curl-users

Trouble traversing two firewalls w/ passive ftp

From: Nick Harley <nickharley_at_bcbsal.org>
Date: Tue, 17 Jan 2006 15:02:55 -0600

I'm trying to get through two firewalls using ssl. At first I had
trouble with the host I was connecting to trying to send back to my
internal IP address. I was able to fix that by using the --ftp-port
command and entering my external IP address. I am able to connect to the
host and negotiate all the way through the transfer process up until the
attempted data stream.

    rs6ktst1:root:/ # /usr/local/bin/curl -K /usr/local/cfg/vitalce.curl.cfg
    * About to connect() to externalftp.server port xxx
    * Trying NATport... connected
    * Connected to externalftp.server (NATport) port xxx
    < 220 <<<Connect:Enterprise UNIX 2.2.00 Secure FTP>>> at octapp9 FTP server ready. Time = 08:42:39
    > AUTH SSL
    < 234 AUTH TLS-P/SSL OK.
    * successfully set certificate verify locations:
    * CAfile: /usr/local/share/curl/curl-ca-bundle.crt
      CApath: none
    * SSLv2, Client hello (1):
    SSLv3, TLS handshake, Server hello (2):
    SSLv3, TLS handshake, CERT (11):
    SSLv3, TLS handshake, Server finished (14):
    SSLv3, TLS handshake, Client key exchange (16):
    SSLv3, TLS change cipher, Client hello (1):
    SSLv3, TLS handshake, Finished (20):
    SSLv3, TLS change cipher, Client hello (1):
    SSLv3, TLS handshake, Finished (20):
    SSL connection using DES-CBC3-SHA
    * Server certificate:
    * subject: certname
    * start date: 2005-07-13 00:00:00 GMT
    * expire date: 2006-07-13 23:59:59 GMT
    * common name: externalftp.server (matched)
    * issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    * SSL certificate verify result: error number 1 (20), continuing anyway.
    > USER username
    < 331 Password required for username.
    > PASS password
    < 230 Connect:Enterprise UNIX login ok, access restrictions apply.
    > PBSZ 0
    < 200 PBSZ 0 OK.
    > PROT P
    < 200 PROT P OK, data channel will be secured.
    > PWD
    < 257 "/currentdirectory" is current directory.
    * Entry path is '/currentdirectory'
    * Telling server to connect to NATport:48848
    > PORT 216,104,80,200,190,208
    < 200 PORT command successful.
    * Connect data stream actively
    > TYPE I
    < 200 Type set to I.
    > STOR 471700542043000000111020050303.bsi
    < 425 Can't build data connection: Connection refused.
    * Failed FTP upload: 425
    * Uploaded unaligned file size (0 out of 15 bytes)
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:--  0:00:06 --:--:--     0* Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

    curl: (25) Failed FTP upload: 425

The above system is an AIX 5.2 server. I've also run this from a
Mandrake Linux desktop and get a different error that may be more
descriptive:

curl: (30) Socket Failure: Cannot assign requested address

Here's what my config file looks like:

    --verbose
    --disable-epsv
    --insecure
    --connect-timeout 60
    --ftp-port 216.x.x.x
    --ftp-ssl
    --user username:password
    --upload-file /tmp/file.being.uploaded
    --url http://destination.url.com

The people at the other end of this transfer have said that if I can't
enter passive mode then I won't be able to send these files and they
suggest that I purchase a software package to make it work.

Is it possible to use the ftp port command and enable passive ftp
transfers at the same time? The instructions I have say the two can't
be used together. Is there any other way to make this work? Even if I
wanted to purchase the software they're offering I can't get the company
to return any of my calls. Any help would be greatly appreciated.

Thanks,
Nick Harley

Received on 2006-01-17
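
An added example (not part of the original message, and not curl's own code): a short Python script that decodes the PORT argument from the transcript above using the RFC 959 host-port format and summarizes which side opens the data connection and how the transfer ended. The function names are made up for this illustration; the sample lines are selected from the posted transcript.

```python
import re

# Selected control-channel lines copied from the transcript in the message above.
TRANSCRIPT = """\
> AUTH SSL
< 234 AUTH TLS-P/SSL OK.
> PROT P
< 200 PROT P OK, data channel will be secured.
> PORT 216,104,80,200,190,208
< 200 PORT command successful.
> STOR 471700542043000000111020050303.bsi
< 425 Can't build data connection: Connection refused.
"""

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(arg):
    """RFC 959 host-port: h1,h2,h3,h4,p1,p2 -> (ip, p1*256 + p2)."""
    m = HOSTPORT.search(arg)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % arg)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % arg)
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def summarize(transcript):
    """Report who opens the data connection, to where, and how it ended."""
    info = {"mode": None, "endpoint": None, "tls_control": False, "data_reply": None}
    last_cmd = ""
    for line in transcript.splitlines():
        if line.startswith("> "):
            last_cmd = line[2:].split(" ", 1)[0].upper()
            if last_cmd == "PORT":          # active: server connects to client
                info["mode"], info["endpoint"] = "active", decode_hostport(line)
        elif line.startswith("< "):
            code = line[2:5]
            if last_cmd == "AUTH" and code == "234":
                info["tls_control"] = True  # later commands are encrypted on the wire
            elif last_cmd == "PASV" and code == "227":  # passive: client connects out
                info["mode"], info["endpoint"] = "passive", decode_hostport(line)
            elif last_cmd in ("STOR", "RETR", "LIST") and code.isdigit():
                info["data_reply"] = int(code)
    return info

if __name__ == "__main__":
    print(summarize(TRANSCRIPT))
```

For the posted session this reports active mode with the server told to connect to 216.104.80.200:48848, which matches curl's "Telling server to connect to NATport:48848" line, followed by the 425 reply. Because AUTH SSL succeeded before PORT was sent, the PORT line travelled encrypted, so a NAT device on the path could not have inspected or rewritten it.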