Unsecure passive FTP sessions forcing SSL

jbriscoe
Posts: 6
Joined: Mon Nov 22, 2010 7:09 pm

Unsecure passive FTP sessions forcing SSL

Post by jbriscoe »

All of this pertains to passive ftp only.

We have a problem with unsecured ftp sessions. Wing FTP is forcing an SSL connection to the client which is causing a couple of problems for us. First, the site is not usable by a client that is not SSL-capable. Second, our server sits behind a firewall which handles address translation for passive connections, i.e. it will translate our internal IP to the external IP when it passes through, however this is not occurring because Wing is sending encrypted data when it shouldn't be. This can be verified by using a non-ssl enabled FTP client, for example:

# ldd /usr/bin/ftp
linux-vdso.so.1 => (0x00007fffd6279000)
libreadline.so.6 => /lib/libreadline.so.6 (0x00007f25d5e81000)
libncurses.so.5 => /lib/libncurses.so.5 (0x00007f25d5c3d000)
libc.so.6 => /lib/libc.so.6 (0x00007f25d58b9000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f25d56b5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f25d60e0000)

As you can see, this client has not been compiled with any ssl/tls libraries. Regardless of what we tell WingFTP to use for our external IP address, this client can not get a passive connection and will hang because Wing is trying to send encrypted data to it:

# ftp -p cc
Connected to cc.
220 Wing FTP Server 3.6.6 ready...
Name (cc:johnb): test
331 Password required for test
Password:
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
<HANG>

Using vsftpd, passive works flawlessly. Our firewall is able to translate the passive addresses when it passes through and we have no problems. Can you please address this? Please let me know if you need any more information.

Thank you
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Unsecure passive FTP sessions forcing SSL

Post by FTP »

Hi, jbriscoe

I think your problem was not caused by SSL; your client connects to the server via normal FTP, not SSL.

As you said, the problem may be caused by passive mode. Please check out the KB article for setting it up:
http://www.wftpserver.com/bbs/viewtopic.php?f=5&t=5
jbriscoe
Posts: 6
Joined: Mon Nov 22, 2010 7:09 pm

Re: Unsecure passive FTP sessions forcing SSL

Post by jbriscoe »

Hello,

I know my client (in that example) is connecting via normal FTP, not SSL. I went out of my way to demonstrate that fact to you by showing you that my client was not built against any SSL libraries. The problem is that even though I am connecting with regular FTP, Wing is attempting to encrypt data to my client - which is when it hangs. Our firewall is not able to inspect (and translate) the CMD channel messages from the server because they are encrypted.

My client should see something like:

227 Entering Passive Mode (192,168,0,1,252,70) if the passive external ip address is not properly configured, or
227 Entering Passive Mode (An.External.Ip.Here,252,70) if it is.

My client receives neither, it receives an encrypted response from the server at that point. Our firewall will automatically translate our internal IP to our external IP when it passes through, but it can't do it in this instance because it's encrypted (and my client is unable to communicate via SSL.) We need the CMD channel to go out unencrypted, and encrypting the DATA (in a secure connection) at that point is fine.

I can configure vsftpd to have an identical configuration (passive address, ports, etc) and it works because those CMD channel messages are not encrypted.
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Unsecure passive FTP sessions forcing SSL

Post by FTP »

Your issue is very strange, but I think Wing FTP Server won't force SSL as you said. The only possible thing is: your client sends an FTP command "AUTH SSL" or "AUTH TLS", then the session will use an SSL connection.

You can also check our demo server, which is also running under Linux: www.wftpserver.com/onlinedemo.htm
jbriscoe
Posts: 6
Joined: Mon Nov 22, 2010 7:09 pm

Re: Unsecure passive FTP sessions forcing SSL

Post by jbriscoe »

I can verify this by simply using telnet to our server, here is a comparison with 2 telnet sessions:

VSFTPD:

# telnet 192.168.0.1 21
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
220 (vsFTPd 2.2.2)
USER test
331 Please specify the password.
PASS password
230 Login successful.
PWD
257 "/home/test"
PASV
227 Entering Passive Mode (192,168,0,1,126,54).

WINGFTP:

# telnet 192.168.0.1 21
Trying 192.168.0.1...
Connected to our.ftpserver.com.
Escape character is '^]'.
220 Wing FTP Server 3.6.6 ready...
USER test
331 Password required for test
PASS password
230 User test logged in.
PWD
257 "/" is current directory.
PASV
<HANG>

I do not get either internal or external IP (and port information) when I send the PASV command as I should. What's interesting is that this does not occur on your test server.

# telnet demo.wftpserver.com 21
Trying 216.18.195.46...
Connected to demo.wftpserver.com.
Escape character is '^]'.
220 Wing FTP Server 3.7.2 ready...
USER demo-user
331 Password required for demo-user
PASS demo-user
230 User demo-user logged in.
PWD
257 "/" is current directory.
PASV
227 Entering Passive Mode (216,18,195,46,4,7)

Is there another setting that could be causing this? I've been through the WingFTP configuration and haven't seen anything that could be related. If you'd like I can privately give you a test login and password to our ftp server and you can verify yourselves.
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Unsecure passive FTP sessions forcing SSL

Post by FTP »

First, try to upgrade to the latest version 3.7.2.

And our demo server does not have any special settings; you can check out the demo server settings via web admin.

I think your issue is caused by a failure to open the port. Please check out the KB article that I referred to previously: http://www.wftpserver.com/bbs/viewtopic.php?f=5&t=5, especially the passive port range. Normally you can specify a passive port range from 1024 to 1096; please make sure you have sufficient rights to open the port.
jbriscoe
Posts: 6
Joined: Mon Nov 22, 2010 7:09 pm

Re: Unsecure passive FTP sessions forcing SSL

Post by jbriscoe »

It turns out this was caused by our firewall attempting to do some translation on FTP packets going to port 21. I'm still not sure why vsftpd worked fine on the same port, but it looks like it's all working now.

Thanks for the help!
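
An added diagnostic, not part of the thread or of either server's code: it decodes the 227 replies quoted in the posts above and flags the conditions discussed here (an advertised data address that differs from the control-connection peer, a private address handed to a public client, a port outside the configured passive range). The function names are hypothetical, and the scenario pairing the internal 192.168.0.1 reply with a public peer is constructed from values in the thread.

```python
import ipaddress
import re

# Matches the (h1,h2,h3,h4,p1,p2) tuple of a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply line, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2

def check_pasv(reply, control_peer, port_range=None):
    """List problems with a 227 reply as seen by a client connected to control_peer."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    findings = []
    if ip != peer:
        findings.append("data address %s differs from control peer %s" % (ip, peer))
    if ip.is_private and not peer.is_private:
        findings.append("private address %s advertised to a public client" % ip)
    if port_range and not (port_range[0] <= port <= port_range[1]):
        findings.append("port %d outside passive range %d-%d" % (port, *port_range))
    return findings

# Constructed scenarios built from reply lines quoted in the thread:
# (reply, address the client dialled, configured passive port range or None)
SAMPLES = [
    ("227 Entering Passive Mode (192,168,0,1,126,54).", "192.168.0.1", None),
    ("227 Entering Passive Mode (216,18,195,46,4,7)", "216.18.195.46", (1024, 1096)),
    # untranslated internal address reaching an outside client (constructed pairing)
    ("227 Entering Passive Mode (192,168,0,1,252,70)", "216.18.195.46", (1024, 1096)),
]

if __name__ == "__main__":
    for reply, peer, rng in SAMPLES:
        ip, port = parse_pasv(reply)
        print("%s:%d via %s -> %s" % (ip, port, peer, check_pasv(reply, peer, rng) or "ok"))
```

Feeding it the 227 line captured on each side of the firewall shows whether the address was rewritten in transit; no 227 line at all, as in the hung sessions, means the reply never reached the client.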