Bug #69327 for Net-FTPSSL: Problem with client certificate SSL connections

Thu Jul 07 00:31:12 2011 zeta [...] tcscs.com - Ticket created

Subject:

Problem with client certificate SSL connections

There seems to be a problem with the data connection when using SSH_Advanced hash to create connections using client certificates. Sanitized debug output: .. SKT >>> AUTH SSL SKT <<< 234 AUTH SSL OK. .. Show quoted text

>>> USER anonymous

<<< 331 Password required for anonymous. Show quoted text

>>> PASS *******

<<< 230 User ..user.. logged in. Show quoted text

>>> CWD /users/username/incoming/

<<< 250 CWD command successful. Show quoted text

>>> CWD //users/username/ougoing/

<<< 250 CWD command successful. Show quoted text

>>> PBSZ 0

<<< 200 PBSZ Command successful. (PBSZ=0) Show quoted text

>>> PROT P

<<< 200 PROT set to P. Show quoted text

>>> PASV

<<< 227 Entering Passive Mode (...) Show quoted text

>>> LIST

<<< 150 ASCII mode SSL data connection for /bin/ls (...). <<< 550 Client certificate rejected by ChainVerifier. Can't list outbound dir (SSL wants a read first) at test-net-ftpssl.pl line 29. The client SSL certificate appears to work once I got the hash correct and once the connection is established the server recognizes the client user correctly. Changing directories works but getting a list of files fails. Here's the relevant code: #!/usr/bin/perl use strict; use warnings; use Data::Dumper; use Net::FTPSSL; my $ftps = new Net::FTPSSL( 'ssl.ftp.server.com', Port => 21, Encryption => 'E', Debug => 1, SSL_Advanced => { 'SSL_version' => 'SSLv3', 'SSL_use_cert' => 1, 'SSL_server' => 0, 'SSL_key_file' => 'private.pem', 'SSL_cert_file' => 'pubkey.pem', 'SSL_passwd_cb' => sub { return 'password_for_key' }, }, ) or die "Unable to connect to remote host"; $ftps->login('anonymous', 'test@domain.com') or die "Can't login"; $ftps->cwd('/users/username/incoming/') or die "Can't change to inbound dir"; $ftps->cwd('/users/username/outbound/') or die "Can't change to outbound dir"; my @x = $ftps->list() or die "Can't list outbound dir (" . $ftps->errstr() . ")"; print Dumper(\@x); $ftps->quit() or die "Error closing connection; " . $ftps->errstr() . "\n"; In an email exchange you mentioned you suspected the open connection method for data channel is not using the SSL_Advanced hash.

Thu Jul 07 14:36:20 2011 CLEACH [...] cpan.org - Correspondence added

Greg, Just to collect a few more peices of info & I'll try to look more into this over the weekend. What OS are you running the client on? What version of Perl are you using? You cut off that info when you modified the trace below. Curtis On Thu Jul 07 00:31:12 2011, ZETA wrote: Show quoted text

> There seems to be a problem with the data connection when using > SSH_Advanced hash to > create connections using client certificates. > > Sanitized debug output: > .. > SKT >>> AUTH SSL > SKT <<< 234 AUTH SSL OK. > ..

> >>> USER anonymous

> <<< 331 Password required for anonymous.

> >>> PASS *******

> <<< 230 User ..user.. logged in.

> >>> CWD /users/username/incoming/

> <<< 250 CWD command successful.

> >>> CWD //users/username/ougoing/

> <<< 250 CWD command successful.

> >>> PBSZ 0

> <<< 200 PBSZ Command successful. (PBSZ=0)

> >>> PROT P

> <<< 200 PROT set to P.

> >>> PASV

> <<< 227 Entering Passive Mode (...)

