curl-users

Problems with FTPS through HTTP proxy (long)

From: Zero Uno <zerozerounouno_at_gmail.com>
Date: Thu, 11 Dec 2014 14:59:25 +0100

Hi,
I need to use curl to transfer files using FTPS (explicit, on port 21)
through an HTTP proxy, but I'm having a hard time doing it.
The HTTP proxy is Blue Coat ProxySG, while I do not know the FTP server
used (might be vsftpd). The FTP server certificate is self-signed.

This is the output of curl --version, on the client machine which is RHEL
6.3:

curl 7.39.0 (x86_64-unknown-linux-gnu) libcurl/7.39.0 OpenSSL/1.0.1e zlib/1.2.3 c-ares/1.9.1 libidn/1.18 libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz Metalink

The first problem is that I cannot use an encrypted DATA connection.
If I try this:

curl -v -k --ftp-ssl-reqd --proxy <proxyaddress:port> --proxytunnel ftp://<user:pw>@<ftpserver>//filepath

...I get this error:

curl: (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note that the error only appears when curl tries to open the DATA
connection. The encrypted login is fine.

I get the same error when trying the "-1" option, and also if using
--ftp-ssl instead of --ftp-ssl-reqd.

I tried using "-3":

curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Using "-2":

curl: (35) Unknown SSL protocol error in connection to <ftpserver>:21

Thinking about a self-signed server certificate issue, I also tried passing
the server certificate to curl with --cacert and removing the -k option,
but the result is the same.

Also please note that FileZilla instead, as far as I can understand from
its log, can successfully transfer the file using FTPS over an encrypted
data channel from the same FTP server through the same proxy. I do not see
any options in FileZilla to only encrypt the login connection.

Now... I can successfully connect using the --ftp-ssl-control to only
encrypt the login and use non-encrypted data transfers. But then a new
problem creeps in: when the data transfer is initiated, the HTTP proxy
sends a string:

HTTP/1.1 200 Connection established

This string is inserted INTO THE DOWNLOADED FILE!

So, if for example curl was expecting an XML file of 1500 bytes, the saved
file will be a corrupt XML because it will begin with that HTTP string
_and_ it will be truncated before the transfer is complete! I suppose it is
truncated because some of the expected 1500 bytes are taken up by the extra
string and the transfer is terminated anyway when the expected number of
bytes has been reached.

Maybe this would not happen if the data transfer was encrypted.

So... any ideas about this problem? Do you think it is libcurl's fault, or
is the proxy behaving badly with that string?
Why cannot curl use SSL for data?
Why does it insert the string into the file?

Thank you for any help!

-- 
01

Received on 2014-12-11
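
Added example, not part of the original mail and not curl code: a check for the corruption described above, where a proxy's reply to CONNECT lands at the start of the saved file and the real payload is cut short by the same number of bytes. The function name, the returned fields and the sample data are hypothetical; it assumes the injected text is an HTTP status line, optionally followed by header lines and a blank line.

```python
import re

# Status line of a proxy's reply to CONNECT, e.g. "HTTP/1.1 200 Connection established".
_STATUS = re.compile(rb"HTTP/1\.[01] \d{3}[^\r\n]*\r?\n")
# Zero or more "Name: value" header lines, then the blank line that ends the header block.
_HEADERS = re.compile(rb"(?:[A-Za-z0-9-]+:[^\r\n]*\r?\n)*\r?\n")


def inspect_download(data: bytes, expected_size: int) -> dict:
    """Report whether a saved file starts with a proxy CONNECT response.

    prefix_len is the number of injected bytes; missing is how many bytes of
    the real file are absent, given the size the server announced.
    """
    prefix_len = 0
    status = _STATUS.match(data)
    if status:
        prefix_len = status.end()
        # Assumption: if a header block follows, it ends at the first blank line.
        headers = _HEADERS.match(data, prefix_len)
        if headers:
            prefix_len = headers.end()
    payload = data[prefix_len:]
    return {
        "contaminated": prefix_len > 0,
        "prefix_len": prefix_len,
        "payload": payload,
        "missing": max(expected_size - len(payload), 0),
    }


# Constructed sample: a 1500-byte XML file, and the same transfer as the mail
# describes it (proxy text first, total still capped at 1500 bytes).
SAMPLE_XML = (b'<?xml version="1.0"?>\n<r>' + b"x" * 1500)[:1500]
SAMPLE_PREFIX = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_SAVED = (SAMPLE_PREFIX + SAMPLE_XML)[:1500]

if __name__ == "__main__":
    report = inspect_download(SAMPLE_SAVED, expected_size=1500)
    print(report["contaminated"], report["prefix_len"], report["missing"])
```

A non-zero `missing` on a contaminated file means stripping the prefix is not enough: the tail of the file was never written and the transfer has to be repeated.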