proxies and SSL


Dundee
12-04-2004, 11:43 PM
I've built some kind of advanced proxy.
I'd like to allow users to connect to some SSL servers through this proxy.
FlashFXP logs in to the proxy with SSL, then sends a SITE command to get onto the remote server, etc.
But when the data transfer starts, there's a problem.
Flash is printing a warning because the "Data Channel FingerPrint Doesn't match control Connection."
Well, it seems normal to me since the control connection is on the proxy and the data comes from the remote server.

Can anyone help me find a way to get that to work?
A log of a successful connection through a proxy and with SSL would be helpful too.

Thanks


Here's the log:

[R] Logged off: <XXXREMOVED AT POSTERS REQUESTXXX>
[R] Connecting to RemoteServer.com via Proxy -> IP=myproxy.com PORT=12345
[R] Connected to RemoteServer.com via Proxy
[R] 220 Authentify Yourself
[R] USER proxy
[R] 331 Enter your password
[R] PASS (hidden)
[R] 230 User test logged in.
[R] USER test@remoteserver.com 4321
[R] 230 User logged in proxy
[R] AUTH TLS
[R] 234 AUTH SSL successful
[R] Connected. Negotiating TLSv1 session..
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
[R] PBSZ 0
[R] 200 PBSZ successfull
[R] PASS (hidden)
[R] 230- Successfully logged in proxy server
[R] 230- Trying to connect to Dundee's FTP...
[R] 230 User Test logged in.
[R] SYST
[R] 215 UNIX Type: L8
[R] CWD /
[R] 250 CWD command successful.
[R] PWD
[R] 257 "/" is current directory.
[R] PROT P
[R] 227 Entering Passive Mode (144,37,96,43,186,133)
[R] Opening data connection IP: 144.37.96.43 PORT: 47749
[R] LIST -al
[R] Connected. Negotiating TLSv1 session..
[R] 150 Opening ASCII mode data connection for directory listing.
[R] Warning: Data Channel FingerPrint Doesn't match control Connection.
[R] Failed TLSv1 negotiation, disconnected

bigstar
12-05-2004, 08:30 AM
This brings up an interesting point. Perhaps a fingerprint mismatch should be ignored for proxy types that don't proxy the data connection.

bigstar
12-05-2004, 08:44 AM
I did some tests with a couple of ftp proxies and I was unable to reproduce this problem.

Does the ftp proxy establish its own ssl/tls connection to the ftp server? Perhaps that's why I can't reproduce it.

Would it be possible to give me a copy of the proxy you're using or allow me to test with it directly?

Dundee
12-05-2004, 06:14 PM
Could you copy me a log of a successful connection with SSL through a proxy?
Because I have no real proxy to test with, and I'm not sure how this is supposed to be done.
Give me that, and I'll put a version available for tests that does the same thing as in your log :)

Dundee
12-05-2004, 06:49 PM
Mmm...
Here's a little precision: I don't want data to go through the proxy.
Maybe that's why you don't get any problem, bigstar?

bigstar
12-06-2004, 12:41 AM
Here's the proxy server I used for testing.
http://www.analogx.com/contents/download/network/proxy.htm

When using this ftp proxy the data connection doesn't go through the ftp proxy.

Dundee
12-07-2004, 06:26 PM
Can't someone copy me a log of a successful connection through a proxy, using SSL?

Dundee
12-08-2004, 07:11 PM
Haaaaaa
I think I know the problem.
The first SSL negotiation was done between the proxy and the client, not between the client and the remote server through the proxy.

Dundee
12-11-2004, 12:22 PM
If anyone is willing to test my proxy:

It doesn't seem to work with SSL.
Make a few tests and give me news.

<< EDITED BY BIGSTAR >>

Sorry, I don't think this is a good idea. It's a security risk to users who try your proxy since their ftp user/pass is sent through your proxy.

Dundee
12-11-2004, 12:35 PM
lol
I mean, try with some public FTPs, or something like that.

Dundee
12-11-2004, 12:40 PM
and anyway

[R] 230 User PROXY logged in.
[R] SITE BillMurray@random.ip.org:6270
[R] 331 Enter your password
[R] AUTH TLS
[R] 234 AUTH TLS successful
[R] Connected. Negotiating TLSv1 session..
[R] error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[R] Connection failed (Connection closed by client)


The problem is before the pass.
So you guys can try with some sites you know and put a fake pass; anyway you shouldn't reach the point of sending the pass....lol

I know it will reveal some IPs/ports to me.....

bigstar
12-11-2004, 01:24 PM
Do you happen to know of any public ssl/tls sites?

Also, based on the error it looks like you're using TLS and you should be using SSL.

Dundee
12-11-2004, 01:50 PM
TLS is ok.

That's without the proxy:

[R] Connecting to random.ip.org -> IP=1.2.3.4 PORT=2760
[R] Connected to random.ip.org
[R] 220 Welcome
[R] AUTH TLS
[R] 234 AUTH TLS successful
[R] Connected. Negotiating TLSv1 session..
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher DHE-DSS-AES256-SHA (256 bits)


I'm working on a version I'll make available for you, bigstar.

Dundee
12-11-2004, 02:07 PM
Test version ready.
Where can I send it to you, bigstar? Or anyone else...

Btw, the program is in Java. Hope you have the JDK installed.

bigstar
12-12-2004, 01:11 PM
Sorry, I don't have the JDK installed.

I understand that the ftp server is using TLS but is your proxy using TLS as well? I don't think it is.

Dundee
12-15-2004, 10:07 PM
Sorry for the late post bigstar, I've been busy with an important exam.
Could you copy me a log (change the IPs, ports, etc)?

Is the proxy connection made like that?

Client connects to the proxy, sends a l/p.
Client sends a "USER ftpuser@ftphost:port" command to the proxy.
The proxy connects to ftphost:port and sends "USER ftpuser".
The client negotiates SSL with the remote server THROUGH the proxy.
Client sends the encrypted pass.
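The sequence in the post above, written out as an added example (constructed here, not Dundee's Java proxy or FlashFXP code): the proxy rewrites the routing form of USER, forwards AUTH TLS, and after the remote server's 234 reply stops parsing and pumps raw bytes. The TLS session then ends at the remote server on both the control and the later PASV data channel, so the "Data Channel FingerPrint" check in the first log sees one certificate. It assumes the proxy's own login (USER proxy / PASS) has already been handled, and the state names and helper functions are hypothetical.

```python
import re
import socket
import threading

# Constructed example: control-channel logic for an FTP proxy that must not terminate
# TLS itself. Once the remote server answers AUTH TLS with 234, the proxy stops parsing
# and relays raw bytes, so client, PASV data channel and certificate all meet at the server.

# Accepts both "USER user@host:port" (last post) and "USER user@host port" (first log).
USER_RE = re.compile(r"^USER\s+(?P<user>[^@\s]+)@(?P<host>[^:\s]+)(?:[:\s]+(?P<port>\d+))?$", re.I)

def parse_user_target(line):
    """Return (user, host, port) for a proxied USER line, or None for a plain USER."""
    m = USER_RE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("host"), int(m.group("port") or 21)

# PLAIN: proxy reads and rewrites FTP lines. TLS_PENDING: client sent AUTH TLS, waiting for
# the server's verdict. RELAY: opaque byte pump; the proxy never sees PASS or anything after.
PLAIN, TLS_PENDING, RELAY = "plain", "tls_pending", "relay"

def transition(state, sender, line):
    """One control-channel line from 'client' or 'server' -> (new_state, line_to_forward)."""
    cmd = line.strip()
    if state == RELAY:
        raise RuntimeError("RELAY forwards raw bytes; do not parse lines here")
    if state == PLAIN and sender == "client":
        target = parse_user_target(cmd)
        if target:                       # strip the routing suffix before the real server sees it
            return PLAIN, f"USER {target[0]}"
        if cmd.upper() == "AUTH TLS":
            return TLS_PENDING, cmd
    elif state == TLS_PENDING and sender == "server":
        if cmd.startswith("234"):
            return RELAY, cmd            # forward this reply, then hand both sockets to start_relay()
        return PLAIN, cmd                # server refused TLS: keep parsing plaintext
    return state, cmd

def pump(src, dst):
    """Copy raw bytes src -> dst until EOF; the proxy never decrypts them."""
    while chunk := src.recv(65536):
        dst.sendall(chunk)
    dst.close()

def start_relay(client_sock, server_sock):
    """Enter RELAY: one pump thread per direction; TLS records pass through untouched."""
    for a, b in ((client_sock, server_sock), (server_sock, client_sock)):
        threading.Thread(target=pump, args=(a, b), daemon=True).start()
```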