TC 7 RC3: FTPS Connect Failed

rduke15
Junior Member
Posts: 10
Joined: 2005-05-15, 22:10 UTC

Post by *rduke15 »

Hello,

I'm trying to connect to a Proftpd server using TLS, but I only get "connect failed". I tried SmartFTP, and it connected fine.

I have the following files in my TC directory:

libeay32.dll 1,040,384 27/02/2007 21:39 -a--
libssl32.dll 196,608 22/04/2007 01:11 -a--
rootcert.pem 1,488 22/04/2007 01:18 -a--

The file rootcert.pem is the certificate of my own CA, which signed the FTP server's certificate. Removing rootcert.pem completely makes no difference.

I am behind NAT, but have Passive mode enabled.

An Ethereal capture doesn't show anything like AUTH TLS or the like. Below is a short version of the capture, with the server's IP and name replaced. After the server response string, TC seems to send something to which the server replies with "500 ... not understood":

No.     Time        Source           Destination           Protocol Info
      1 0.000000    192.168.1.202    a.b.c.d          TCP      1101 > ftp [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1460
      2 0.130923    a.b.c.d          192.168.1.202    TCP      ftp > 1101 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1400
      3 0.130988    192.168.1.202    a.b.c.d          TCP      1101 > ftp [ACK] Seq=1 Ack=1 Win=64512 Len=0
      4 5.009617    192.168.1.202    a.b.c.d          FTP      Request: \200z\001\003\001\000Q\000\000\000 \000\0009\000\0008\000\0005\000\000\026\000\000\023\000\000
      5 5.036400    a.b.c.d          192.168.1.202    TCP      ftp > 1101 [ACK] Seq=1 Ack=125 Win=5840 Len=0
      6 7.334348    192.168.1.100    192.168.1.255    RIPv1    Response
      7 9.435387    192.168.1.202    a.b.c.d          TCP      1028 > 9922 [PSH, ACK] Seq=0 Ack=0 Win=64156 Len=36
      8 9.460722    a.b.c.d          192.168.1.202    TCP      9922 > 1028 [ACK] Seq=0 Ack=36 Win=11792 Len=0
      9 10.161969   a.b.c.d          192.168.1.202    FTP      Response: 220 ProFTPD 1.2.10 Server (server.example.tld) [a.b.c.d]
     10 10.162456   192.168.1.202    a.b.c.d          TCP      1101 > ftp [RST, ACK] Seq=125 Ack=56 Win=0 Len=0
     11 10.162597   a.b.c.d          192.168.1.202    FTP      Response: 500 \200Z\001\003\001 not understood
     12 10.162621   192.168.1.202    a.b.c.d          TCP      1101 > ftp [RST] Seq=125 Ack=2531470145 Win=0 Len=0
After that, TC just shows the "Connect failed" error dialog.

Thanks for any help...
zw
New Member
Posts: 1
Joined: 2007-06-21, 08:11 UTC

Post by *zw »

I am having the same problem. It seems that totalcmd sends encrypted commands without first negotiating to do so with AUTH TLS. The commands sent to proftpd are of the style "\200\222^A^C^A" etc. I have tried FileZilla server to check the communication and it works fine (uses AUTH TLS before starting to encrypt). So this seems like a bug related to interaction of totalcmd's tls & proftpd. Any help appreciated. Thanks.
ghisler(Author)
Site Admin
Posts: 50809
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

There are two types of FTP over SSL: Explicit and implicit. Total Commander supports both:
Explicit FTP over SSL waits for the server greeting message, then sends AUTH TLS and switches to secure mode. This mode is used by servers which support both encrypted and open connections.

Implicit FTP over SSL connects to the host, and then immediately switches to encrypted mode.

Total Commander distinguishes between these two server types by waiting for 5 seconds for the server greeting (in your case, this is "220 ProFTPD 1.2.10 Server (server.example.tld)"). If there is no server greeting for this time, TC switches to implicit mode.

Apparently you have a terribly slow server which does not send a server greeting for these 5 seconds. Therefore you cannot use SSL/TLS mode with this server, sorry.
Author of Total Commander
https://www.ghisler.com
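
Added example, not part of any post in this thread: a small Python decoder for the Info column of packet 4 in the capture above. It shows that the bytes sent after the 5-second wait are an SSLv2-format ClientHello, which is what the implicit mode described in the post above puts on the wire, rather than an FTP command such as AUTH TLS. The function names are chosen for this example.

```python
import re
import struct

# Info column of packet 4 in the capture above, copied as Ethereal displayed it
# (octal escapes; the display shows only the first 28 bytes of the payload).
PACKET4_INFO = (r"\200z\001\003\001\000Q\000\000\000 \000\0009\000\0008"
                r"\000\0005\000\000\026\000\000\023\000\000")


def unescape_octal(text):
    """Turn Ethereal's \\NNN octal escapes back into raw bytes."""
    decoded = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)
    return decoded.encode("latin-1")


def classify_first_bytes(data):
    """Classify the first client bytes seen on an FTP control connection."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2-format ClientHello"   # 2-byte length header, msg type 1
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "TLS handshake record"       # content type 22, major version 3
    if re.match(rb"[A-Za-z]{3,4}[ \r]", data):
        return "FTP command"                # e.g. AUTH TLS, as explicit mode sends
    return "unknown"


def parse_sslv2_client_hello(data):
    """Parse the 11-byte header of an SSLv2-format ClientHello plus cipher specs."""
    record_len = struct.unpack(">H", data[:2])[0] & 0x7FFF  # high bit = 2-byte header
    msg_type, major, minor, cipher_len, sid_len, chal_len = struct.unpack(
        ">BBBHHH", data[2:11])
    specs = data[11:11 + cipher_len]
    usable = len(specs) - len(specs) % 3     # 3 bytes per spec; capture is truncated
    return {
        "record_len": record_len,
        "msg_type": msg_type,
        "version": (major, minor),           # (3, 1) is TLS 1.0
        "cipher_specs": [int.from_bytes(specs[i:i + 3], "big")
                         for i in range(0, usable, 3)],
        # msg_type(1) + version(2) + three length fields(6) = 9 fixed bytes
        "length_consistent": record_len == 9 + cipher_len + sid_len + chal_len,
    }


if __name__ == "__main__":
    raw = unescape_octal(PACKET4_INFO)
    print(classify_first_bytes(raw), parse_sslv2_client_hello(raw))
    print(classify_first_bytes(b"AUTH TLS\r\n"))
```

The decoded record length of 122 plus the 2-byte header gives 124 bytes, which matches the Ack=125 the server returns in packet 5.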
wanderer
Power Member
Posts: 1644
Joined: 2003-03-28, 14:35 UTC
Location: Sol

Post by *wanderer »

ghisler(Author) wrote: There are two types of FTP over SSL: Explicit and implicit.
Couldn't this be defined in the FTP connection properties by the user (combo with values: Automatic-as done now with the 5" delay / manual-explicit / manual-implicit)?
- Wanderer -

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Normally using latest TC on:
x32: WinXPx32 SP3 (very rarely nowadays).
x64: Clients/Servers - Win10/Win11 and Win2K16 to Win2K22, mainly Win10 though.
Clo
Moderator
Posts: 5731
Joined: 2003-12-02, 19:01 UTC
Location: Bordeaux, France

Longer delay ?

Post by *Clo »

2wanderer

:) Hello !

• Sounds logical… Maybe simply an entry in <wcx_ftp.ini> to extend the 5-second hard-coded delay could help?

KR
Claude
Clo
Alessandro Del Prete
Junior Member
Posts: 9
Joined: 2005-03-12, 18:56 UTC

Post by *Alessandro Del Prete »

ghisler(Author) wrote: There are two types of FTP over SSL: Explicit and implicit. Total Commander supports both:
Explicit FTP over SSL waits for the server greeting message, then sends AUTH TLS and switches to secure mode. This mode is used by servers which support both encrypted and open connections.

Implicit FTP over SSL connects to the host, and then immediately switches to encrypted mode.

Total Commander distinguishes between these two server types by waiting for 5 seconds for the server greeting (in your case, this is "220 ProFTPD 1.2.10 Server (server.example.tld)"). If there is no server greeting for this time, TC switches to implicit mode.

Apparently you have a terribly slow server which does not send a server greeting for these 5 seconds. Therefore you cannot use SSL/TLS mode with this server, sorry.
Sorry Christian but I think this is not a good technique to understand whether a server uses explicit or implicit mode.

First of all, an ftp server that also supports implicit mode would use two different ports: 21 for standard ftp and 990 (typically) for ftps implicit mode; this is because in implicit mode the session is presumed "secured" from the beginning, hence the dedicated port.

I would also like to note that implicit mode is deprecated because it is not as flexible as explicit mode, it is not backed by any standard/RFC and it requires a dedicated port so it has an impact on firewall configurations etc.

Explicit mode on the other hand is very flexible because it lets the client control which parts of the sessions require encryption, so you could authenticate in encrypted mode but you could transfer data in unencrypted mode, it's all up to the client, with the use of AUTH and CCC commands. Since it is just an extension of the FTP protocol it doesn't require a dedicated port.

You are instead trying to distinguish between an implicit mode configured ftps server and an explicit mode ftps server using a 5 second timeout on connect. I think this is not the good way to go.

On the FTP configuration window you should put two mutually exclusive checkboxes (Implicit and Explicit mode) and enable them when the user enables SSL/TLS. When the user selects implicit mode, you could add ":990" at the end of the ftps:// URL and the user could be able to manually modify the implicit mode port.

This would not require any timeout waiting (except for standard protocol timeouts) to understand something that is already defined by standards/RFCs.

Just my $0.02...:)
/* Alessandro, #117041 */
ghisler(Author)
Site Admin
Posts: 50809
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

I'm sorry but the average user has no idea what implicit and explicit ssl is. That's why I have implemented an auto-detect function. It's working very well, except for servers which do not respond for a long time. If you have a better idea how to detect such servers, then please let me know!

In TC 7.5, you will be able to turn off implicit ssl via the wcx_ftp.ini.
Author of Total Commander
https://www.ghisler.com
Alessandro Del Prete
Junior Member
Posts: 9
Joined: 2005-03-12, 18:56 UTC

Post by *Alessandro Del Prete »

Even if the user doesn't know what explicit and implicit means, putting 2 options there (default Explicit) would require two tries maximum to make it work with every server, that's not too difficult...even for an average user.

If you want to leave the autodetect, you should at least put a configurable timeout, supposing the average user knows what a timeout is...:)

Let me ask you one thing: how do you distinguish a server timeout (for technical problems) from a not-supported standard (explicit/implicit) during the autodetect phase? Those are 2 different states...but you won't distinguish them with that technique; that's why I don't think it is a good design.

I would suggest a simple listbox with 3 values: Autodetect, Explicit, Implicit (default Autodetect, so the average users are happy :)) and you will have satisfied everybody.

Christian, average users use FTP clients and every FTP client gives the user the possibility to specify the Explicit/Implicit modes...after all, TC gives us the PASV mode option, do you really think the average user knows what that means? No, the average user tries to make it work, if it doesn't work it checks the PASV option and many times his PFW/NAT device (or both) makes him connect...;)

Just think about it...I think that putting in more configurable options in TC is a good thing, not the contrary.

Anyway...keep up the great job...you know that my comments are always aimed to improve this great product you develop. :)
/* Alessandro, #117041 */