Our Products:   CompleteFTP  edtFTPnet/Free  edtFTPnet/PRO  edtFTPj/Free  edtFTPj/PRO
0 votes
25.2k views
in CompleteFTP by (800 points)
I have been trying to configure EDT FTP server to test an evaluation copy of FTPnet for use with FTPS as a recommendation to a committee for a library to standardize on. At this point. I understand the FTP Server is Beta and EDTs support of the Beta is very limited. I'm hoping someone can enlighten me.

I discovered that the FTP server doesn't install/run under a Domain account (at least through the UI wrapper). I have even looked at creating Domain Accounts using the "mkpasswd -d >> psswd" which failed with RPC server unavailable. My main concern is getting the FTP server up and running with FTPS.

I have a Win2K CA that I have the CA Root Authority Cert (AcmeCACert.cer), a generated Cert containing both Public/Private keys (AcmeFTPCert.cer) and an export of this Cert containing only the Public Key (AcmeFTPPublicCert.cer).

I have a simple .NET v2005 app which sets the parameters below. I keep getting the error message "The server hello message uses a protocol that was not recognized." At this point I have manually modified the default.conf file to point to my certs as shown below.

I looked at the OpenSSL certs provided compared to my certs and the formats look slightly different. the OpenSSLs have a special Newline character after every section but all sections are placed together on one line. Is this a problem for the FTP Server?

Also I looked at my Public/Private Cert compared with my Public Cert and they both appear to have the same exact data in them (which is odd to me as I exported only the public part of the Cert). I've even tried to export a *.pfx which is completely different format all together (i.e. not the Base64 of the *.cer files).

Any ideas?

TLSEngine on
TLSLog /edtFTPD/var/log/tls.log
TLSProtocol TLSv1
TLSRequired on
TLSRSACertificateFile /edtFTPD/etc/AcmeFTPPublicCert.cer
TLSRSACertificateKeyFile /edtFTPD/etc/AcmeFTPCert.cer
TLSCACertificateFile /edtFTPD/etc/AcmeCACert.cer
TLSVerifyClient off

// setting server address and credentials
ftpConnection.ServerAddress = "192.168.1.10";
ftpConnection.ServerPort = 21;
ftpConnection.UserName = "AcmeTest";
ftpConnection.Password = "Secret";

// select explicit FTPS
ftpConnection.Protocol = FileTransferProtocol.FTPSExplicit;
ftpConnection.Connect();

13 Answers

0 votes
by (51.6k points)
Are you saying that edtFTPnet/PRO gives this "server hello' error when connecting to edtFTPD? This is very surprising for obvious reasons. Could you please set the logging level on the client (i.e. edtFTPnet/PRO) to DEBUG and post the log here? There's a how-to that explains how to enable logging in the help.

- Hans (EDT Support)
0 votes
by (800 points)
That is exactly what I am saying. As I have had problems with the install for edtFTPnet/PRO I am not exactly sure what you are referring to on where to find the DEBUG levels for the client code. My Help Files did not get registered and when I tried to register them with H2Reg -r I got an Error with the H2Reg.ini file not having a Registration section (which is commented out). This left me with the Example Viewer application which has a How To branch but nothing that I see about setting a Debug Level variable. In fact the only place I have seen a Debug level variable is in the FTPD server's default.conf file. Can you point me to where i need to look or what I need to do? On a side note after performing more testing and changing the Protocol property from FileTransferProtocol.FTPSExplicit to FileTransferProtocol.FTPSImplicit. I get the "No connection could be made because the target machine actively refused it" error which I will look into next as the account is in the passwd file on the FTP Server. I've also tried changing the TransferType over to ASCII as I read somewhere that FTPS had problems with Binary transfers but this did nothing. Any help would be greatful. TIA
*EDIT*
On further examination, when I changed the protocol to FileTransferProtocol.FTPSImplicit, the code updated my ServerPort to be 990 instead of 21. If I set the ServerPort back to 21 then I get the same error message as before "The server message..."
0 votes
by (51.6k points)
It sounds like there are multiple problems.

Firstly, the server hello problem is probably occurring when you try to connect to an explicit FTPS server using FTPSImplicit. The reason why this happens is that FTPSImplicit tries to form an SSL connection immediately, but the explicit FTPS does not, so instead of responding with the SSL "server hello", it responds with the standard FTP welcome message (i.e. welcome text followed by "200 OK"). The implicit FTPS does not recognize this as an SSL response and therefore complains.

