421 Response & clients such as WS_FTP

Questions dealing with specific FTP clients and Cerberus FTP Server.
msymons
New User
Posts: 4
Joined: Fri Oct 05, 2012 11:22 am

421 Response & clients such as WS_FTP

Post by msymons » Fri Oct 05, 2012 11:47 am

Using Cerberus Server v5.0.5, I enabled SSL/TLS and then specified "verify certificate".

Here's what the server log then looks like:
2012/10/05 15:53:36 [10] FTP connection request accepted from 127.0.0.1
2012/10/05 15:53:36 [10] AUTH TLS
2012/10/05 15:53:36 [10] 234 Authentication method accepted
2012/10/05 15:53:36 [10] SSL accept error: A failure in the SSL library occurred, usually a protocol error: peer did not return a certificate
2012/10/05 15:53:36 [10] Unable to establish SSL connection
2012/10/05 15:53:36 [10] 421 Unable to negotiate secure connection
2012/10/05 15:53:36 [10] Connection terminated
So far, so good. The 421 response seems to be absolutely appropriate based on section 10.1 of RFC4217.

However, how come not a single client I have tried is reporting the 421 response?

WS_FTP v12.3 is reporting...
[2012.10.05 16:35:32.756] AUTH TLS
[2012.10.05 16:35:32.756] 234 Authentication method accepted
[2012.10.05 16:35:32.787] SSL session NOT set for reuse
[2012.10.05 16:35:37.271] SSL Connect error 2:
[2012.10.05 16:35:37.271] Connect Failed.
[2012.10.05 16:35:37.271] SSL Connect Failed
FileZilla v3.5.3 is reporting:
Command: AUTH TLS
Response: 234 Authentication method accepted
Status: Initializing TLS...
Error: GnuTLS error -53: Error in the push function.
Is it possible that the server is dropping the connection too quickly after issuing the 421?

If there is something that can be done... something to make the 421 visible in client logs, then would it be possible to modify the response text dependent on the error?

Currently, for no certificate supplied:

421 Unable to negotiate secure connection

And for certificate verification failure:

421 Unable to negotiate secure connection

The identical text is not so helpful.

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Re: 421 Response & clients such as WS_FTP

Post by Serin » Sat Oct 06, 2012 2:17 pm

Hello,

Do you actually want to require that clients authenticate using certificates, and if so, do you have the proper server and CA chain setup for this to work correctly? I'm assuming you do, but I just thought I would check.

> Is it possible that the server is dropping the connection too quickly after issuing the 421?

I checked the code, and we send the reply, then issue a shutdown, and then issue a close. The order is correct, and the send is synchronous. I suspect the clients simply aren't trying to receive the last response when the SSL negotiation fails.

> If there is something that can be done... something to make the 421 visible in client logs

I don't think there is, other than us not dropping the connections. The client should be checking the receive queue as part of their shutdown process.

msymons
New User
Posts: 4
Joined: Fri Oct 05, 2012 11:22 am

Re: 421 Response & clients such as WS_FTP

Post by msymons » Sun Oct 07, 2012 3:27 pm

I am testing an FTPS client (developed in-house) that is about to have client certificate support added in order to connect to a customer's server.

I installed Cerberus Server in order to evaluate it for use as part of our test environment. Very easy to get up and running!

In order to avoid surprises, I tested connecting to the customer using WS_FTP, with the correct certificate installed... but got the "SSL Connect error 2:". An old WS_FTP knowledge-base posting lists 5 possible causes:

http://support.ipswitch.com/kb/WS-20040922-DM01.htm

Connecting to Cerberus using WS_FTP reported an identical "SSL Connect error 2:" whether I was connecting with no client certificate at all or connecting with the wrong certificate. The connection with FileZilla was done just to see what the logs would show...even though it does not support client certificates.

Your answer about 421 is useful. I'll test to make sure that our client looks out for the 421 response.

One thing though... would it be possible to modify the 421 text returned by Cerberus so that it is more specific in stating what the problem is? i.e., differentiate between "You need to supply a certificate" and "I do not accept the certificate that you supplied".
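
The behaviour Serin describes (the server sends the 421 with a synchronous send, then shutdown, then close) and the check msymons intends to add to the in-house client (look for the 421 after a failed negotiation) come down to the same thing: after the TLS handshake fails, the cleartext 421 is still sitting in the receive queue, and a client that tears the connection down on the first SSL error never sees it. The following is an added example, not code from Cerberus, WS_FTP, FileZilla or the in-house client in the thread. It is a minimal FTPS control-channel client in Python whose TLS layer runs over ssl.MemoryBIO, so the client rather than OpenSSL owns the reads from the connection and can drain what the record layer did not consume. The server side is a constructed stub (ScriptedServer) that plays back the exchange from the thread, with the handshake failure modelled as a fatal TLS handshake_failure alert followed by the cleartext 421; the hostname ftp.example.test is hypothetical.

```python
"""Added example (not Cerberus, WS_FTP or FileZilla code): read the cleartext
421 that a server sends after a failed AUTH TLS handshake, instead of
reporting only "SSL connect error"."""
import re
import ssl
from collections import deque
from typing import Optional

# TLS record carrying a fatal handshake_failure alert: type 0x15 (alert),
# version 3.3, length 2, level 2 (fatal), description 40.
FATAL_HANDSHAKE_FAILURE = bytes.fromhex("15 03 03 00 02 02 28")

# Final line of an RFC 959 reply is "NNN text"; "NNN-text" lines continue it.
REPLY_END = re.compile(rb"^\d{3} ")


class ScriptedServer:
    """Constructed stand-in for the server side of the exchange in the thread
    (hypothetical; a real client would hold a socket here). It plays back
    canned replies in order and records what the client sent; no FTP parsing."""

    def __init__(self, final_reply: bytes) -> None:
        self.sent = []
        self._replies = deque([
            b"220 FTP server ready\r\n",
            b"234 Authentication method accepted\r\n",
            # The handshake fails: fatal alert, then the cleartext 421 sent
            # synchronously before shutdown/close (close shows up as EOF).
            FATAL_HANDSHAKE_FAILURE + final_reply,
        ])

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def recv(self, size: int = 4096) -> bytes:
        return self._replies.popleft() if self._replies else b""


class HandshakeFailed(Exception):
    def __init__(self, reason: str, server_reply: Optional[str]) -> None:
        super().__init__(f"{reason}; server reply: {server_reply!r}")
        self.reason, self.server_reply = reason, server_reply


def read_reply(conn, buf: bytearray) -> Optional[str]:
    """Read one (possibly multi-line) FTP reply through buf. Bytes past the
    reply stay in buf. Returns None if the peer closed before completing one."""
    lines = []
    while True:
        while b"\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return None
            buf += chunk
        line, _, rest = bytes(buf).partition(b"\r\n")
        buf[:] = rest
        lines.append(line.decode("ascii", "replace"))
        if REPLY_END.match(line):
            return "\n".join(lines)


def auth_tls(conn, ctx: ssl.SSLContext, server_hostname: str) -> ssl.SSLObject:
    """Send AUTH TLS and run the handshake; on failure, raise HandshakeFailed
    carrying whatever reply the server left in the receive queue."""
    buf = bytearray()
    reply = read_reply(conn, buf)
    if not reply or not reply.startswith("220"):
        raise RuntimeError(f"unexpected greeting: {reply!r}")
    conn.send(b"AUTH TLS\r\n")
    reply = read_reply(conn, buf)
    if not reply or not reply.startswith("234"):
        raise RuntimeError(f"AUTH TLS refused: {reply!r}")

    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    incoming.write(bytes(buf))  # bytes already read past the 234, if any
    try:
        while True:
            try:
                tls.do_handshake()
                return tls
            except ssl.SSLWantReadError:
                pass  # flush our records, read the peer's, try again
            pending = outgoing.read()
            if pending:
                conn.send(pending)
            chunk = conn.recv(4096)
            if not chunk:
                raise HandshakeFailed("connection closed during handshake", None)
            incoming.write(chunk)
    except ssl.SSLError as exc:
        # OpenSSL stops at the fatal alert record (no read-ahead by default),
        # so the bytes after it are still in the BIO or on the wire.
        leftover = bytearray(incoming.read())
        reason = getattr(exc, "reason", None) or str(exc)
        raise HandshakeFailed(reason, read_reply(conn, leftover)) from exc


def explain_failure(conn, ctx: Optional[ssl.SSLContext] = None,
                    server_hostname: str = "ftp.example.test") -> str:
    """Return the server's reply text on handshake failure, for the log."""
    ctx = ctx or ssl.create_default_context()  # keep real server verification
    try:
        auth_tls(conn, ctx, server_hostname)
        return "TLS established"
    except HandshakeFailed as exc:
        return exc.server_reply or f"no reply ({exc.reason})"


if __name__ == "__main__":
    stub = ScriptedServer(b"421 Unable to negotiate secure connection\r\n")
    print(explain_failure(stub))
```

Against a real server, ScriptedServer is replaced by a connected socket (send/recv are the only calls used). The point of routing TLS through MemoryBIO is that a failed do_handshake() leaves the connection open and the unconsumed bytes recoverable, whereas wrap_socket() with its default do_handshake_on_connect closes the underlying socket on error and the 421 is lost, which matches what the WS_FTP and FileZilla logs in the thread show. The example does not change what the server says: as long as the 421 text is identical for "no certificate" and "certificate rejected", the client can surface the 421 but still cannot tell the two cases apart.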
