FTPS: missing PBSZ 0 | Thales IoT Developer Community
June 28, 2018 - 11:02am
Hello,
when trying to transmit data via FTP with TLS, I have the following problem (EHS6, ELS61 Rel 2):
^SIS: 0,0,2100,"Ftp open(websrv7.linznet.at:990)"
^SIS: 0,0,2100,"SSL-Info: TLS, 3.3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
^SIS: 0,0,2100,"SSL-Cert: C=US;O=Let's Encrypt;CN=Let's Encrypt Authority X3"
^SIS: 0,0,2100,"220 ProFTPD 1.3.5d Server (ProFTPD) [80.66.32.17]"
^SIS: 0,0,2100,"FTP Login OK"
^SIS: 0,0,2100,"S:503 You must issue the PBSZ command prior to PROT"
^SIS: 0,0,100,"FTP-ERR: 503 You must issue the PBSZ command prior to PROT"
I know that FTP via TLS only supports implicit and PROT C.
But according to <https://tools.ietf.org/html/rfc4217#section-9> the PROT command MUST be preceded by a "PBSZ 0" command.
When I test FTPS connection with the test server <test.rebex.net/>, connection is possible. Maybe this server is more tolerant regarding the RFC.
Does anyone know a workaround?
-----ATI1-----
ELS61-E:
REVISION 02.000
A-REVISION 01.000.00
JRC-1.62.01.jad
EHS6:
REVISION 03.001
A-REVISION 00.000.51
JRC-1.56.54-CDG-00006.01.jad
Thanks and best regards
Klaus
Hello,
Is that a public server that you test with? Is it possible that I also test with this server?
Workaround would probably be to reconfigure the server but it's probably not always possible.
Regards,
Bartłomiej
Hello Bartłomiej,
It's our company server. But I will try to set up a test access for you.
I now tested the same scenario with EHS6, A-REV 55:
The PBSZ problem seems to be fixed, but it now fails when trying to send data:
at^siso=0
OK
^SIS: 0,0,2100,"Ftp open(websrv7.linznet.at:990)"
^SIS: 0,0,2100,"SSL-Info: TLS, 3.3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
^SIS: 0,0,2100,"SSL-Cert: C=US;O=Let's Encrypt;CN=Let's Encrypt Authority X3"
^SIS: 0,0,2100,"220 ProFTPD 1.3.5d Server (ProFTPD) [80.66.32.17]"
^SIS: 0,0,2100,"FTP Login OK"
^SIS: 0,0,2100,"put FTPTestEHS6-55-New.csv"
^SISW: 0,1
at^sisw=0,10
^SISW: 0,10,0
0123456789
OK
^SISW: 0,1
at^sisw=0,10
^SISW: 0,10,0
0123456789
^SISW: 0,1
^SIS: 0,0,15,"Remote host has reset the connection"
^SISR: 0,2
An empty file is the result.
As mentioned, I will try to give you a test access.
But what you can try to test:
when using the test server from rebex, reading a file works fine with A-Rev 51, but not anymore with 55:
at^siss=0,"srvType","Ftp"
OK
at^siss=0,"cmd","get"
OK
at^siss=0,"files","readme.txt"
OK
at^siss=0,"address","ftps://demo:password@test.rebex.net:990"
OK
at^siss=0,"conId",1
OK
at^siso=0
OK
^SIS: 0,0,2100,"Ftp open(test.rebex.net:990)"
^SIS: 0,0,2100,"SSL-Info: TLS, 3.3, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
^SIS: 0,0,2100,"SSL-Cert: C=US;O=thawte, Inc.;OU=Domain Validated SSL;CN=thawte DV SSL CA - G2"
^SIS: 0,0,2100,"220 Microsoft FTP Service"
^SIS: 0,0,2100,"FTP Login OK"
^SIS: 0,0,2100,"get readme.txt"
Here it hangs up in A-Rev 55.
In 51 it continues with:
^SISR: 0,1
at^sisr=0,1500
^SISR: 0,403
Welcome,
you are connected to an FTP or SFTP server used for testing purposes by Rebex FTP/SSL or Rebex SFTP sample code.
Only read access is allowed and the FTP download speed is limited to 16KBps.
For infomation about Rebex FTP/SSL, Rebex SFTP and other Rebex .NET components,
please visit our website at http://www.rebex.net/
For feedback and support, contact support@rebex.net
Thanks!
OK
Hello Bartłomiej,
I now set up a test access to our ftps server. Please find below the whole logs for EHS6 A-Rev 51 and 55 with the access data of the test server:
--------------------- EHS6 A-Rev51 (same as ELS61 Rel.2) ----------
^SYSLOADING
^SYSSTART
+PBREADY
ati1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.51
OK
AT+cmee=2
OK
AT^SICS=1,"conType","GPRS0"
OK
AT^SICS=1,"user","ppp@A1plus.at"
OK
AT^SICS=1,"passwd","ppp"
OK
AT^SICS=1,"apn","A1.net"
OK
AT^SICS=1,"inactTO",120
OK
at^scfg="Tcp/WithURCs"
^SCFG: "Tcp/WithURCs","on"
OK
at^siss=0,"srvType","Ftp"
OK
at^siss=0,"cmd","put"
OK
at^siss=0,"files","FTPTestEHS6-55-New.csv"
OK
at^siss=0,"address","ftps://ftp0512:jv3PPk63@websrv7.linznet.at/httpdocs/"
OK
at^siss=0,"conId",1
OK
at^siso=0
OK
^SIS: 0,0,2100,"Ftp open(websrv7.linznet.at:990)"
^SIS: 0,0,2100,"SSL-Info: TLS, 3.3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
^SIS: 0,0,2100,"SSL-Cert: C=US;O=Let's Encrypt;CN=Let's Encrypt Authority X3"
^SIS: 0,0,2100,"220 ProFTPD 1.3.5d Server (ProFTPD) [80.66.32.17]"
^SIS: 0,0,2100,"FTP Login OK"
^SIS: 0,0,2100,"S:503 You must issue the PBSZ command prior to PROT"
^SIS: 0,0,100,"FTP-ERR: 503 You must issue the PBSZ command prior to PROT"
--------------------- EHS6 A-Rev55 ----------
^SYSLOADING
^SYSSTART
+PBREADY
ATI1
Cinterion
EHS6
REVISION 03.001
A-REVISION 00.000.55
OK
AT+cmee=2
OK
AT^SICS=1,"conType","GPRS0"
OK
AT^SICS=1,"user","ppp@A1plus.at"
OK
AT^SICS=1,"passwd","ppp"
OK
AT^SICS=1,"apn","A1.net"
OK
AT^SICS=1,"inactTO",120
OK
at^scfg="Tcp/WithURCs"
^SCFG: "Tcp/WithURCs","on"
OK
at^siss=0,"srvType","Ftp"
OK
at^siss=0,"cmd","put"
OK
at^siss=0,"files","FTPTestEHS6-55-New.csv"
OK
at^siss=0,"address","ftps://ftp0512:jv3PPk63@websrv7.linznet.at/httpdocs/"
OK
at^siss=0,"conId",1
OK
at^siso=0
OK
^SIS: 0,0,2100,"Ftp open(websrv7.linznet.at:990)"
^SIS: 0,0,2100,"SSL-Info: TLS, 3.3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
^SIS: 0,0,2100,"SSL-Cert: C=US;O=Let's Encrypt;CN=Let's Encrypt Authority X3"
^SIS: 0,0,2100,"220 ProFTPD 1.3.5d Server (ProFTPD) [80.66.32.17]"
^SIS: 0,0,2100,"FTP Login OK"
^SIS: 0,0,2100,"put FTPTestEHS6-55-New.csv"
^SISW: 0,1
at^sisw=0,10
^SISW: 0,10,0
0123456789
OK
^SISW: 0,1
at^sisw=0,10
^SISW: 0,10,0
0123456789
OK
^SISW: 0,1
^SIS: 0,0,15,"Remote host has reset the connection"
^SISR: 0,2
at^SISC=0
OK
--------------------
Strange here is also the "^SISR: 0,2" URC. Why "R" and not "W"?
Thanks
Klaus
Thank you.
I will test your scenarios and write back.
Best regards,
Bartłomiej
Hello,
I have tested with EHS6 REVISION 03.001 A-REVISION 00.000.55 and EHS6 REVISION 03.001 A-REVISION 00.000.51 with JRC-1.56.54-CDG-00006.01.
My results are the same - A-REVISION 00.000.55 seems to have problems with FTPS - it is possible to login and communicate over control channel but it fails when it comes to data transfer over data channel (download or upload).
As for A-REVISION 00.000.51, it is the older version than A-REVISION 00.000.55, but you have the customized JRC MIDlet JRC-1.56.54-CDG-00006.01 and FTPS is working with the rebex server but still not with your server.
A fix for FTPS problems should be included in some future firmware revisions.
But for now I think that you need to contact the person who has provided you with the customized firmware and ask for improvement.
Best regards,
Bartłomiej
Hello Bartłomiej,
this is no good news.
Are the problems I wrote to you automatically reported to Gemalto's developers?
The "customized" version we have is not really designed to fulfill our special wishes, but is a special version Gemalto made to fix some bugs in SMTPS sending procedures. No one knows why they didn't fix these bugs in the main version too. With this "special" version they also told us that they have improved the implementation of FTPS. This may be the reason why the PBSZ problem seems to be solved only in this version.
When we ask them to implement these fixes into the current version, they tell us, that our use case is so exotic (FTPS+SMTPS???) that they have not the time to do this.
What I don't understand: are we really the only ones in the whole world of Gemalto who use the modules to send data via FTPS or SMTPS?
Or is there any other possibility to do that? I don't think that someone has implemented FTP via TLS in JAVA?
Best regards
Klaus
Hello Klaus,
The problems are not reported automatically. But I have found in our error tracking system that such a problem with FTPS was already reported. So the fix will be provided and integrated into a future firmware release. But this is a process which takes time. So probably this is the reason why you got the special version. And if this version still doesn't solve all the problems and in particular FTPS is not yet working as expected, I suggest and encourage you to contact your local/dedicated Gemalto technical sales in this regard. Maybe it will be possible to improve it. We will not be able to solve this problem via the forum, especially since we are talking about the dedicated FW version.
As for FTP implementation in Java, I think that it should also be possible to implement an implicit FTPS.
Best regards,
Bartłomiej
Hello,
I have done some tests with FTPS implementation in Java. I have used FTP implementation from this demo project:
https://iot-developer.thalesgroup.com/showcase/uart-ftp-pipe-example-jav...
And I have modified the FTP code a little bit - replaced SocketConnection with SecureConnection for the control channel, added PBSZ 0 and PROT commands, added 2 variants for the data channel: SecureConnection in case of sending PROT P and SocketConnection while sending PROT C. Then I was able to download a file from rebex and your server with both PROT C and PROT P variants.
Regards,
Bartłomiej
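The command ordering discussed in this thread (PBSZ 0 before PROT, then a TLS or plain data channel depending on the PROT level), as an added example that is not part of the original posts or the linked showcase: a small Python model of the server-side rule from RFC 4217 section 9 and the RFC 2228 reply codes. The class and function names are hypothetical, and all reply texts except the 503 quoted in the logs are constructed.

```python
# Added example: models only the PBSZ/PROT ordering rule, not a real FTP server.
from dataclasses import dataclass


@dataclass
class FtpsSession:
    """Server-side view of one control connection (hypothetical model)."""
    tls_control: bool = True   # implicit FTPS: TLS is up before the 220 banner
    pbsz_done: bool = False
    prot_level: str = "C"      # default protection level is Clear

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "PBSZ":
            if not self.tls_control:
                return "503 PBSZ requires a secured control connection"
            # With TLS the buffer size is always 0 (streaming, no block wrapping).
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                # Reply text as seen in the ProFTPD log in this thread.
                return "503 You must issue the PBSZ command prior to PROT"
            if arg in ("C", "P"):
                self.prot_level = arg
                return "200 Protection level set to " + arg
            if arg in ("S", "E"):
                return "536 Protection level not supported with TLS"
            return "504 Unknown protection level"
        return "502 Command not modelled"

    @property
    def data_channel_encrypted(self) -> bool:
        # Only PROT P wraps the data connection in TLS; PROT C leaves it plain.
        return self.prot_level == "P"


def replay(commands):
    """Run commands through a fresh session; return (reply codes, encrypted?)."""
    session = FtpsSession()
    codes = [session.handle(c)[:3] for c in commands]
    return codes, session.data_channel_encrypted


if __name__ == "__main__":
    print(replay(["PROT C"]))            # ordering that produces the 503 above
    print(replay(["PBSZ 0", "PROT C"]))  # accepted, file data travels in clear
    print(replay(["PBSZ 0", "PROT P"]))  # accepted, data channel uses TLS
```

With PROT C the login is protected by the TLS control channel, but the transferred file contents are not encrypted; only the PROT P variant protects the data connection.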
Hello Bartłomiej,
Read your message now.
Thank you very much, this will be helpful.
Best regards
Klaus
Hello,
Please also see this FTPS showcase that I have just created:
https://iot-developer.thalesgroup.com/showcase/java-explicit-ftps-implem...
Best regards,
Bartłomiej