> >>> LIST

> <<< 150 ASCII mode SSL data connection for /bin/ls (...). > <<< 550 Client certificate rejected by ChainVerifier. > Can't list outbound dir (SSL wants a read first) at test-net-

ftpssl.pl Show quoted text

> line 29. > > The client SSL certificate appears to work once I got the hash

correct Show quoted text

> and once the connection > is established the server recognizes the client user correctly. > Changing directories works but > getting a list of files fails. > > > Here's the relevant code: > #!/usr/bin/perl > > use strict; > use warnings; > use Data::Dumper; > > use Net::FTPSSL; > > my $ftps = new Net::FTPSSL( > 'ssl.ftp.server.com', > Port => 21, > Encryption => 'E', > Debug => 1, > SSL_Advanced => { > 'SSL_version' => 'SSLv3', > 'SSL_use_cert' => 1, > 'SSL_server' => 0, > 'SSL_key_file' => 'private.pem', > 'SSL_cert_file' => 'pubkey.pem', > 'SSL_passwd_cb' => sub { return 'password_for_key' }, > }, > ) or die "Unable to connect to remote host"; > > $ftps->login('anonymous', 'test@domain.com') or die "Can't login"; > > $ftps->cwd('/users/username/incoming/') or die "Can't change to > inbound dir"; > $ftps->cwd('/users/username/outbound/') or die "Can't change to > outbound dir"; > > my @x = $ftps->list() or die "Can't list outbound dir (" . $ftps-

> >errstr() . ")";

> print Dumper(\@x); > > $ftps->quit() or die "Error closing connection; " . $ftps->errstr() . > "\n"; > > In an email exchange you mentioned you suspected the open connection > method for data > channel is not using the SSL_Advanced hash. >

Thu Jul 07 14:36:22 2011 The RT System itself - Status changed from 'new' to 'open'

Thu Jul 07 22:11:22 2011 zeta [...] tcscs.com - Correspondence added

Sure. OS: Mac OS X 10.6.8 Perl:5.10.0 (full details below) Summary of my perl5 (revision 5 version 10 subversion 0) configuration: Platform: osname=darwin, osvers=10.0, archname=darwin-thread-multi-2level uname='darwin neige.apple.com 10.0 darwin kernel version 10.0.0d8: tue may 5 19:29:59 pdt 2009; root:xnu-1437.2~2release_i386 i386 ' config_args='-ds -e -Dprefix=/usr -Dccflags=-g -pipe -Dldflags= -Dman3ext=3pm - Duseithreads -Duseshrplib -Dinc_version_list=none -Dcc=gcc-4.2' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='gcc-4.2', ccflags ='-arch x86_64 -arch i386 -arch ppc -g -pipe -fno-common - DPERL_DARWIN -fno-strict-aliasing -I/usr/local/include', optimize='-Os', cppflags='-g -pipe -fno-common -DPERL_DARWIN -fno-strict-aliasing - I/usr/local/include' ccversion='', gccversion='4.2.1 (Apple Inc. build 5646)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='gcc-4.2 -mmacosx-version-min=10.6', ldflags ='-arch x86_64 -arch i386 -arch ppc -L/usr/local/lib' libpth=/usr/local/lib /usr/lib libs=-ldbm -ldl -lm -lutil -lc perllibs=-ldl -lm -lutil -lc libc=/usr/lib/libc.dylib, so=dylib, useshrplib=true, libperl=libperl.dylib gnulibc_version='' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' ' cccdlflags=' ', lddlflags='-arch x86_64 -arch i386 -arch ppc -bundle -undefined dynamic_lookup -L/usr/local/lib' Characteristics of this binary (from libperl): Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP USE_64_BIT_ALL USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_PERLIO USE_REENTRANT_API Locally applied patches: /Library/Perl/Updates/<version> comes before system perl directories installprivlib and installarchlib points to the Updates directory Built under darwin Compiled at Jun 24 2009 00:35:27

Thu Jul 14 12:55:35 2011 CLEACH [...] cpan.org - Correspondence added

Greg, Sorry about taking so long to get back to you on your problem. I've been researching this issue & finally tracked down the person I added the SSL_Advanced option for and he confirmed that Client Certificates only affect the command channel. He said he got Client Certificates working in an earlier release of Net::FTPSSL without much problem. So I don't think it's necessarily a problem with my code. More than likely it's a missing or incorrect setting for SSL_Advanced which is passed to the IO::Socket::SSL->start_SSL() call. Let me know if you are still having issues. If so, I'll need the full unedited Net::FTPSSL logs & the IO::Socket::SSL logs to move on this further. You can send them to my cpan address if you don't want to post them here in public. So add to your code: (ex: test.pl) use IO::Socket::SSL qw(debug3); use Net::FTPSSL; ... my $ftps = Net::FTPSSL->new('server', SSL_Advanced=>%myOpts, Debug=>1, Croak=>1); ... To run: "test.pl 2> log.txt" Adding the use IO::Socket::SSL command before using my class will turn on additional debug information written to STDERR that might give us a clue on what's happening. Which is why I'm not recommending DebugLogFile as an option. I want to see IO::Socket::SSL's logs merged in with my logs. If you want, I can forward to you my v0.18 beta that I'm in the process of preparing as an official release. I had tweaked it a bit during my research on this. But I don't think the changes are that significant to the problems you are encountering. I look forward to hearing back from you soon. Curtis

