Problem using Ftp ssl through proxy.
Martijn ten Heuvel
2006-01-05 10:53:24 UTC
Hello,

I'm currently trying to use curl to an FTPS server from within my
network, through our proxy server. For the test's sake, I've installed
FileZilla Server on my desktop.

I'm running an HP-UX 11.11 box, using curl version 7.15.0 from the
HP-UX software archive
(e.g. http://hpux.its.tudelft.nl/)

Without the proxy, everything works fine.
Even to strange ports, the eventual production must connect to
something like 12345. For this test, I'm using 21.

The connection setup works, but after the set-up of the session and
issuing 'PASV', curl connects again - which results in this problem.

Any ideas what could be the problem here? Or am I trying something
that simply isn't possible?

thanks,
Martijn

/usr/local/bin/curl --user martijnh:moeilijk \
--disable-epsv -v --ftp-ssl --cacert cert.crt \
--proxy 172.27.1.234:80 --proxytunnel \
-l ftp://its001wks119.its.company.com:21

* About to connect() to proxy 172.27.1.234 port 80
* Trying 172.27.1.234... connected
* Connected to 172.27.1.234 (172.27.1.234) port 80
* Establish HTTP proxy tunnel to its001wks119.its.company.com:21
* Server auth using Basic with user 'martijnh'
CONNECT its001wks119.its.company.com:21 HTTP/1.0
Host: its001wks119.its.company.com:21
User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
< Proxy-agent: BlueCoat-Security-Appliance
<
* Proxy replied OK to CONNECT request
< 220 kiekeboe
AUTH SSL
< 234 Using authentication type SSL
* successfully set certificate verify locations:
* CAfile: cert.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:

/* snip self-generated-certificate */

* SSL certificate verify ok.
USER martijnh
< 331 Password required for martijnh
PASS moeilijk
< 230 Logged on
PBSZ 0
< 200 PBSZ=0
PROT P
< 200 Protection level set to P
PWD
< 257 "/" is current directory.
* Entry path is '/'
PASV
* Connect data stream passively
< 227 Entering Passive Mode (172,27,145,185,4,37)
* Trying 172.27.1.234... connected
* Connecting to 172.27.145.185 (172.27.1.234) port 80
* Establish HTTP proxy tunnel to 172.27.145.185:1061
* Server auth using Basic with user 'martijnh'
CONNECT 172.27.145.185:1061 HTTP/1.0
Host: 172.27.145.185:1061
User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
Proxy-Connection: Keep-Alive
Daniel Stenberg
2006-01-05 11:27:23 UTC
Post by Martijn ten Heuvel
Any ideas what could be the problem here? Or am i trying something
that simply isn't possible?
...
Post by Martijn ten Heuvel
CONNECT 172.27.145.185:1061 HTTP/1.0
Host: 172.27.145.185:1061
User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
Proxy-Connection: Keep-Alive
Is your proxy set up to allow CONNECT requests to "any" port like this?

Either way, the fact that the proxy doesn't respond at all seems like a proxy
flaw to me.
--
Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Martijn ten Heuvel
2006-01-05 12:24:55 UTC
Post by Daniel Stenberg
Post by Martijn ten Heuvel
Any ideas what could be the problem here? Or am i trying something
that simply isn't possible?
...
Post by Martijn ten Heuvel
CONNECT 172.27.145.185:1061 HTTP/1.0
Host: 172.27.145.185:1061
User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
Proxy-Connection: Keep-Alive
Is your proxy set up to allow CONNECT requests to "any" port like this?
Either way, the fact that the proxy doesn't respond at all seems like a proxy
flaw to me.
curl puts this last request in the proxy tunnel; tcpdump on the Unix
host sees it going out to the proxy, but the FTP server on the other
side doesn't get a new connection. It does, however, get the exact
string curl just put into the proxy tunnel:

12:29:47 - (not logged in) (172.27.1.234)> Connected, sending welcome message...
12:29:47 - (not logged in) (172.27.1.234)> 220
12:29:47 - (not logged in) (172.27.1.234)> AUTH SSL
12:29:47 - (not logged in) (172.27.1.234)> 234 Using authentication type SSL
12:29:47 - (not logged in) (172.27.1.234)> SSL connection established
12:29:47 - (not logged in) (172.27.1.234)> USER martijnh
12:29:47 - (not logged in) (172.27.1.234)> 331 Password required for martijnh
12:29:47 - (not logged in) (172.27.1.234)> PASS ********
12:29:47 - martijnh (172.27.1.234)> 230 Logged on
12:29:47 - martijnh (172.27.1.234)> PBSZ 0
12:29:47 - martijnh (172.27.1.234)> 200 PBSZ=0
12:29:47 - martijnh (172.27.1.234)> PROT P
12:29:47 - martijnh (172.27.1.234)> 200 Protection level set to P
12:29:47 - martijnh (172.27.1.234)> PWD
12:29:47 - martijnh (172.27.1.234)> 257 "/" is current directory.
12:29:47 - martijnh (172.27.1.234)> PASV
12:29:47 - martijnh (172.27.1.234)> 227 Entering Passive Mode (172,27,145,185,4,163)
12:29:47 - martijnh (172.27.1.234)> CONNECT 172.27.145.185:1187 HTTP/1.0
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:47 - martijnh (172.27.1.234)> Host: 172.27.145.185:1187
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:47 - martijnh (172.27.1.234)> User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:47 - martijnh (172.27.1.234)> Proxy-Connection: Keep-Alive
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:57 - martijnh (172.27.1.234)> disconnected.

Any ideas?

thanks,

Martijn
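The two logs above each show the same mechanics: the server's 227 reply carries the data-connection address as six comma-separated numbers, the client computes the port as p1*256 + p2 (4,37 gives 1061 and 4,163 gives 1187, exactly the ports in curl's CONNECT lines), and with --proxytunnel the client has to open a second tunnel to the proxy for that port. The following is an added example, not curl's code and not part of the thread, that parses such replies, derives the tunnel request, and applies the check a defensive client wants: since the server chooses the address in the 227 reply, a client that trusts it blindly can be pointed at a third host, so the example overrides an advertised address that differs from the control connection's IP (the same idea as curl's --ftp-skip-pasv-ip). The sample replies are copied from the logs above; the mismatching reply, the control IP 172.27.145.185 and the function names are constructed for the example.

```python
"""Added example: parse FTP PASV (227) replies, pick a safe data endpoint, and
build/parse the HTTP CONNECT exchange a --proxytunnel client uses for the data
connection. Example code, not curl's implementation."""
import re

# Constructed sample input: the two 227 replies that appear in the logs above.
PASV_REPLIES = [
    "227 Entering Passive Mode (172,27,145,185,4,37)",
    "227 Entering Passive Mode (172,27,145,185,4,163)",
]

# RFC 959: "227 ... (h1,h2,h3,h4,p1,p2)"; the data port is p1*256 + p2.
_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError on malformed input."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a PASV 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0: %r" % reply)
    return host, port


def data_endpoint(control_ip, reply, skip_pasv_ip=False):
    """Decide where the data connection should go: (host, port, note).

    The server picks the address in the 227 reply, so a client that follows it
    blindly can be sent to an arbitrary host (behind a CONNECT proxy, the proxy
    would be asked to open that tunnel). Like curl's --ftp-skip-pasv-ip, keep
    the advertised port but reuse the control connection's IP when the
    advertised address differs or when the override is requested explicitly.
    """
    host, port = parse_pasv(reply)
    if host != control_ip:
        return control_ip, port, "advertised %s differs from control IP %s; overridden" % (host, control_ip)
    if skip_pasv_ip:
        return control_ip, port, "skip-pasv-ip set; using control IP"
    return host, port, "advertised address matches control connection"


def build_connect_request(host, port, user_agent="curl/7.15.0"):
    """Build the HTTP/1.0 CONNECT request a --proxytunnel client sends for the
    second (data) connection, in the same shape as curl's verbose log above."""
    target = "%s:%d" % (host, port)
    lines = [
        "CONNECT %s HTTP/1.0" % target,
        "Host: %s" % target,
        "User-Agent: %s" % user_agent,
        "Proxy-Connection: Keep-Alive",
        "",  # end of headers
        "",  # trailing CRLF
    ]
    return "\r\n".join(lines).encode("ascii")


def connect_status(raw):
    """Parse the proxy's reply to CONNECT. Returns the HTTP status code, or None
    when nothing (or no complete status line) came back, which is the failure
    mode in the thread: the second CONNECT got no answer at all."""
    if not raw:
        return None
    head, sep, _rest = raw.partition(b"\r\n")
    if not sep:
        return None
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


if __name__ == "__main__":
    control_ip = "172.27.145.185"  # constructed: IP the control connection reached
    for reply in PASV_REPLIES:
        host, port, note = data_endpoint(control_ip, reply)
        print("%s -> %s:%d (%s)" % (reply, host, port, note))
        print(build_connect_request(host, port).decode().splitlines()[0])
    # Constructed reply pointing at another host: overridden to the control IP.
    print(data_endpoint(control_ip, "227 Entering Passive Mode (10,0,0,5,0,21)"))
    print(connect_status(b"HTTP/1.1 200 Connection established\r\n\r\n"))
    print(connect_status(b""))  # proxy silent -> None
```

A client built on this logic treats a silent proxy (connect_status returning None) as a hard failure rather than writing FTP commands into a half-open tunnel, and never lets the 227 reply redirect the data connection away from the server the control session was authenticated against.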
Ben Madsen - Mailing List
2006-01-05 18:48:40 UTC
I think your problem is that, like many others, your proxy server doesn't
support FTPS. Proxy servers that don't support FTPS don't know how to
decode the SSL-encrypted communication that needs to exist between the
client and the server.

See here for a list of compatible clients, servers and proxy servers:
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

However, looking at the specs for your proxy, it looks like it does
support SOCKS, which I think curl supports as well. Maybe try using the
SOCKS proxy settings for your communications.

-Ben
Post by Martijn ten Heuvel
Post by Daniel Stenberg
Post by Martijn ten Heuvel
Any ideas what could be the problem here? Or am i trying something
that simply isn't possible?
...
Post by Martijn ten Heuvel
CONNECT 172.27.145.185:1061 HTTP/1.0
Host: 172.27.145.185:1061
User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
Proxy-Connection: Keep-Alive
Is your proxy set up to allow CONNECT requests to "any" port like this?
Either way, the fact that the proxy doesn't respond at all seems like a proxy
flaw to me.
curl puts this last request in the proxytunnel, tcpdump on the unix
host sees it going out to the proxy, but the ftpserver on the other
side doesn't get a new connection. It does, however, get the exact
12:29:47 - (not logged in) (172.27.1.234)> Connected, sending welcome message...
12:29:47 - (not logged in) (172.27.1.234)> 220
12:29:47 - (not logged in) (172.27.1.234)> AUTH SSL
12:29:47 - (not logged in) (172.27.1.234)> 234 Using authentication type SSL
12:29:47 - (not logged in) (172.27.1.234)> SSL connection established
12:29:47 - (not logged in) (172.27.1.234)> USER martijnh
12:29:47 - (not logged in) (172.27.1.234)> 331 Password required for martijnh
12:29:47 - (not logged in) (172.27.1.234)> PASS ********
12:29:47 - martijnh (172.27.1.234)> 230 Logged on
12:29:47 - martijnh (172.27.1.234)> PBSZ 0
12:29:47 - martijnh (172.27.1.234)> 200 PBSZ=0
12:29:47 - martijnh (172.27.1.234)> PROT P
12:29:47 - martijnh (172.27.1.234)> 200 Protection level set to P
12:29:47 - martijnh (172.27.1.234)> PWD
12:29:47 - martijnh (172.27.1.234)> 257 "/" is current directory.
12:29:47 - martijnh (172.27.1.234)> PASV
12:29:47 - martijnh (172.27.1.234)> 227 Entering Passive Mode (172,27,145,185,4,163)
12:29:47 - martijnh (172.27.1.234)> CONNECT 172.27.145.185:1187 HTTP/1.0
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:47 - martijnh (172.27.1.234)> Host: 172.27.145.185:1187
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:47 - martijnh (172.27.1.234)> User-Agent: curl/7.15.0 (hppa2.0w-hp-hpux11.11) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.20
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:47 - martijnh (172.27.1.234)> Proxy-Connection: Keep-Alive
12:29:47 - martijnh (172.27.1.234)> 500 Syntax error, command unrecognized.
12:29:57 - martijnh (172.27.1.234)> disconnected.
Any ideas?
thanks,
Martijn
Martijn ten Heuvel
2006-01-05 19:53:11 UTC
Post by Ben Madsen - Mailing List
I think your problem is that, like many others, your proxy server
don't support FTPS. Proxy servers that don't support FTPS don't know
how to decode the SSL encrypted communication that needs to exist
between the client and the server.
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
However, looking at the specs for your proxy, it looks like it does
support SOCKS, which I think Curl supports as well. Maybe try using
the SOCKS proxy settings for your communications.
-Ben
Hi Ben, others,

Thanks for the assistance. I still think it's got to do with curl. I've
completed some tests using FileZilla under Windows XP. It was REALLY
slow, so you're probably right. Did get it to work though, even
communicating with the outside world. Had to put a couple of holes in
the firewall, which isn't my favourite method, but it works.

Thanks for the assistance though; Daniel's remarks about the proxy made
me switch to plan B.

regards,
Martijn
