
FTPS fails, but only for certain commands on certain machines


I set up an FTP server on IIS 10 on Server 2019. I got an SSL certificate and connected to it from my home machine. The client I use is a program I wrote in VB.NET, but it uses an FTPS library written in C# (a port of Alex's FTPSClient to .NET 4.5). Anyway, everything was fine until I tried the same program on another machine, at my work. I get this error:

Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

The strange thing is that it connects successfully and is able to run some commands, but as soon as I try to list a directory or upload a file, the error occurs. I narrowed it down to the code where the error happens:

    private SslStream CreateSSlStream(Stream s, bool leaveInnerStreamOpen)
    {
        // The server certificate is checked by ValidateServerCertificate; the client
        // certificate selection callback is left commented out, so null is passed.
        SslStream sslStream = new SslStream(s, leaveInnerStreamOpen,
            new RemoteCertificateValidationCallback(ValidateServerCertificate),
            null // new LocalCertificateSelectionCallback(ValidateClientCertificate)
        );

        sslStream.ReadTimeout = timeout;
        sslStream.WriteTimeout = timeout;

        // Attach the client certificate, if one was configured
        X509CertificateCollection clientCertColl = new X509CertificateCollection();
        if (sslClientCert != null)
            clientCertColl.Add(sslClientCert);

        // This is the call that fails on the data connection
        sslStream.AuthenticateAsClient(hostname, clientCertColl,
            SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false);

        CheckSslAlgorithmsStrength(sslStream);

        return sslStream;
    }

It happens on the AuthenticateAsClient call. I get past the same line earlier, when connecting. The line only fails when I try to run certain commands.

Then I tried it on another machine on a different network, and it didn't even get that far. Instead I got a "The connected party did not respond etc/etc" error, and the error listed the server's IP and port (one of the ports I reserved for passive FTP).

But if I turn SSL off, I can use passive FTP on both of these machines just fine.

So FTP and FTPS work fine on one machine, FTP works fine on the other two machines, but FTPS can't even connect on one of them, and on the other FTPS connects but can't do this.

What could cause this, and how would I start troubleshooting it? My first thought was "firewall" (it's on a corporate network), but if it were the firewall it wouldn't be able to connect at all, right? And it also wouldn't be able to make a passive connection without SSL, since they use the same ports. Could it be a proxy? I'm just stabbing in the dark here because I'm at a loss.

Edit:

I installed WinSCP and turned on verbose logging. This is what I got. The error I get in WinSCP is different from the one I get in my client, but it happens at the same step (trying to do anything in passive mode: list/upload/etc.).

. 2020-12-19 09:02:29.846 --------------------------------------------------------------------------
. 2020-12-19 09:02:29.846 Session name: myuser@mydomain.com (Ad-Hoc site)
. 2020-12-19 09:02:29.846 Host name: mydomain.com (Port: 21)
. 2020-12-19 09:02:29.846 User name: myuser (Password: Yes,Key file: No,Passphrase: No)
. 2020-12-19 09:02:29.846 Transfer Protocol: FTP
. 2020-12-19 09:02:29.846 Ping type: Dummy,Ping interval: 30 sec; Timeout: 15 sec
. 2020-12-19 09:02:29.846 disable Nagle: No
. 2020-12-19 09:02:29.846 Proxy: None
. 2020-12-19 09:02:29.846 Send buffer: 262144
. 2020-12-19 09:02:29.846 UTF: Auto
. 2020-12-19 09:02:29.846 FTPS: Explicit TLS/SSL [Client certificate: No]
. 2020-12-19 09:02:29.846 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2020-12-19 09:02:29.846 Session reuse: Yes
. 2020-12-19 09:02:29.846 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-12-19 09:02:29.846 Local directory: default,Remote directory: home,Update: Yes,Cache: Yes
. 2020-12-19 09:02:29.846 Cache directory changes: Yes,Permanent: Yes
. 2020-12-19 09:02:29.846 Recycle bin: Delete to: No,Overwritten to: No,Bin path: 
. 2020-12-19 09:02:29.846 Timezone offset: 0h 0m
. 2020-12-19 09:02:29.846 --------------------------------------------------------------------------
. 2020-12-19 09:02:29.846 Session upkeep
. 2020-12-19 09:02:29.861 Connecting to mydomain.com ...
. 2020-12-19 09:02:29.861 TLS layer changed state from unconnected to connecting
. 2020-12-19 09:02:29.877 TLS layer changed state from connecting to connected
. 2020-12-19 09:02:29.877 Connected with mydomain.com,negotiating TLS connection...
< 2020-12-19 09:02:29.893 220 Microsoft FTP Service
> 2020-12-19 09:02:29.893 AUTH TLS
< 2020-12-19 09:02:29.924 234 AUTH command ok. Expecting TLS Negotiation.
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS write client hello
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server hello
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server certificate
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server key exchange
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server done
. 2020-12-19 09:02:29.970 TLS connect: SSLv3/TLS write client key exchange
. 2020-12-19 09:02:29.970 TLS connect: SSLv3/TLS write change cipher spec
. 2020-12-19 09:02:29.970 TLS connect: SSLv3/TLS write finished
. 2020-12-19 09:02:29.986 TLS connect: SSLv3/TLS write finished
. 2020-12-19 09:02:29.986 TLS connect: SSLv3/TLS read change cipher spec
. 2020-12-19 09:02:29.986 TLS connect: SSLv3/TLS read finished
. 2020-12-19 09:02:29.986 Verifying certificate for "" with fingerprint xxxxxxx and 20 failures
. 2020-12-19 09:02:29.986 Certificate common name "mydomain.com" matches hostname
. 2020-12-19 09:02:30.283 Certificate verified against Windows certificate store
. 2020-12-19 09:02:30.283 Using TLSv1.2,cipher TLSv1.2: xxxxxxx,3072 bit RSA,xxxxxxxx TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
. 2020-12-19 09:02:30.314 TLS connection established. Waiting for welcome message...
> 2020-12-19 09:02:30.314 USER myuser
< 2020-12-19 09:02:30.314 331 Password required
> 2020-12-19 09:02:30.314 PASS ********
< 2020-12-19 09:02:30.345 230 User logged in.
> 2020-12-19 09:02:30.345 SYST
. 2020-12-19 09:02:30.361 The server is probably running Windows,assuming that directory listing timestamps are affected by DST.
< 2020-12-19 09:02:30.361 215 Windows_NT
> 2020-12-19 09:02:30.361 FEAT
< 2020-12-19 09:02:30.377 211-Extended features supported:
< 2020-12-19 09:02:30.377  LANG EN*
< 2020-12-19 09:02:30.377  UTF8
< 2020-12-19 09:02:30.377  AUTH TLS;TLS-C;SSL;TLS-P;
< 2020-12-19 09:02:30.377  PBSZ
< 2020-12-19 09:02:30.377  PROT C;P;
< 2020-12-19 09:02:30.377  CCC
< 2020-12-19 09:02:30.377  HOST
< 2020-12-19 09:02:30.377  SIZE
< 2020-12-19 09:02:30.377  MDTM
< 2020-12-19 09:02:30.377  REST STREAM
< 2020-12-19 09:02:30.377 211 END
> 2020-12-19 09:02:30.377 OPTS UTF8 ON
< 2020-12-19 09:02:30.408 200 OPTS UTF8 command successful - UTF8 encoding Now ON.
> 2020-12-19 09:02:30.408 PBSZ 0
< 2020-12-19 09:02:30.424 200 PBSZ command successful.
> 2020-12-19 09:02:30.424 PROT P
< 2020-12-19 09:02:30.439 200 PROT command successful.
. 2020-12-19 09:02:30.439 Session upkeep
. 2020-12-19 09:02:30.502 Connected
. 2020-12-19 09:02:30.502 Got reply 1 to the command 1
. 2020-12-19 09:02:30.502 --------------------------------------------------------------------------
. 2020-12-19 09:02:30.502 Using FTP protocol.
. 2020-12-19 09:02:30.502 Doing startup conversation with host.
> 2020-12-19 09:02:30.517 PWD
< 2020-12-19 09:02:30.549 257 "/" is current directory.
. 2020-12-19 09:02:30.549 Got reply 1 to the command 16
. 2020-12-19 09:02:30.549 Getting current directory name.
. 2020-12-19 09:02:30.596 Retrieving directory listing...
> 2020-12-19 09:02:30.596 TYPE A
< 2020-12-19 09:02:30.611 200 Type set to A.
> 2020-12-19 09:02:30.611 PASV
< 2020-12-19 09:02:30.627 227 Entering Passive Mode (123,123,123).
> 2020-12-19 09:02:30.627 LIST -a
. 2020-12-19 09:02:30.627 Connecting to 123.123.123.123:123 ...
. 2020-12-19 09:02:30.658 Data connection opened
. 2020-12-19 09:02:30.658 Trying reuse main TLS session ID
< 2020-12-19 09:02:30.658 150 opening ASCII mode data connection.
. 2020-12-19 09:02:30.658 TLS layer changed state from none to connected
. 2020-12-19 09:02:30.658 TLS layer changed state from connected to aborted
. 2020-12-19 09:02:30.658 Data connection closed
. 2020-12-19 09:02:30.658 <Empty directory listing>
< 2020-12-19 09:02:30.674 550 The specified network name is no longer available. 
. 2020-12-19 09:02:30.674 Could not retrieve directory listing
. 2020-12-19 09:02:30.674 Got reply 4 to the command 2
. 2020-12-19 09:02:30.689 LIST with -a Failed,will try pure LIST
. 2020-12-19 09:02:30.689 Retrieving directory listing...
> 2020-12-19 09:02:30.689 TYPE A
< 2020-12-19 09:02:30.705 200 Type set to A.
> 2020-12-19 09:02:30.705 PASV
< 2020-12-19 09:02:30.736 227 Entering Passive Mode (123,123).
> 2020-12-19 09:02:30.736 LIST
. 2020-12-19 09:02:30.736 Connecting to 123.123.123.123:123 ...
< 2020-12-19 09:02:30.752 150 opening ASCII mode data connection.
. 2020-12-19 09:02:30.752 Data connection opened
. 2020-12-19 09:02:30.752 Trying reuse main TLS session ID
. 2020-12-19 09:02:30.752 TLS layer changed state from none to connected
. 2020-12-19 09:02:30.752 TLS layer changed state from connected to aborted
. 2020-12-19 09:02:30.752 Data connection closed
. 2020-12-19 09:02:30.752 <Empty directory listing>
< 2020-12-19 09:02:30.783 550 The specified network name is no longer available. 
. 2020-12-19 09:02:30.783 Could not retrieve directory listing
. 2020-12-19 09:02:30.783 Got reply 4 to the command 2
* 2020-12-19 09:02:30.861 (ECommand) Error listing directory '/'.
* 2020-12-19 09:02:30.861 Could not retrieve directory listing
* 2020-12-19 09:02:30.861 The specified network name is no longer available. 
. 2020-12-19 09:04:30.099 Dummy directory read to keep session alive.
. 2020-12-19 09:04:30.099 Retrieving directory listing...
> 2020-12-19 09:04:30.099 TYPE A
< 2020-12-19 09:04:30.115 200 Type set to A.
> 2020-12-19 09:04:30.115 PASV
< 2020-12-19 09:04:30.146 227 Entering Passive Mode (123,123).
> 2020-12-19 09:04:30.146 LIST
. 2020-12-19 09:04:30.146 Connecting to 123.123.123.123:123 ...
. 2020-12-19 09:04:30.162 Data connection opened
. 2020-12-19 09:04:30.162 Trying reuse main TLS session ID
< 2020-12-19 09:04:30.162 150 opening ASCII mode data connection.
. 2020-12-19 09:04:30.162 TLS layer changed state from none to connected
. 2020-12-19 09:04:30.162 TLS layer changed state from connected to aborted
. 2020-12-19 09:04:30.162 Data connection closed
. 2020-12-19 09:04:30.162 <Empty directory listing>
< 2020-12-19 09:04:30.193 550 The specified network name is no longer available. 
. 2020-12-19 09:04:30.193 Could not retrieve directory listing
. 2020-12-19 09:04:30.193 Got reply 4 to the command 2

Solution

Check the TLS protocol settings on each machine (see below). They can differ by OS, version, .NET updates, etc.

Alternatively, and probably better, try setting the following in your class type initializer (runs once):

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;

This appends TLS 1.2 and SSL 3 to whatever settings each machine currently has.

Check your current settings

  1. In the Windows search bar, type Internet Options.

  2. Open the app and go to the Advanced tab.

  3. In the Security section you will see your SSL/TLS settings (depending on OS etc.):

    Use SSL 3.0
    Use TLS 1.0
    Use TLS 1.1
    Use TLS 1.2
    Use TLS 1.3 (experimental)

Update

I just saw this line in your code:

sslStream.AuthenticateAsClient(hostname,clientCertColl,SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls,false);

I'm not sure, but I think you should remove SslProtocols.Tls11 and SslProtocols.Tls, and possibly add SslProtocols.Ssl3 (if available). In any case, I would still try the tips above and see what happens. Sorry for missing that.
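The answer's two suggestions (a process-wide SecurityProtocol setting and a single protocol value on AuthenticateAsClient), written out as an added example that is not part of the question's client or the FTPS library. It is a hypothetical helper that also logs what each machine negotiated on the control and on the data connection, so the working and failing machines can be compared; it pins TLS 1.2 instead of enabling SSL 3.0.

```csharp
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper: applies the answer's two suggestions explicitly and logs
// what each machine actually negotiates, so the working and failing machines
// can be compared line by line.
static class FtpsTlsDiagnostics
{
    // Run once at startup (the answer's type-initializer suggestion), restricted
    // to TLS 1.2; SSL 3.0 is not added here.
    public static void ConfigureProcessWideTls()
    {
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
    }
    // Wraps an already-connected control or data stream in TLS. The
    // connectionKind label ("control"/"data") only tags the log lines.
    public static SslStream AuthenticateAndReport(Stream inner, string hostname,
                                                  string connectionKind, TextWriter log)
    {
        var ssl = new SslStream(inner, false, (sender, cert, chain, errors) =>
        {
            // A per-machine trust-store difference shows up here as RemoteCertificateChainErrors.
            if (errors != SslPolicyErrors.None)
                log.WriteLine($"[{connectionKind}] certificate policy errors: {errors}");
            return errors == SslPolicyErrors.None;
        });
        ssl.ReadTimeout = 15000;
        ssl.WriteTimeout = 15000;
        try
        {
            // Single protocol value instead of Tls12 | Tls11 | Tls.
            ssl.AuthenticateAsClient(hostname, new X509CertificateCollection(),
                                     SslProtocols.Tls12, checkCertificateRevocation: false);
            log.WriteLine($"[{connectionKind}] {ssl.SslProtocol}, " +
                $"Kx={ssl.KeyExchangeAlgorithm}, {ssl.CipherAlgorithm}({ssl.CipherStrength}), " +
                $"Mac={ssl.HashAlgorithm}");
        }
        catch (IOException ex)
        {
            // "Unable to read data from the transport connection" surfaces here; the label
            // tells whether the control or the data connection died.
            log.WriteLine($"[{connectionKind}] TLS handshake with {hostname} aborted: {ex.Message}");
            throw;
        }
        return ssl;
    }
}
```

Call AuthenticateAndReport once for the control connection after AUTH TLS and once for each passive data connection; a data-connection line that logs an abort while the control line succeeded matches the WinSCP log above.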

