[Info-vax] FTP/SSL from OpenVMS (client) to Unix Filezilla (server) failure
Richard Whalen
rvwhalen at gmail.com
Tue Aug 7 15:50:41 EDT 2012
On Aug 7, 8:37 am, Dirk Munk <m... at home.nl> wrote:
> gopalakrishnan wrote:
> > Hi Ken
>
> > I submitted a reply to Hoff's message and repeated when I did not find my reply here. And still it is not here (I did not get the usual response "message will be reviewed and posted" in those two instances). Hope this gets loaded.
>
> > The server truly is FTP over SSL service (the very first line in the SP's documentation). They use "SFTP" to describe the service as being "secure". The service uses port 22 which is not FTP/SSL standard port but SFTP's. Even the server is named "sftp.xxxx.co.nz"
>
> > Moreover I can connect to the service, view folders and download files using a Windows FileZilla client connecting to "FTPES://sftp.xxx.co.nz", port 22 (and user-id / password)
>
> > I have tried SFTP and it does not work
>
> > My infrastructure team is now investigating if this has anything to do with our firewall/isa configuration
>
> > Regards -tk
>
> > --http://compgroups.net/comp.os.vms/ftp-ssl-from-openvms-client-to-unix...
>
> With the windows version you are using explicit FTPS, or FTPES, and that
> may point to the problem. From Wikipedia:
>
> Explicit
>
> In explicit mode (also known as FTPES), an FTPS client must "explicitly
> request" security from an FTPS server and then step-up to a mutually
> agreed encryption method. If a client does not request security, the
> FTPS server can either allow the client to continue in unsecure mode or
> refuse/limit the connection.
>
> The mechanism for negotiating authentication and security with FTP was
> added under RFC 2228, which included the new FTP command AUTH. While
> this RFC does not explicitly define any required security mechanisms,
> e.g. SSL or TLS, it does require the FTPS client to challenge the FTPS
> server with a mutually known mechanism. If the FTPS client challenges
> the FTPS server with an unknown security mechanism, the FTPS server will
> respond to the AUTH command with error code 504 (not supported). Clients
> may determine which mechanisms are supported by querying the FTPS server
> with the FEAT command, although servers are not necessarily required to
> be honest in disclosing what levels of security they support. Common
> methods of invoking FTPS security included AUTH TLS and AUTH SSL.
>
> In the later RFC 4217, FTPS compliance required that clients always
> negotiate using the AUTH TLS method. The RFC also recommended FTPS
> servers to accept the draft mechanism AUTH TLS-C.
>
> The use of port 22 is wrong. For FTPS the normal port numbers are 989 and
> 990. However some implementations use the standard FTP port 21 for FTP and
> FTPS.
>
> SFTP uses port 22, but as you know SFTP is something very different from
> FTP or FTPS.
I suspect that the problem is a firewall that isn't able to interpret the response to the PASV or PORT command and allow the port to be opened. The firewall can't interpret the response because the command stream is encrypted. You need to cause the FTPS client to send the CCC command to the FTPS server. See
http://h71000.www7.hp.com/doc/84final/tcprn/tcp_rnpro_001.html#ftp_ssl
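An added illustration of the firewall problem described above, written for this page and not taken from the thread, from HP TCP/IP Services or from FileZilla. It replays the control channel of an explicit FTPS session as a stateful firewall's FTP inspector would see it: once AUTH TLS has succeeded, the 227 reply to PASV is inside TLS records and the inspector cannot learn which data port to open; after CCC the control channel is back in the clear and the inspector can parse the reply again. The session, the addresses and the "TLS record" stand-in are constructed sample data; the record body is not real ciphertext, it only mimics ciphertext by being unreadable as ASCII.

```python
import re
from typing import List, Optional, Tuple

# Reply 227 format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Extract (host, port) from a 227 reply, the way an FTP ALG in a firewall does."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %s" % line.strip())
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def as_tls_record(plaintext: bytes) -> bytes:
    """Stand-in for a TLS application-data record (constructed, not real encryption).

    The 5-byte header is shaped like a real record (type 0x17, version 3.3); the
    body only mimics ciphertext by having the high bit set on every byte, so the
    inspector below cannot read it, which is all the demonstration needs.
    """
    opaque = bytes(b | 0x80 for b in plaintext)
    return bytes([0x17, 0x03, 0x03]) + len(opaque).to_bytes(2, "big") + opaque


def run_session(use_ccc: bool) -> List[bytes]:
    """Replay the control channel of an explicit FTPS session as seen on the wire.

    Replies and the PASV address are constructed sample values.  The TLS
    handshake that follows the 234 reply is omitted; everything after it is
    carried inside TLS records until (and unless) CCC clears the channel.
    """
    wire: List[bytes] = []
    encrypted = False

    def exchange(line: str) -> None:
        # Append one control-channel line as the firewall observes it.
        raw = (line + "\r\n").encode("ascii")
        wire.append(as_tls_record(raw) if encrypted else raw)

    exchange("220 ftp server ready")
    exchange("AUTH TLS")                     # explicit request for security (RFC 2228 / RFC 4217)
    exchange("234 proceed with negotiation")
    encrypted = True                         # from here on the firewall sees ciphertext
    exchange("USER tk")
    exchange("331 password required")
    exchange("PASS secret")                  # credentials are protected in both variants
    exchange("230 logged in")
    exchange("PBSZ 0")
    exchange("200 PBSZ=0")
    exchange("PROT P")                       # data channel protection; not affected by CCC
    exchange("200 protection level set")
    if use_ccc:
        exchange("CCC")                      # Clear Command Channel: control returns to plaintext
        exchange("200 command channel cleared")
        encrypted = False
    exchange("PASV")
    exchange("227 Entering Passive Mode (10,0,0,5,195,80)")  # constructed: 10.0.0.5, port 50000
    return wire


def firewall_pasv_port(wire: List[bytes]) -> Optional[Tuple[str, int]]:
    """What a stateful firewall's FTP inspector can learn from the control channel.

    It can only open the dynamic data port if it can read the 227 reply.
    """
    for chunk in wire:
        try:
            text = chunk.decode("ascii")
        except UnicodeDecodeError:
            continue                         # TLS record: opaque to the inspector
        result = parse_pasv_reply(text)
        if result:
            return result
    return None


if __name__ == "__main__":
    print("without CCC:", firewall_pasv_port(run_session(use_ccc=False)))  # None
    print("with CCC:   ", firewall_pasv_port(run_session(use_ccc=True)))   # ('10.0.0.5', 50000)
```

The trade-off to keep in mind when enabling CCC: the login exchange still happens under TLS and PROT P keeps the data channel protected, but every command and reply after CCC (file names, directory listings requested, PASV addresses) crosses the firewall in the clear. That is exactly what lets the inspector do its job, so it is a deliberate choice rather than a free fix.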