First use hangs with implicit SSL + active data connection

AlexH · Post by **AlexH** » Wed Jan 04, 2006 1:54 pm

I am trialing CoreFTP (LE 1.3c buid 1437) to connect to a site that has set its security standard requiring SSL and active mode client connections (yes, I know

...).

I have made sure that my router and software firewall cope with the active port range (50100 - 50200) I have defined within CoreFTP. I have also defined my WAN IP address in the NAT section of CFTP's config.

When I first open the CoreFTP GUI, the automatic "LIST" command attempts to open the active data connection and then hangs, eventually timing out.

If you then hit the refresh button in the remote folder listing window, the "LIST" command is reissued and everything works OK from then on!

See log:

Welcome to Core FTP, release ver 1.3c, build 1437 (U) -- © 2003-2005
WinSock 2.0
Mem -- 1,048,044 KB, Virt -- 2,097,024 KB
Started on Thursday January 05, 2006 at 00:28:AM
Resolving <xxxxxxxxxx> ...

Connect socket #592 to <n.n.n.n>, port 990...TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bitUSER ssl-ftp
331 User name okay, need password.
PASS **********
230 User logged in, proceed.
SYST
215 UNIX Type: L8
Keep alive off...PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command OK. Protection buffer size set to 0.
PROT P
200 PROT command OK. Using private data connection.
PORT 220,253,133,7,195,180
200 PORT Command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
426 Data connection closed, transfer aborted.
Error loading directory...

..... Now we try again & it works!

PBSZ 0
200 PBSZ command OK. Protection buffer size set to 0.
PROT P
200 PROT command OK. Using private data connection.
PORT 220,253,133,7,195,181
200 PORT Command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
TLSv1, cipher TLSv1/SSLv3 (AES128-SHA) - 128 bit226 Transfer complete.

QUIT

221 Goodbye!

Total uploaded files: 0
Total uploaded data: 0
Total downloaded files: 0
Total downloaded data: 0

This behaviour is repeatable (I've been playing with it off and on for some days now - other FTP clients seem to work with it OK).

I'd really like to get CoreFTP to work reliably, as I need to drive some transfers to this site from the command line, and CoreFTP is about the only command-line client that is sufficiently configurable to cope with the site's security requirements.

Thanks in advance,

Alex

AlexH · Post by **AlexH** » Wed Jan 04, 2006 9:05 pm

No, sorry - changing the starting port number does not seem to have any effect. I've also tried a totally different port range just in case.

Good thought though!

It could also be a problem on the server end, or even a router microcode issue too - is anyone else out there using implicit SSL + active connections successfully?

AlexH · Post by **AlexH** » Wed Jan 04, 2006 9:18 pm

.. One other thing I've noticed is that when the connection does work the second time, the server IP address for the data connection is different from the primary connection:

C:>netstat -a
Active Connections
Proto Local Address Foreign Address State
...
TCP ferrari:2169 x.y.127.126:990 ESTABLISHED
...
TCP ferrari:50122 x.y.127.1:59587 ESTABLISHED

- is that likely to be causing problems?

AlexH · Post by **AlexH** » Fri Jan 06, 2006 7:27 am

Thanks for that - I may be confused here, but I thought that since this was an active mode connection, the PORT command was issued by the client to tell the server what IP & port to connect back to the client on

.

The IP address in the PORT command is the same as the address of the client end router - which I have also set in Advanced > Connections > Use NAT IP/Address (as you have suggested).

I am worried by the IP address at the far (server) end. It looks as if when the server establishes the data connection back to the client, it somehow appears to come from a different IP address than was used to connect to the server originally.

Maybe their firewall/router at the server end has multiple interfaces to the www or somesuch....

AlexH · Post by **AlexH** » Mon Jan 09, 2006 7:28 am

I have tried the other flavours of SSL, but it appears the server is not set up to accept them.

Do you have a test server that I could try out against, please (PM me if so)?

I don't know of anyone running a non-routed www connection that I could try from, but I could temporarily set up my connection that way for the purposes of a test. I'll also try from another ISP using a different router to see if that has any effect.

AlexH · Post by **AlexH** » Mon Jan 09, 2006 12:13 pm

... a further update.

I installed CoreFTP on my laptop and dialled up my ISP via a 56k modem connection, thus getting the router & NAT out of the picture.

Unfortunately the result was the same