12-04-2004, 11:43 PM   #1
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14
proxies and SSL

I've built some kind of advanced proxy.
I'd like to allow users to connect to some SSL server through this proxy.
FlashFXP logs in to the proxy with SSL, then sends a SITE command to get on the remote server, etc.
But when the data transfer starts, there's a problem.
Flash is printing a warning 'cause the "Data Channel FingerPrint Doesn't match control Connection."
Well, it seems normal to me since the control connection is on proxy and the data comes from the remote server.

Can anyone help me to find a way to get that to work?
A log of a successful connection through a proxy and with SSL would be helpful too.

Thanks


Here's the log:



[R] Logged off: <XXXREMOVED AT POSTERS REQUESTXXX>
[R] Connecting to RemoteServer.com via Proxy -> IP=myproxy.com PORT=12345
[R] Connected to RemoteServer.com via Proxy
[R] 220 Authentify Yourself
[R] USER proxy
[R] 331 Enter your password
[R] PASS (hidden)
[R] 230 User test logged in.
[R] USER test@remoteserver.com 4321
[R] 230 User logged in proxy
[R] AUTH TLS
[R] 234 AUTH SSL successful
[R] Connected. Negotiating TLSv1 session..
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
[R] PBSZ 0
[R] 200 PBSZ successfull
[R] PASS (hidden)
[R] 230- Successfully logged in proxy server
[R] 230- Trying to connect to Dundee's FTP...
[R] 230 User Test logged in.
[R] SYST
[R] 215 UNIX Type: L8
[R] CWD /
[R] 250 CWD command successful.
[R] PWD
[R] 257 "/" is current directory.
[R] PROT P
[R] 227 Entering Passive Mode (144,37,96,43,186,133)
[R] Opening data connection IP: 144.37.96.43 PORT: 47749
[R] LIST -al
[R] Connected. Negotiating TLSv1 session..
[R] 150 Opening ASCII mode data connection for directory listing.
[R] Warning: Data Channel FingerPrint Doesn't match control Connection.
[R] Failed TLSv1 negotiation, disconnected

Last edited by Seome; 02-12-2007 at 12:41 AM.
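
The topology behind the warning in post #1, as an added example that is not part of the thread or of FlashFXP's code: it decodes the 227 reply and reports when a PROT P data connection goes to a different host than the TLS-protected control connection. The sample log is abridged from post #1, and the proxy address 203.0.113.10 is a constructed placeholder.

```python
import re

# Constructed sample: lines abridged from the session log in post #1.
SAMPLE_LOG = """\
[R] Connecting to RemoteServer.com via Proxy -> IP=myproxy.com PORT=12345
[R] AUTH TLS
[R] 234 AUTH SSL successful
[R] TLSv1 negotiation successful...
[R] PROT P
[R] 227 Entering Passive Mode (144,37,96,43,186,133)
[R] LIST -al
[R] Warning: Data Channel FingerPrint Doesn't match control Connection.
"""
# Assumption: addresses the proxy host resolves to (placeholder, not from the thread).
PROXY_IPS = {"203.0.113.10"}

PASV_RE = re.compile(r"\b227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
CONNECT_RE = re.compile(r"via Proxy -> IP=(\S+) PORT=(\d+)")


def parse_pasv(line):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (ip, port); None if absent."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field out of range: " + line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def analyze(log_text, control_ips):
    """Report control and data endpoints and whether their TLS peers differ."""
    control = data = None
    control_tls = prot_p = False
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            control = (m.group(1), int(m.group(2)))
        elif re.search(r"\] 234 ", line):          # AUTH TLS/SSL accepted
            control_tls = True
        elif line.rstrip().endswith("] PROT P"):   # protected data channel requested
            prot_p = True
        elif parse_pasv(line):
            data = parse_pasv(line)
    split = bool(control_tls and prot_p and data and data[0] not in control_ips)
    return {"control": control, "data": data, "split_tls_peers": split}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, PROXY_IPS))
```

When `split_tls_peers` is true, the control and data TLS sessions end at different hosts, which is the situation post #1 describes.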

12-05-2004, 08:30 AM   #2
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

This brings up an interesting point. Perhaps a fingerprint mismatch should be ignored for proxy types that don't proxy the data connection.

12-05-2004, 08:44 AM   #3
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

I did some tests with a couple ftp proxies and I was unable to reproduce this problem.

Does the ftp proxy establish its own ssl/tls connection to the ftp server? Perhaps that's why I can't reproduce it.

Would it be possible to give me a copy of the proxy you're using or allow me to test with it directly?

12-05-2004, 06:14 PM   #4
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

Could u copy me a log of a successful connection with SSL through a proxy?
'Cause I have no real proxy to test, and I'm not sure how this is supposed to be done.
Gimme that, and I'll put a version available for tests that does the same thing as in your log.

12-05-2004, 06:49 PM   #5
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

Mmm...
Here's a lil precision. I don't want data to go through the proxy.
Maybe that's why u don't get any prob, bigstar?

12-06-2004, 12:41 AM   #6
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

Here's the proxy server I used for testing.
http://www.analogx.com/contents/down...work/proxy.htm

When using this ftp proxy the data connection doesn't go through the ftp proxy.

12-07-2004, 06:26 PM   #7
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

Can't someone copy me a log of a successful connection through a proxy, using SSL?

12-08-2004, 07:11 PM   #8
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

Haaaaaa
I think I know the problem.
The first SSL negotiation was done between the proxy and the client. Not between client and remote server, through the proxy.

12-11-2004, 12:22 PM   #9
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

If anyone is willing to test my proxy:

It doesn't seem to work with SSL.
Make a few tests and gimme news.

<< EDITED BY BIGSTAR >>

Sorry, I don't think this is a good idea. It's a security risk to users who try your proxy since their ftp user/pass is sent through your proxy.

12-11-2004, 12:35 PM   #10
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

lol
I mean. Try with some public ftps, or something like that.

12-11-2004, 12:40 PM   #11
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

and anyway

[R] 230 User PROXY logged in.
[R] SITE BillMurray@random.ip.org:6270
[R] 331 Enter your password
[R] AUTH TLS
[R] 234 AUTH TLS successful
[R] Connected. Negotiating TLSv1 session..
[R] error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[R] Connection failed (Connection closed by client)


The problem is before the pass.
So u guys can try with some sites u know and put a fake pass, anyway u shouldn't reach the point to send the pass....lol

I know it will reveal me some ip/ports.....

12-11-2004, 01:24 PM   #12
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

Do you happen to know of any public ssl/tls sites?


Also, based on the error it looks like you're using TLS and you should be using SSL.

12-11-2004, 01:50 PM   #13
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

TLS is ok.

That's without the proxy:


[R] Connecting to random.ip.org -> IP=1.2.3.4 PORT=2760
[R] Connected to random.ip.org
[R] 220 Welcome
[R] AUTH TLS
[R] 234 AUTH TLS successful
[R] Connected. Negotiating TLSv1 session..
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher DHE-DSS-AES256-SHA (256 bits)


I'm working on a version I'll put available for u, bigstar

12-11-2004, 02:07 PM   #14
Dundee
Junior Member
Join Date: Dec 2004
Posts: 14

Test version rdy.
Where can I send it to u, bigstar? Or anyone else...

Btw, the prog is in java. Hope u have jdk installed.

12-12-2004, 01:11 PM   #15
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012

Sorry I don't have jdk installed.

I understand that the ftp server is using TLS but is your proxy using TLS as well? I don't think it is.

All times are GMT -5.