curl-users
Re: FTP/SSL issue; Help!
Date: Tue, 7 Apr 2009 09:46:46 -0400
I did some further investigation and also contacted the "server"
company, and here is what they said:
"Your FTP client must also be able to send the CCC (clear control
channel) command and support sever authentication. Client
authentication is not supported". I am not very clear on what exactly
they mean by server and client authentication.
I tried --ftp-ssl-ccc (jnstead of --ftp-ssl), but it failed right away
at the USER command saying that the "Server policy requires that all
clients be secured. Access denied 503". I also tried changing the CCC
mode to active (--ftp-ssl-ccc-mode active), but got the same error.
I have asked them if they use a specific port range for passive
connections, and am waiting for a response.
Thanks
On Tue, Apr 7, 2009 at 2:01 AM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>
>> "Max" <maxshop01_at_gmail.com> wrote in message
>> news:a4e55e0c0904061944o6237f1a2l7aef1044400b99ae_at_mail.gmail.com...
>> I have one other question... is it necessary to open ALL "high" ports
>> (1023 and above) or can I specify a range? Thanks
>
> For pasv that depends on the server capabilities. In pasv mode the server
> listens to a port and the tells the client to connect to it. Some servers
> hav the option to restrict the ports they can listen on.
>
>
> On Mon, Apr 6, 2009 at 1:51 PM, Max <maxshop01_at_gmail.com> wrote:
>>
>> Thanks Marcus. I got confirmation from the Admin that there is a
>> firewall indeed.
>>
>> We are not having any issues for regular passive FTP (i.e. non-SSL)
>> connections to other FTP sites. I believe that this is because the
>> command channel is not encrypted and the firewall can determine
>> accordingly. Right?
>>
>> As for the FTP with SSL connection issue, is opening the "high" TCP
>> ports >1023 the only solution?
>>
>> Thanks again.
>>
>> On Sun, Apr 5, 2009 at 8:32 AM, Markus Moeller <huaraz_at_moeller.plus.com>
>> wrote:
>>>
>>>> "Max" <maxshop01_at_gmail.com> wrote in message
>>>> news:a4e55e0c0904041508x7a5a63e4yfdd1ac6cd7433e6e_at_mail.gmail.com...
>>>> So are these all issues firewall related? Is the firewall blocking
>>>> curl from connecting? Sorry for the newbie question. I'll double-check
>>>> with our Admin to make sure that there is no firewall.
>>>
>>>
>>> There are two issues with "stateful" firewalls:
>>>
>>> Firstly if address translation is done, the firewall usally analyses the
>>> ftp
>>> command connection and looks for keywords like (E)PASV and (E)PORT and
>>> then
>>> changes the IP-address with the translated IP-address. With an encrypted
>>> command channel the firewall can not do that anymore. curl has the
>>> --ftp-skip-pasv-ip option to deal with this issue for pasv connections.
>>>
>>> Secondly the firewall usually blocks all connections, but if ftp is
>>> allowed
>>> the firewall looks for keywords like (E)PASV and (E)PORT in the command
>>> connection and then opens dynamically the required. Again with an
>>> encrypted
>>> command channel the firewall can not do that and you need the configure
>>> the
>>> firewall so that all connection on all high ports >1023 are allowed from
>>> your client for pasv ftp.
>>>
>>> Regards
>>> Markus
>>>
>>> -------------------------------------------------------------------
>>> List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
>>> FAQ: http://curl.haxx.se/docs/faq.html
>>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>>
>>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
> FAQ: http://curl.haxx.se/docs/faq.html
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>
> Regards
> Markus
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
> FAQ: http://curl.haxx.se/docs/faq.html
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-04-07