Posted to ftpserver-users@mina.apache.org by Martin Wunderlich <ma...@censhare.de> on 2014/06/30 10:57:12 UTC

Error while connection to FTP server running implicit SSL

Hi all, 

I am expanding our MINA-based FTP server by adding a setting for implicit vs. explicit SSL. I have made all the necessary changes, but for some reason I can’t connect to the server anymore when implicit SSL is set to true. In explicit SSL mode it works fine. 
When trying to connect, I get the error message: 
	Connection established, waiting for welcome message...

And then the FileZilla client just hangs until it has timed out…

Any ideas anyone? 
Thanks a lot. 

Cheers, 

Martin
 

Re: Error while connection to FTP server running implicit SSL

Posted by Martin Wunderlich <ma...@censhare.de>.
Thanks a lot for the explanation, John. 
Is there a specific method in Apache FTP that would allow me to check whether the connection is secured or not? 

Cheers, 

Martin
 

On 10.07.2014 at 15:27, John Hartnup <jo...@gmail.com> wrote:

> "Explicit" means that the client requests SSL specifically (or "Explicitly")
> 
> As delivered the server lets the client use plain FTP if it doesn't
> request SSL.
> 
> You can make it insist on SSL by writing an ftplet that rejects USER or
> PASS commands unless the session is secured.


Re: Error while connection to FTP server running implicit SSL

Posted by John Hartnup <jo...@gmail.com>.
"Explicit" means that the client requests SSL specifically (or "Explicitly")

As delivered the server lets the client use plain FTP if it doesn't
request SSL.

You can make it insist on SSL by writing an ftplet that rejects USER or
PASS commands unless the session is secured.




-- 
"There is no way to peace; peace is the way"
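
The ftplet suggested in the message above, as an added example (not code from the thread or from the Apache FtpServer project). `FtpSession.isSecure()` reports whether the control connection is running over SSL/TLS; the class name `RequireTlsFtplet` and the keystore path, password and alias arguments are placeholders, and port 4243 is the one used in the thread.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import org.apache.ftpserver.FtpServer;
import org.apache.ftpserver.FtpServerFactory;
import org.apache.ftpserver.ftplet.DefaultFtpReply;
import org.apache.ftpserver.ftplet.DefaultFtplet;
import org.apache.ftpserver.ftplet.FtpException;
import org.apache.ftpserver.ftplet.FtpReply;
import org.apache.ftpserver.ftplet.FtpRequest;
import org.apache.ftpserver.ftplet.FtpSession;
import org.apache.ftpserver.ftplet.Ftplet;
import org.apache.ftpserver.ftplet.FtpletResult;
import org.apache.ftpserver.listener.ListenerFactory;
import org.apache.ftpserver.ssl.SslConfigurationFactory;

/** Hypothetical class: refuses USER and PASS on a control connection without TLS. */
public class RequireTlsFtplet extends DefaultFtplet {

    @Override
    public FtpletResult beforeCommand(FtpSession session, FtpRequest request)
            throws FtpException, IOException {
        String command = request.getCommand().toUpperCase(Locale.ROOT);
        boolean credentialCommand = "USER".equals(command) || "PASS".equals(command);

        // isSecure() is true once the control socket runs over SSL/TLS, i.e.
        // after a successful AUTH TLS (explicit) or on an implicit-SSL listener.
        if (credentialCommand && !session.isSecure()) {
            // The argument of this command has already crossed the network in
            // cleartext; the ftplet stops the login from succeeding, it cannot
            // undo that exposure. Refusing USER keeps a well-behaved client
            // from going on to send PASS.
            session.write(new DefaultFtpReply(
                    FtpReply.REPLY_530_NOT_LOGGED_IN,
                    "TLS required: send AUTH TLS before logging in."));
            return FtpletResult.SKIP; // do not pass the command to the server
        }
        return super.beforeCommand(session, request);
    }

    /**
     * Builds an explicit-TLS server on port 4243 with the ftplet installed.
     * keystore, keystorePassword and keyAlias are placeholders supplied by the
     * caller; the thread's handshake failure went away once the key alias was set.
     */
    public static FtpServer build(File keystore, String keystorePassword, String keyAlias) {
        SslConfigurationFactory ssl = new SslConfigurationFactory();
        ssl.setKeystoreFile(keystore);
        ssl.setKeystorePassword(keystorePassword);
        ssl.setKeyAlias(keyAlias);

        ListenerFactory listener = new ListenerFactory();
        listener.setPort(4243);
        listener.setSslConfiguration(ssl.createSslConfiguration());
        listener.setImplicitSsl(false); // explicit mode: client must send AUTH TLS

        Map<String, Ftplet> ftplets = new HashMap<>();
        ftplets.put("requireTls", new RequireTlsFtplet());

        FtpServerFactory serverFactory = new FtpServerFactory();
        serverFactory.addListener("default", listener.createListener());
        serverFactory.setFtplets(ftplets);
        return serverFactory.createServer();
    }
}
```

With this installed, the "Test 2" session from the thread would receive a 530 reply to `USER ftpuser` instead of `331 User name okay`, while the `AUTH TLS` path of "Test 1" is unaffected.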

Re: Error while connection to FTP server running implicit SSL

Posted by Martin Wunderlich <ma...@censhare.de>.
Hi all, 

I have found the solution: The key alias parameter was not specified in the FTP server configuration. Once this was set correctly, I was able to connect with the client in TLS mode. 
One question remains, though: In order for TLS to be active, the client needs to request it specifically (using the setting for explicit TLS). When using „Plain FTP“, the client can still connect through an insecure connection. 

Anyone know why that is? I was assuming that the server would reject insecure connections on its SSL port. 

Cheers, 

Martin
 

On 09.07.2014 at 19:21, Martin Wunderlich <ma...@censhare.de> wrote:

> Hi David, 
> 
> Thanks a lot for the reply. 
> Here is the additional information below. The server configuration is set to implicit SSL = false. 
> HTH. 
> 
> Cheers, 
> 
> Martin
>   
> 
> Test 1) Connect with explicit SSL (set in the client) to the Server listening on secure port (4243)
> 
> FileZilla Log: 
> 19:15:39 Trace:	CControlSocket::DoClose(64)
> 19:15:39 Trace:	CControlSocket::DoClose(64)
> 19:15:39 Status:	Connecting to 192.168.178.21:4243...
> 19:15:39 Status:	Connection established, waiting for welcome message...
> 19:15:39 Trace:	CFtpControlSocket::OnReceive()
> 19:15:39 Response:	220 Service ready for new user.
> 19:15:39 Trace:	CFtpControlSocket::SendNextCommand()
> 19:15:39 Command:	AUTH TLS
> 19:15:39 Trace:	CFtpControlSocket::OnReceive()
> 19:15:39 Response:	234 Command AUTH okay; starting TLS connection.
> 19:15:39 Status:	Initializing TLS...
> 19:15:39 Trace:	CTlsSocket::Handshake()
> 19:15:39 Trace:	CTlsSocket::ContinueHandshake()
> 19:15:39 Trace:	CTlsSocket::OnSend()
> 19:15:39 Trace:	CTlsSocket::OnRead()
> 19:15:39 Trace:	CTlsSocket::ContinueHandshake()
> 19:15:39 Trace:	CTlsSocket::Failure(-12, 53)
> 19:15:39 Trace:	GnuTLS alert 40: Handshake failed
> 19:15:39 Error:	GnuTLS error -12: A TLS fatal alert has been received.
> 19:15:39 Trace:	CRealControlSocket::OnClose(53)
> 19:15:39 Trace:	CControlSocket::DoClose(64)
> 19:15:39 Trace:	CFtpControlSocket::ResetOperation(66)
> 19:15:39 Trace:	CControlSocket::ResetOperation(66)
> 19:15:39 Error:	Could not connect to server
> 19:15:39 Trace:	CFileZillaEnginePrivate::ResetOperation(66)
> 
> FileZilla Config: 
> <Bildschirmfoto 2014-07-09 um 19.17.19.png>
> 
> Server log: 
> 2014.07.09-19:15:39.601 SEVERE : pool-3-thread-9: DefaultFtpHandler: Exception caught, closing session
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
>         at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:495)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
>         at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
>         at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
>         at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
>         at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>         at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
>         at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>         at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
>         at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
>         at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>         at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:575)
>         at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:349)
>         at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:476)
>         ... 15 more
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
>         at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)
>         at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
>         at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:767)
>         at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:541)
>         ... 17 more
> 
> 
> Test 2) Connect without SSL (set in the client) to the Server listening on secure port (4243)
> 
> FileZilla log: 
> 19:18:02 Trace:	CControlSocket::DoClose(64)
> 19:18:02 Trace:	CControlSocket::DoClose(64)
> 19:18:02 Status:	Connecting to 192.168.178.21:4243...
> 19:18:02 Status:	Connection established, waiting for welcome message...
> 19:18:02 Trace:	CFtpControlSocket::OnReceive()
> 19:18:02 Response:	220 Service ready for new user.
> 19:18:02 Trace:	CFtpControlSocket::SendNextCommand()
> 19:18:02 Command:	USER ftpuser
> 19:18:02 Trace:	CFtpControlSocket::OnReceive()
> 19:18:02 Response:	331 User name okay, need password for ftpuser.
> 19:18:02 Trace:	CFtpControlSocket::SendNextCommand()
> 19:18:02 Command:	PASS ***
> 19:18:03 Trace:	CFtpControlSocket::OnReceive()
> 19:18:03 Response:	230 User logged in, proceed.
> 19:18:03 Trace:	CFtpControlSocket::SendNextCommand()
> 19:18:03 Command:	OPTS UTF8 ON
> 19:18:03 Trace:	CFtpControlSocket::OnReceive()
> 19:18:03 Response:	200 Command OPTS okay.
> 19:18:03 Trace:	CFtpControlSocket::SendNextCommand()
> 19:18:03 Command:	OPTS MLST size;modify;type;
> 19:18:03 Trace:	CFtpControlSocket::OnReceive()
> 19:18:03 Response:	200 Command OPTS okay.
> 19:18:03 Status:	Connected
> 19:18:03 Trace:	CFtpControlSocket::ResetOperation(0)
> 19:18:03 Trace:	CControlSocket::ResetOperation(0)
> 19:18:03 Trace:	CFileZillaEnginePrivate::ResetOperation(0)
> 19:18:03 Trace:	Measured latency of 59 ms
> 19:18:03 Status:	Retrieving directory listing...
> 19:18:03 Trace:	CFtpControlSocket::SendNextCommand()
> 19:18:03 Trace:	CFtpControlSocket::ChangeDirSend()
> 19:18:03 Command:	PWD
> 19:18:03 Trace:	CFtpControlSocket::OnReceive()
> 19:18:03 Response:	257 "/" is current directory.
> 19:18:03 Trace:	CFtpControlSocket::ResetOperation(0)
> 19:18:03 Trace:	CControlSocket::ResetOperation(0)
> 19:18:03 Trace:	CFtpControlSocket::ParseSubcommandResult(0)
> 19:18:03 Trace:	CFtpControlSocket::ListSubcommandResult()
> 19:18:03 Trace:	  state = 1
> 19:18:03 Trace:	CFtpControlSocket::ResetOperation(0)
> 19:18:03 Trace:	CControlSocket::ResetOperation(0)
> 19:18:03 Status:	Directory listing successful
> 19:18:03 Trace:	CFileZillaEnginePrivate::ResetOperation(0)
> 
> NOTE: This connection works but it seems to be an insecure one, because no TLS is requested. 
> 
> FileZilla config: 
> <Bildschirmfoto 2014-07-09 um 19.19.15.png>
> 
> On 04.07.2014 at 13:43, David Latorre <dv...@gmail.com> wrote:
> 
> 
>> Martin,
>> 
>> Could you attach Filezilla and  Mina FTPServer log files as well as
>> FTPServer configuration xml and  Filezilla's config (either screenshot or
>> XML file without the passwords)?
>> 
>> 
>> 2014-06-30 10:57 GMT+02:00 Martin Wunderlich <ma...@censhare.de>:
>> 
>>> Hi all,
>>> 
>>> I am expanding our MINA-based FTP server by adding a setting for implicit
>>> vs. explicit SSL. I have made all the necessary changes, but for some
>>> reason I can’t connect to the server anymore when implicit SSL is set to
>>> true. In explicit SSL mode it works fine.
>>> When trying to connect, I get the error message:
>>> Connection established, waiting for welcome message...
>>> 
>>> And then the FileZilla client just hangs until it has timed out…
>>> 
>>> Any ideas anyone?
>>> Thanks a lot.
>>> 
>>> Cheers,
>>> 
>>> Martin
>>> 
>>> 
> 


Re: Error while connection to FTP server running implicit SSL

Posted by Martin Wunderlich <ma...@censhare.de>.
Hi David, 

Thanks a lot for the reply. 
Here is the additional information below. The server configuration is set to implicit SSL = false. 
HTH. 

Cheers, 

Martin
  

Test 1) Connect with explicit SSL (set in the client) to the Server listening on secure port (4243)

FileZilla Log: 
19:15:39 Trace:	CControlSocket::DoClose(64)
19:15:39 Trace:	CControlSocket::DoClose(64)
19:15:39 Status:	Connecting to 192.168.178.21:4243...
19:15:39 Status:	Connection established, waiting for welcome message...
19:15:39 Trace:	CFtpControlSocket::OnReceive()
19:15:39 Response:	220 Service ready for new user.
19:15:39 Trace:	CFtpControlSocket::SendNextCommand()
19:15:39 Command:	AUTH TLS
19:15:39 Trace:	CFtpControlSocket::OnReceive()
19:15:39 Response:	234 Command AUTH okay; starting TLS connection.
19:15:39 Status:	Initializing TLS...
19:15:39 Trace:	CTlsSocket::Handshake()
19:15:39 Trace:	CTlsSocket::ContinueHandshake()
19:15:39 Trace:	CTlsSocket::OnSend()
19:15:39 Trace:	CTlsSocket::OnRead()
19:15:39 Trace:	CTlsSocket::ContinueHandshake()
19:15:39 Trace:	CTlsSocket::Failure(-12, 53)
19:15:39 Trace:	GnuTLS alert 40: Handshake failed
19:15:39 Error:	GnuTLS error -12: A TLS fatal alert has been received.
19:15:39 Trace:	CRealControlSocket::OnClose(53)
19:15:39 Trace:	CControlSocket::DoClose(64)
19:15:39 Trace:	CFtpControlSocket::ResetOperation(66)
19:15:39 Trace:	CControlSocket::ResetOperation(66)
19:15:39 Error:	Could not connect to server
19:15:39 Trace:	CFileZillaEnginePrivate::ResetOperation(66)

FileZilla Config: 


Server log: 
2014.07.09-19:15:39.601 SEVERE : pool-3-thread-9: DefaultFtpHandler: Exception caught, closing session
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
        at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:495)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
        at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:575)
        at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:349)
        at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:476)
        ... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:894)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:622)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:167)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
        at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:767)
        at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:541)
        ... 17 more


Test 2) Connect without SSL (set in the client) to the Server listening on secure port (4243)

FileZilla log: 
19:18:02 Trace:	CControlSocket::DoClose(64)
19:18:02 Trace:	CControlSocket::DoClose(64)
19:18:02 Status:	Connecting to 192.168.178.21:4243...
19:18:02 Status:	Connection established, waiting for welcome message...
19:18:02 Trace:	CFtpControlSocket::OnReceive()
19:18:02 Response:	220 Service ready for new user.
19:18:02 Trace:	CFtpControlSocket::SendNextCommand()
19:18:02 Command:	USER ftpuser
19:18:02 Trace:	CFtpControlSocket::OnReceive()
19:18:02 Response:	331 User name okay, need password for ftpuser.
19:18:02 Trace:	CFtpControlSocket::SendNextCommand()
19:18:02 Command:	PASS ***
19:18:03 Trace:	CFtpControlSocket::OnReceive()
19:18:03 Response:	230 User logged in, proceed.
19:18:03 Trace:	CFtpControlSocket::SendNextCommand()
19:18:03 Command:	OPTS UTF8 ON
19:18:03 Trace:	CFtpControlSocket::OnReceive()
19:18:03 Response:	200 Command OPTS okay.
19:18:03 Trace:	CFtpControlSocket::SendNextCommand()
19:18:03 Command:	OPTS MLST size;modify;type;
19:18:03 Trace:	CFtpControlSocket::OnReceive()
19:18:03 Response:	200 Command OPTS okay.
19:18:03 Status:	Connected
19:18:03 Trace:	CFtpControlSocket::ResetOperation(0)
19:18:03 Trace:	CControlSocket::ResetOperation(0)
19:18:03 Trace:	CFileZillaEnginePrivate::ResetOperation(0)
19:18:03 Trace:	Measured latency of 59 ms
19:18:03 Status:	Retrieving directory listing...
19:18:03 Trace:	CFtpControlSocket::SendNextCommand()
19:18:03 Trace:	CFtpControlSocket::ChangeDirSend()
19:18:03 Command:	PWD
19:18:03 Trace:	CFtpControlSocket::OnReceive()
19:18:03 Response:	257 "/" is current directory.
19:18:03 Trace:	CFtpControlSocket::ResetOperation(0)
19:18:03 Trace:	CControlSocket::ResetOperation(0)
19:18:03 Trace:	CFtpControlSocket::ParseSubcommandResult(0)
19:18:03 Trace:	CFtpControlSocket::ListSubcommandResult()
19:18:03 Trace:	  state = 1
19:18:03 Trace:	CFtpControlSocket::ResetOperation(0)
19:18:03 Trace:	CControlSocket::ResetOperation(0)
19:18:03 Status:	Directory listing successful
19:18:03 Trace:	CFileZillaEnginePrivate::ResetOperation(0)

NOTE: This connection works but it seems to be an insecure one, because no TLS is requested. 

FileZilla config: 


Am 04.07.2014 um 13:43 schrieb David Latorre <dv...@gmail.com>:


> Martin,
> 
> Could you attach Filezilla and  Mina FTPServer log files as well as
> FTPServer configuration xml and  Filezilla's config (either screenshot or
> XML file without the passwords)?
> 
> 
> 2014-06-30 10:57 GMT+02:00 Martin Wunderlich <ma...@censhare.de>:
> 
>> Hi all,
>> 
>> I am expanding our MINA-based FTP server by adding a setting for implicit
>> vs. explicit SSL. I have made all the necessary changes, but for some
>> reason I can’t connect to the server anymore when implicit SSL is set to
>> true. In explicit SSL mode it works fine.
>> When trying to connect, I get the error message:
>> Connection established, waiting for welcome message...
>> 
>> And then the FileZilla client just hangs until it has timed out…
>> 
>> Any ideas anyone?
>> Thanks a lot.
>> 
>> Cheers,
>> 
>> Martin
>> 
>> 
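
The two client logs in the message above can be told apart mechanically. The following is an added example, not part of the original thread or of Apache FtpServer: a small classifier for FileZilla control-connection logs that reports a failed TLS handshake (Test 1) or credentials accepted with no TLS handshake (Test 2). The function name and verdict labels are hypothetical; the sample logs are abridged from the two tests.

```python
import re

# FileZilla log line layout: "HH:MM:SS Kind:<whitespace>message"
LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+):\s*(.*)$")

def classify_session(log_text):
    """Classify one FileZilla control-connection log; returns (verdict, evidence)."""
    tls_started = False   # client began a TLS handshake
    cleartext = []        # credential commands sent with no TLS handshake
    logged_in = False     # server answered 230
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, kind, msg = m.groups()
        verb = msg.split(" ", 1)[0]
        if kind == "Status" and msg.startswith("Initializing TLS"):
            tls_started = True
        elif kind == "Error" and tls_started and "GnuTLS error" in msg:
            return "tls-handshake-failed", [f"{ts} {msg}"]
        elif kind == "Command" and verb in ("USER", "PASS") and not tls_started:
            cleartext.append(f"{ts} {verb} sent without TLS")
        elif kind == "Response" and verb == "230":
            logged_in = True
    if cleartext:
        verdict = "cleartext-login-accepted" if logged_in else "cleartext-login-attempted"
        return verdict, cleartext
    return ("tls-login" if logged_in else "no-login"), []

# Abridged from Test 1 in the post above (explicit TLS requested, handshake fails).
TEST1 = """\
19:15:39 Response: 220 Service ready for new user.
19:15:39 Command: AUTH TLS
19:15:39 Response: 234 Command AUTH okay; starting TLS connection.
19:15:39 Status: Initializing TLS...
19:15:39 Trace: GnuTLS alert 40: Handshake failed
19:15:39 Error: GnuTLS error -12: A TLS fatal alert has been received.
"""

# Abridged from Test 2 in the post above (no TLS requested, login succeeds).
TEST2 = """\
19:18:02 Response: 220 Service ready for new user.
19:18:02 Command: USER ftpuser
19:18:02 Response: 331 User name okay, need password for ftpuser.
19:18:02 Command: PASS ***
19:18:03 Response: 230 User logged in, proceed.
"""

if __name__ == "__main__":
    for name, log in (("Test 1", TEST1), ("Test 2", TEST2)):
        print(name, classify_session(log))
```

A "cleartext-login-accepted" verdict against a port meant to be TLS-only is the condition worth alerting on, since it means the server took USER and PASS on an unencrypted control channel.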


Re: Error while connection to FTP server running implicit SSL

Posted by David Latorre <dv...@gmail.com>.
Martin,

Could you attach Filezilla and Mina FTPServer log files as well as
FTPServer configuration xml and Filezilla's config (either screenshot or
XML file without the passwords)?


2014-06-30 10:57 GMT+02:00 Martin Wunderlich <ma...@censhare.de>:

> Hi all,
>
> I am expanding our MINA-based FTP server by adding a setting for implicit
> vs. explicit SSL. I have made all the necessary changes, but for some
> reason I can’t connect to the server anymore when implicit SSL is set to
> true. In explicit SSL mode it works fine.
> When trying to connect, I get the error message:
> Connection established, waiting for welcome message...
>
> And then the FileZilla client just hangs until it has timed out…
>
> Any ideas anyone?
> Thanks a lot.
>
> Cheers,
>
> Martin
>
>