× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2011

Re: Hanging secure FTP from the i

Hi Dave,

Yes, this is one of the most common problems with secure FTP, and is one of the primary reasons why I recommend the SSH solutions (such as sftp) instead of FTP over SSL.

If the error is what I think it is, you'll have problems with GET, PUT, DIR, LS, LIST, etc. But other commands such as rename, site, ascii, binary will work without issue.

Every time data is transferred (either a file or a directory listing) a new connection is opened to transfer the data. This connection isn't always made to the same port number, so (in passive mode) the client asks the server for the port number, and you get a response. In your log, the response looks like this:

227 Entering Passive Mode (10,48,227,144,133,49)

The stuff in parenthesis are an IP address (10.48.227.144) and a port number (133 is the first byte, 49 is the second byte. So the port number is 34097. (133 = x'85', 49=x'31'. x'8531' = 34097)

Addresses that begin with '10' are private addresses, so the server is probably running behind NAT. NAT changes addresses dynamically from a private address to a public one. In standard (plain text) FTP, the NAT gateway scans the outgoing packets, finds the IP address/port, and changes it to the public address. It can't do that in secure FTP, because the data is encrypted.

The result... you can either stop the encryption before you send/receive any data. (Most secure FTP software lets you drop encryption after the password is sent, if desired.) That will let the NAT gateway change your data appropriately...

Or, you can use a better protocol than FTP over SSL (which is poorly designed, thus your problem) and use something like sftp instead. sftp is both more secure, and works much better across NATs and firewalls.



On 2/18/2011 9:07 AM, daparnin@xxxxxxxxxxxxxx wrote:
I am trying to work with a remote FTP site with a secure connection. They
have specified the address and port that we are to use. I can get
connected but whenever I type a command such as ls it just hangs and I
need to do a SYSREQ-2 to get out of it. Below is what I typed and what I
got. Any ideas?

FTP RMTSYS('ftps-blahgateway.sys.blah.com') PORT(6990) SECCNN(*SSL)


File Transfer
Protocol

Previous FTP subcommands and messages:
Connecting to host wsuser129.user.blah.com at address x.x.x.x using port
6990.
220 BLAH FTPS Server Ready!
234 Security data exchange complete.
Connection is secure.
user-id
331 Password required for user-id
230 BLAH FTPS Server Ready!
UNIX Type: A
200 PBSZ command successful.
200 PROT command successful.
Data protection level set to P.
ls
227 Entering Passive Mode (10,48,227,144,133,49)


Here is where it hangs with input inhibited.


Dave Parnin


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.