0 votes
4.8k views
in .NET FTP by (240 points)
Hi,
When trying to connect to an SSL FTP, for some reason the library does not send USER / PASS. The samples are pretty self-explanatory, so I'm not too sure what I'm doing wrong. Here is the code I'm using:

SecureFTPConnection newConn = new SecureFTPConnection();
            
newConn.AutoLogin = true;
newConn.ServerAddress = "127.0.0.1";
newConn.ServerPort = 5001;
newConn.UserName = "username";
newConn.Password = "password";
//newConn.SSLVersion = SSLFTPSSLVersion.TLS1;
newConn.Protocol = FileTransferProtocol.FTPSExplicit;
newConn.ServerValidation = SecureFTPServerValidationType.None;
newConn.Connect();


Here is what's happening by catching the corresponding events:

<- 220 ZDNET mirror v3.1
-> ---> AUTH TLS
<- 234 AUTH TLS successful
-> ---> PBSZ 0
<- 200 Command okay
-> ---> PROT P
<- 530 Not logged in.
-> ---> QUIT
<- 221 Goodbye!


And here is a more detailed log:
INFO [LicenseProperties] 31 May 2007 00:34:31.554 : Licence expiry date: 7/14/2007
INFO [LicenseProperties] 31 May 2007 00:34:31.554 : Trial license
INFO [LicenseProperties] 31 May 2007 00:34:31.560 : Licence expiry date: 7/14/2007
INFO [LicenseProperties] 31 May 2007 00:34:31.560 : Trial license
DEBUG [SSLFTPClient] 31 May 2007 00:34:31.561 : Connecting to 127.0.0.1:5001
DEBUG [HostNameResolver] 31 May 2007 00:34:31.590 : 127.0.0.1 resolved to 127.0.0.1
DEBUG [SSLFTPControlSocket] 31 May 2007 00:34:31.592 : waitOnShutdownSSL=True
DEBUG [ExFTPControlSocket] 31 May 2007 00:34:31.606 : Connecting directly to ftp-server 127.0.0.1:5001
DEBUG [ExFTPControlSocket] 31 May 2007 00:34:31.615 : Created control-socket: SocksContext=, ProxySettings=EnterpriseDT.Net.Proxy.ProxySettings, RemoteHost=127.0.0.1, controlPort=5001, timeout=120000
DEBUG [FTPControlSocket] 31 May 2007 00:34:32.145 : 220 ZDNET mirror v3.1
DEBUG [FTPControlSocket] 31 May 2007 00:34:32.157 : ---> AUTH TLS
DEBUG [FTPControlSocket] 31 May 2007 00:34:32.531 : 234 AUTH TLS successful
DEBUG [SSLFTPControlSocket] 31 May 2007 00:34:32.533 : Beginning Tls1 handshake.
DEBUG [SocketController] 31 May 2007 00:34:33.016 : Processing hello
DEBUG [SSLFTPControlSocket] 31 May 2007 00:34:34.109 : Tls1 handshake complete.
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.110 : ---> PBSZ 0
ALL [AsyncResult] 31 May 2007 00:34:34.115 : Notify setting completed: null 0
ALL [AsyncResult] 31 May 2007 00:34:34.116 : Notify setting wait: 0
ALL [TransferBuffer] 31 May 2007 00:34:34.490 : Wait begin: TransferBuffer.Read
ALL [TransferBuffer] 31 May 2007 00:34:34.490 : Wait end: TransferBuffer.Read
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.490 : 200 Command okay
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.491 : ---> PROT P
ALL [AsyncResult] 31 May 2007 00:34:34.491 : Notify setting completed: null 2
ALL [AsyncResult] 31 May 2007 00:34:34.491 : Notify setting wait: 2
ALL [TransferBuffer] 31 May 2007 00:34:34.864 : Wait begin: TransferBuffer.Read
ALL [TransferBuffer] 31 May 2007 00:34:34.864 : Wait end: TransferBuffer.Read
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.864 : 530 Not logged in.
INFO [FTPControlSocket] 31 May 2007 00:34:34.864 : Expected reply codes = [200]
DEBUG [AsyncProcessor] 31 May 2007 00:34:34.875 : Stopping FTP task processor.
DEBUG [AsyncProcessor] 31 May 2007 00:34:34.875 : FTP task processor stopped.
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.878 : ---> QUIT
ALL [AsyncResult] 31 May 2007 00:34:34.879 : Notify setting completed: null 4
ALL [AsyncResult] 31 May 2007 00:34:34.879 : Notify setting wait: 4
DEBUG [SocketController] 31 May 2007 00:34:35.254 : Status=ShutdownSSL
ALL [TransferBuffer] 31 May 2007 00:34:35.254 : Wait begin: TransferBuffer.Read
ALL [TransferBuffer] 31 May 2007 00:34:35.254 : Wait end: TransferBuffer.Read
ALL [TransferBuffer] 31 May 2007 00:34:35.254 : Wait end: TransferBuffer.Read
DEBUG [SocketController] 31 May 2007 00:34:35.254 : OnReceive closing (size == 0)
DEBUG [FTPControlSocket] 31 May 2007 00:34:35.254 : 221 Goodbye!
DEBUG [SocketController] 31 May 2007 00:34:35.256 : CloseConnection(e=null)
DEBUG [TransferBuffer] 31 May 2007 00:34:35.260 : Close() called when open
DEBUG [SocketController] 31 May 2007 00:34:35.271 : Dispose()
DEBUG [SocketController] 31 May 2007 00:34:35.271 : CloseConnection(e=null)


If I remove "newConn.Protocol = FileTransferProtocol.FTPSExplicit;" the login sequence appears to be the correct one; of course, the connection is no longer secure.
I'm using .NET 2.0.

Thanks,
Paul

8 Answers

0 votes
by (162k points)
Now that is interesting. Normally the PROT command is executed before logging in. This server seems to expect that you be logged in before this command. Weird, this violates the spec.

SecureFTPConnection doesn't permit this sequence to be changed, however you can get finer control by using SSLFTPClient. Try something like this (might need a tweak):

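using EnterpriseDT.Net.Ftp.Ssl;

SSLFTPClient ftp = new SSLFTPClient();
ftp.RemoteHost = "myhost";
// None disables server certificate validation
ftp.ServerValidation = SSLFTPClient.ServerValidationType.None;
ftp.Connect();
// AUTH TLS and the handshake run first, so the login below is sent over TLS
ftp.Auth(SSLFTPSSLVersion.TLS1, false);
ftp.Pbsz(0);
// log in before PROT, the order this server expects
ftp.Login("user","password");
ftp.Prot(SSLFTPDataProtectionType.Private);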
0 votes
by (240 points)
Hi again,
Using the snippet posted above, most of the time I get a "Socket closed before handshake is complete" error, whereas very few times it works. Any ideas why it would not wait for the handshake to be complete before proceeding with the login?

DEBUG [SSLFTPClient] 31 May 2007 13:23:45.741 : Connecting to 127.0.0.1:5001
DEBUG [HostNameResolver] 31 May 2007 13:23:45.791 : 127.0.0.1 resolved to 127.0.0.1
DEBUG [SSLFTPControlSocket] 31 May 2007 13:23:45.818 : waitOnShutdownSSL=True
DEBUG [ExFTPControlSocket] 31 May 2007 13:23:45.900 : Connecting directly to ftp-server 127.0.0.1:5001
DEBUG [ExFTPControlSocket] 31 May 2007 13:23:45.979 : Created control-socket: SocksContext=, ProxySettings=EnterpriseDT.Net.Proxy.ProxySettings, RemoteHost=127.0.0.1, controlPort=5001, timeout=120000
DEBUG [FTPControlSocket] 31 May 2007 13:23:46.524 : 220 ZDNET mirror v3.1
DEBUG [FTPControlSocket] 31 May 2007 13:23:46.566 : ---> AUTH TLS
DEBUG [FTPControlSocket] 31 May 2007 13:23:46.945 : 234 AUTH TLS successful
DEBUG [SSLFTPControlSocket] 31 May 2007 13:23:46.948 : Beginning Tls1 handshake.
DEBUG [SocketController] 31 May 2007 13:23:47.554 : Processing hello
DEBUG [SocketController] 31 May 2007 13:23:48.558 : Status=ShutdownSSL
DEBUG [SocketController] 31 May 2007 13:23:48.559 : OnReceive closing (size == 0)
DEBUG [SocketController] 31 May 2007 13:23:48.561 : CloseConnection(e=null)
DEBUG [TransferBuffer] 31 May 2007 13:23:48.565 : Close() called when open
ERROR [SocketController] 31 May 2007 13:23:48.627 : OnReceive - caught exception - closing : System.IO.IOException: Socket closed before handshake is complete (2)
System.IO.IOException: Socket closed before handshake is complete (2)
   at x.h(IAsyncResult A_0)
DEBUG [SocketController] 31 May 2007 13:23:48.628 : CloseConnection(e=Socket closed before handshake is complete (2))


And I just came across another problem - "The server hello message uses a protocol that was not recognized":

DEBUG [SSLFTPClient] 31 May 2007 13:54:28.207 : Connecting to 127.0.0.1:5002
DEBUG [HostNameResolver] 31 May 2007 13:54:28.236 : 127.0.0.1 resolved to 127.0.0.1
DEBUG [SSLFTPControlSocket] 31 May 2007 13:54:28.238 : waitOnShutdownSSL=True
DEBUG [ExFTPControlSocket] 31 May 2007 13:54:28.253 : Connecting directly to ftp-server 127.0.0.1:5002
DEBUG [ExFTPControlSocket] 31 May 2007 13:54:28.262 : Created control-socket: SocksContext=, ProxySettings=EnterpriseDT.Net.Proxy.ProxySettings, RemoteHost=127.0.0.1, controlPort=5002, timeout=120000
DEBUG [FTPControlSocket] 31 May 2007 13:54:28.669 : 220 InterNetNews NNRP server INN 2.3.0 ready (posting ok).
DEBUG [FTPControlSocket] 31 May 2007 13:54:28.677 : ---> AUTH TLS
DEBUG [FTPControlSocket] 31 May 2007 13:54:28.943 : 234 AUTH TLS successful
DEBUG [SSLFTPControlSocket] 31 May 2007 13:54:28.946 : Beginning Tls1 handshake.
DEBUG [SocketController] 31 May 2007 13:54:29.325 : Processing hello
ERROR [SocketController] 31 May 2007 13:54:29.333 : OnReceive - caught exception - closing : Org.Mentalis.Security.Ssl.Shared.SslException: The server hello message uses a protocol that was not recognized.
Org.Mentalis.Security.Ssl.Shared.SslException: The server hello message uses a protocol that was not recognized.
   at eg.b(Byte[] A_0, Int32 A_1, Int32 A_2)
   at eg.c(Byte[] A_0, Int32 A_1, Int32 A_2)
   at x.h(IAsyncResult A_0)
DEBUG [SocketController] 31 May 2007 13:54:29.336 : CloseConnection(e=The server hello message uses a protocol that was not recognized.)
DEBUG [TransferBuffer] 31 May 2007 13:54:29.337 : Close() called when open


Thanks
0 votes
by (51.6k points)
These are some really unusual problems. What server or servers are you using? We'd like to try to repeat the problem on our machines.

- Hans (EnterpriseDT)
0 votes
by (240 points)
Hi,
I've tried the following servers:

glFTPd 2.00 Linux+TLS
glFTPd 2.01 Linux+TLS
glFTPd 2.01.1 (psxc-beta) Linux+TLS

All of them return "The server hello message uses a protocol that was not recognized".

They all work fine, as I have tried three FTP clients. Below is a log from one of them:

(17:42:07) [2] Connecting to 127.0.0.1:5002
(17:42:08) [2]     AUTH TLS
(17:42:08) [2] 234 AUTH TLS successful
(17:42:08) [2] Encryption algorithm: TLSv1 DHE-DSS-AES256-SHA-256
(17:42:08) [2]     PBSZ 0
(17:42:09) [2] 200 PBSZ 0 successful
(17:42:09) [2]     USER username
(17:42:09) [2] 331 Password required for username.
(17:42:09) [2]     PASS (hidden)
(17:42:09) [2] 230 User username logged in.
(17:42:09) [2]     SYST
(17:42:10) [2] 215 UNIX Type: L8
(17:42:10) [2]     PROT P
(17:42:10) [2] 200 Protection set to Private
(17:42:10) [2]     FEAT
(17:42:10) [2] 211- Extensions supported:
(17:42:10) [2]  AUTH TLS
(17:42:10) [2]  AUTH SSL
(17:42:10) [2]  PBSZ
(17:42:10) [2]  PROT
(17:42:10) [2]  CPSV
(17:42:10) [2]  SSCN
(17:42:10) [2]  MDTM
(17:42:10) [2]  SIZE
(17:42:10) [2]  REST STREAM
(17:42:10) [2]  SYST
(17:42:10) [2] 211 END
(17:42:10) [2]     TYPE A
(17:42:10) [2] 200 Type set to A.
(17:42:10) [2]     PWD
(17:42:11) [2] 257 "/" is current directory.
(17:42:11) [2]     PASV
(17:42:11) [2] 227 Entering Passive Mode (xxx)
(17:42:11) [2] Opening data connection IP: (xxx)
(17:42:11) [2]     LIST
(17:42:11) [2] 150 Opening ASCII mode data connection for directory listing using SSL/TLS.
(17:42:12) [2] Encryption algorithm: TLSv1 DHE-DSS-AES256-SHA-256

0 votes
by (162k points)
Ok, we'll install this server & take a look.
0 votes
by (162k points)
It turns out that glftpd only supports ephemeral Diffie-Hellman ciphers (as far as we can tell), which currently aren't supported by edtFTPnet/PRO. We will look at implementing some of these ciphers.
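
Added example (not part of the original posts and not EnterpriseDT's code): a Python triage script for control-connection logs in the format quoted in this thread. It flags the two failures discussed above, PROT answered with 530 before any USER was sent and a TLS handshake that begins after the 234 reply but never completes, and it also checks that a reordered sequence does not send USER/PASS before TLS is up. The function name `diagnose` and the finding labels are assumptions made for the example; the sample logs are excerpts of the logs posted above.

```python
import re

# Log line shape used in this thread: LEVEL [Source] timestamp : message
LINE = re.compile(r"^[ \t]*(\w+) \[(\w+)\] (.+?) : (.*)$", re.M)

def diagnose(log_text):
    """Return finding labels (hypothetical names) for one control-connection log."""
    findings, sent, last_cmd = [], [], None
    tls_begun = tls_done = False
    for m in LINE.finditer(log_text):  # stack-trace lines do not match and are skipped
        source, msg = m.group(2), m.group(4).strip()
        if msg.startswith("Beginning") and "handshake" in msg:
            tls_begun = True
        elif msg.endswith("handshake complete."):
            tls_done = True
        elif source == "FTPControlSocket" and msg.startswith("---> "):
            last_cmd = msg[5:].split()[0].upper()
            sent.append(last_cmd)
            if last_cmd in ("USER", "PASS") and not tls_done:
                findings.append("CREDENTIALS_BEFORE_TLS")  # login not protected by TLS
        elif source == "FTPControlSocket" and msg.startswith("530 "):
            if last_cmd == "PROT" and "USER" not in sent:
                findings.append("PROT_REQUIRES_LOGIN")  # server wants USER/PASS before PROT
    if tls_begun and not tls_done:
        findings.append("TLS_HANDSHAKE_FAILED")  # compare protocol versions and cipher suites
    return list(dict.fromkeys(findings))  # de-duplicate, keep order

# Excerpt of the first log in the thread (PROT P answered with 530).
PROT_LOG = """\
DEBUG [FTPControlSocket] 31 May 2007 00:34:32.157 : ---> AUTH TLS
DEBUG [FTPControlSocket] 31 May 2007 00:34:32.531 : 234 AUTH TLS successful
DEBUG [SSLFTPControlSocket] 31 May 2007 00:34:32.533 : Beginning Tls1 handshake.
DEBUG [SSLFTPControlSocket] 31 May 2007 00:34:34.109 : Tls1 handshake complete.
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.110 : ---> PBSZ 0
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.490 : 200 Command okay
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.491 : ---> PROT P
DEBUG [FTPControlSocket] 31 May 2007 00:34:34.864 : 530 Not logged in.
"""

# Excerpt of the glFTPd log in the thread (handshake never completes).
HELLO_LOG = """\
DEBUG [FTPControlSocket] 31 May 2007 13:54:28.677 : ---> AUTH TLS
DEBUG [FTPControlSocket] 31 May 2007 13:54:28.943 : 234 AUTH TLS successful
DEBUG [SSLFTPControlSocket] 31 May 2007 13:54:28.946 : Beginning Tls1 handshake.
ERROR [SocketController] 31 May 2007 13:54:29.333 : OnReceive - caught exception - closing : Org.Mentalis.Security.Ssl.Shared.SslException: The server hello message uses a protocol that was not recognized.
"""

if __name__ == "__main__":
    print(diagnose(PROT_LOG), diagnose(HELLO_LOG))
```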
0 votes
by (51.6k points)
Web searches have revealed that our client is not the only one to have trouble finding a cipher-suite that glFTPd supports, so it is fairly restrictive in this regard. I guess you probably already know this, but there are several other free, open-source FTP/FTPS servers available for Linux, e.g. ProFTPD and PureFTPD. I think you'll find that these are more active projects with a much larger user base.

Just out of interest, why did you choose glFTPd? Were there some features that you liked in particular? Or was there perhaps something you didn't like about the more well-known servers?

- Hans (EnterpriseDT)
0 votes
by (240 points)
> It turns out that glftpd only supports ephemeral Diffie-Hellman ciphers (as far as we can tell), which currently aren't supported by edtFTPnet/PRO. We will look at implementing some of these ciphers.


That's excellent news.

> Just out of interest, why did you choose glFTPd? Were there some features that you liked in particular? Or was there perhaps something you didn't like about the more well-known servers?


This is an older machine which has been running gl for a long time now. A few years back proftpd did not support SSL, and script-wise the support just wasn't there. Meanwhile we have developed numerous scripts, so we can't afford to lose everything and switch to a different server. I'm really just a developer, but from what I understand it would be a hassle to change now when gl offers everything we need (other than being able to find an API that works :)).

Thanks,
Paul