150
                          TLSneg()   <---------> TLSneg()
                          TLSwrite()  ---------> TLSread()
                          TLSshutdown() -------> TLSshutdown()
                          close()     ---------> close()
             <-------------------------------------------------------- 226
    
  8. Andrew L

    Sep 13 San Francisco, CA, USA

    @Aditya Nugraha So the answer might be: after the client issues PROT P, then proceed with plaintext? PASV, and then the next issued commands will be sent through plain text while the reply is not?

    No, the PROT P command is issued after the control socket has switched to TLS successfully. And once TLS is enabled then both ends of the connection have to use it until/unless it's disabled.

    @Aditya N RFC #4217 also explains these.
    Login Process:

    Hmm, the diagram says to send status code 150 but I've been sending 200. I'll have to test out 150; maybe that's what I was missing :)
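    The sequence the two posts above are working out (AUTH TLS, then PBSZ 0, then PROT P with 200 rather than 504, then 150 on the data command followed by the TLS handshake on the accepted data socket) as an added example in Python; this is a constructed model and not RB-FTP's or Xojo's code, and the reply texts, the class name and the 521 option are assumptions:

    ```python
    # Minimal model of the RFC 4217 control-channel state machine discussed in
    # this thread (constructed example; not RB-FTP's code). Reply texts are
    # assumptions; the codes follow RFC 2228/4217 and the logs above.
    class FtpTlsControl:
        def __init__(self, require_prot_p=False):
            self.tls_on_control = False   # True once the AUTH TLS handshake is done
            self.pbsz_done = False        # PBSZ must precede PROT
            self.prot = "C"               # "C" = clear, "P" = private (TLS) data
            self.require_prot_p = require_prot_p  # reply 521 like the second log

        def handle(self, line):
            cmd, _, arg = line.strip().partition(" ")
            cmd, arg = cmd.upper(), arg.upper()
            if cmd == "AUTH":
                if arg != "TLS":
                    return "504 Security mechanism not supported."
                # The real server runs the server-side TLS handshake on the control
                # socket right after sending 234; both ends then stay in TLS.
                self.tls_on_control = True
                return "234 AUTH TLS OK."
            if cmd == "PBSZ":
                if not self.tls_on_control:
                    return "503 AUTH TLS required before PBSZ."
                self.pbsz_done = True
                return "200 PBSZ=0"       # TLS ignores the buffer size, so 0
            if cmd == "PROT":
                if not self.pbsz_done:
                    return "503 PBSZ required before PROT."
                if arg not in ("C", "P"):
                    return "536 Requested PROT level not supported by mechanism."
                self.prot = arg
                return "200 PROT %s OK." % arg
            if cmd in ("LIST", "MLSD", "NLST", "RETR", "STOR"):
                if self.require_prot_p and self.prot != "P":
                    return "521 PROT P required"
                # Per RFC 4217 12.7: accept() the data socket, send 150, and only
                # then run the TLS handshake on the data socket (wrap_data_socket).
                return "150 Opening data connection."
            return "502 Command not implemented."

        def wrap_data_socket(self, raw_sock, ctx):
            # Called after accept() on the PASV listener and after the 150 reply;
            # ctx is an ssl.SSLContext built with PROTOCOL_TLS_SERVER. Under PROT P
            # the server side of the TLS handshake runs on the accepted data socket;
            # under PROT C the raw socket is used as-is.
            if self.prot == "P":
                return ctx.wrap_socket(raw_sock, server_side=True)
            return raw_sock
    ```
    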

  9. Yes, what I meant by login process was after the PASS, as per the 12.1 diagram. Most FTP clients, or others who refer to the RFC, are pretty strict about its implementation. In which code does the response 200 get sent? I found several for PBSZ and PROT.

    So what do you think about re-implementing it on a "naked socket" on the master and auth-tls branches? It will probably be a pretty long wait for Xojo to get it implemented.

  10. Andrew L

    Sep 13 San Francisco, CA, USA

    @Aditya N So what do you think about re-implementing it on a "naked socket" on the master and auth-tls branches?

    The FTP.Server class already works that way, no re-implementation is needed.

  11. I cannot seem to make it work past the FTP client and server TLS negotiation without deleting the AddSocket and Error handlers from ServerSocket and putting them in the Open handler as in your suggested example, or doing it in a naked socket.

  12. Andrew L

    Sep 13 San Francisco, CA, USA

    That's what I've been saying, but that's also a separate problem from securing the data connection with PROT P.

  13. @Norman P
    Pinging you about feedback #49500

  14. Jorge B

    Sep 19 Cuenca - Ecuador

    Try www.chilkatsoft.com
    www.example-code.com/xojo/ftp.asp

  15. Andrew L

    Sep 20 San Francisco, CA, USA

    @Jorge B Try www.chilkatsoft.com
    www.example-code.com/xojo/ftp.asp

    We're talking about FTP servers, not clients.

  16. @Jorge B
    Already aware of chilkatsoft, but it seems, like Andrew Lamber said, it's for FTP clients. Thanks anyway :-).

    @Andrew L
    Have you seen Greg O'Lone's reply on feedback #49500? He said the behavior is by design :-(. ServerSocket cannot change on the fly to secure mode after the connection has been established.

  17. Andrew L

    Sep 21 San Francisco, CA, USA

    @Aditya N Have you seen Greg O'Lone's reply on feedback #49500? He said the behavior is by design

    Yes. Though it seems like a bug to me.

  18. last week

    @Andrew L, the Feedback Case #49500 status is now verified; how long does it normally take for Xojo developers to fix it?

  19. Andrew L

    Dec 5 San Francisco, CA, USA

    I don't know. Xojo, Inc. doesn't give time tables for completion of anything.

  20. Edited last week

    I know, I just need a rough estimate, just in case you have reported a bug before and got it fixed.

    This is just important to me as this subject is my main point of interest. I hope Xojo Inc will hear my voice and vote for the feedback.

  21. Greg O

    Dec 6 Xojo Inc Somewhere near Raleigh, NC

    @Aditya N I know, I just need a rough estimate, just in case you have reported a bug before and got it fixed.

    This is just important to me as this subject is my main point of interest. I hope Xojo Inc will hear my voice and vote for the feedback.

    To be clear, the time from reporting a bug to having it fixed is not a constant. Some bugs are relatively easy to fix and take a few minutes to resolve. Others (like this one) are blocked by other bugs and can’t be fixed until the others are.