Secondly, the message, "No connection could be made because the target machine actively refused it", comes when you try to connect to a port that has nothing listening on it. The utility TCPView is useful if you would like to check which ports are being used, both by client-side and server-side processes.

You can find the full manual on our website at http://www.enterprisedt.com/products/edtftpnetpro/doc/manual/index.html. The section on logging is near the bottom of the content-tree.

Finally, if you like you can try FileZilla Server, which is a free FTP/FTPS server that we have found to be reliable. You can find it at http://sourceforge.net/project/showfiles.php?group_id=21558.

- Hans (EDT)
0 votes
by (800 points)
I found the documentation and tried multiple items since my last post. Your first explaination makes sense theoretically but they way I have both the FTPServer configured and the client configured (from what I can tell) would suggest I am on the correct path using the FTPExplicit connection, so I'm a little confused. (I only switched to FTPImplicit in an attempt to debug).

The second answer you gave makes complete sense and that's why I updated my post to reflect that I discovered the reason behind the "No Connection" error. I also tried downloading FileZilla earlier and testing with it, but I didn't not see the FTPS functionality in the client, only the SFTP (using SSH)... I took a look again and assume from their documentation the the ftps:// is their way of implementing FTPS. If this is correct then I have a problem with the FTPS Server.

I also got error messages trying to use CuteFTPs FTPS functionality also. Below are my results. From what I see, it appears that Authorization succeeds but the SSL negotiation fails. I'm not sure if this is because of my X509 Certs or something else. The certificate was created to "Ensure the identity of a remote computer". I'm wondering if it needs to be created using another template to include encryption. I seem to recall reading something about an inability to access Certs in the Machine Store, but that wouldn't make sense here as the files are stored in the directory with the config file. Any suggestions would be greatly appriciated.

FileZilla Errors:
Status:   Connecting to 192.168.1.20 ...
Status:   Connected with 192.168.1.20, negotiating SSL connection...
Error:   Can't establish SSL connection
Error:   Disconnected from server
Error:   Unable to connect!
Status:   Waiting to retry... (5 retries left)


CuteFTP Errors:
      *** CuteFTP 8.0 - build Oct 12 2006 ***

STATUS:>     [1/31/2007 1:21:07 PM] Getting listing ""...
STATUS:>     [1/31/2007 1:21:07 PM] Connecting to FTP server... 192.168.1.20:21 (ip = 192.168.1.20)...
STATUS:>     [1/31/2007 1:21:07 PM] Socket connected. Waiting for welcome message...
      [1/31/2007 1:21:08 PM] 220-You are accessing an edtFTPD server.
       
       You are accessing an edtFTPD server
       edtFTPD is a free component of the edt Platform
       Enterprise Distributed Technologies
       http://www.enterprisedt.com
       
      220 ProFTPD 1.2.9 Server (ServerAuthCert) [ADC-DEV1.cs.myharris.net]
STATUS:>     [1/31/2007 1:21:08 PM] Connected. Authenticating...
COMMAND:>   [1/31/2007 1:21:08 PM] AUTH TLS
      [1/31/2007 1:21:08 PM] 234 AUTH TLS successful
STATUS:>     [1/31/2007 1:21:08 PM] Establishing SSL session...
STATUS:>     [1/31/2007 1:21:08 PM] Initializing SSL module.
STATUS:>     [1/31/2007 1:21:08 PM] Connected. Exchanging encryption keys...
ERROR:>      [1/31/2007 1:21:09 PM] SSL: Error in negotiating SSL connection.