Thu Jul 14 17:05:17 2011 CLEACH [...] cpan.org - Correspondence added

Drat, Just heard back from my contact & found out that my assumption about the data channel my not be 100% correct. So it's back to the drawing board for me. But I still need your traces if you can provide them please. Curtis On Thu Jul 14 12:55:35 2011, CLEACH wrote: Show quoted text

> Greg, > > Sorry about taking so long to get back to you on your problem. I've > been researching this issue & finally tracked down the person I

added Show quoted text

> the SSL_Advanced option for and he confirmed that Client

Certificates Show quoted text

> only affect the command channel. He said he got Client Certificates > working in an earlier release of Net::FTPSSL without much problem. > > So I don't think it's necessarily a problem with my code. More than > likely it's a missing or incorrect setting for SSL_Advanced which is > passed to the IO::Socket::SSL->start_SSL() call. > > Let me know if you are still having issues. If so, I'll need the

full Show quoted text

> unedited Net::FTPSSL logs & the IO::Socket::SSL logs to move on this > further. You can send them to my cpan address if you don't want to > post them here in public. > > So add to your code: (ex: test.pl) > > use IO::Socket::SSL qw(debug3); > use Net::FTPSSL; > ... > > my $ftps = Net::FTPSSL->new('server', SSL_Advanced=>%myOpts,

Debug=>1, Show quoted text

> Croak=>1); > ... > > To run: "test.pl 2> log.txt" > > Adding the use IO::Socket::SSL command before using my class will

turn Show quoted text

> on additional debug information written to STDERR that might give us

a Show quoted text

> clue on what's happening. Which is why I'm not recommending > DebugLogFile as an option. I want to see IO::Socket::SSL's logs > merged in with my logs. > > If you want, I can forward to you my v0.18 beta that I'm in the > process of preparing as an official release. I had tweaked it a bit > during my research on this. But I don't think the changes are that > significant to the problems you are encountering. > > I look forward to hearing back from you soon. > > Curtis >

Thu Jul 14 17:36:05 2011 zeta [...] tcscs.com - Correspondence added

Yeah, I was going to say that didn't sound right. I'm attaching the output as requested. I had to scrub certain data out of it, but I did so in such a way that none of the logging would be materially changed (i.e. only changed host name, ip address, everything else is in tact). On Thu Jul 14 17:05:17 2011, CLEACH wrote: Show quoted text

> Drat, > > Just heard back from my contact & found out that my assumption about > the data channel my not be 100% correct. So it's back to the drawing > board for me. > > But I still need your traces if you can provide them please.

Subject:

test-net-ftpssl.log

Download test-net-ftpssl.log
application/octet-stream 4.9k

Message body not shown because it is not plain text.

Thu Jul 21 11:41:54 2011 CLEACH [...] cpan.org - Correspondence added

Greg, Just an update. I'm still working on this issue. I finally had to break down and install a new FTPS server (vsftpd) and I'm in the midst of trying to configure it properly. Once that's done I'll be back to figuring out how to use Client Certificates. Since I don't share this new FTPS server, it will make it easier to fool around with the various settings and hopefully make finding a solution easier. Curtis On Thu Jul 14 17:36:05 2011, ZETA wrote: Show quoted text

> Yeah, I was going to say that didn't sound right. > > I'm attaching the output as requested. I had to scrub certain data out > of it, but I did so in such a > way that none of the logging would be materially changed (i.e. only > changed host name, ip > address, everything else is in tact).

