Path: newsmaster.cc.columbia.edu!panix!newsfeed.media.kyoto-u.ac.jp!news-xfer.nntp.sonic.net!192.160.13.7.MISMATCH!wasp.rahul.net!192.160.13.20.MISMATCH!rahul.net!azure.rahul.net!dold
From: dold@XReXXsecur.usenet.us.com
Newsgroups: comp.protocols.kermit.misc
Subject: Re: secure ftp - tls with ckermit client
Date: Fri, 24 Mar 2006 20:41:50 +0000 (UTC)
Organization: "a2i network"
Lines: 95
Message-ID: <e01lie$ujk$1@blue.rahul.net>
References: <dvvju1$8cb$1@blue.rahul.net> <slrne286k3.isr.fdc@sesame.cc.columbia.edu> <e01bb8$edb$1@blue.rahul.net> <e01ftj$lmr$1@blue.rahul.net> <YBXUf.25825$nB6.5258@news-wrt-01.rdc-nyc.rr.com>
NNTP-Posting-Host: azure.rahul.net
X-Trace: blue.rahul.net 1143232910 31348 192.160.13.38 (24 Mar 2006 20:41:50 GMT)
X-Complaints-To: support@rahul.net
NNTP-Posting-Date: Fri, 24 Mar 2006 20:41:50 +0000 (UTC)
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (Linux/2.6.9-34.EL (i686))
X-Comment: Encoded From: line allows replies that preserve original subject
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:15542
Jeffrey Altman <jaltman2@nyc.rr.com> wrote:
> dold@XReXXsecur.usenet.us.com wrote:
> > ftp open /tls www.thesite.com 2121 /user:me
> > fails
> > "ftp: SSL/TLS connect COMMAND error: error:1408F10B:SSL
> > routines:SSL3_GET_RECORD: wrong version number"
> The server does not support FTP over TLS.
> > set ftp authtype tls
> > ftp open www.thesite.com 2121 /user:me
> The server supports FTP AUTH TLS
So TLS is only being used for the login authentication, and no protection
is offered for the actual data?
I do get
Connected to www.thesite.com.
TLS accepted as authentication type
[TLS - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
Compression: None
FTP Command channel is Private (encrypted)
FTP Data channel is Private (encrypted)
After I'm connected, show ftp returns, in part
Available security methods:
ftp authtype: TLS
ftp auto-encryption: on
ftp credential-forwarding: off
ftp command-protection-level: private
ftp data-protection-level: private
ftp secure proxy: (not set)
> > "TLS accepted as authentication type
> > Warning: Server has a self-signed certificate
> > ...
> > Continue? (Y/N)"
> > "Warning: Hostname ("www.thesite.com") does not match server's
> > certificate ("ftp.thesite.com")"
> And the server's name as specified by the certificate is
> "ftp.thesite.com" so you must connect to it with
> ftp open ftp.thesite.com 2121 /user:me
Administrative error that I'd like to get fixed. proftpd is listening to
the wrong IP address. Both are on the same machine.
> and the server is using a self-signed certificate which means that
> you must obtain a copy of the certificate and store it into your
> certificate store.
> > How can I confirm that this is a TLS-protected connection?
> kermit tells you
That's where I have ambiguity. It looks like TLS is there, except for the
fact that I can't do /tls on the command line. How is kermit telling me?
If I connect to the same server on the non-TLS port,
I get messages
TLS accepted as authentication type
TLS authentication failed
before the login prompt. After I log in
show ftp
Available security methods:
ftp authtype: (none)
ftp auto-encryption: on
ftp credential-forwarding: off
ftp command-protection-level: clear
ftp data-protection-level: clear
ftp secure proxy: (not set)
> Authentication is all about names. If the names don't match then you
> might as well assume you are communicating with an attacker who is about
> to pick your pocket.
Right. I know this server isn't configured correctly, so I can either hit
"y" many times, "SET AUTHENTICATION TLS VERIFY OFF", or get the site admin
to fix it. I'll take door #2 for now, and ask for the certificate problem
to be corrected.
If the ProFtpd configuration were correct, I think a TLS client or a
non-TLS client should be able to connect to the same name/IP and port
number. I don't know why it is in this awkward state now, with both the
wrong IP address and the special port number.
--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8,-122.5
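Added example, not from the post and not C-Kermit's own code: a Python script using only the standard-library ftplib and ssl modules to make the two checks discussed above, whether a session really has both channels "private" (parsed from the show ftp output quoted in the post) and how to open an explicit AUTH TLS session with hostname and certificate verification left on, trusting a self-signed server certificate by loading its PEM file (ca_file, a hypothetical path) instead of SET AUTHENTICATION TLS VERIFY OFF. It assumes a server offering TLS 1.2 or newer, so the SSLv3 cipher shown in the post would be refused.

```python
import ssl
from ftplib import FTP_TLS

# Constructed from the "show ftp" output quoted in the post after AUTH TLS succeeded.
SHOW_FTP_AFTER_AUTH_TLS = """Available security methods:
ftp authtype: TLS
ftp auto-encryption: on
ftp credential-forwarding: off
ftp command-protection-level: private
ftp data-protection-level: private
ftp secure proxy: (not set)"""

def parse_show_ftp(text):
    """Turn C-Kermit 'show ftp' lines into a dict, e.g. {'authtype': 'TLS'}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ftp ") and ":" in line:
            key, _, value = line[4:].partition(":")
            settings[key.strip()] = value.strip()
    return settings

def session_is_protected(settings):
    """True only if TLS was negotiated and BOTH channels report 'private'."""
    return (settings.get("authtype", "(none)") != "(none)"
            and settings.get("command-protection-level") == "private"
            and settings.get("data-protection-level") == "private")

def make_verifying_context(ca_file=None):
    """Hostname checked, chain required, TLS 1.2+. A self-signed server cert
    is trusted by loading its PEM as the CA, not by disabling verification."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def context_is_strict(ctx):
    """Report whether a context still verifies names and certificate chains."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED

def open_explicit_tls(host, port, user, password, ca_file=None):
    """Explicit FTP over TLS: plaintext greeting, AUTH TLS, login, PROT P."""
    ftp = FTP_TLS(context=make_verifying_context(ca_file))
    ftp.connect(host, port, timeout=30)  # plaintext 220 greeting first
    ftp.auth()                           # AUTH TLS upgrades the command channel
    ftp.login(user, password)            # credentials now travel encrypted
    ftp.prot_p()                         # PROT P: data connections encrypted too
    return ftp
```

The name passed as host must be the one in the server certificate (ftp.thesite.com in the post), or check_hostname will reject the handshake exactly as Kermit warned.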