FtpWebRequest - ssl disabled works, ssl enabled times out

  • Question

  • I'm in control of the ftp server.  It is IIS 7.5 and we have the certificate installed and SSL enabled.

    Filezilla can connect over ssl and ftp properly so I believe the server setup is correct.

    I'm using FtpWebRequest - if ssl is disabled everything works properly.

    With SSL enabled I get a timeout.  Searching the internet I find that there are lots of causes potentially but none fit my situation.  What could be causing this simple program to timeout - where filezilla works just fine.

    ClientCertificates are ignored.

    My code:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Net;
    using System.IO;

    namespace FTPSTest
    {
        class Program
        {
            static void Main(string[] args)
            {
                // Get the object used to communicate with the server.
                FtpWebRequest request = (FtpWebRequest)WebRequest.Create("ftp://www.obfuscated.com/thane.dat");
                request.Method = WebRequestMethods.Ftp.UploadFile;
                request.UseBinary = true;
                request.EnableSsl = true;

                // Copy the contents of the file to the request stream.
                StreamReader sourceStream = new StreamReader(@"z:\documents\work\wam\testfile.txt");
                byte[] fileContents = Encoding.UTF8.GetBytes(sourceStream.ReadToEnd());
                sourceStream.Close();
                request.ContentLength = fileContents.Length;

                try
                {
                    Stream requestStream = request.GetRequestStream(); // exception here
                    requestStream.Write(fileContents, 0, fileContents.Length);
                    requestStream.Close();
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.InnerException.Message.ToString());
                }

                try
                {
                    FtpWebResponse response = (FtpWebResponse)request.GetResponse();
                    Console.WriteLine("Upload File Complete, status {0}", response.StatusDescription);
                    response.Close();
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.InnerException.ToString());
                }
            }
        }
    }


    What do I need to make this work?

    The timeout exception is in the request.GetRequestStream().

    It is

    InnerException = {"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"}

    "Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." is the message.


    • Edited by ThaneHubbell Tuesday, May 7, 2013 7:59 PM typo
    • Moved by Mike Feng Thursday, May 9, 2013 4:56 AM
    Tuesday, May 7, 2013 7:58 PM


All replies

  • Does the FTP site accept TLS?  According to the documentation the method will send an "AUTH TLS" command when you set the EnableSsl property to true.

    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Tuesday, May 7, 2013 8:18 PM
    Moderator
  • I'm going to revise the facts.

    Connecting with FileZilla works from my mac.

    Connecting from Windows with FileZilla fails - Initializing TLS - then it craps out.

    The mac popped up a window asking to trust the certificate.  Windows I can't recall if it did or not but it's timing out.

    Explicit TLS is specified.

    So I'm kind of thinking this is a certificate issue - what do I do within the client to handle that?

    Tuesday, May 7, 2013 9:02 PM
  • I put the URL into my web browser and traced the connection using wireshark.  The IE ARP for the URL 3 times and finally the server sent back an encrypted message.  The IE then responded and nothing happened.  I would try to do the same thing on your PC.  Before trying with the IE delete cookies from your IE history.

    I think you need to obtain a certificate from the website before you can start using FTP.


    jdweng

    Tuesday, May 7, 2013 9:13 PM
  • That was the next question... where did the cert come from and what kind is it?  Does the client know the issuer?  If you are using your own certificate provider you will need to add it to the client's list of trusted providers.

    It does indeed sound like this is related to the certificate being used.  You may need to read up more on how to use security certificates and/or setup a certification store (or bite the bullet and buy a cert from a known provider).


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Tuesday, May 7, 2013 9:14 PM
    Moderator
  • I'm going to revise the facts.

    Connecting with FileZilla works from my mac.

    Connecting from Windows with FileZilla fails - Initializing TLS - then it craps out.

    The mac popped up a window asking to trust the certificate.  Windows I can't recall if it did or not but it's timing out.

    Explicit TLS is specified.

    So I'm kind of thinking this is a certificate issue - what do I do within the client to handle that?

    static void Main(string[] args)
    {
        // Needs: using System.Net.Security; using System.Security.Cryptography.X509Certificates;
        // Diagnostic only: this callback accepts any server certificate.
        ServicePointManager.ServerCertificateValidationCallback +=
            delegate(
                Object sender1,
                X509Certificate certificate,
                X509Chain chain,
                SslPolicyErrors sslPolicyErrors)
            {
                return true;
            };
        // Get the object used to communicate with the server.
        FtpWebRequest request = (FtpWebRequest)WebRequest.Create("ftp://www.obfuscated.com/thane.dat");
    …
    

    Wednesday, May 8, 2013 2:00 AM
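
A variant of the callback in the reply above that reports what the certificate check found without accepting every certificate. This is an added example, not code from any participant in the thread; the class name `FtpsCertDiagnostics` and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class FtpsCertDiagnostics
{
    // Call once, before creating the FtpWebRequest.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
    }

    static bool LogAndValidate(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
        {
            Console.WriteLine("Server presented no certificate.");
        }
        else
        {
            Console.WriteLine("Subject: {0}", certificate.Subject);
            Console.WriteLine("Issuer:  {0}", certificate.Issuer);
            Console.WriteLine("Expires: {0}", certificate.GetExpirationDateString());
        }

        // Name mismatch, chain errors, or missing certificate, as flags.
        Console.WriteLine("Policy errors: {0}", errors);

        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.WriteLine("  chain: {0}: {1}",
                    status.Status, status.StatusInformation.Trim());
            }
        }

        // Same decision the default validation makes: accept only a clean result.
        return errors == SslPolicyErrors.None;
    }
}
```

If nothing is printed before the timeout, the callback was never invoked, so the failure happened before the server's certificate reached the client.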
  • The URL wasn't real - I didn't want to reveal my clients site.

    Wednesday, May 8, 2013 4:38 PM
  • The certificate is a real certificate issued by a trusted authority and used for ssl (for years) on this web server.  We associated it with FTP and it is one of the choices in the drop down.  So it's not like some unknown home grown certificate.  

    Wednesday, May 8, 2013 4:39 PM
  • Wait it is a preexisting certificate but the FTP site is new?  Then how do the URLs match?  Or is it a wildcard certificate?


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Wednesday, May 8, 2013 4:41 PM
    Moderator
  • This is the most encouraging response though I expect we are going down the wrong path with the certificate being the issue - but I would like to eliminate it so I tried your code.  

    The syntax isn't supported - I get:

    Error 3 Operator '+=' cannot be applied to operands of type 'System.Net.Security.RemoteCertificateValidationCallback' and 'anonymous method' z:\documents\work\wam\FTPSTest\FTPSTest\Program.cs 15 13 FTPSTest

    Also what assembly do I need to include for the X509 stuff?

    How to fix it?  Thanks for your suggestions.

    Wednesday, May 8, 2013 4:41 PM
  • PS - something is close to right because when I try this connection to a server without FTPS setup I get

    The underlying connection was closed: The server committed a protocol violation.

    On the server with it setup I receive:

    Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

    But it works from FileZilla from my mac.  Odd.

    Wednesday, May 8, 2013 4:51 PM
  • Reed,

    Pre-existing - but the urls match because the only thing different is ftp:// at the front instead of http:// - we are not using ftp.domain.com - using www.domain.com.

    Wednesday, May 8, 2013 5:45 PM
  • PS - if I can figure out the right code for the certificate validation call back - then perhaps we can eliminate this as the cause.

    Wednesday, May 8, 2013 5:48 PM
  • I inserted this code and it never reaches it in the debugger so this is failing before that point.  What do I put in to trace?

    Also since it never gets here it sounds almost like firewall on the server  - so I disabled the firewalls (client and server) - no difference.  It also doesn't make sense that the filezilla from the mac works - but nothing from Windows does.  

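    // Needs: using System.Net; using System.Net.Security;
    //        using System.Security.Cryptography.X509Certificates; using System.Security.Policy;
    ServicePointManager.ServerCertificateValidationCallback +=
        new RemoteCertificateValidationCallback(MyCertValidationCb);

    public static bool MyCertValidationCb(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // A certificate with no policy errors is accepted.
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }

        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors)
                == SslPolicyErrors.RemoteCertificateChainErrors)
        {
            return false;
        }
        else if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch)
                == SslPolicyErrors.RemoteCertificateNameMismatch)
        {
            // For an FTP upload the sender is not an HttpWebRequest, so use the
            // WebRequest base class and reject anything else.
            WebRequest req = sender as WebRequest;
            if (req == null)
            {
                return false;
            }

            // Tolerate a name mismatch only for intranet or local hosts.
            Zone z = Zone.CreateFromUrl(req.RequestUri.ToString());
            if (z.SecurityZone == System.Security.SecurityZone.Intranet
                || z.SecurityZone == System.Security.SecurityZone.MyComputer)
            {
                return true;
            }
            return false;
        }
        return false;
    }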

    Wednesday, May 8, 2013 6:12 PM
  • This is looking more and more like NAT/Firewall - since it works outside that but within a vmware guest it fails.  I tried FTPS to this server on a non vm windows machine and it works.  Still not sure about MY code but an ftps test I found works.

    Wednesday, May 8, 2013 6:36 PM
  • OK - None of this matters.  The server is properly setup and the connections work now that the NAT problem on the client side is solved.

    • Marked as answer by ThaneHubbell Friday, May 17, 2013 1:56 PM
    Wednesday, May 8, 2013 7:37 PM
  • Can you open a Telnet session from a command prompt to the server on port 990?


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"

    Wednesday, May 8, 2013 7:41 PM
    Moderator
  • I always check this wiki well known port number webpage when checking port numbers

    http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

    It says port 990 is FTPS Protocol (control): FTP over TLS/SSL.

    The answer is obviously NO!  You can't open Telnet on a FTP port number.  You can use port 992 which is Telnet over TLS/SSL.


    jdweng

    Wednesday, May 8, 2013 9:12 PM
  • You can open a telnet connection to ANY port.

    It is a very handy tool for verifying at a low level that a service is listening.  SMTP commands are often checked manually using a telnet connection.

    -EDIT-

    Just in case you won't take my word for it:

    http://technet.microsoft.com/en-us/library/aa995718(v=EXCHG.65).aspx

    Same goes for any TCP service which accepts plain-text commands.


    Reed Kimble - "When you do things right, people won't be sure you've done anything at all"



    Wednesday, May 8, 2013 9:50 PM
    Moderator
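
The thread moved between three suspects: the network path, whether the server accepts "AUTH TLS", and the certificate. The following added example (not code from any participant) walks an explicit-TLS control connection one stage at a time and reports the first stage that fails; `FtpsProbe` and `Probe` are hypothetical names, and the host and port are supplied by the caller.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;
static class FtpsProbe
{
    // Returns "ok: ..." or the first stage that failed, with the reason.
    public static string Probe(string host, int port, int timeoutMs)
    {
        string stage = "tcp-connect";
        try
        {
            using (TcpClient client = new TcpClient())
            {
                client.ReceiveTimeout = timeoutMs;
                client.Connect(host, port);
                NetworkStream net = client.GetStream();
                stage = "banner";          // server greets with 220
                string reply = ReadReply(net);
                if (!reply.StartsWith("220")) return stage + ": " + reply;
                stage = "auth-tls";        // 234 means TLS may start
                byte[] cmd = Encoding.ASCII.GetBytes("AUTH TLS\r\n");
                net.Write(cmd, 0, cmd.Length);
                reply = ReadReply(net);
                if (!reply.StartsWith("234")) return stage + ": " + reply;
                stage = "tls-handshake";   // default chain and name validation
                using (SslStream tls = new SslStream(net, false))
                {
                    tls.AuthenticateAsClient(host);
                    return "ok: " + tls.SslProtocol + ", " + tls.RemoteCertificate.Subject;
                }
            }
        }
        catch (Exception ex) { return stage + ": " + ex.GetType().Name + ": " + ex.Message; }
    }
    // Reads one FTP reply: "NNN-text" lines continue, "NNN text" ends it.
    static string ReadReply(Stream s)
    {
        StringBuilder line = new StringBuilder();
        for (int b = s.ReadByte(); b >= 0; b = s.ReadByte())
        {
            if (b != '\n') { line.Append((char)b); continue; }
            string text = line.ToString().TrimEnd('\r');
            if (text.Length >= 4 && char.IsDigit(text[0]) && text[3] == ' ') return text;
            line.Length = 0;
        }
        throw new IOException("connection closed before a complete reply");
    }
}
```

Call it as `Console.WriteLine(FtpsProbe.Probe("ftp.example.com", 21, 10000));` with your own host. Running it from each client machine shows whether a failure follows the server or the client's network.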