Repeat PROT P after EPSV #30

Open
axelniedenhoff opened this issue Apr 26, 2018 · 14 comments

@axelniedenhoff

First, thank you for this great library!
In my setup, the server is a FileZilla server 0.9.41 behind a firewall. I have found that this server needs the PROT P command repeated after an EPSV. I have patched your library locally to issue such a PROT P in persistentConn.requestPassive() right before the function returns from the EPSV path, which works for my use case. I am sure that this needs to be done in a better way, as most use cases seem not to require this extra PROT P (possibly it even breaks some use cases). So maybe it should be an option in goftp.Config.

@BobCashStory
Contributor

@axelniedenhoff I got the same problem on my side, could you share your fix?

@BobCashStory
Contributor

@axelniedenhoff could you check if #40 helps you?

@muirdm
Contributor

muirdm commented Jan 28, 2020

It seems like some servers might need "PROT" sent at different times. Can you include the debug log of the failure? I want to see what error response the server sends back.

@BobCashStory
Contributor

@muirdm we use a tool (Filestash) that uses your lib, so it's difficult to give you the logs, but the PR I have shared, #40, fixes the issue on our side. Could you have a look?

@muirdm
Contributor

muirdm commented Jan 30, 2020

I'm worried that change will break other servers not expecting those commands at that time. The RFC says servers should return a particular error code if they don't get "PROT P" when they expect, so I want to confirm that first. If we do get the expected error, we can send "PROT P" conditionally based on the error code from the server.
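
The conditional approach described in the comment above, sketched as an added example; it is not goftp's code and was not posted by anyone in this thread. The `control` interface, `transfer` and `fakeServer` are hypothetical names, the server is a constructed in-memory model, and the refusal code is assumed to be 521 as given in RFC 4217, which is the point the thread is still trying to confirm for the real servers.

```go
package main

import "fmt"

// control is a hypothetical stand-in for an FTP control connection.
type control interface{ Cmd(line string) int }

const protRefused = 521 // assumption: RFC 4217 "cannot be opened with this PROT setting"

// transfer opens a passive data channel and runs dataCmd. PBSZ 0 / PROT P are
// sent only after the server refuses with protRefused, then it retries once.
func transfer(c control, dataCmd string) (int, error) {
	for attempt := 0; ; attempt++ {
		if code := c.Cmd("EPSV"); code != 229 {
			return code, fmt.Errorf("EPSV: unexpected reply %d", code)
		}
		code := c.Cmd(dataCmd)
		if code != protRefused || attempt == 1 {
			return code, nil
		}
		for _, cmd := range []string{"PBSZ 0", "PROT P"} {
			if r := c.Cmd(cmd); r != 200 {
				return r, fmt.Errorf("%s: unexpected reply %d", cmd, r)
			}
		}
	}
}

// fakeServer is a constructed model: data commands get 521 until PROT P is seen.
type fakeServer struct{ private bool; sent []string }

func (s *fakeServer) Cmd(line string) int {
	s.sent = append(s.sent, line)
	if line == "PROT P" {
		s.private = true
	}
	if code, ok := map[string]int{"PBSZ 0": 200, "PROT P": 200, "EPSV": 229}[line]; ok {
		return code
	}
	if s.private {
		return 150
	}
	return protRefused
}

func main() {
	s := &fakeServer{}
	fmt.Println(transfer(s, "LIST"))
	fmt.Println(s.sent)
}
```

A server that already has the data channel set to Private sees only `EPSV` and the data command, so no extra commands reach servers that do not expect them.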

@BobCashStory
Contributor

BobCashStory commented Mar 18, 2020

I found a solution with https://ftptest.net/ to give you a full log; this example works!

I can send you access to this FTP by email ( [email protected] ) if you need to test. I hope it will help you; it has been blocking us from using the official Filestash for 8 months, and we had to make our own fork.
It's working well on many servers (more than 30 tested) with 0 failures with our PR #40.

I hope it will help you to understand

Status: Resolving address of ftps.toucantoco.com
Status: Connecting to 163.172.107.42
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 3 certificates from server.
Status: cert[0]: subject='CN=*.toucantoco.com' issuer='C=FR,ST=Paris,L=Paris,O=Gandi,CN=Gandi Standard SSL CA 2'
Status: cert[1]: subject='C=FR,ST=Paris,L=Paris,O=Gandi,CN=Gandi Standard SSL CA 2' issuer='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority'
Status: cert[2]: subject='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: Waiting for welcome message...
Reply: 220 Welcome to Toucan Toco FTP service.
Command: CLNT https://ftptest.net on behalf of 2a01:e0a:37b:79e0:380d:8689:152f:1c0a
Reply: 530 Please login with USER and PASS.
Command: USER eurus
Reply: 331 Please specify the password.
Command: PASS ************************
Reply: 230 Login successful.
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Features:
Reply: AUTH SSL
Reply: AUTH TLS
Reply: EPRT
Reply: EPSV
Reply: MDTM
Reply: PASV
Reply: PBSZ
Reply: PROT
Reply: REST STREAM
Reply: SIZE
Reply: TVFS
Reply: 211 End
Warning: The server does not indicate MLSD support. MLSD uses a well-specified listing format. Without MLSD, directory listings have to be obtained using LIST which uses an unspecified output format.
Command: PBSZ 0
Reply: 200 PBSZ set to 0.
Command: PROT P
Reply: 200 PROT now Private.
Command: PWD
Reply: 257 "/" is the current directory
Status: Current path is /
Command: TYPE I
Reply: 200 Switching to Binary mode.
Command: PASV
Reply: 227 Entering Passive Mode (163,172,107,42,250,127).
Command: LIST
Status: Data connection established, performing TLS handshake...
Reply: 150 Here comes the directory listing.
Status: TLS handshake successful, verifying certificate...
Status: Received 3 certificates from server.
Status: cert[0]: subject='CN=*.toucantoco.com' issuer='C=FR,ST=Paris,L=Paris,O=Gandi,CN=Gandi Standard SSL CA 2'
Status: cert[1]: subject='C=FR,ST=Paris,L=Paris,O=Gandi,CN=Gandi Standard SSL CA 2' issuer='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority'
Status: cert[2]: subject='C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority' issuer='C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root'
Status: TLS session of transfer connection has been resumed.
Listing: drwxrwx--- 2 ftp ftp 4096 Jan 14 15:03 FEC
Listing: drwxrwx--- 2 ftp ftp 4096 Apr 01 2019 FEC_DEMO
Listing: drwxrwx--- 2 ftp ftp 4096 Nov 18 16:12 REFERENTIELS
Listing: drwxrwx--- 2 ftp ftp 4096 Apr 02 2019 SOURCES_MANUELLES
Reply: 226 Directory send OK.
Status: Success

@BobCashStory
Contributor

@muirdm ?

@muirdm
Contributor

muirdm commented Apr 9, 2020

Are you using implicit TLS? It seems like the issue is just that goftp doesn't send "PBSZ 0" and "PROT P" at all in implicit TLS mode. @axelniedenhoff's issue looks different.

@muirdm
Contributor

muirdm commented Apr 9, 2020

@axelniedenhoff do you happen to remember what error code the server sent back before you patched goftp to send "PROT P" again?

@BobCashStory
Contributor

@muirdm yes, in my case I use implicit TLS, and you targeted exactly my issue! That's what I fixed in my fork, #40. Could you do something for that?

@BobCashStory
Contributor

@muirdm please don't leave me alone on that :/

@muirdm
Contributor

muirdm commented Apr 30, 2020

Can you update your PR so it only runs those commands if implicit TLS is being used?

@BobCashStory
Contributor

@muirdm updated, can you have a check?

@BobCashStory
Contributor

@muirdm any news?