Sat Jul 23 01:40:18 2011 zeta [...] tcscs.com - Correspondence added

Sounds good. Thanks for the update. If you get something you want me to test let me know and I'll try it out here. Sorry I couldn't give you more information or access to an ftps server. Greg Show quoted text

> Just an update. I'm still working on this issue. I finally had to > break down and install a new FTPS server (vsftpd) and I'm in the midst > of trying to configure it properly. Once that's done I'll be back to > figuring out how to use Client Certificates. > > Since I don't share this new FTPS server, it will make it easier to fool > around with the various settings and hopefully make finding a solution > easier.

Sun Jul 24 01:54:42 2011 CLEACH [...] cpan.org - Correspondence added

Greg, Some good news. The new FTPS server I'm using has much better logging and it gave me the vital clues I needed to figure out how to get the data channel to accept using client certificates. I have some clean up to do and have figure out a couple of minor gotcha's, but I should have a beta of v0.18 available to you by Wed or so to try out. Curtis On Sat Jul 23 01:40:18 2011, ZETA wrote: Show quoted text

> Sounds good. Thanks for the update. If you get something you want me > to test let me know and > I'll try it out here. Sorry I couldn't give you more information or > access to an ftps server. > > Greg >

> > Just an update. I'm still working on this issue. I finally had to > > break down and install a new FTPS server (vsftpd) and I'm in the

> midst

> > of trying to configure it properly. Once that's done I'll be back

> to

> > figuring out how to use Client Certificates. > > > > Since I don't share this new FTPS server, it will make it easier to

> fool

> > around with the various settings and hopefully make finding a

> solution

> > easier.

Mon Jul 25 16:58:47 2011 CLEACH [...] cpan.org - Correspondence added

Greg, Here's my beta for certificates. I still have a bit more work to go before v0.18 comes out. But I'd appriate it if you could tell me if it helps you or not. Turns out there are a lot of server options tied to client certificate checking & I wouldn't be surprised if you hit one those once you get past the certificate check. The other new features in this beta shouldn't affect you one way or the other. Curtis On Sun Jul 24 01:54:42 2011, CLEACH wrote: Show quoted text

> Greg, > > Some good news. The new FTPS server I'm using has much better

logging Show quoted text

> and it gave me the vital clues I needed to figure out how to get the > data channel to accept using client certificates. > > I have some clean up to do and have figure out a couple of minor > gotcha's, but I should have a beta of v0.18 available to you by Wed

or Show quoted text

> so to try out. > > Curtis > > On Sat Jul 23 01:40:18 2011, ZETA wrote:

> > Sounds good. Thanks for the update. If you get something you want

me Show quoted text

> > to test let me know and > > I'll try it out here. Sorry I couldn't give you more information or > > access to an ftps server. > > > > Greg > >

> > > Just an update. I'm still working on this issue. I finally had

to Show quoted text

> > > break down and install a new FTPS server (vsftpd) and I'm in the

> > midst

> > > of trying to configure it properly. Once that's done I'll be

back Show quoted text

> > to

> > > figuring out how to use Client Certificates. > > > > > > Since I don't share this new FTPS server, it will make it easier

to Show quoted text

> > fool

> > > around with the various settings and hopefully make finding a

> > solution

> > > easier.

> >

Subject:

FTPSSL.pm

Message body is not shown because it is too large.

Mon Jul 25 17:19:36 2011 zeta [...] tcscs.com - Correspondence added

will test it today. thanks.

Mon Jul 25 18:54:45 2011 zeta [...] tcscs.com - Correspondence added

Great job. It mostly works!! I can confirm the following works with test version of v0.18: - list - put - get - cwd and that the following does not work: - nlst (Error: SSL wants a read first) haven't tested other methods. Thanks, Greg

Tue Jul 26 18:38:43 2011 CLEACH [...] cpan.org - Correspondence added

Greg, I'm glad the beta works for you. But I'm a bit surprised at the nlst issue, since that function calls list() in my code. Can you send me a trace with the failure? So that I have a chance to figure out what's going on. If it's not showing much, then you'll have to do the following in your test program. use IO::Socket::SSL (debug3); That will cause it to write lower level errors to STDERR as well. Curtis On Mon Jul 25 18:54:45 2011, ZETA wrote: Show quoted text