edtFTPnet/Pro Log:
INFO [LicenseProperties] 31 Jan 2007 16:15:55.511 : Licence expiry date: 3/9/2007
INFO [LicenseProperties] 31 Jan 2007 16:15:55.511 : Trial license
INFO [LicenseProperties] 31 Jan 2007 16:15:55.511 : Licence expiry date: 3/9/2007
INFO [LicenseProperties] 31 Jan 2007 16:15:55.511 : Trial license
DEBUG [SSLFTPClient] 31 Jan 2007 16:15:55.511 : Connecting to 192.168.1.20:21
DEBUG [HostNameResolver] 31 Jan 2007 16:15:55.511 : 192.168.1.20 resolved to 192.168.1.20
DEBUG [ExFTPControlSocket] 31 Jan 2007 16:15:55.527 : Connecting directly to ftp-server 192.168.1.20:21
DEBUG [ExFTPControlSocket] 31 Jan 2007 16:15:55.543 : Created control-socket: SocksContext=, RemoteHost=192.168.1.20, controlPort=21, timeout=0
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.121 : 220-You are accessing an edtFTPD server.
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.121 :  
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.121 :  You are accessing an edtFTPD server
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.121 :  edtFTPD is a free component of the edt Platform
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.121 :  Enterprise Distributed Technologies
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.137 :  http://www.enterprisedt.com
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.137 :  
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.137 : 220 ProFTPD 1.2.9 Server (ServerAuthCert) [Acme.com]
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.137 : ---> AUTH TLS
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.137 : 234 AUTH TLS successful
DEBUG [SSLFTPControlSocket] 31 Jan 2007 16:16:01.152 : Beginning Tls1 handshake.
ERROR [SocketController] 31 Jan 2007 16:16:01.183 : OnReceive - caught exception - closing : Org.Mentalis.Security.Ssl.Shared.SslException: The server hello message uses a protocol that was not recognized.
Org.Mentalis.Security.Ssl.Shared.SslException: The server hello message uses a protocol that was not recognized.
   at ec.b(Byte[] A_0, Int32 A_1, Int32 A_2)
   at ec.c(Byte[] A_0, Int32 A_1, Int32 A_2)
   at w.g(IAsyncResult A_0)
DEBUG [TransferBuffer] 31 Jan 2007 16:16:01.183 : Close() called when open
DEBUG [AsyncProcessor] 31 Jan 2007 16:16:01.199 : Stopping FTP task processor.
DEBUG [AsyncProcessor] 31 Jan 2007 16:16:01.199 : FTP task processor stopped.
DEBUG [FTPControlSocket] 31 Jan 2007 16:16:01.199 : ---> QUIT
ERROR [SecureFTPConnection] 31 Jan 2007 16:16:01.230 : An I/O exception occurred. : System.IO.IOException: An I/O exception occurred.
System.IO.IOException: An I/O exception occurred.
   at a8.a(Byte[] A_0, Int32 A_1, Int32 A_2)
   at System.IO.StreamWriter.Flush(Boolean flushStream, Boolean flushEncoder)
   at System.IO.StreamWriter.Flush()
   at EnterpriseDT.Net.Ftp.FTPControlSocket.WriteCommand(String command)
   at EnterpriseDT.Net.Ftp.FTPControlSocket.SendCommand(String command)
   at EnterpriseDT.Net.Ftp.FTPClient.Quit()
   at EnterpriseDT.Net.Ftp.Ssl.SSLFTPClient.Quit()
   at EnterpriseDT.Net.Ftp.FTPConnection.Close(Boolean abruptClose)
   at EnterpriseDT.Net.Ftp.ExFTPConnection.Close(Boolean abruptClose)
   at EnterpriseDT.Net.Ftp.FTPConnection.Close()
   at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()
CAUSED BY:
System.Net.Sockets.SocketException: The operation completed successfully
   at er.b(Byte[] A_0, Int32 A_1, Int32 A_2, SocketFlags A_3, AsyncCallback A_4, Object A_5)
   at er.b(Byte[] A_0, Int32 A_1, Int32 A_2, SocketFlags A_3)
   at a8.a(Byte[] A_0, Int32 A_1, Int32 A_2)
0 votes
by (800 points)
I have tried with both TLSV1 and SSLV3 set on the server. I have even configured to use the OpenSSL Certs which came in the install and that doesn't work, which would tell me it's probably not the X509 Certs.
0 votes
by (51.6k points)
Thanks for your persistence. We will get there soon. :)

I found the documentation and tried multiple items since my last post. Your first explaination makes sense theoretically but they way I have both the FTPServer configured and the client configured (from what I can tell) would suggest I am on the correct path using the FTPExplicit connection, so I'm a little confused. (I only switched to FTPImplicit in an attempt to debug).

Yes, you should be using FTPSExplicit.

The second answer you gave makes complete sense and that's why I updated my post to reflect that I discovered the reason behind the "No Connection" error. I also tried downloading FileZilla earlier and testing with it, but I didn't not see the FTPS functionality in the client, only the SFTP (using SSH)... I took a look again and assume from their documentation the the ftps:// is their way of implementing FTPS. If this is correct then I have a problem with the FTPS Server.

