Proxy/TLS bug in latest -- 2.1 (924) {fixed}
phrek
08-18-2003, 03:01 AM
I have found a bug with the handling of proxy/tls listings in flash. It doesn't seem to handle list connections (I haven't checked download/upload/fxp connections) over ssl with a proxy.
flash connects fine over ssl/tls with a proxy, however, when the ftp server option "Secure File Listing" is selected it does not work as it should. I believe it initiates the tlsneg() on the wrong ip, on the proxy ip instead of the ip given from the pasv command. For example (in this test I am using proxy server type 12. USER ftp-user@ftp-host:ftp-port):
PWD
257 "/" is current directory.
PROT P
200 Protection set to Private
PASV
227 Entering Passive Mode (*,*,*,*,182,189)
LIST -al
Negotiating SSL/TLS session...
150 Opening ASCII mode data connection for directory listing.
At this point it is supposed to open a socket to *.*.*.* on port 46781, but it doesn't. I think it accidentally tries to open the socket on the actual proxy server on that port, instead of using the real server's ip from the pasv command. I have tested this with various ftps and executed the session manually over a socket with tcl and have come to the conclusion it is not the ftpd or proxy that doesn't support it, but that flash is simply not opening the session to the right ip. I do suspect though the same problem probably exists with download/upload transfer but I have not confirmed that.
Please advise... I have read over ftp://ftp.isi.edu/internet-drafts/draft-murray-auth-ftp-ssl-11.txt thoroughly and have no other explanation as to why it is not working other than flash is initiating the tls negotiation on the wrong ip address.
phrek
08-18-2003, 04:47 AM
I did netstat while it was trying to negotiate the tls/ssl session ... it does use the correct server's ip and port, so there must be something else wrong that I can't guess what is... I have tested it without the proxy and flashfxp can list fine over ssl with the ftp I'm testing it with, but over a proxy it has trouble listing, which should not make a difference since the client connects to the server with the given pasv response and not the other way around -- please advise! =\
phrek
08-18-2003, 04:51 AM
I have issued the commands manually over the proxy up to the list -al and have opened up the socket on my computer locally for the list and initiate the handshake myself manually and it works fine ... so I can come up with no reason why it does not work in flash =\
phrek
08-18-2003, 05:24 AM
yet another update, this shows that it is using the wrong ip for when connected to the proxy, in this example I'm running the proxy locally... I'll post the entire session... tho in this case however it used the wrong ip because it didn't issue PBSZ before the PROT command and so it used the proxy ip...
[06:16:38] Connecting to ftp.runestig.com via Proxy (127.0.0.1:49999)
[06:16:38] Ident Server: Unable to listen on port 113
[06:16:38] 220 440 880 1760 3520 7040 14080 28160 56320 112640 225280 450560 901120 1802240
[06:16:38] USER phrek
[06:16:38] 331 662 1324 2648 5296 10592 21184 42368 84736 169472 338944 677888 1355776
[06:16:38] PASS (hidden)
[06:16:38] 230 460 920 1840 3680 7360 14720 29440 58880 117760 235520 471040 942080 1884160
[06:16:38] USER anonymous@ftp.runestig.com
[06:16:45] 331 Guest login ok, send your email address as password.
[06:16:45] PASS (hidden)
[06:16:45] 240 Proxy Login Successful
[06:16:45] SYST
[06:16:45] 230 Guest login ok, access restrictions apply.
[06:16:45] REST 100
[06:16:46] 215 UNIX Type: L8
[06:16:46] This site may not allow file resuming
[06:16:46] PWD
[06:16:46] 350 Restarting at 579844224459997284.
[06:16:46] TYPE A
[06:16:46] 257 "/" is current directory.
[06:16:46] PROT P
[06:16:47] 200 Type set to A.
[06:16:47] PASV
[06:16:47] 503 You must issue the PBSZ command prior to PROT
[06:16:47] PORT 127,0,0,1,10,50
[06:16:47] 227 Entering Passive Mode (62,108,199,166,233,51)
[06:16:48] 500 Illegal PORT rejected (address wrong).
[06:17:20] QUIT
[06:17:20] Logged off: ftp.runestig.com
phrek
08-18-2003, 05:49 AM
anyways to demonstrate what I was saying before that it doesn't work over proxy ... even if you issue the pbsz command first ... I manually entered it first and then listed and it hung just like on the other sites through the proxy.... ie this..
[06:40:40] Logged off: ftp.runestig.com
[06:40:47] Connecting to ftp.runestig.com via Proxy (127.0.0.1:49999)
[06:40:47] Ident Server: Unable to listen on port 113
[06:40:47] 220 440 880 1760 3520 7040 14080 28160 56320 112640 225280 450560 901120 1802240
[06:40:47] USER phrek
[06:40:47] 331 662 1324 2648 5296 10592 21184 42368 84736 169472 338944 677888 1355776
[06:40:47] PASS (hidden)
[06:40:47] 230 460 920 1840 3680 7360 14720 29440 58880 117760 235520 471040 942080 1884160
[06:40:47] USER anonymous@ftp.runestig.com
[06:40:51] 331 Guest login ok, send your email address as password.
[06:40:51] PASS (hidden)
[06:40:51] 240 Proxy Login Successful
[06:40:51] SYST
[06:40:52] 230 Guest login ok, access restrictions apply.
[06:40:52] REST 100
[06:40:52] 215 UNIX Type: L8
[06:40:52] This site may not allow file resuming
[06:40:52] CWD /
[06:40:52] 350 Restarting at 579844224459997284.
[06:40:52] PWD
[06:40:53] 250 CWD command successful.
[06:40:53] 257 "/" is current directory.
[06:40:53] PWD
[06:40:54] 257 "/" is current directory.
[06:40:54] List (cached)
[06:40:54] List Complete.
[06:40:57] PBSZ 1
[06:40:58] 200 PBSZ=0 successful
[06:40:58] TYPE A
[06:40:59] 200 Type set to A.
[06:40:59] PROT P
[06:41:00] 200 Protection set to Private
[06:41:00] PASV
[06:41:01] 227 Entering Passive Mode (62,108,199,166,233,144)
[06:41:01] LIST -al
[06:41:01] Negotiating SSL/TLS session...
[06:41:02] 150 Opening ASCII mode data connection for '/bin/ls'.
[06:43:21] QUIT
[06:43:21] Logged off: ftp.runestig.com
when it got to [06:41:02] 150 Opening ASCII mode data connection for '/bin/ls'. it just hung there.. I checked netstat and it was trying to connect to the right ip and port for list but it just wasn't working .... please advise =\
phrek
08-18-2003, 05:57 AM
in case you don't think it works on that site (it does) I did it in tcl with sockets using the tls1.4 package:
(bin) 145 % set sock [tls::socket arthur.runestig.com 21]
sock556
(bin) 146 % proc bahga {sock} {
> if {[eof $sock] || [catch {gets $sock line}]} {
> close $sock
> } else {
> puts $line
> }
> }
(bin) 147 % fconfigure $sock -buffering line
(bin) 148 % fileevent $sock readable [list bahga $sock]
(bin) 149 % set sock [socket arthur.runestig.com 21]
sock608
(bin) 150 % proc bahga {sock} {
> if {[eof $sock] || [catch {gets $sock line}]} {
> close $sock
> } else {
> puts $line
> }
> }
(bin) 151 % fconfigure $sock -buffering line
(bin) 152 % fileevent $sock readable [list bahga $sock]
220 arthur.runestig.com FTP server (Version 6.5/OpenBSD TLS) ready.
(bin) 153 % puts $sock "AUTH TLS"
234 AUTH TLS successful
(bin) 154 % tls::import $sock -require false -tls1 true
sock608
(bin) 155 % tls::handshake $sock
1
(bin) 156 % puts $sock "USER anonymous"
331 Guest login ok, send your email address as password.
(bin) 157 % puts $sock "PASS anonymous"
230 Guest login ok, access restrictions apply.
(bin) 159 % puts "PBSZ 1"
PBSZ 1
(bin) 160 % puts $sock "PBSZ 1"
200 PBSZ=0 successful
(bin) 161 % puts $sock "PROT P"
200 Protection set to Private
(bin) 162 % puts $sock "PASV"
(bin) 163 % 227 Entering Passive Mode (62,108,199,166,233,155)
(bin) 163 % 8216 233,155
59803
(bin) 164 % set sock2 [socket 62.108.199.166 59803]
sock612
(bin) 165 % fconfigure $sock2 -buffering line
(bin) 166 %
(bin) 166 % proc bahg2 {sock} {
> if {[eof $sock] || [catch {gets $sock line}]} {
> close $sock
> } else {
> puts stdout $line
> }
> }
(bin) 167 %
(bin) 167 % fileevent $sock2 readable [list bahg2 $sock2]
(bin) 168 % puts $sock "LIST"
(bin) 169 % 150 Opening ASCII mode data connection for '/bin/ls'.
(bin) 169 % tls::import $sock2 -require false -tls1 true
sock612
(bin) 170 % tls::handshake $sock2
1
226 Transfer complete.
total 8
dr-xr-xr-x 2 root root 40 Aug 6 1999 bin
dr-xr-xr-x 2 root root 31 Jan 9 2002 etc
dr-xr-xr-x 2 root root 132 Nov 24 2001 lib
dr-xrwxr-x 15 ftp 669 4096 May 16 13:04 pub
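Added example (not part of any post in this thread, and not FlashFXP code): a Python check over a client log in the thread's `[hh:mm:ss]` format that decodes the PASV/PORT tuple into the data endpoint (233,155 gives port 59803) and flags PROT sent without a prior PBSZ and PORT commands that advertise a non-routable address. The sample log is constructed and uses the documentation address 192.0.2.10; `host_port` and `audit` are hypothetical names.

```python
import ipaddress
import re

TUPLE_RE = re.compile(r"\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")
STAMP_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(.*)$")

def host_port(text):
    """Decode h1,h2,h3,h4,p1,p2 as used by 227 replies and PORT commands."""
    m = TUPLE_RE.search(text)
    if not m:
        raise ValueError("no host-port tuple in: " + text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range in: " + text)
    # The port is sent as two bytes, high byte first.
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def audit(log):
    """Return (data_endpoints, findings) for one control-channel log."""
    endpoints, findings, pbsz_sent = [], [], False
    for raw in log.splitlines():
        m = STAMP_RE.match(raw.strip())
        if not m:
            continue
        text = m.group(1)
        verb = text.split(" ", 1)[0].upper()
        if verb == "PBSZ":
            pbsz_sent = True
        elif verb == "PROT" and not pbsz_sent:
            findings.append("PROT sent before PBSZ")
        elif verb == "PORT":
            host, port = host_port(text)
            if not ipaddress.ip_address(host).is_global:
                findings.append(f"PORT advertises non-routable {host}:{port}")
        elif verb == "227":
            # This is where the data socket (and its TLS handshake) must go.
            endpoints.append(host_port(text))
    return endpoints, findings

# Constructed sample log, modelled on the format of the sessions above.
SAMPLE = """\
[06:16:46] PROT P
[06:16:46] 503 You must issue the PBSZ command prior to PROT
[06:16:47] PASV
[06:16:47] 227 Entering Passive Mode (192,0,2,10,233,155)
[06:16:47] PORT 127,0,0,1,10,50
[06:16:47] 500 Illegal PORT rejected (address wrong).
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The returned endpoints can be compared against what netstat shows for the client's data socket.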
Chrysalis
09-03-2003, 09:54 PM
phrek where did you get build 924 from or is it another shareware only rls?
MxxCon
09-04-2003, 09:40 AM
Originally posted by Chrysalis
phrek where did you get build 924 from or is it another shareware only rls?
difference in builds 922-924 affect only unregistered users, that's why it's not posted on liveupdate.
Chrysalis
09-04-2003, 11:30 AM
Where is it posted then?
MxxCon
09-04-2003, 05:48 PM
Originally posted by Chrysalis
Where is it posted then?
main download page
bigstar
09-04-2003, 07:33 PM
I am aware of this bug, I have prefixed this thread with {?} to denote this. I will post to the thread when I have new information or have resolved the problem.
bigstar
09-28-2003, 12:24 PM
I believe I have isolated the problem.
I'll be publishing a public beta release in a week or two here on the message board. (This release will contain other changes/fixes as well)