Question about FXP SSL


odd
10-05-2007, 02:41 PM
Can you ssl fxp from ioftpd 6.2.1 - ioftpd 5.8.5r?

I tried myself recently with no success. Did I do something wrong or do I need v.6 on both?

I know, I have a lot of catching up to do.

Yil
10-05-2007, 04:59 PM
Heya odd. ioFTPD 5.x can only SSL in a server role, therefore there is no way for two 5.x servers to FXP over SSL. Since you have a v6 ioFTPD this should work.

If you're using FlashFXP make sure you enable FXP SSL for both sites. I think Flash properly recognizes that one site (the v6 one) supports SSCN to configure client mode so it will do that and let the other default to a server role. Things should just work.

If it doesn't just work, try disconnecting from both sites and reconnect with the sides switched. So if site A was on the left and site B was on the right, connect with B on the left this time. This can reverse the client/server roles for the two sites... I think that's what I did way back when I tested v5 talking to v6 and it didn't work at first. I think FlashFXP got smarter since then though.

odd
10-06-2007, 06:33 AM
Thank you for your help but I am still having problems.

This is what I've found out so far.

It only works if I do a transfer from ioftpd v.6.2.1 - ioftpd v.5.8.5r. If I do it the opposite way it won't work (ioftpd v.5.8.5r - ioftpd v.6.2.1).

It looks like I need to get SSCN on and it only works if I do a transfer from v6 to v5 first. When I've done this transfer I can transfer both ways, v5-v6 and v6-v5.
[13:53:08] TYPE I
[13:53:08] 200 Type set to I.
[13:53:08] SSCN ON
[13:53:08] 200 SSCN:CLIENT METHOD
[13:53:08] PASV
[13:53:08] 227 Entering Passive Mode (000,000,000,001,117,86)
[13:53:08] PORT 000,000,000,001,117,86
[13:53:08] 200 PORT command successful.
[13:53:08] STOR file.r08
[13:53:09] 150 Opening BINARY mode data connection for file.r08.
[13:53:09] RETR file.r08
[13:53:09] 150 Opening BINARY mode data connection for file.r08.
[13:53:10] Transferred: file.r08 14,31 MB in 1,41 second (10 418,5 KB/s)

This is what happens if I do the opposite (v5 to v6) first:
[13:58:03] TYPE I
[13:58:03] 200 Type set to I.
[13:58:03] TYPE I
[13:58:03] 200 Type set to I.
[13:58:03] CPSV
[13:58:03] 500 'CPSV': Command not understood
[13:58:03] Secure site to site transfers not supported by this ftp server
[13:58:03] Transfer Failed!
[13:58:03] 1 File failed to transfer
[13:58:03] Server Error, Aborted

Any ideas?

Zer0Racer
10-06-2007, 02:25 PM
ioFTPD v5.x can only receive ssl fxp, not send. So when you fxp from ioFTPD v6.x to v5.x it should be encrypted - but when you do it the other way around (and have "Secure Site To Site Transfers" enabled for both) you will get that error message since v5.x cannot initiate the ssl transfer (just receive).

When the fxp works from v5.x to v6.x the data is not encrypted.

/ZR

odd
10-06-2007, 07:04 PM
ioFTPD v5.x can only receive ssl fxp, not send. So when you fxp from ioFTPD v6.x to v5.x it should be encrypted - but when you do it the other way around (and have "Secure Site To Site Transfers" enabled for both) you will get that error message since v5.x cannot initiate the ssl transfer (just receive).

When the fxp works from v5.x to v6.x the data is not encrypted.

/ZR

So to be clear: I need v6 on both sides to be able to encrypt data transfers both ways, and only v6 can fxp to v5, not the opposite way.

I changed the settings in ioftpd.ini on the v6 site so it forces everyone to use SSL3 when transferring data, so it should be impossible to transfer unencrypted data. Here is what happens.
Impossible to fxp from v6 to v5 from now on.

Any ideas? And is it only me that is having problems getting ssl-fxp to work on v6?

Here is the log:
[01:46:30] TYPE I
[01:46:30] 200 Type set to I.
[01:46:30] TYPE I
[01:46:30] 200 Type set to I.
[01:46:30] SSCN ON
[01:46:30] 200 SSCN:CLIENT METHOD
[01:46:30] PASV
[01:46:30] 227 Entering Passive Mode (000,000,000,000,117,65)
[01:46:30] PORT 000,000,000,000,117,65
[01:46:30] 200 PORT command successful.
[01:46:30] STOR file.r22
[01:46:30] 150 Opening BINARY mode data connection for file.r22.
[01:46:30] RETR file.r22
[01:46:30] 150 Opening BINARY mode data connection for file.r22.
[01:46:30] 426 Connection closed: The specified network name is no longer available.
[01:46:30] ABOR
[01:46:30] 426 Connection closed: Incorrect function.
[01:46:30] 226 ABOR command successful.
[01:46:30] ABOR
[01:46:30] 226 ABOR command successful.
[01:46:31] Transfer Failed!

Yil
10-06-2007, 09:38 PM
Actually Zero I think it's possible to have totally encrypted FXP between v5 and v6. The trick is you need to get flash to set the v6 to act as a client (which is what SSCN does for all transfers) or to act in receiver role.

If you do a v6->v5 which is what odd did, Flash figures out only one site supports SSCN so it enables client mode on that site, and from then on everything works great in BOTH directions which is again what appears to be happening. v5->v6 first and Flash didn't do the right thing. It looks like it tried to use CPSV on v5 which is a dumb thing to do since v5 never advertised support for the command in a FEAT response since v5 doesn't support that either. Is this the latest version of Flash? Like I said I think older versions didn't do as well as newer versions.

Also, did you try switching sides? It sounds silly, but because I think Flash interprets the client/server role differently depending on the side you queue the transfer on it really might make a difference.

For the moment just make sure you send a 1k file or something from v6 to v5 first and from then on everything should work fine :)

odd
10-07-2007, 06:13 AM
Is this the latest version of Flash? Like I said I think older versions didn't do as well as newer versions.
I've tried the latest beta (FlashFXP V 3.5.1 (build 1200) [3.6 RC1]) and v3.4.0, I think it was, with no success.

Also, did you try switching sides? It sounds silly, but because I think Flash interprets the client/server role differently depending on the side you queue the transfer on it really might make a difference.
Have tried this also with no success.

For the moment just make sure you send a 1k file or something from v6 to v5 first and from then on everything should work fine :)
This doesn't work anymore. Since I forced everyone to use encryption when transferring data with the command in ioftpd.ini I haven't been able to fxp anymore. Every time it fails.
When it worked before it had to be unencrypted.

FlashFXP V 3.5.1(build 1200) [3.6 RC1]
IP: 111.111.111.111 is ioFTPD V.6.2.1
IP: 222.222.222.222 is ioFTPD V.5.8.5r

I have, as said before, forced users to use secure data transfers in ioftpd.ini with the following settings:
Require_Encrypted_Auth = !MS *
Require_Encrypted_Data = *

[12:59:02] [L] TYPE I
[12:59:02] [L] 200 Type set to I.
[12:59:02] [R] TYPE I
[12:59:02] [R] 200 Type set to I.
[12:59:02] [L] SSCN ON
[12:59:02] [L] 200 SSCN:CLIENT METHOD
[12:59:02] [L] PASV
[12:59:02] [L] 227 Entering Passive Mode (111,111,111,111,117,83)
[12:59:02] [R] PORT 111,111,111,111,117,83
[12:59:02] [R] 200 PORT command successful.
[12:59:02] [R] STOR file.r00
[12:59:02] [R] 150 Opening BINARY mode data connection for file.r00.
[12:59:02] [L] RETR file.r00
[12:59:02] [L] 150 Opening BINARY mode data connection for file.r00.
[12:59:02] [L] 426 Connection closed: Incorrect function.
[12:59:02] [L] ABOR
[12:59:02] [R] 426 Connection closed: The specified network name is no longer available.
[12:59:02] [L] 226 ABOR command successful.
[12:59:02] [R] ABOR
[12:59:02] [R] 226 ABOR command successful.
[12:59:02] [R] Transfer Failed!
[12:59:02] [L] TYPE A
[12:59:02] [L] 200 Type set to A.
[12:59:02] [L] PASV
[12:59:02] [L] 227 Entering Passive Mode (111,111,111,111,117,60)
[12:59:02] [L] Opening data connection IP: 111,111,111,111 PORT: 30012
[12:59:02] [L] LIST -al
[12:59:02] [L] Connected. Negotiating SSL session..
[12:59:02] [L] SSL negotiation successful...
[12:59:02] [L] SSL encrypted session using cipher RC4-MD5 (128 bits)
[12:59:02] [L] 150 Opening ASCII mode data connection for directory listing.
[12:59:02] [L] List Complete: 2 KB in 0,24 seconds (10,6 KB/s)
[12:59:02] [R] TYPE A
[12:59:02] [R] 200 Type set to A.
[12:59:02] [R] PASV
[12:59:02] [R] 227 Entering Passive Mode (222,222,222,222,5,157)
[12:59:02] [R] Opening data connection IP: 222,222,222,222 PORT: 1437
[12:59:02] [R] LIST -al
[12:59:02] [R] Connected. Negotiating SSL session..
[12:59:02] [R] 150 Opening ASCII mode data connection for directory listing.
[12:59:02] [R] SSL negotiation successful...
[12:59:02] [R] SSL encrypted session using cipher RC4-MD5 (128 bits)
[12:59:03] [R] List Complete: 2 KB in 0,33 seconds (7,0 KB/s)
[12:59:03] Transfer queue completed
[12:59:03] 1 File failed to transfer
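
A way to check excerpts like the ones in this thread automatically, as an added example that is not part of any post and is not FlashFXP or ioFTPD code: it parses a FlashFXP-style log of one FXP attempt and reports whether a TLS role command (SSCN or CPSV) was accepted, whether PROT P appears, and whether the data connection failed. The function name, verdict labels and sample excerpts are constructed for illustration. SSCN/CPSV only select which server takes the TLS client role; PROT P (RFC 4217) is what protects the data channel, so an excerpt without it cannot show that a transfer was encrypted.

```python
import re

# Timestamp, optional FlashFXP side tag ([L]/[R]), then the message text.
LINE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(?:\[([LR])\]\s+)?(.+)$")
REPLY = re.compile(r"^(\d{3})[ -]")  # server reply: three-digit code first

# Constructed sample excerpts, modelled on the log format in this thread.
REJECTED = """[10:00:00] CPSV
[10:00:00] 500 'CPSV': Command not understood
[10:00:00] Transfer Failed!"""
ROLE_ONLY = """[10:05:00] [L] SSCN ON
[10:05:00] [L] 200 SSCN:CLIENT METHOD
[10:05:01] [R] STOR sample.bin
[10:05:02] Transferred: sample.bin"""

def audit_fxp(log_text):
    """Summarise one FXP attempt: TLS role command, PROT P, outcome, verdict."""
    last_cmd = {}  # side tag (L, R or None) -> last non-reply line on that side
    role, prot_p, outcome = None, False, "unknown"
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, msg = m.groups()
        reply = REPLY.match(msg)
        if not reply:
            if msg.startswith(("Transferred:", "Transfer Failed")):
                outcome = "ok" if msg.startswith("Transferred:") else "failed"
            else:
                last_cmd[side] = msg.upper()
            continue
        # Pair the reply with the pending command; later replies pair with "".
        code, cmd = reply.group(1), last_cmd.pop(side, "")
        if cmd in ("SSCN ON", "CPSV"):
            role = (cmd.split()[0], code.startswith("2"))  # (command, accepted)
        elif cmd == "PROT P" and code.startswith("2"):
            prot_p = True
        elif code == "426":
            outcome = "failed"
    if role and not role[1]:
        verdict = "tls-role-rejected"
    elif outcome == "failed":
        verdict = "data-channel-failed"
    elif role:
        verdict = "role-and-prot-p-seen" if prot_p else "role-set-prot-p-not-seen"
    else:
        verdict = "no-tls-role-command"
    return {"role": role, "prot_p": prot_p, "outcome": outcome, "verdict": verdict}

if __name__ == "__main__":
    print(audit_fxp(REJECTED)["verdict"], audit_fxp(ROLE_ONLY)["verdict"])
```

A "role-set-prot-p-not-seen" verdict means the excerpt should be extended back to the login sequence before drawing any conclusion about encryption.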