Both FileZilla Client and FileZilla Server support FTPS. I was suggesting trying FileZilla Server instead of edtFTPD (link to version 0.9.22). As an alternative for testing, Ipswitch actually run a public server that supports anonymous FTPS connections (host-name=ftp.ipswitch.com, port=21, user-name=anonymous, password=(your e-mail address)). You might like to try to connect to Ipswitch's public server just to confirm that you can get an FTPS connection. Having said that, I don't see any reason why you shouldn't be able to to use FileZilla Server. I just downloaded and installed it again and it definitely does support FTPS.

I also got error messages trying to use CuteFTPs FTPS functionality also. Below are my results. From what I see, it appears that Authorization succeeds but the SSL negotiation fails. I'm not sure if this is because of my X509 Certs or something else. The certificate was created to "Ensure the identity of a remote computer". I'm wondering if it needs to be created using another template to include encryption. I seem to recall reading something about an inability to access Certs in the Machine Store, but that wouldn't make sense here as the files are stored in the directory with the config file. Any suggestions would be greatly appriciated.

No, the certificate does not have any such settings. It's only used for authentication.

At this point, I think the best thing to do is to try another server. Please let us know how you go with it.

- Hans (EDT)
0 votes
by (800 points)
Thanks for sticking with me on this one. I still think I have a problem with the Certificates somewhere. I tried your suggestion of going against ipswitch but
when setting ServerAddress = "ftp.ipswitch.com" I got the error message: "The certificate could not be verified: -i The signature of the certificate cannot be verified."
and when setting ServerAddress = "ftps://ftp.ipswitch.com" I got the error message: "The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for". I didn't assign the ServerCommonName property in either case and wasn't prompted to accept the Server's pulic cert (which I don't have installed anywhere to my knowledge).

I then proceeded to install FileZilla's FTP Server and get it configured. With port = 21, I got the following error message from that attempt
The certificate could not be verified: o - A certification chain processed correctly but terminated in a root certificate not trusted by the trust provider.
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> Connected, sending welcome message...
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 220-FileZilla Server version 0.9.22 beta
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> AUTH TLS
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 234 Using authentication type TLS
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> disconnected.oot certificate not trusted by the trust provider.

I tried generating a cert with FileZillas Server, but that didn't work either. The only combination that i could get to work was FileZilla FTP Server using port=21 and port=990 for TLS/SSL in conjunction with FileZilla FTP client using Address=ftps://192.168.1.20 (was using Explicit FTPS as far as I could tell). When I try to use edtFTPnet/Pro with ServerAddress=192.168.1.20 and ServerPort=990, it appears to connect but then the FTP Server appears to disconnect after waiting a few seconds, almost as if it is waiting on the client to accept the Certificate or something. Am I missing something in the examples where I need to have the FTP Server's public certificate locally on my machine somewhere and get it loaded through code? I might be misunderstanding what needs to occur on the client side when dealing with the Server's cert. Right now at most I am setting the .ServerCommonName property to the certificate's CommonName value (i.e. .ServerCommonName="FTPCert "not .ServerCommonName="CN=FTPCert"). It doesn't appear as though I can set the .ServerCertificate property. Am I missing something?
0 votes
by (51.6k points)
Thanks for sticking with me on this one. I still think I have a problem with the Certificates somewhere. I tried your suggestion of going against ipswitch but
when setting ServerAddress = "ftp.ipswitch.com" I got the error message: "The certificate could not be verified: -i The signature of the certificate cannot be verified."
and when setting ServerAddress = "ftps://ftp.ipswitch.com" I got the error message: "The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for". I didn't assign the ServerCommonName property in either case and wasn't prompted to accept the Server's pulic cert (which I don't have installed anywhere to my knowledge).


There are a few how-tos that explain how to deal with the validation of server certicates in the Developer's Guide. Look for "How to use FTPS".

