FTPS (SChannel) - eats greeting, never sends password
I am trying to connect to a server which uses implicit TLS (ftps) and has a multi-line initial greeting. With OpenSSL this works properly, but with SChannel I see in the ftp log that
1) first half of the greeting is not displayed;
2) the USER command is sent before the rest of the greeting arrives;
3) there's no "331 Password required";
4) the PASS command is never sent.
(In other words, looks like SChannel eats the 1st incoming and outgoing packets...)
Total Commander 9.12 [amd64]
Windows 10.1803 (build 17134.48) [amd64]
With OpenSSL:
Method: TLSv1
Cert subject: foo
Cert issuer: foo
220-## Hello and welcome to the FTP Server!
## The uploading of copyright or illegal material is forbidden
## Auto banning is enabled - 20 wrong logins = 1 hour AUTO ban
## Server hammering will result in an auto ban
## 20 bad connections in 120 seconds = 1 hour AUTO ban
## Downloading from the upload account is not allowed, 3KB/s max
## Maximum connections per IP: See the FTP page
## SSL required. See the FTP page for information.
## Please keep all account login credentials to yourself.
## =================================
## Note!
## =================================
## Directory listing can take up to 15 seconds, sometimes
## a little longer. Please be patient and wait. You may
## need to increase your client time-out settings.
220 ## =================================
USER foo
331 Password required for foo.
PASS ***********
230 User foo logged in.
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
...
With SChannel:
Method: TLSv1
Cert subject: foo
Cert issuer: foo
USER foo
## =================================
## Note!
## =================================
## Directory listing can take up to 15 seconds, sometimes
## a little longer. Please be patient and wait. You may
## need to increase your client time-out settings.
220 ## =================================
SYST
530 Please login with USER and PASS first.
FEAT
211-Extensions supported:
...
- ghisler(Author)
It seems to be hanging in the FEAT command. Try disabling it:
wcx_ftp.ini
[General]
PreventFEAT=1
Author of Total Commander
https://www.ghisler.com
ghisler(Author) wrote:
> It seems to be hanging in the FEAT command. Try disabling it:
> wcx_ftp.ini
> [General]
> PreventFEAT=1
Tested this, unfortunately it doesn't help.
Sorry, my post was unclear -- the logs don't stop at FEAT; they go on to try a dozen different commands which all fail because Total Commander hasn't sent PASS.
Here's the untrimmed log (and it has the same problem whether FEAT is enabled or disabled):
----------
Using sChannel (Secur32.dll) for SSL/TLS connection.
Connect to: (2018-06-10 19:55:34)
hostname=foo
username=grawity
startdir=
foo=x.y.z.t
Method: TLSv1
Cert subject: L=foo
Cert issuer: L=foo
USER grawity
## =================================
## Note!
## =================================
## Directory listing can take up to 15 seconds, sometimes
## a little longer. Please be patient and wait. You may
## need to increase your client time-out settings.
220 ## =================================
SYST
530 Please login with USER and PASS first.
FEAT
211-Extensions supported:
AUTH TLS
CCC
CLNT
CPSV
EPRT
EPSV
MDTM
MFCT
MFMT
MLST type*;size*;create;modify*;
MODE Z
PASV
PBSZ
PROT
REST STREAM
SIZE
SSCN
TVFS
UTF8
XCRC "filename" SP EP
XMD5 "filename" SP EP
XSHA1 "filename" SP EP
211 End.
PBSZ 0
200 PBSZ=0
PROT P
200 PROT command successful.
CLNT Total Commander (UTF-8)
530 Please login with USER and PASS first.
OPTS UTF8 ON
530 Please login with USER and PASS first.
Connect ok!
PWD
530 Please login with USER and PASS first.
XPWD
530 Please login with USER and PASS first.
PWD
530 Please login with USER and PASS first.
XPWD
530 Please login with USER and PASS first.
PWD
530 Please login with USER and PASS first.
XPWD
530 Please login with USER and PASS first.
PWD
530 Please login with USER and PASS first.
XPWD
530 Please login with USER and PASS first.
PWD
530 Please login with USER and PASS first.
XPWD
530 Please login with USER and PASS first.
PWD
530 Please login with USER and PASS first.
XPWD
530 Please login with USER and PASS first.
Get directory
TYPE A
530 Please login with USER and PASS first.
MODE Z
530 Please login with USER and PASS first.
PASV
530 Please login with USER and PASS first.
PORT 192,168,1,70,195,135
530 Please login with USER and PASS first.
- ghisler(Author)
It's very strange, the server should send
331 User ghisler OK. Password required
after receiving the USER command. But instead, it seems to send the banner after receiving the USER command.
I cannot say remotely what's wrong. Can you either provide a test account for the server via e-mail (support at ghisler dot com), or send me detailed instructions on how to set up your exact FTP server?
- ghisler(Author)
I found the problem! TC was ignoring the banner and just skipping it in this special case (implicit SSL via sChannel). This doesn't work with long multi-line banners. I will fix it.
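The banner handling discussed above, as an added example that is not part of the thread and is not Total Commander's code: an incremental reader that only reports a reply once its final `220 ` line has arrived, so USER is never sent into a half-read multi-line greeting. The names `ReplyReader` and `commands_for` and the sample chunks are assumptions made for this illustration; the chunks are constructed from the greeting quoted in the first post.

```python
import re

class ReplyReader:
    """Assembles FTP control replies (RFC 959, section 4.2) from byte chunks."""

    def __init__(self):
        self._buf = b""     # bytes received but not yet ended by CRLF
        self._lines = []    # lines of the reply being assembled
        self._code = None   # code of the open multi-line reply, if any

    def feed(self, chunk):
        """Add decrypted bytes; return the replies those bytes completed."""
        done = []
        self._buf += chunk
        while b"\r\n" in self._buf:
            raw, self._buf = self._buf.split(b"\r\n", 1)
            line = raw.decode("utf-8", "replace")
            m = re.match(r"(\d{3})([ -]|$)", line)
            self._lines.append(line)
            if self._code is None:
                if not m:
                    raise ValueError("not an FTP reply line: %r" % line)
                if m.group(2) == "-":          # "220-": multi-line reply opens
                    self._code = m.group(1)
                    continue
            elif not (m and m.group(1) == self._code and m.group(2) != "-"):
                continue                       # continuation line, keep reading
            done.append((int(m.group(1)), self._lines))
            self._lines, self._code = [], None
        return done

def commands_for(chunks, user="foo"):
    """Commands a client sends, in order, for a scripted server byte stream."""
    reader, sent = ReplyReader(), []
    for chunk in chunks:
        for code, _lines in reader.feed(chunk):
            if code == 220 and not sent:
                sent.append("USER " + user)     # only after the whole greeting
            elif code == 331:
                sent.append("PASS ***")
    return sent

# Constructed sample: a shortened version of the thread's greeting, split
# mid-line the way two separate TLS records could deliver it.
PART1 = b"220-## Hello and welcome to the FTP Server!\r\n## SSL required. See the FTP page for in"
PART2 = b"formation.\r\n## Note!\r\n220 ## =================================\r\n"
REPLY_331 = b"331 Password required for foo.\r\n"

if __name__ == "__main__":
    print(commands_for([PART1, PART2, REPLY_331]))
```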
- ghisler(Author)
This should be fixed in TC 9.20 release candidate 1, please test it!