> Great job. It mostly works!! > > I can confirm the following works with test version of v0.18: > - list > - put > - get > - cwd > > and that the following does not work: > - nlst (Error: SSL wants a read first) > > haven't tested other methods. > > Thanks, > Greg

Tue Jul 26 18:42:10 2011 CLEACH [...] cpan.org - Severity Important changed to Wishlist

Tue Jul 26 19:20:45 2011 zeta [...] tcscs.com - Correspondence added

On Tue Jul 26 18:38:43 2011, CLEACH wrote: Show quoted text

> Greg, > > I'm glad the beta works for you. But I'm a bit surprised at the nlst > issue, since that function calls list() in my code. >

*sigh* sorry about that. As I was tweaking the test code to capture the output for this I realized that the failure wasn't really a failure, it was a bad test. List was passing the simple test because of "." and ".." in the list of files. So, nlst works (when PEBKAC doesn't get in the way). :) Thanks again. Appreciate the time and effort you put in here. Greg

Wed Jul 27 11:32:23 2011 CLEACH [...] cpan.org - Correspondence added

Thanks for the update Greg. I'm going to assume at this point that you're happy with the beta. I'll release the official v0.18 sometime next month once I've had a chance to update the SSL_Advanced documentation. At this point, I can't consider this option completely unsupported any more. Curtis On Tue Jul 26 19:20:45 2011, ZETA wrote: Show quoted text

> On Tue Jul 26 18:38:43 2011, CLEACH wrote:

> > Greg, > > > > I'm glad the beta works for you. But I'm a bit surprised at the

> nlst

> > issue, since that function calls list() in my code. > >

> > *sigh* sorry about that. > > As I was tweaking the test code to capture the output for this I > realized that the failure wasn't > really a failure, it was a bad test. List was passing the simple test > because of "." and ".." in the > list of files. > > So, nlst works (when PEBKAC doesn't get in the way). :) > > Thanks again. Appreciate the time and effort you put in here. > > Greg

Tue Aug 02 17:48:13 2011 CLEACH [...] cpan.org - Correspondence added

Greg, I just released v0.18 this morning. Please feel free to download it and get onto an official release. I made some significant changes since the beta I gave you as I was working with all the various IO::Socket::SSL options and fine tuning things during my testing. I've depreciated SSL_Advanced in favor of SSL_Client_Certificate now that I'm supporing the option. It made documenting the option a whole lot clearer. The other major changes were behind the sceens dealing with how the data channel uses the client certificate. I'll give you a week or so to check out the release before I close this ticket. Enjoy Curtis On Wed Jul 27 11:32:23 2011, CLEACH wrote: Show quoted text

> Thanks for the update Greg. > > I'm going to assume at this point that you're happy with the beta. > I'll release the official v0.18 sometime next month once I've had a > chance to update the SSL_Advanced documentation. At this point, I > can't consider this option completely unsupported any more. > > Curtis

Wed Aug 10 21:58:17 2011 CLEACH [...] cpan.org - Correspondence added

Greg, I'm closing the ticket since you were basically happy with the beta and I haven't heard back from you on the final release. Good luck using this module with certificates! Curtis On Tue Aug 02 17:48:13 2011, CLEACH wrote: Show quoted text

> Greg, > > I just released v0.18 this morning. Please feel free to download it > and get onto an official release. > > I made some significant changes since the beta I gave you as I was > working with all the various IO::Socket::SSL options and fine tuning > things during my testing. > > I've depreciated SSL_Advanced in favor of SSL_Client_Certificate now > that I'm supporing the option. It made documenting the option a whole > lot clearer. The other major changes were behind the sceens dealing > with how the data channel uses the client certificate. > > I'll give you a week or so to check out the release before I close > this ticket. > > Enjoy > > Curtis > > On Wed Jul 27 11:32:23 2011, CLEACH wrote:

> > Thanks for the update Greg. > > > > I'm going to assume at this point that you're happy with the beta. > > I'll release the official v0.18 sometime next month once I've had a > > chance to update the SSL_Advanced documentation. At this point, I > > can't consider this option completely unsupported any more. > > > > Curtis

Wed Aug 10 21:58:37 2011 CLEACH [...] cpan.org - Status changed from 'open' to 'resolved'

Wed Aug 10 21:58:37 2011 CLEACH [...] cpan.org - Fixed in 0.18 added