Path: newsmaster.cc.columbia.edu!iad-feed.news.verio.net!peer1.stngva01.us.to.verio.net!news.verio.net!news.glorb.com!border1.nntp.ash.giganews.com!border2.nntp.ash.giganews.com!nntp.giganews.com!feed5.newsreader.com!newsreader.com!news3.optonline.net!cyclone.rdc-nyc.rr.com!news-out.nyc.rr.com!twister.nyc.rr.com.POSTED!53ab2750!not-for-mail
Message-ID: <407A073D.7040004@nyc.rr.com>
From: Jeffrey Altman <jaltman2@nyc.rr.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040316
X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: comp.protocols.kermit.misc
Subject: Re: FTP with Auth SSL
References: <c5bv8301ck0@drn.newsguy.com> <GWfec.23377$Nn4.4630542@twister.nyc.rr.com> <c5clci0adl@drn.newsguy.com>
In-Reply-To: <c5clci0adl@drn.newsguy.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 101
Date: Mon, 12 Apr 2004 03:02:44 GMT
NNTP-Posting-Host: 24.193.46.55
X-Complaints-To: abuse@rr.com
X-Trace: twister.nyc.rr.com 1081738964 24.193.46.55 (Sun, 11 Apr 2004 23:02:44 EDT)
NNTP-Posting-Date: Sun, 11 Apr 2004 23:02:44 EDT
Organization: Road Runner - NYC
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14899
Petri wrote:
> In article <GWfec.23377$Nn4.4630542@twister.nyc.rr.com>, Jeffrey Altman says...
>
>>Secure Sockets Layer is the name Netscape gave the
>>protocol when it was proprietary. After it was donated to
>>the IETF and modified to fix some minor security design issues,
>>the protocol was renamed to Transport Layer Security.
>
>
> Yes, I am aware of that historical fact. :)
> The reason I wondered why it complained about TLS when I had specified SSL, is
> that there seems to exist something called "auth ssl" and "auth tls", which is
> something I have to specify correctly in my FTP client when connecting to these
> FTP-servers:
> http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
The distinction between FTP AUTH SSL and FTP AUTH TLS has nothing to do
with the TLSv1 or SSLv3 protocol which is used. If the string "SSL" is
negotiated then the semantics for the FTP command channel are different
than if "TLS" is used. "SSL" is not a standard and should not be used
unless you have no other choice.
Internally, the protocol which is negotiated is TLSv1.
>>You are not providing enough information to diagnose where
>>the TLS connection is failing.
>
>
> Sorry, I searched the documentation for debug options, and only found "set ftp
> debug on".
>
>
>>Try turning on debugging:
>> SET AUTH TLS DEBUG ON
>
>
> Where did you find that? :)
> It's not mentioned here:
> http://www.columbia.edu/kermit/ckermit80.html
Try reading the Security Documentation
http://www.columbia.edu/kermit/security.html
which describes the implementation of SSL/TLS, Kerberos, SRP, X.509
certs, etc.
> Thanks for the tip!
> Very strange, if I add that line to the kermit script, I get this output when
> running the script:
> ?No keywords match - debug
>
> But if I write it at the prompt after the script has run, it is accepted.
>
> This output is after having logged in with the script listed earlier and having
> typed the command above:
> ---8<---
> (/home/petri/) C-Kermit>set auth tls debug on
> (/home/petri/) C-Kermit>ftp dir
> ---> TYPE A
> 200 Type set to A.
> ---> PASV
> 227 Entering Passive Mode (127,0,0,1,128,154)
> ---> LIST
> 150 Opening ASCII mode data connection for directory listing.
> =>START SSL connect on DATA
> SSL_handshake:UNKWN before/connect initialization
> SSL_connect:UNKWN before/connect initialization
> SSL_connect:3WCH_A SSLv3 write client hello A
> SSL_read_alert
> SSL_connect:failed in 3RSH_A SSLv3 read server hello A
> ftp: SSL_connect DATA error: error:14094417:SSL routines:SSL3_READ_BYTES:sslv3
> alert illegal parameter
> (/home/petri/) C-Kermit>exit
> ---> QUIT
> 435 Failed TLS negotiation on data channel, disconnected: No such file or
> directory.
> SSL_write_alert
> ---8<---
A firewall is dropping the connection after the initial client
hello is sent.
> The more detailed debug output seems to indicate something that looks like a
> protocol failure.
> I know glftpd isn't exactly a crowning achievement of software engineering,
> maybe there is a way in C-Kermit to specify a more relaxed ssl/tls negotiation?
> But of course, FTP sessions work great from FTP clients on both Windows and
> Linux, so that would rule out fatal server side problems.
> Is there some configuring in kermit I could try to circumvent this problem?
>
> Thanks for your help!
>
>
> Petri
The problem is not in Kermit.
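The debug trace quoted above records how far the client got before the data-channel handshake broke: the ClientHello was written, an alert was read, and the "read server hello" state failed with OpenSSL error 14094417. The following script, added here as an illustration and not code from the thread, C-Kermit or OpenSSL, parses such an SSL_connect trace to report the last state reached and the state that failed, and unpacks the OpenSSL 1.x error code (library, function, reason; a libssl reason of 1000 plus N means the peer sent TLS alert N). The sample trace is constructed from the quoted output with the wrapped error line re-joined; the helper names are this example's own.

```python
"""Locate where an OpenSSL client handshake failed from an SSL_connect trace.

Added example, not code from the newsgroup post, C-Kermit or OpenSSL.
The sample trace is constructed from the debug output quoted in the thread
(the wrapped error line re-joined); the helper names are this example's own.
"""
import re

ERR_LIB_SSL = 20               # OpenSSL library id for libssl errors
SSL_AD_REASON_OFFSET = 1000    # libssl reason for a received alert = 1000 + alert number
# TLS AlertDescription values (RFC 2246 section 7.2), subset used here.
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
}

# Constructed sample: the trace quoted in the thread, one entry per line.
SAMPLE_TRACE = [
    "=>START SSL connect on DATA",
    "SSL_handshake:UNKWN before/connect initialization",
    "SSL_connect:UNKWN before/connect initialization",
    "SSL_connect:3WCH_A SSLv3 write client hello A",
    "SSL_read_alert",
    "SSL_connect:failed in 3RSH_A SSLv3 read server hello A",
    "ftp: SSL_connect DATA error: error:14094417:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert illegal parameter",
]

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
STATE_RE = re.compile(r"^SSL_connect:(\S+)\s+(.*)$")


def decode_openssl_error(code):
    """Split a packed pre-3.0 OpenSSL error code into its three fields.

    Layout: library (8 bits) | function (12 bits) | reason (12 bits).
    For libssl, reasons >= 1000 mean 'peer sent TLS alert (reason - 1000)'.
    """
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = TLS_ALERTS.get(reason - SSL_AD_REASON_OFFSET, "unknown")
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def analyse_trace(lines):
    """Return the last state reached, the state that failed and the decoded error."""
    result = {"last_state": None, "failed_state": None,
              "alert_received": False, "error": None}
    for raw in lines:
        line = raw.strip()
        if line == "SSL_read_alert":
            # OpenSSL logs this when an alert record arrives from the peer
            result["alert_received"] = True
            continue
        m = STATE_RE.match(line)
        if m:
            tag, desc = m.groups()
            if tag == "failed":
                # line shape: "SSL_connect:failed in <STATE_CODE> <description>"
                _, _, rest = desc.partition("in ")
                result["failed_state"] = rest.split(" ", 1)[1]
            else:
                result["last_state"] = desc
            continue
        m = ERR_RE.search(line)
        if m:
            result["error"] = decode_openssl_error(int(m.group(1), 16))
    return result


def verdict(result):
    """One-line reading of where the handshake broke."""
    if result["failed_state"] is None:
        return "handshake completed"
    msg = "failed in '%s' after '%s'" % (result["failed_state"], result["last_state"])
    err = result["error"]
    if result["alert_received"] and err and err["alert"]:
        msg += "; peer alert: %s (%d)" % (err["alert"], err["reason"] - SSL_AD_REASON_OFFSET)
    return msg


if __name__ == "__main__":
    print(verdict(analyse_trace(SAMPLE_TRACE)))
```

For the quoted trace this reports that the handshake failed while waiting for the ServerHello, immediately after the ClientHello went out, and that the alert read back decodes to illegal_parameter (47). A trace that gets past "read server hello" into certificate or key-exchange states points at a different class of problem (certificate validation, cipher mismatch) than one that never receives a usable ServerHello at all, which is the distinction the diagnosis in the reply turns on.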