ftp-explicit-TSL logins for DC server; why does only filezilla work well?

[superboyac]

I know I should probably put this in the ftp settings thread, but I wanted to use the public forum in case someone had good advice or suggestions...

For the past few years, those of us who use the DC server probably rely on our trusty Filezilla settings to get in.  What I don't understand is why just about all the other ftp clients don't seem to work.  I really would like to get the logins to work with DOpus (which I paid extra to get the secure ftp features) and cuteftp, which is supposed to be an enterprise level ftp client.  Now, ever since the explicit-tls move a few years back, just about all these clients and probably others have a difficult to impossible time connecting to the DC server.  Can we try to fix this or nail what the issue actually is?  We've privately gone around and around on this before, but no answer seems to come up.  I also don't want to bother mouser and gothic with it until we figure out where the issue is arising, as they are already very busy.

So the question is: what is filezilla doing that the other clients can't do?  And if it is clicking a setting or two, which of the settings is it?  I'll personally be specifically interested in DOpus and Cuteftp.

[edit] just fyi, I used to use the server a lot and stopped the last 3 years preciesly because of this issue.  I went from transferring files back and forth easily to spending most of my time trying to figure out why it doesn't work, and I essentially gave up.  Also, it stopped working at work.  So what happened is that I could only try to use it for a couple of hours in the evening when I was NOT at work and had all my clients and settings to play around with freely.  As a result, I stopped updating my dc website.

[superboyac]

OK, for DOpus settings (go here to see my post in the ftp settings thread):
--it seems like you have to choose the "secure ftp via SSH" rather than the "secure ftp TLS" setting (see below)


and to me, this is a little puzzling since in filezilla you choose the "require explicit ftp over tls" setting...and there's another setting for using sftp/ssh.  So it looks like filezilla uses one way to successfully log in, and dopus works with the other way.

now for cuteftp, if i use the sftp/ssh setting instead of the explicit ftp, interesting things happen.  First, it looks like it's going to work and asks me to add a certificate to my trusted whatever.  So I say yes.  But then the problem occurs...it asks me for a password.  When I put my dc server password, it doesn't work.  So it's weird, it looks like it's going to work, but it doesn't.
If I use the explicit setting, it just says "server is requesting client certificate; create or import one".  So i don't get it.

[ewemoa]

Just some confirming data...

So it looks like filezilla uses one way to successfully log in, and dopus works with the other way.

-superboyac (August 31, 2012, 03:39 PM)

IIRC, when I use FileZilla for dcmembers, I use FTP TLS in Explicit mode.

From the command line, I think I've had success using both SFTP as well as scp (older method in SSH protocol for file transfer).

Note that despite similarities in naming, FTP and SFTP are entirely different protocols.


Perhaps DOpus provides some ability to view diagnostic information regarding network connections (e.g. logs)...

[superboyac]

Just some confirming data...

So it looks like filezilla uses one way to successfully log in, and dopus works with the other way.

-superboyac (August 31, 2012, 03:39 PM)

IIRC, when I use FileZilla for dcmembers, I use FTP TLS in Explicit mode.

From the command line, I think I've had success using both SFTP as well as scp (older method in SSH protocol for file transfer).

Note that despite similarities in naming, FTP and SFTP are entirely different protocols.

-ewemoa (August 31, 2012, 07:16 PM)

I understand what you are saying, and it makes sense.  There seems to be a variety of ways to get into the dcmembers server.  We should figure out the proper settings for each of the common clients.  But the real question is: what is the information we will need in order to figure out how to log in from ANY client?

[ewemoa]

May be mouser or someone with admin access to dcmembers can examine the logs on the server end for the ftp daemon and/or perhaps DOpus has some diagnostic ability (e.g. recording network-related activities via a log) that might be utilized to investigate further as to why its not succeeding with FTP SSL Explicit mode...


Possibly useful things to look for in the logs include error messages and port numbers...I believe for dcmembers, one wants to initially connect to port 21 (not 990).

[ewemoa]

Just tested with WinSCP 4.3.9 (portable mode) with success.

The settings used were:

• Host name: dcmembers.com
• Port number: 21
• User name: <filled-in-appropriately>
• Password: <filled-in-appropriately>
• File protocol: FTP TLS Explicit encryption

Note that for File protocol there are two drop-downs.

[Shades]

@superboyac:
Although unlikely in your case, I still want to point out that depending on the type of certificate, a password for that particular certificate can be required. Public certificates normally do not require a password, private (or personal) certificates do.

You can recognize them by looking at their extension. If it is *.pfx or *.p12 you look at a private certificate.

[superboyac]

@superboyac:
Although unlikely in your case, I still want to point out that depending on the type of certificate, a password for that particular certificate can be required. Public certificates normally do not require a password, private (or personal) certificates do.

You can recognize them by looking at their extension. If it is *.pfx or *.p12 you look at a private certificate.

-Shades (September 01, 2012, 05:09 PM)

Would the password be the same as the one I use to log into the ftp site?

[superboyac]

ewemoa, thanks for that info!  I also use WinSCP occasionally.  It's good to know what settings work with each client.

[Shades]

@superboyac:
Although unlikely in your case, I still want to point out that depending on the type of certificate, a password for that particular certificate can be required. Public certificates normally do not require a password, private (or personal) certificates do.

You can recognize them by looking at their extension. If it is *.pfx or *.p12 you look at a private certificate.

-Shades (September 01, 2012, 05:09 PM)

Would the password be the same as the one I use to log into the ftp site?

-superboyac (September 01, 2012, 09:13 PM)

That could be, but again unlikely (for security reasons). When installing the certificate into your system the password for the certificate has to be filled in. After correctly doing so,  the certificate will install itself. After that (and for as long as the certificate is valid) you should not have to fill in that password again.

Most certificates are valid for a year, but that period can vary between a day and 10 years (for RSA type of certificates generated by OpenSSL at least).

However, all my contributions in this thread are very likely not the cause of your problem.

[superboyac]

^^Thanks for the info, always good to know.  Only Cuteftp asks for a certificate password, filezilla doesn't.  But even in cuteftp, it asks for it when I use a different setting like sftp instead of explicit ftp.  The feedback from the programs are odd.  you would assume if you chose the wrong protocol, nothing would work, just immediate errors.  But what's happening is it looks like it works halfway with different protocols, then you run into a certificate password, or something else.  It's not like these other protocols are completely NOT working.  I find that as weird as an address not mattering whether it started with http or https

[f0dder]

If you can use SFTP, do so - FTPS sucks.

(Whoever decided to name the SSH method SFTP should be publicly flogged )