curl-library
RE: Unknown SSL protocol error
Date: Fri, 18 Aug 2006 10:06:19 -0500
Dan - I want to give you an update.
I have some news on using FTP over SSL against a WS-FTP server.
I've been able to make a connection and transfer files (upload and
download) against a WS-FTP server configured with client certificates
disabled using my pycurl script.
But so far no success when both client and server certificates
are involved. I installed a 30-day free trial of JSCAPE and have
exactly the same problem (works on the server with cc's disabled but
not when client and server certificates are involved).
(JSCAPE is 3 times slower than libcurl)
Dan - you wrote the following to Holger Paffrath:
> On Fri, 16 Apr 2004, Holger Paffrath wrote:
>> I'm trying to connect to an FTP server over SSL (WS_FTP) which has both the
>> command and data streams encrypted.
> Is this curl 7.11.1?
>> Any help appreciated in pointing me in the right direction.
> Did you compile it yourself? If so, can you try disabling the session-ID cache
> in lib/ssluse.c:1051 to see if that is what causes this problem?
Do you know if this was ever tried? If it hasn't, I would like to try it
if I can figure out how to get the 7.15 source on my Linux box, re-compile
it and integrate it with pycurl (no small task for me - I'm Linux-challenged).
There are three reasons (maybe not very good reasons) that I think
session-ID cache might be involved.
1) Because you thought so in April of 2004 and you know things!
2) My colleague Bill found this post on the Ipswitch forums:
http://www.ipswitch.com/forums/shwmessage.aspx?forumid=8&messageid=10401
Here's what caught my eye in this post:
>> when I issue an 'ls' command, or do any other function requiring a data
>> channel, it gives an SSL error and disconnects me.
>> I have also attempted connecting from CUTEFTP (a different Windows FTP Client).
>> This works just fine with default settings. However, the CuteFTP client has an
>> option in the SSL section of the configuration called "Reuse cached session for
>> data connection". When I turn this on, I get the exact same problem as I do
>> with the Linux LFTP client.
There's more in this post but the above is what seemed relevant.
I wrote this guy but haven't heard back yet - I'll keep you posted.
3) The following verbose debug lines seem to indicate that right after the
data connection it tries to verify the server certificate and in line 58
there is something about re-using the session ID. Right after that, we get
the SSL problem.
53 < 150 Opening BINARY data connection for jimL.txt
54 * Doing the SSL/TLS handshake on the data stream
55 * successfully set certificate verify locations:
56 * CAfile: /home/winsld/certs/server01.pem
57 CApath: none
58 * SSL re-using session ID
59 * Unknown SSL protocol error in connection to xxx
60 * Remembering we are in dir gateway/pointerUpload/data/
61 * Uploaded unaligned file size (0 out of 206848 bytes)
62 * Connection #0 to host xxx left intact
63 * Closing connection #0
When I run my script on the server with client certificates disabled, the
output is EXACTLY the same up until line 58 - and then we get
59 * SSL connection using DHE-RSA-AES128-SHA
60 * Server certificate:
61 * subject: xxx
62 * start date: 2006-07-17 15:57:53 GMT
63 * expire date: 2016-07-17 21:57:52 GMT
64 * issuer: xxx
65 * SSL certificate verify ok.
66 * Remembering we are in dir gateway/pointerUpload/data/
67 < 226 transfer complete
68 * Connection #0 to host doaftp03.doa.state.wi.us left intact
69 > QUIT
70 < 221 Good-Bye
71 * Closing connection #0
72 00001 seconds
So, the above is for your information.
My main question to you is:
Do you still think it would be worth disabling the session-ID
cache in lib/ssluse.c:1051 and giving that a try?
Do you know how Holger made out with this?
THANKS Dan
Dave
Received on 2006-08-18
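Added example (not code from the post, from curl or from pycurl): a small triage script for the kind of verbose trace quoted above. It walks libcurl's "*" info lines and "<" FTP replies, tracks the most recent TLS handshake, and reports which channel it ran on, whether libcurl said it was re-using a cached session ID, and whether the handshake finished (a cipher line) or failed (an SSL error line). The two sample traces are the ones in the post with the numeric prefixes stripped; since the post says the working trace is identical up to the "re-using session ID" line, that common prefix is reused for both. The names `TlsTriage`, `triage` and `resumption_suspect` are my own.

```python
"""Triage of curl verbose output for an FTPS transfer that dies on the data channel.

Added example, not code from the mailing-list post or from curl/pycurl.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the two debug traces quoted in the post, numeric line prefixes
# removed. The post states the working trace matches the failing one up to the
# "re-using session ID" line, so that prefix is shared here.
COMMON_PREFIX = """\
< 150 Opening BINARY data connection for jimL.txt
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
*   CAfile: /home/winsld/certs/server01.pem
  CApath: none
* SSL re-using session ID
"""

FAILING_LOG = COMMON_PREFIX + """\
* Unknown SSL protocol error in connection to xxx
* Remembering we are in dir gateway/pointerUpload/data/
* Uploaded unaligned file size (0 out of 206848 bytes)
* Connection #0 to host xxx left intact
* Closing connection #0
"""

WORKING_LOG = COMMON_PREFIX + """\
* SSL connection using DHE-RSA-AES128-SHA
* Server certificate:
*        subject: xxx
*        start date: 2006-07-17 15:57:53 GMT
*        expire date: 2016-07-17 21:57:52 GMT
*        issuer: xxx
*        SSL certificate verify ok.
* Remembering we are in dir gateway/pointerUpload/data/
< 226 transfer complete
* Connection #0 to host doaftp03.doa.state.wi.us left intact
> QUIT
< 221 Good-Bye
* Closing connection #0
"""

# Matches libcurl failure lines such as "Unknown SSL protocol error in connection to ..."
SSL_ERROR = re.compile(r"\bSSL\b.*\berror\b", re.IGNORECASE)


@dataclass
class TlsTriage:
    channel: str = "none"             # "control", "data" or "none"
    session_reused: bool = False      # libcurl printed "SSL re-using session ID"
    cipher: Optional[str] = None      # set only if the handshake completed
    error: Optional[str] = None       # libcurl's error line if it did not
    last_reply: Optional[str] = None  # last 3-digit FTP reply code seen


def triage(log: str) -> TlsTriage:
    """Walk the trace and keep the state of the most recent TLS handshake."""
    t = TlsTriage()
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("< "):            # FTP reply on the control channel
            t.last_reply = line[2:5]
            continue
        if not line.startswith("*"):         # sent commands ('>') and other lines
            continue
        msg = line.lstrip("* ")
        if "handshake on the data stream" in msg:
            # New handshake for the data connection: reset per-handshake state.
            t.channel, t.session_reused, t.cipher, t.error = "data", False, None, None
        elif msg.startswith("successfully set certificate verify") and t.channel == "none":
            t.channel = "control"            # first TLS setup seen is the control channel
        elif msg.startswith("SSL re-using session ID"):
            t.session_reused = True
        elif msg.startswith("SSL connection using "):
            t.cipher = msg[len("SSL connection using "):]
        elif SSL_ERROR.search(msg):
            t.error = msg
    return t


def resumption_suspect(t: TlsTriage) -> bool:
    """True when the data-channel handshake tried to resume a cached session and
    failed before any cipher was negotiated: the pattern the post asks about."""
    return t.channel == "data" and t.session_reused and t.error is not None and t.cipher is None


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        t = triage(log)
        print(f"{name}: {t}  suspect resumption: {resumption_suspect(t)}")
```

Run it as-is and it prints the triage for both traces: the failing one is flagged (data channel, session reused, error, no cipher), the working one is not. The matching is on libcurl's human-readable info strings, which differ between releases, so adjust the patterns to the version whose trace you are reading. In libcurl releases later than the one the post discusses (7.16.0 onwards) the session-ID cache can be switched off per handle with CURLOPT_SSL_SESSIONID_CACHE (pycurl.SSL_SESSIONID_CACHE set to 0), which is the direct way to test the hypothesis without editing lib/ssluse.c.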