curl-users
Re: Error "SSL3_GET_RECORD: wrong version number" while listing ftps directory
Date: Mon, 24 Jan 2005 17:23:18 -0800
Hi Daniel,
Now I can use cURL to get a directory listing and download a file from the remote
FTP server (running GlubTech's Secure FTP Wrapper) in PASSIVE mode, but uploading
a file in PASSIVE mode still fails, and PORT mode fails completely.
---------------------
$ curl -knv --disable-epsv --disable-eprt -Q "prot p"
ftps://xxxx.xxxx.xxx/test.txt --output rtest.txt
* About to connect() to xxxx.xxxx.xxx port 990
* Trying xxx.xx.xx.xxx... * connected
* Connected to xxxx.xxxx.xxx (xxx.xx.xx.xxx) port 990
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* start date: 2004-03-10 11:51:43 GMT
* expire date: 2007-03-10 11:51:43 GMT
* common name: xxxx.xxxx.xxx (matched)
* issuer: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* SSL certificate verify result: error number 1 (18), continuing anyway.
< 220-"128 Bit Secure FTP Wrapper"
< 220 pwcftp Microsoft FTP Service (Version 4.0).
> USER ZZZ
< 331 Password required for ZZZ.
> PASS zzzzzzz
< 230 User ZZZ logged in.
* We have successfully logged in
> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> PWD
< 257 "/ZZZ" is current directory.
* Entry path is '/ZZZ'
> prot p
< 200 PROT Command OK. Using Private data connection.
> PASV
< 227 Entering Passive Mode (xxx,xx,xx,xxx,71,60).
* Trying xxx.xx.xx.xxx... * connected
* Connecting to xxx.xx.xx.xxx (xxx.xx.xx.xxx) port 18236
* Connected the data stream with PASV!
> TYPE I
< 200 Type set to I.
> SIZE test.txt
< 213 135
> RETR test.txt
< 125 Data connection already open; Transfer starting.
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL re-using session ID
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* start date: 2004-03-10 11:51:43 GMT
* expire date: 2007-03-10 11:51:43 GMT
* common name: xxxx.xxxx.xxx (matched)
* issuer: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* SSL certificate verify result: error number 1 (18), continuing anyway.
* Getting file with size: 135
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   135  100   135    0     0     78      0  0:00:01  0:00:01 --:--:--    78
< 226 Transfer complete.
100   135  100   135    0     0     78      0  0:00:01  0:00:01 --:--:--     0
* Connection #0 to host xxxx.xxxx.xxx left intact
> QUIT
< 221
* Closing connection #0
----------------------------------------
$ curl -knv --disable-epsv --disable-eprt -Q "port p" -T test.txt
ftps://xxxx.xxxx.xxx/ltest.txt
* About to connect() to xxxx.xxxx.xxx port 990
* Trying xxx.xx.xx.xxx... * connected
* Connected to xxxx.xxxx.xxx (xxx.xx.xx.xxx) port 990
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* start date: 2004-03-10 11:51:43 GMT
* expire date: 2007-03-10 11:51:43 GMT
* common name: xxxx.xxxx.xxx (matched)
* issuer: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* SSL certificate verify result: error number 1 (18), continuing anyway.
< 220-"128 Bit Secure FTP Wrapper"
< 220 pwcftp Microsoft FTP Service (Version 4.0).
> USER ZZZ
< 331 Password required for ZZZ.
> PASS zzzzzzz
< 230 User ZZZ logged in.
* We have successfully logged in
> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> PWD
< 257 "/ZZZ" is current directory.
* Entry path is '/ZZZ'
> prot p
< 200 PROT Command OK. Using Private data connection.
> PASV
< 227 Entering Passive Mode (xxx,xx,xx,xxx,71,61).
* Trying xxx.xx.xx.xxx... * connected
* Connecting to xxx.xx.xx.xxx (xxx.xx.xx.xxx) port 18237
* Connected the data stream with PASV!
> TYPE I
< 200 Type set to I.
> STOR ltest.txt
< 125 Data connection already open; Transfer starting.
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL re-using session ID
* SSL connection timeout
* Closing connection #0
curl: (28) SSL connection timeout
---------------------
$ curl -knv --disable-epsv --disable-eprt -Q "prot p" ftps://xxxx.xxxx.xxx
* About to connect() to xxxx.xxxx.xxx port 990
* Trying xxx.xx.xx.xxx... * connected
* Connected to xxxx.xxxx.xxx (xxx.xx.xx.xxx) port 990
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* start date: 2004-03-10 11:51:43 GMT
* expire date: 2007-03-10 11:51:43 GMT
* common name: xxxx.xxxx.xxx (matched)
* issuer: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* SSL certificate verify result: error number 1 (18), continuing anyway.
< 220-"128 Bit Secure FTP Wrapper"
< 220 pwcftp Microsoft FTP Service (Version 4.0).
> USER ZZZ
< 331 Password required for ZZZ.
> PASS zzzzzzz
< 230 User ZZZ logged in.
* We have successfully logged in
> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> PWD
< 257 "/ZZZ" is current directory.
* Entry path is '/ZZZ'
> prot p
< 200 PROT Command OK. Using Private data connection.
> PASV
< 227 Entering Passive Mode (xxx,xx,xx,xxx,71,62).
* Trying xxx.xx.xx.xxx... * connected
* Connecting to xxx.xx.xx.xxx (xxx.xx.xx.xxx) port 18238
* Connected the data stream with PASV!
> TYPE A
< 200 Type set to A.
> LIST
< 125 Data connection already open; Transfer starting.
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL re-using session ID
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* start date: 2004-03-10 11:51:43 GMT
* expire date: 2007-03-10 11:51:43 GMT
* common name: xxxx.xxxx.xxx (matched)
* issuer: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* SSL certificate verify result: error number 1 (18), continuing anyway.
* Getting file with size: -1
01-24-05 07:49PM 0 ltest1.txt
01-20-05 03:07PM 135 test.txt
< 226 Transfer complete.
* Connection #0 to host xxxx.xxxx.xxx left intact
> QUIT
< 221
* Closing connection #0
-----------------------------
curl -knv --disable-epsv --disable-eprt --ftp-port yyyyyyyy -Q "prot p"
ftps://xxxx.xxxx.xxx
* About to connect() to xxxx.xxxx.xxx port 990
* Trying xxx.xx.xx.xxx... * connected
* Connected to xxxx.xxxx.xxx (xxx.xx.xx.xxx) port 990
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: none
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* start date: 2004-03-10 11:51:43 GMT
* expire date: 2007-03-10 11:51:43 GMT
* common name: xxxx.xxxx.xxx (matched)
* issuer: /C=USA/ST=NJ/L=Whippany/O=xxxx/OU=Secure FTP
Wrapper/CN=xxxx.xxxx.xxx
* SSL certificate verify result: error number 1 (18), continuing anyway.
< 220-"128 Bit Secure FTP Wrapper"
< 220 pwcftp Microsoft FTP Service (Version 4.0).
> USER ZZZ
< 331 Password required for ZZZ.
> PASS zzzzzzz
< 230 User ZZZ logged in.
* We have successfully logged in
> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> PWD
< 257 "/ZZZ" is current directory.
* Entry path is '/ZZZ'
> prot p
< 200 PROT Command OK. Using Private data connection.
> PORT yy,y,y,yy,4,160
* FTP response reading failed
* Connection #0 to host xxxx.xxxx.xxx left intact
curl: (56) FTP response reading failed
* Closing connection #0
######################################
I also tried C-Kermit. I could get a directory listing, download, and upload
successfully in PASSIVE mode, but it still failed in PORT mode.
+++++++++++++++++++++++++++
$ kermit
C-Kermit 8.0.209, 17 Mar 2003, for IBM AIX 4.3
Copyright (C) 1985, 2003,
Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/YYYY/TTTT/) C-Kermit>set auth ssl verify peer-cert
(/YYYY/TTTT/) C-Kermit>set auth ssl verbose on
(/YYYY/TTTT/) C-Kermit>set auth ssl debug on
(/YYYY/TTTT/) C-Kermit>set ftp debug on
(/YYYY/TTTT/) C-Kermit>set file collision backup
(/YYYY/TTTT/) C-Kermit>set file incomplete auto
(/YYYY/TTTT/) C-Kermit>set file names literal
(/YYYY/TTTT/) C-Kermit>set receive pathnames off
(/YYYY/TTTT/) C-Kermit>set send pathnames off
(/YYYY/TTTT/) C-Kermit>set ftp autologin on
(/YYYY/TTTT/) C-Kermit>set ftp passive on
(/YYYY/TTTT/) C-Kermit>set ftp autoauth on
(/YYYY/TTTT/) C-Kermit>set ftp autoenc on
(/YYYY/TTTT/) C-Kermit>set ftp credential-forwarding off
(/YYYY/TTTT/) C-Kermit>set ftp dates on
(/YYYY/TTTT/) C-Kermit>set ftp filenames literal
(/YYYY/TTTT/) C-Kermit>set ftp verbose on
(/YYYY/TTTT/) C-Kermit>set ftp authtype ssl tls
(/YYYY/TTTT/) C-Kermit>set ftp server-character-set ascii
(/YYYY/TTTT/) C-Kermit>set ftp character-set-translation off
(/YYYY/TTTT/) C-Kermit>set auth tls certs-ok on
(/YYYY/TTTT/) C-Kermit>set locus remote
(/YYYY/TTTT/) C-Kermit>ftp open /ssl xxxx.xxxx.xxx /user:ZZZ
/password:zzzzzzz
SSL DEBUG ACTIVE
=>START SSL/TLS connect on COMMAND
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_connect:3RSH_A SSLv3 read server hello A
ssl:client_verify_callback:depth=0 ok=0 err=18-self signed certificate
[0] Certificate Subject:
C=USA
ST=NJ
L=Whippany
O=xxxx
OU=Secure FTP Wrapper
CN=xxxx.xxxx.xxx
[0] Certificate Issuer:
C=USA
ST=NJ
L=Whippany
O=xxxx
OU=Secure FTP Wrapper
CN=xxxx.xxxx.xxx
ssl:client_verify_callback => ok: 1
ssl:client_verify_callback:depth=0 ok=1 err=18-self signed certificate
ssl:client_verify_callback => ok: 1
SSL_connect:3RSC_A SSLv3 read server certificate A
SSL_connect:3RSD_A SSLv3 read server done A
SSL_connect:3WCKEA SSLv3 write client key exchange A
SSL_connect:3WCCSA SSLv3 write change cipher spec A
SSL_connect:3WFINA SSLv3 write finished A
SSL_connect:3FLUSH SSLv3 flush data
SSL_connect:3RFINA SSLv3 read finished A
SSL_handshake:SSLOK SSL negotiation finished successfully
[TLS - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168)
Mac=SHA1
Compression: None
=>DONE SSL/TLS connect on COMMAND
Connected to xxxx.xxxx.xxx.
220-"128 Bit Secure FTP Wrapper"
220 pwcftp Microsoft FTP Service (Version 4.0).
---> USER ZZZ
331 Password required for ZZZ.
---> PASS XXXX
230 User ZZZ logged in.
---> REST 0
350 Restarting at 0.
---> SYST
215 Windows_NT version 4.0
Remote system type is Windows_NT.
---> TYPE A
200 Type set to A.
Default transfer mode is TEXT ("ASCII")
---> MODE S
200 Mode S ok.
---> STRU F
200 STRU F ok.
---> FEAT
211-Extensions supported
PBSZ
PROT
211 END
Server does not support AUTH
Server does not support LANG
Server does not support MDTM
Server does not support MLST
Server does not support PBSZ
Server does not support PROT
Server does not support REST
Server does not support SIZE
Server does not support TVFS
(/YYYY/TTTT/) C-Kermit>ftp quote prot p
---> prot p
200 PROT Command OK. Using Private data connection.
(/YYYY/TTTT/) C-Kermit>ftp dir
---> TYPE A
200 Type set to A.
---> PASV
227 Entering Passive Mode (xxxx,xx,xx,xxxx,71,63).
---> LIST
125 Data connection already open; Transfer starting.
=>START SSL connect on DATA
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_connect:3RSH_A SSLv3 read server hello A
SSL_connect:3RFINA SSLv3 read finished A
SSL_connect:3WCCSA SSLv3 write change cipher spec A
SSL_connect:3WFINA SSLv3 write finished A
SSL_connect:3FLUSH SSLv3 flush data
SSL_handshake:SSLOK SSL negotiation finished successfully
=>DONE SSL connect on DATA
01-04-05 04:07PM 19133060 SWITCHED.050104.1453
01-20-05 03:07PM 135 test.txt
SSL_read_alert
SSL_write_alert
226 Transfer complete.
Server does not support UTF8
(/YYYY/TTTT/) C-Kermit>ftp get /bin test.txt rtest.txt
---> TYPE I
200 Type set to I.
---> SIZE test.txt
213 135
GET test.txt (binary) (135 bytes)---> PASV
227 Entering Passive Mode (xxx,xx,xx,xxx,71,64).
---> RETR test.txt
125 Data connection already open; Transfer starting.
=>START SSL connect on DATA
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_connect:3RSH_A SSLv3 read server hello A
SSL_connect:3RFINA SSLv3 read finished A
SSL_connect:3WCCSA SSLv3 write change cipher spec A
SSL_connect:3WFINA SSLv3 write finished A
SSL_connect:3FLUSH SSLv3 flush data
SSL_handshake:SSLOK SSL negotiation finished successfully
=>DONE SSL connect on DATA
SSL_read_alert
SSL_write_alert
226 Transfer complete.
: OK (0.429 sec, 314 cps)
---> MDTM test.txt
500 'MDTM test.txt': command not understood
(/YYYY/TTTT/) C-Kermit>ftp put /bin rtest.txt ltest.txt
PUT rtest.txt (binary) (135 bytes)---> TYPE I
200 Type set to I.
---> PASV
227 Entering Passive Mode (xxx,xx,xx,xxx,71,66).
---> STOR ltest.txt
125 Data connection already open; Transfer starting.
=>START SSL connect on DATA
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_connect:3RSH_A SSLv3 read server hello A
SSL_connect:3RFINA SSLv3 read finished A
SSL_connect:3WCCSA SSLv3 write change cipher spec A
SSL_connect:3WFINA SSLv3 write finished A
SSL_connect:3FLUSH SSLv3 flush data
SSL_handshake:SSLOK SSL negotiation finished successfully
=>DONE SSL connect on DATA
226 Transfer complete.
: OK (0.545 sec, 247 cps)
(/YYYY/TTTT/) C-Kermit>ftp dir
---> TYPE A
200 Type set to A.
---> PASV
227 Entering Passive Mode (xxx,xx,xx,xxx,71,67).
---> LIST
125 Data connection already open; Transfer starting.
=>START SSL connect on DATA
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_connect:3RSH_A SSLv3 read server hello A
ssl:client_verify_callback:depth=0 ok=0 err=18-self signed certificate
ssl:client_verify_callback => ok: 1
ssl:client_verify_callback:depth=0 ok=1 err=18-self signed certificate
ssl:client_verify_callback => ok: 1
SSL_connect:3RSC_A SSLv3 read server certificate A
SSL_connect:3RSD_A SSLv3 read server done A
SSL_connect:3WCKEA SSLv3 write client key exchange A
SSL_connect:3WCCSA SSLv3 write change cipher spec A
SSL_connect:3WFINA SSLv3 write finished A
SSL_connect:3FLUSH SSLv3 flush data
SSL_connect:3RFINA SSLv3 read finished A
SSL_handshake:SSLOK SSL negotiation finished successfully
=>DONE SSL connect on DATA
01-24-05 08:23PM 135 ltest.txt
01-04-05 04:07PM 19133060 SWITCHED.050104.1453
01-20-05 03:07PM 135 test.txt
SSL_read_alert
SSL_write_alert
226 Transfer complete.
(/YYYY/TTTT/) C-Kermit>set ftp passive off
(/YYYY/TTTT/) C-Kermit>ftp dir
---> TYPE A
200 Type set to A.
---> PORT yy,y,y,yy,166,234
SSL_read_alert
SSL_write_alert
421 Service not available, connection closed by server
+++++++++++++++++++++++++++++++++
Any advice?
Thank you very much for your time and patience!
--
Shun-Li Huang

"Daniel Stenberg" <daniel-curl_at_haxx.se> wrote in message
news:Pine.LNX.4.61.0501182347470.28813_at_yvahk3.pbagnpgbe.fr...
> On Tue, 18 Jan 2005, Shun-Li Huang wrote:
>
> Note that these quotes here are from "Gary Cohen" of "GlubTech's forum".
> Obviously not 100% involved in this topic, curl-wise.
>
> > We are following spec:
>
> So is curl, if you use ftp:// URLs. As that is the way that spec says you do
> SSL over FTP.
>
> The ftps:// approach is deprecated and not defined properly anywhere (at least
> not in the draft-murray-auth-ftp-ssl-15.txt spec he referred to). One can of
> course argue how to behave with such servers and possibly curl doesn't do it
> the "best" way. I'm open for suggestions.
>
> > The initial state of the data connection MUST be 'Clear' (this is the
> > behaviour as indicated by [RFC-2228].)
>
> That is what curl assumes as well with ftp:// URLs.
>
> > cURL is breaking spec by assuming that the data connection is secure.
>
> This is false. Everyone can read the source code and verify this.
>
> curl assumes the data connection is plain text unless you use a ftps:// URL,
> in which case it assumes the data connection is using SSL (too).
>
> > Additionally they send a PBSZ 0 command but no PROT P command. They need to
> > send a PROT command following a PBSZ command.
>
> That is exactly what curl does. Use ftp://, --ftp-ssl and -v and view the
> output to verify.
>
> > Is his statement about cURL correct?
>
> No.
>
> And I didn't see many lines in there that actually tried to identify the
> problem you see.
>
> --
> Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
> Dedicated custom curl help for hire: http://haxx.se/curl.html

Received on 2005-01-25
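The traces above all hinge on the same few facts: per RFC 2228 the data connection starts out Clear, PBSZ must precede PROT, and a transfer is only protected if the TLS handshake on the data connection actually completes after the RETR/STOR/LIST is issued. The script below is an added example (not part of this thread, and not curl's or C-Kermit's code) that walks a `curl -v` style trace and reports the negotiated protection level, the decoded PASV/PORT data port, and, per transfer, whether the data-channel handshake completed or failed. The sample traces are constructed from the sessions in this message with RFC 5737 documentation addresses (192.0.2.x) substituted for the redacted ones, and the error strings it looks for are the ones that appear in the output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample traces in the `curl -v` format used on this page
# ('> ' = command sent, '< ' = server reply, '* ' = curl informational line).
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
DATA_CMDS = {"RETR", "STOR", "LIST", "NLST", "APPE"}
# Failure strings taken from the curl output in this thread (assumption: these
# are the only failure modes we care about here).
ERROR_MARKERS = ("SSL connection timeout", "FTP response reading failed")


def decode_hostport(six):
    """RFC 959 host/port tuple h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in six)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Transfer:
    command: str
    mode: Optional[str]          # "PASV" or "PORT"
    data_port: Optional[int]
    prot: str                    # protection level in force when the command was sent
    tls_ok: bool = False         # TLS handshake on the data connection completed
    completed: bool = False      # server sent 226
    error: Optional[str] = None


def analyze_trace(lines):
    prot = "C"                   # RFC 2228: data connection starts Clear until PROT changes it
    pbsz_set = False
    mode = None
    data_port = None
    last_cmd = ""
    transfers: List[Transfer] = []
    issues: List[str] = []

    def open_transfer():
        t = transfers[-1] if transfers else None
        return t if t and not t.completed and t.error is None else None

    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("> "):
            last_cmd = line[2:].strip()
            parts = last_cmd.split()
            verb = parts[0].upper() if parts else ""
            if verb == "PBSZ":
                pbsz_set = True
            elif verb == "PROT" and not pbsz_set:
                issues.append("PROT sent before PBSZ (RFC 2228 requires PBSZ first)")
            elif verb == "PASV":
                mode = "PASV"
            elif verb == "PORT":
                mode = "PORT"
                m = PORT_RE.search(last_cmd)
                data_port = decode_hostport(m.groups())[1] if m else None
            elif verb in DATA_CMDS:
                transfers.append(Transfer(last_cmd, mode, data_port, prot))
        elif line.startswith("< "):
            reply = line[2:]
            code = reply[:3]
            parts = last_cmd.split()
            verb = parts[0].upper() if parts else ""
            if code == "227":
                m = PASV_RE.search(reply)
                data_port = decode_hostport(m.groups())[1] if m else None
            elif code == "200" and verb == "PROT" and len(parts) > 1:
                prot = parts[1].upper()      # level the server just accepted (P or C)
            elif code == "226":
                t = open_transfer()
                if t:
                    t.completed = True
        elif line.startswith("* "):
            info = line[2:]
            t = open_transfer()
            if info.startswith("SSL connection using") and t:
                t.tls_ok = True              # handshake on the data stream finished
            elif any(mk in info for mk in ERROR_MARKERS):
                if t:
                    t.error = info
                else:
                    issues.append(f"{info} after '{last_cmd}'")
    return {"prot": prot, "pbsz": pbsz_set, "transfers": transfers, "issues": issues}


# Constructed traces modelled on the three curl sessions in this message.
OK_DOWNLOAD = """> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> prot p
< 200 PROT Command OK. Using Private data connection.
> PASV
< 227 Entering Passive Mode (192,0,2,10,71,60).
> TYPE I
< 200 Type set to I.
> RETR test.txt
< 125 Data connection already open; Transfer starting.
* Doing the SSL/TLS handshake on the data stream
* SSL re-using session ID
* SSL connection using DES-CBC3-SHA
< 226 Transfer complete.
""".splitlines()

UPLOAD_TIMEOUT = """> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> prot p
< 200 PROT Command OK. Using Private data connection.
> PASV
< 227 Entering Passive Mode (192,0,2,10,71,61).
> STOR ltest.txt
< 125 Data connection already open; Transfer starting.
* Doing the SSL/TLS handshake on the data stream
* SSL connection timeout
* Closing connection #0
""".splitlines()

PORT_FAILURE = """> PBSZ 0
< 200 PBSZ Command OK. Protection buffer size set to 0.
> prot p
< 200 PROT Command OK. Using Private data connection.
> PORT 192,0,2,20,4,160
* FTP response reading failed
* Connection #0 to host example.invalid left intact
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("download", OK_DOWNLOAD), ("upload", UPLOAD_TIMEOUT), ("port", PORT_FAILURE)):
        r = analyze_trace(trace)
        print(name, "PROT", r["prot"], [(t.command, t.data_port, t.tls_ok, t.completed, t.error)
                                        for t in r["transfers"]], r["issues"])
```

On the page's own numbers the PASV decoding checks out: (71,60) gives 71*256+60 = 18236, matching curl's "port 18236" line, and the STOR session is classified as a data-channel handshake failure rather than a control-channel or authentication problem, which is the distinction worth establishing before blaming PROT handling on either side.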