421 Response & clients such as WS_FTP

    #30312
    msymons
    Participant

    Using Cerberus Server v5.0.5, I enabled SSL/TLS and then specified “verify certificate”.

    Here’s what the server log then looks like:

    Quote:

    2012/10/05 15:53:36 [10] FTP connection request accepted from 127.0.0.1
    2012/10/05 15:53:36 [10] AUTH TLS
    2012/10/05 15:53:36 [10] 234 Authentication method accepted
    2012/10/05 15:53:36 [10] SSL accept error: A failure in the SSL library occurred, usually a protocol error: peer did not return a certificate
    2012/10/05 15:53:36 [10] Unable to establish SSL connection
    2012/10/05 15:53:36 [10] 421 Unable to negotiate secure connection
    2012/10/05 15:53:36 [10] Connection terminated


    So far, so good. The 421 response seems to be absolutely appropriate based on section 10.1 of RFC4217.

    However, how come not a single client I have tried is reporting the 421 response?

    WS_FTP v12.3 is reporting…

    Quote:

    [2012.10.05 16:35:32.756] AUTH TLS
    [2012.10.05 16:35:32.756] 234 Authentication method accepted
    [2012.10.05 16:35:32.787] SSL session NOT set for reuse
    [2012.10.05 16:35:37.271] SSL Connect error 2:
    [2012.10.05 16:35:37.271] Connect Failed.
    [2012.10.05 16:35:37.271] SSL Connect Failed

    FileZilla v3.5.3 is reporting:

    Quote:

    Command: AUTH TLS
    Response: 234 Authentication method accepted
    Status: Initializing TLS…
    Error: GnuTLS error -53: Error in the push function.

    Is it possible that the server is dropping the connection too quickly after issuing the 421?

    If there is something that can be done… something to make the 421 visible in client logs, then would it be possible to modify the response text dependent on the error?

    Currently, for no certificate supplied:

    421 Unable to negotiate secure connection

    And for certificate verification failure:

    421 Unable to negotiate secure connection

    The identical text is not so helpful.

    #36607
    imported_Serin
    Participant

    Hello,

    Do you actually want to require that clients authenticate using certificates, and if so, do you have the proper server and CA chain set up for this to work correctly? I’m assuming you do, but I just thought I would check.

    Quote:

    Is it possible that the server is dropping the connection too quickly after issuing the 421?

    I checked the code, and we send the reply, then issue a shutdown, and then issue a close. The order is correct, and the send is synchronous. I suspect the clients simply aren’t trying to receive the last response when the SSL negotiation fails.

    Quote:

    If there is something that can be done… something to make the 421 visible in client logs

    I don’t think there is, other than us not dropping the connections. The client should be checking the receive queue as part of their shutdown process.
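
    The behaviour described in this reply, as an added example that is not part of the thread and is not Cerberus or WS_FTP code: a minimal Python FTPS client that issues AUTH TLS and runs the handshake over ssl.MemoryBIO objects so the raw control socket stays in the client’s hands. When the negotiation fails it checks the receive queue for the plaintext 421 before closing, instead of reporting only the library error the way the WS_FTP and FileZilla logs above do. The server side is a constructed stand-in that mimics the Cerberus log (234, then a fatal TLS alert, then the 421, then shutdown and close); the loopback address, the record-layer parsing in feed_records and the one-second drain timeout are assumptions made for the example.

```python
import socket
import ssl
import threading

# Constructed sample data: the reply text is the one quoted from the Cerberus log above.
FINAL_REPLY = b"421 Unable to negotiate secure connection\r\n"
# TLS record: alert(21), version 3.3, length 2, level fatal(2), description handshake_failure(40)
FATAL_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])


def read_reply(sock, buf):
    """Read one CRLF-terminated control-channel line; return (line, unread bytes)."""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("control connection closed")
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    return line.decode("ascii", "replace"), rest


def feed_records(incoming, buf):
    """Hand complete TLS records to the SSL object; keep anything else (e.g. a plaintext 421)."""
    while len(buf) >= 5 and buf[0] in (20, 21, 22, 23) and buf[1] == 3:
        length = 5 + int.from_bytes(buf[3:5], "big")
        if len(buf) < length:
            break  # partial record, wait for more bytes
        incoming.write(buf[:length])
        buf = buf[length:]
    return buf


def drain_final_reply(sock, buf, timeout=1.0):
    """Check the receive queue for a plaintext reply the server queued before closing."""
    sock.settimeout(timeout)  # assumed drain timeout
    try:
        while b"\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except OSError:  # timeout or reset: whatever we already have is all we get
        pass
    line, sep, _ = buf.partition(b"\r\n")
    return line.decode("ascii", "replace") if sep else None


def auth_tls(host, port, drain=True, ctx=None):
    """Issue AUTH TLS and run the handshake over MemoryBIOs so the raw socket stays ours."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        _greeting, buf = read_reply(sock, b"")
        sock.sendall(b"AUTH TLS\r\n")
        reply, buf = read_reply(sock, buf)
        if not reply.startswith("234"):
            return {"tls": False, "error": None, "reply": reply}
        incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
        tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
        try:
            while True:
                try:
                    tls.do_handshake()
                    break
                except ssl.SSLWantReadError:
                    sock.sendall(outgoing.read())  # flush ClientHello and later flights
                    chunk = sock.recv(4096)
                    if not chunk:
                        raise ConnectionError("server closed during handshake")
                    buf = feed_records(incoming, buf + chunk)
        except ssl.SSLError as exc:
            # The point made in the reply: look in the receive queue before giving up.
            final = drain_final_reply(sock, buf) if drain else None
            return {"tls": False, "error": str(exc), "reply": final}
        return {"tls": True, "error": None, "reply": reply}


def fake_server(listener, reply=FINAL_REPLY):
    """Constructed stand-in for a server that fails the negotiation as the log shows."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    with conn:
        conn.sendall(b"220 constructed FTPS test server\r\n")
        cmd, buf = read_reply(conn, b"")
        if cmd.upper() != "AUTH TLS":
            conn.sendall(b"502 Command not implemented\r\n")
            return
        conn.sendall(b"234 Authentication method accepted\r\n")
        if not buf:
            conn.recv(65536)  # the client's ClientHello; we never answer it properly
        conn.sendall(FATAL_ALERT + reply)  # reject, then the plaintext 421
        conn.shutdown(socket.SHUT_WR)  # send the reply, then shutdown, then close
        try:
            while conn.recv(4096):  # wait for the client to close, so no RST
                pass
        except OSError:
            pass


def run_demo(drain=True, reply=FINAL_REPLY):
    """Run the constructed server on a loopback port and one client attempt against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=fake_server, args=(listener, reply), daemon=True)
    t.start()
    try:
        return auth_tls("127.0.0.1", listener.getsockname()[1], drain=drain)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print("naive client  :", run_demo(drain=False))
    print("draining client:", run_demo(drain=True))
```

    Running it with drain=False reproduces what the WS_FTP and FileZilla logs show (a library error and no 421); with drain=True the client reports the server’s final reply alongside the handshake error. The record-layer parsing in feed_records is what lets the client separate the server’s closing alert from the plaintext reply that follows it in the same TCP segment.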

    #36608
    msymons
    Participant

    I am testing an FTPS client (developed in-house) that is about to have client certificate support added in order to connect to a customer’s server.

    I installed Cerberus Server in order to evaluate it for use as part of our test environment. Very easy to get up and running!

    In order to avoid surprises, I tested connecting to the customer using WS_FTP, with the correct certificate installed… but got the “SSL Connect error 2:”. An old WS_FTP knowledge-base posting lists 5 possible causes:

    http://support.ipswitch.com/kb/WS-20040922-DM01.htm

    Connecting to Cerberus using WS_FTP reported an identical “SSL Connect error 2:” whether I was connecting with no client certificate at all or connecting with the wrong certificate. The connection with FileZilla was done just to see what the logs would show… even though it does not support client certificates.

    Your answer about 421 is useful. I’ll test to make sure that our client looks out for the 421 response.

    One thing though… would it be possible to modify the 421 text returned by Cerberus so that it is more specific in stating what the problem is? i.e., differentiate between “You need to supply a certificate” and “I do not accept the certificate that you supplied”.
