Unsecure passive FTP sessions forcing SSL
Posted: Wed Nov 24, 2010 5:37 pm
All of this pertains to passive ftp only.
We have a problem with unsecured ftp sessions. Wing FTP is forcing an SSL connection to the client which is causing a couple of problems for us. First, the site is not usable by a client that is not SSL-capable. Second, our server sits behind a firewall which handles address translation for passive connections, i.e. it will translate our internal IP to the external IP when it passes through; however, this is not occurring because Wing is sending encrypted data when it shouldn't be. This can be verified by using a non-ssl enabled FTP client, for example:
# ldd /usr/bin/ftp
linux-vdso.so.1 => (0x00007fffd6279000)
libreadline.so.6 => /lib/libreadline.so.6 (0x00007f25d5e81000)
libncurses.so.5 => /lib/libncurses.so.5 (0x00007f25d5c3d000)
libc.so.6 => /lib/libc.so.6 (0x00007f25d58b9000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f25d56b5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f25d60e0000)
As you can see, this client has not been compiled with any ssl/tls libraries. Regardless of what we tell WingFTP to use for our external IP address, this client cannot get a passive connection and will hang because Wing is trying to send encrypted data to it:
# ftp -p cc
Connected to cc.
220 Wing FTP Server 3.6.6 ready...
Name (cc:johnb): test
331 Password required for test
Password:
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
<HANG>
Using vsftpd, passive works flawlessly. Our firewall is able to translate the passive addresses when it passes through and we have no problems. Can you please address this? Please let me know if you need any more information.
Thank you
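Added example, not part of the original post: a firewall FTP helper performs the passive address translation described above by reading the plaintext 227 reply on the control channel and rewriting the address in it, so it can only act on bytes it can parse. The sketch below emulates that rewrite and classifies what a client would receive; the function names, the addresses and both sample replies are constructed for illustration.

```python
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    rb"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed sample inputs (hypothetical addresses, not taken from the post).
INTERNAL, EXTERNAL = "192.168.1.20", "203.0.113.10"
PLAIN = b"227 Entering Passive Mode (192,168,1,20,195,80)\r\n"
# Filler bytes shaped like a TLS application-data record (type 0x17, TLS 1.2).
OPAQUE = bytes.fromhex("1703030020") + b"\x8f" * 32


def parse_pasv(line: bytes):
    """Return (ip, port) from a plaintext 227 reply, or None if unreadable."""
    m = PASV_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def alg_rewrite(line: bytes, internal: str, external: str) -> bytes:
    """Emulate the firewall helper: swap the internal address for the external one."""
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != internal:
        return line  # nothing readable to translate, passed through unchanged
    port = parsed[1]
    reply = "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        external.replace(".", ","), port >> 8, port & 0xFF)
    return reply.encode("ascii")


def diagnose(line: bytes, peer_ip: str) -> str:
    """Classify a control-channel line as seen on the client side of the firewall.

    peer_ip is the address the client connected to for the control channel.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return "unreadable"      # not a plaintext 227 reply
    if parsed[0] != peer_ip:
        return "untranslated"    # server's own address leaked through
    return "translated"
```

Running `diagnose` over a packet capture of the control channel taken outside the firewall distinguishes an untranslated plaintext reply from one the helper could not read at all.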