Author Topic: Explicit FTP over port 990 works but not over 21

FrankMartens (New user)
Explicit FTP over port 990 works but not over 21
« on: September 17, 2009, 05:35:57 pm »
ProFTPD on AIX...

So I have a really strange problem... Implicit FTP SSL does not work over control port 990 but Explicit FTP works. ALSO! Implicit AND Explicit FTP SSL do NOT work over 21.

So... here's what I'm trying to figure out... why does Explicit FTP SSL NOT work over control port 21?

Here's my config file (removed certain details for security)...
Code:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#
ServerName              "ProFTPD AIX Installation"
ServerType              inetd
DefaultServer           on
TimeoutIdle             600
TimeoutNoTransfer       600
TimeoutStalled          0

# Uncomment and SIGHUP inetd for debugging.
DebugLevel              9
SystemLog               /var/log/proftpd_debug.log
#
ServerIdent             off
UseReverseDNS           off
IdentLookups            off
#
PassivePorts            59200   59299           # These should be safe
#
# Port 21 is the standard FTP port.
Port                    21
Umask                   022
MaxInstances            10

# Set the user and group under which the server will run.
User                    nobody
Group                   nobody
#
<Limit LOGIN>
        AllowUser               <USER LIST>
        DenyAll
</Limit>
#
<Directory />
        AllowOverwrite          on
</Directory>
#
########################################################
# TLS
#
<IfModule mod_tls.c>
TLSEngine       on
TLSProtocol     SSLv23
TLSRequired     on
TLSRenegotiate  none
TLSOptions      ExportCertData StdEnvVars NoCertRequest
#TLSOptions     EnableDiag
TLSVerifyClient off
TLSRSACertificateFile    <SIGNED crt file>
TLSRSACertificateKeyFile    <SIGNED key file>
TLSCACertificateFile        <INTERMED crt file>
TLSLog  /var/log/proftpd_tls.log
</IfModule>
#

Here's the /var/log/proftpd_debug.log file (server and ips removed for security)....
Code:
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): ROOT PRIVS at scoreboard.c:761
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): RELINQUISH PRIVS at scoreboard.c:763
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): ROOT PRIVS at scoreboard.c:791
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): RELINQUISH PRIVS at scoreboard.c:822
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): ident lookup disabled
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): connected - local  : <local ip>:21
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): connected - remote : <remove ip>:36421
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): FTP session opened.
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): dispatching PRE_CMD command 'AUTH TLS' to mod_tls
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): dispatching PRE_CMD command 'AUTH TLS' to mod_core
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): dispatching PRE_CMD command 'AUTH TLS' to mod_core
Sep 17 13:01:36 <server> proftpd[3776738] <server> (<ip>): dispatching CMD command 'AUTH TLS' to mod_tls
Sep 17 13:01:37 <server> proftpd[3776738] <server> (<ip>): mod_tls/2.1.2: scrubbing 1 passphrase from memory
Sep 17 13:01:37 <server> proftpd[3776738] <server> (<ip>): FTP session closed.

Here's the /var/log/proftpd_tls.log file (servers and ips removed for security)...
Code:
Sep 17 13:01:36 mod_tls/2.1.2[3776738]: TLS/TLS-C requested, starting TLS handshake
Sep 17 13:01:37 mod_tls/2.1.2[3776738]: unable to accept TLS connection:
  (1) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Sep 17 13:01:37 mod_tls/2.1.2[3776738]: TLS/TLS-C negotiation failed on control channel

I have spent hours trying everything imaginable under the sun except for a recompile (which I'd like to avoid but maybe the compile was messed up somehow). The only thing I found to work was switching Explicit FTP to use port 990 for control.

Ok now here's what's weird... Explicit FTP SSL works on another AIX server (same version) using port 21 with no problems!
-Frank Martens
"The face of a child can say it all, especially the mouth part of the face." -Jack Handey
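The useful part of the log above is the OpenSSL error code on the wrapped line, and it is easy to misread: "tlsv1 alert decrypt error" does not mean the server failed to decrypt anything, it means the server *received* a TLS alert from the other end of the control connection, and OpenSSL records a received alert N as reason code 1000+N. The following script is an added editorial example (not ProFTPD code and not something from the original post); it parses a constructed copy of the mod_tls log lines quoted above, decodes the packed error code into its library/function/reason fields, and reports which alert the peer sent. Seeing that the failure is a peer alert, rather than a local certificate or key error, is exactly what separates "my server is misconfigured" from "something between the client and port 21 is altering the handshake", which is the question the rest of the thread turns on.

```python
import re

# Constructed sample: the mod_tls log lines quoted in the post above
# (the OpenSSL error sits on an indented continuation line, as in the original).
SAMPLE_TLS_LOG = """\
Sep 17 13:01:36 mod_tls/2.1.2[3776738]: TLS/TLS-C requested, starting TLS handshake
Sep 17 13:01:37 mod_tls/2.1.2[3776738]: unable to accept TLS connection:
  (1) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Sep 17 13:01:37 mod_tls/2.1.2[3776738]: TLS/TLS-C negotiation failed on control channel
"""

# OpenSSL packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
# In the SSL library, reasons >= 1000 mean "peer sent TLS alert (reason - 1000)".
ERR_LIB_SSL = 20
ALERT_REASON_BASE = 1000

# TLS alert descriptions (RFC 4346 section 7.2) that show up in FTPS trouble tickets.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    51: "decrypt_error",
    70: "protocol_version",
}

LOG_LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) mod_tls/[\d.]+\[(\d+)\]: (.*)$")
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into lib/func/reason and name the
    peer's TLS alert when the reason field encodes one."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_REASON_BASE:
        number = reason - ALERT_REASON_BASE
        alert = TLS_ALERTS.get(number, "alert_%d" % number)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}


def parse_tls_log(text):
    """One event per timestamped line; indented OpenSSL error lines are
    attached to the event that precedes them."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            events.append({"time": m.group(1), "pid": int(m.group(2)),
                           "msg": m.group(3), "errors": []})
        elif events and line.startswith(" "):
            e = OPENSSL_ERR_RE.search(line)
            if e:
                info = decode_openssl_error(int(e.group(1), 16))
                info.update(function=e.group(3), text=e.group(4))
                events[-1]["errors"].append(info)
    return events


def diagnose(text):
    """Summarise a session's handshake outcome: did it start, did it fail,
    and if the failure was an alert, which alert did the peer send."""
    summary = {"pid": None, "handshake_started": False,
               "negotiation_failed": False, "peer_alert": None}
    for ev in parse_tls_log(text):
        summary["pid"] = ev["pid"]
        if "starting TLS handshake" in ev["msg"]:
            summary["handshake_started"] = True
        if "negotiation failed" in ev["msg"]:
            summary["negotiation_failed"] = True
        for err in ev["errors"]:
            if err["peer_alert"]:
                summary["peer_alert"] = err["peer_alert"]
    return summary


if __name__ == "__main__":
    print(diagnose(SAMPLE_TLS_LOG))
```

For the code in the log, 0x1409441B decodes to lib 20 (SSL routines), func 148 (SSL3_READ_BYTES, as the log text itself says) and reason 1051, i.e. alert 51, decrypt_error. Per RFC 4346 that alert is raised by the side that could not verify a handshake message (a signature, a key exchange or the Finished MAC). Since the same build and certificate negotiate cleanly on the sibling server and on port 990, the practical check is a packet capture on both sides of the suspected device, comparing the ServerHello/Certificate bytes the server sent with the bytes the client actually received.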

FrankMartens (New user)
Re: Explicit FTP over port 990 works but not over 21
« Reply #1 on: September 17, 2009, 05:37:07 pm »
Forgot to give proftpd version and openssl version (same on both servers)...
Code:
- ProFTPD Version: 1.3.1 (stable)
 -   Scoreboard Version: 01040002
 -   Built: Wed Nov 28 13:00:45 EST 2007
 -     Module: mod_core.c
 -     Module: mod_xfer.c
 -     Module: mod_auth_unix.c
 -     Module: mod_auth_file/0.8.3
 -     Module: mod_auth.c
 -     Module: mod_ls.c
 -     Module: mod_log.c
 -     Module: mod_site.c
 -     Module: mod_delay/0.6
 -     Module: mod_auth_pam/1.0.1
 -     Module: mod_tls/2.1.2

OpenSSL> version
OpenSSL 0.9.8i 15 Sep 2008
OpenSSL>
-Frank Martens

castaglia (Administrator, Support Hero, http://www.castaglia.org/)
Re: Explicit FTP over port 990 works but not over 21
« Reply #2 on: September 17, 2009, 06:32:48 pm »
ProFTPD's mod_tls did not support implicit FTPS until quite recently; see:

  http://bugs.proftpd.org/show_bug.cgi?id=3266

(This was done because implicit FTPS was dropped from the RFCs; unfortunately there are still many clients which continue to use this now-deprecated and outdated method.)

Do you have any routers, firewalls, NAT devices which filter traffic to port 21?  Such devices often cause problems when they can no longer inspect the plaintext traffic, such as when encryption is used.

FrankMartens (New user)
Re: Explicit FTP over port 990 works but not over 21
« Reply #3 on: September 17, 2009, 06:42:02 pm »
Ok that I understood. But the client is not using Implicit FTPS but Explicit.

My only conclusion is that I think you're right about the router/firewall. I've beat around in circles with the network teams and they claim that the routers are the same between the two different servers (like I said... this works on one server but not the other with the same software versions). But my theory is that somehow one of the routers is sniffing or monitoring traffic on port 21 but it isn't on port 990.
-Frank Martens

castaglia (Administrator, Support Hero)
Re: Explicit FTP over port 990 works but not over 21
« Reply #4 on: September 17, 2009, 06:58:00 pm »
How about other non-standard ports for FTP, e.g. 234 or 111 or somesuch?  Something the firewall/routers wouldn't expect?

FrankMartens (New user)
Re: Explicit FTP over port 990 works but not over 21
« Reply #5 on: September 17, 2009, 07:10:53 pm »
Well... Explicit FTP is working over 990 ... so I'm not going to worry about it too much.

But here's another question that I just thought of... would the firewall still flip out over Explicit FTP even though the initial part of the connection is being communicated in clear text? Or did I misunderstand Explicit FTP?
-Frank Martens

castaglia (Administrator, Support Hero)
Re: Explicit FTP over port 990 works but not over 21
« Reply #6 on: September 17, 2009, 08:41:29 pm »
Well, it depends on the network device in question at that point.  Some firewalls/routers/NAT only seem to care when they can't read the PORT commands (for dynamically opening the requested port); others seem to cause problems whenever they can't read _anything_ on the control connection.
