Passing password before TLS AUTH?

May 8, 2013 at 12:49 PM
Edited May 8, 2013 at 1:27 PM
Edit: OK, now I get it: I used connect before setting the SSL options. Sorry for wasting your time.

Please excuse me for the newbie question, but I don't know if it's OK that when I'm connecting to FTP over TLS/SSL the password is sent before AUTH TLS. In TotalCommander the log of the connection looks like this:
Connect to: (2013-05-08 13:12:59)
hostname=ftpadresss
username=login
startdir=
ftpadresss=IPftpadresss
220 ProFTPD 1.3.3a Server (ftpaddress FTP Welcome.) [::ffff:192.168.0.2]
AUTH TLS
234 AUTH TLS successful
Cert subject: /C=PL/CN=*/C=PL/CN=*.ftpadresss/emailAddress=software@ftpadresss Cert issuer: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Level II CA
USER login
331 Password required for login
PASS ***********
230 User loginlogged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
LANG en-US.UTF-8*;en-US
MDTM
MFMT
TVFS
AUTH TLS
UTF8
MFF modify;UNIX.group;UNIX.mode;
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
PBSZ
PROT
SITE MKDIR
SITE RMDIR
SITE UTIME
SITE SYMLINK
REST STREAM
SIZE
211 End
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
OPTS UTF8 ON
200 UTF8 set to on
Connect ok!
PWD
...
So the password has been given after AUTH TLS. But when I'm using System.Net.FtpClient it's going like that:
220 ProFTPD 1.3.3a Server (ftpadress FTP Welcome.) [::ffff:192.168.0.2]
USER login
331 Password required for login
PASS <omitted>
230 User login logged in
FEAT
211-Features:
LANG en-US.UTF-8*;en-US
MDTM
MFMT
TVFS
AUTH TLS
UTF8
MFF modify;UNIX.group;UNIX.mode;
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
PBSZ
PROT
SITE MKDIR
SITE RMDIR
SITE UTIME
SITE SYMLINK
REST STREAM
SIZE
211 End
OPTS UTF8 ON
200 UTF8 set to on
220 ProFTPD 1.3.3a Server (ftpadress FTP Welcome.) [::ffff:192.168.0.2]
AUTH TLS
234 AUTH TLS successful
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
USER login
331 Password required for login
PASS <omitted>
230 User login logged in
FEAT
211-Features:
LANG en-US.UTF-8*;en-US
MDTM
MFMT
TVFS
AUTH TLS
UTF8
MFF modify;UNIX.group;UNIX.mode;
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
PBSZ
PROT
SITE MKDIR
SITE RMDIR
SITE UTIME
SITE SYMLINK
REST STREAM
SIZE
211 End
OPTS UTF8 ON
200 UTF8 set to on
PWD
Edit: I checked the connection with Wireshark; the password was sent as plaintext by System.Net.FtpClient. How do I change it?
My connection is set like this:
client.Host = ftpHost;
client.Port = ftpPort;
client.Credentials = new NetworkCredential(ftpUsername, ftpPassword);
client.Connect();
client.EncryptionMode = System.Net.FtpClient.FtpEncryptionMode.Implicit;
client.DataConnectionEncryption = true;
client.ValidateCertificate += new System.Net.FtpClient.FtpSslValidation(myCertificateValidation);
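The ordering problem visible in the two logs above can be checked mechanically. The following is an added example, not code from this thread or from System.Net.FtpClient: it walks a client-side transcript (server replies start with a three-digit code, everything else is a client command) and flags a PASS sent before the server has accepted AUTH TLS, a data-transfer command issued without PROT P, and the "500 ... not understood" reply that a TLS handshake sent to a plaintext port produces. The transcript is constructed to mirror the System.Net.FtpClient log above.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])")   # server replies start with a 3-digit code

# Constructed transcript modelled on the System.Net.FtpClient log in the post:
# a cleartext login, then a reconnect that does AUTH TLS before USER/PASS.
BAD_LOG = """220 ProFTPD Server ready
USER login
PASS <omitted>
211-Features:
 AUTH TLS
211 End
220 ProFTPD Server ready
AUTH TLS
234 AUTH TLS successful
PROT P
200 Protection set to Private
USER login
PASS <omitted>"""

def audit_transcript(text):
    """Return (line_no, finding) tuples; an empty list means explicit FTPS went right."""
    findings, tls_up, auth_sent, prot_p, multi = [], False, False, False, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = REPLY.match(line)
        if multi:  # skip the body of a multi-line reply, e.g. FEAT's list that mentions AUTH TLS
            multi = None if (m and m.group(1) == multi and m.group(2) == " ") else multi
            continue
        if m:
            code, sep = m.groups()
            multi = code if sep == "-" else None
            if code == "234" and auth_sent:
                tls_up = True                       # AUTH TLS accepted: control channel now encrypted
            elif code == "220":                     # greeting: a fresh connection, state starts over
                tls_up = prot_p = False
            elif code == "500" and "not understood" in line and not tls_up:
                findings.append((no, "TLS handshake sent to a plaintext port"))
            elif code == "200" and "Protection set to Private" in line:
                prot_p = True
            auth_sent = False
            continue
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "AUTH":
            auth_sent = True
        elif cmd == "PASS" and not tls_up:
            findings.append((no, "PASS sent before TLS: password in cleartext"))
        elif cmd in ("LIST", "NLST", "MLSD", "RETR", "STOR") and not prot_p:
            findings.append((no, cmd + " without PROT P: data channel unencrypted"))
    return findings
```

Running audit_transcript over a real client log is only as good as the log: a client that hides its control channel (as TotalCommander's "PASS ***********" line does) still shows the command order, which is what matters here.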
May 8, 2013 at 1:36 PM
Edited May 8, 2013 at 1:58 PM
This is not normal; the user/pass are sent after encryption has been negotiated between the client and server. If you are using Explicit encryption the transaction should follow this sequence:
220 xyz server… 
AUTH TLS 
2xx OK 
USER xyz 
2xx Send Pass 
PASS abcd 
2xx OK, Logged in
…… 
If you are using Implicit encryption then SSL is negotiated before any communications in regards to FTP transactions take place. I'll need to see some code so I can understand why credentials would be sent before AUTH when using Explicit encryption.
May 8, 2013 at 1:55 PM
As I said in the edited post, now it seems to be OK, because I moved the line with connect after defining EncryptionMode. Now TLS AUTH is done before prompting for the password and in Wireshark it is encrypted. I cannot use Implicit mode; I don't know if the FTP is using 990 or 21 to auth (I tried to set the port to 21 after defining EncryptionMode as well). When I tried that I got:
Response: 500 \200F\001\003\001 not understood
Response: 500 Invalid command: try being more creative.
May 8, 2013 at 2:01 PM
I didn't see the edit, replied from my email client. Implicit SSL connections are by default on port 990. What you're seeing above, to put it simply, is System.Net.FtpClient sending encrypted communication to the server which is expecting plain text so all it sees is gibberish.
May 8, 2013 at 2:18 PM
Yep, I get it, thanks for the help ;]
May 9, 2013 at 10:46 AM
Another day, another struggle. I'm connecting to FTPS using Explicit; all is OK on my PC, but when running on a machine in another network I'm getting:
"System.IO.IOException: The handshake failed due to an unexpected packet format."

I found your post:
Is the server you're connecting to setup to accept only SSL connections on port 21? If not you need to be using Explicit.
I'm already using Explicit; when switching to Implicit I am not able to connect on my PC (not tested on the second one yet). The FTP server is: ProFTPD 1.3.3a Server
May 9, 2013 at 12:01 PM
I can't tell you what the right answer is because I have no idea what the configurations on the servers are. All I can tell you is use Explicit on port 21 and the AUTH command will be used or use Implicit on port 990. Don't set the port number in System.Net.FtpClient unless you are using a non-standard configuration, it will automatically pick the right port otherwise.

If you want a better answer than that you need to show code and details on how the servers are configured so I can try to do more than guess.
May 9, 2013 at 3:09 PM
I will not be able to get the config of the server ;[. What I can write is: my code that uses your lib, logs from connections with your lib [good and bad], and with FileZilla [again good from one network and bad from another]. So here it is:

CODE:
// Uploads one file over explicit FTPS. ftpHost, ftpUsername, ftpPassword and
// DoUpload are members of the surrounding class and are not shown here.
public string ProcessUpload(string fileUrl, string fileName)
{
    string result = "";
    using (System.Net.FtpClient.FtpClient client = new System.Net.FtpClient.FtpClient())
    {
        try
        {
            client.Host = ftpHost;
            client.ValidateCertificate += new System.Net.FtpClient.FtpSslValidation(myCertificateValidation);
            client.Credentials = new NetworkCredential(ftpUsername, ftpPassword);   // System.Net
            // EncryptionMode must be set before Connect(), otherwise USER/PASS go out in cleartext.
            client.EncryptionMode = System.Net.FtpClient.FtpEncryptionMode.Explicit;
            client.Connect();
            client.DataConnectionEncryption = true;
            DoUpload(client, "/", fileName);
        }
        catch (Exception ex)
        {
            result += ex.ToString();
        }
        finally
        {
            client.Disconnect();
        }
    }
    return result;
}

// Accepts every server certificate, which disables certificate validation entirely.
static void myCertificateValidation(System.Net.FtpClient.FtpClient control, System.Net.FtpClient.FtpSslValidationEventArgs e)
{
    e.Accept = true;
}
LOGS FROM LIB:
GoodOne
BadOne
LOGS FROM FileZilla:
GoodOne
I will add Bad soon.
May 9, 2013 at 3:38 PM
Edited May 9, 2013 at 3:46 PM
This:
220 ProFTPD 1.3.3a Server (Faceaddicted.pl FTP Welcome.) [::ffff:192.168.0.2]
AUTH TLS
234 AUTH TLS successful
-- HERE --> Testing connectivity using Socket.Poll()...
-- HERE --> Read stale data off the socket, maybe our connection timed out.
-- HERE --> Testing connectivity using Socket.Poll()...
Tells me there is a long delay (> 15 seconds) trying to authenticate the SSL certificate. If that is the case try increasing client.SocketPollInterval to 60000, which is the equivalent of 1 minute, and see if you're able to successfully connect.
May 9, 2013 at 3:45 PM
This MSDN blog covers slow certification authentication with SslStream which is what System.Net.FtpClient uses under the hood. This thread also covers the same issue with ProFTPd.
May 10, 2013 at 10:34 AM
Firstly, thank you so much for help. I really appreciate that.
Now what happens: I ran FileZilla on the second PC and it fails also. Same error as with FtpClient. It seems that on that second PC there is some kind of problem with certificates. That PC is in a domain with a lot of security stuff. I have informed the admin about that problem and I'm waiting for a resolution from him.