While you're finding your feet it's a good idea to switch off server validation by setting:
ftpConnection.ServerValidation = SecureFTPServerValidationType.None;


If server validation is enabled then you need to have either the server's certificate or one of its issuing certificates installed in the machine's certificate store. One easy way to do this is via the Certificate Manager, which you can display using:
SSLFTPCertificate.ShowCertificateManager();


I then proceeded to install FileZilla's FTP Server and get it configured. With port = 21, I got the following error message from that attempt
The certificate could not be verified: o - A certification chain processed correctly but terminated in a root certificate not trusted by the trust provider.
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> Connected, sending welcome message...
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 220-FileZilla Server version 0.9.22 beta
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> AUTH TLS
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> 234 Using authentication type TLS
(000001) 2/1/2007 10:22:24 AM - (not logged in) (192.168.1.20)> disconnected.oot certificate not trusted by the trust provider.

I tried generating a cert with FileZillas Server, but that didn't work either. The only combination that i could get to work was FileZilla FTP Server using port=21 and port=990 for TLS/SSL in conjunction with FileZilla FTP client using Address=ftps://192.168.1.20 (was using Explicit FTPS as far as I could tell). When I try to use edtFTPnet/Pro with ServerAddress=192.168.1.20 and ServerPort=990, it appears to connect but then the FTP Server appears to disconnect after waiting a few seconds, almost as if it is waiting on the client to accept the Certificate or something. Am I missing something in the examples where I need to have the FTP Server's public certificate locally on my machine somewhere and get it loaded through code? I might be misunderstanding what needs to occur on the client side when dealing with the Server's cert. Right now at most I am setting the .ServerCommonName property to the certificate's CommonName value (i.e. .ServerCommonName="FTPCert "not .ServerCommonName="CN=FTPCert"). It doesn't appear as though I can set the .ServerCertificate property. Am I missing something?


Yes, I think these errors are all related to the fact that server validation is enabled, but you have not installed any certificates that are able to validate the certificate that the server is presenting during the SSL handshake.

- Hans (EDT)
0 votes
by (800 points)
I had previously been through the majority of the help documentation via the Examples application, granted your online docs seam to be a little more up to date but there are still some very vague explainations on configuration. One of the first things I did before posting was verify that I could connect without TLS/SSL ServerValidation. Here are some of the questions I still have regarding Certificates after reading through the documentation.
* What functionality needs to be included in the Server's Certificate (i.e. ability to encrypt, sign, support for SSL, etc.. I'm guessing we need to use the Certificate Template 1.3.6.1.5.5.7.3.1 per the HowTo's but thats if we are using Self Signed Certs as opposed to requesting a Cert from our local CA)?
* What certificate store does the Server's Public/Private Cert need to be installed in on the Server? (My assumption is Local Computer -> Personal, but this isn't documented anywhere)
* What certificate store does that Server's Root Cert need to be installed in on the Server? (My assumption is Local Computer -> Trusted Root Certification Authorities)
* What certificate store does the Server's Public Cert need to be installed in on the Client? (My assumption is Current User -> Personal for standalone apps and Local Computer -> Personal for Windows Services according to the How To's)
* Usually Certs from a CA have both the public and private keys stored together, then once installed into the Cert Store, the public key can be exported and distributed freely. Where is the documentation on what is exceptable in edtFTP and how it handles the Public, Private and Public/Private key variations?
* Since the Public/Private combined Key is installed in the Certificate Store (and both keys Public/Private combo and Public can't be installed into the same Cert store at the same time), what is the reasoning behind setting up the separate public TLSRSACertificateFile and TLSRSACertificateKeyFile parameters in the FTP Server?
0 votes
by (800 points)
I finally got the edtFTPnet/PRO client code to work against both Filezilla FTP server *AND* edtFTPD server. I am still interested to hear your responses to my prior post. What appears to be the major problem is the format of the Certifcates, what EDT says it supports verse what MS generates appear to be two different things. I downloaded my cert directly from the Cert Store's web interface so I ended up with a *.cer file which contained my public and private keys. Once I install the cert into the Cert Store, I am able to export the Public Key as a *.cer that can be handed out to anyone. These were the same certs that was using in my code, but did not work. I ended up coming across a posting for an Open Source app called XCA used to store certificates in a secure database. The great side functionality though is that it exports your certs in various formats. It took my cert and exported it in the PEM format with a *.pem extension, exported the certificate itself in PEM format with a *.crt extension and also exported the Root CA in PEM format with a *.crt extension. When I referenced these in the edtFTPD's config file everything went much smoother. Now everything that I've seen so far says that *.CER certs are in Base64 encoding and edt says it supports CER, PEM and PFX formats. What's the deal?

Categories

...