EnableSsl property

mentalhard

Hi,

Using an application I have produced a self-signed certificate.
Currently I have three files there:

cert.crt
cert.csr
cert.key

So my question is: how do I implement this certificate in the code in order to use an encrypted channel for transferring passwords and file contents.

The code I have works flawlessly with FtpWebRequest's EnableSsl property disabled.

C#:
FtpWebRequest request = (FtpWebRequest)WebRequest.Create(serverUri);
request.Credentials = new NetworkCredential("xxxxxl", "xxxxxx");
request.UsePassive = true;
request.EnableSsl = false;
request.Method = WebRequestMethods.Ftp.ListDirectory;

// normally the exception is always thrown on this line
FtpWebResponse response = (FtpWebResponse)request.GetResponse();

If I enable EnableSsl I get the following exception:

The remote certificate is invalid according to the validation procedure.

which is the exception that is thrown when authentication fails for an authentication stream.

OK, then I tried to create a new certificate from the file:

C#:
X509Certificate cert = X509Certificate.CreateFromCertFile(@"C:\TestTLS\CERTS\cert.crt");
request.ClientCertificates.Add(cert);

But I still get the same message/exception.

Now, if I understand this Wikipedia statement correctly:

Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating. The next level of security—in which both ends of the "conversation" are sure with whom they are communicating—is known as mutual authentication.

I can go for the typical way of authenticating only the server, which means I do not even need a self-signed one.

However, I cannot find a solution for my problem. I have noticed that actually many people are struggling with the same problem, but it seems like there is not any good tutorial on how to properly either implement a self-signed cert or use the EnableSsl property along with the FtpWebRequest class without having a cert on the client side.

Thank you

_______________________________________________________
I was wondering if this can be of help; namely, I tested it from this FTP test web site http://www.g6ftpserver.com/en/ftptest and it returns the following:

* About to connect() to domain.elementfx.com port 21
* Trying 70.86.238.xxx... connected
* Connected to domain.elementfx.com (xx.86.238.xxx) port 21
< 220---------- Welcome to Pure-FTPd [TLS] ----------
< 220-You are user number 2 of 50 allowed.
< 220-Local time is now 03:56. Server port: 21.
< 220-This is a private system - No anonymous login
< 220-IPv6 connections are also welcome on this server.
< 220 You will be disconnected after 15 minutes of inactivity.


> AUTH SSL
< 500 This security scheme is not implemented

> AUTH TLS
< 234 AUTH TLS OK.
* successfully set certificate verify locations:
* CAfile: d:\www-bin\curl\curl-ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:
* subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=cossacks.x10hosting.com/emailAddress=ssl@cpanel.net
* start date: 2007-09-21 14:51:55 GMT
* expire date: 2035-02-05 14:51:55 GMT
* common name: cossacks.x10hosting.com (does not match 'domain.elementfx.com')
* issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=cossacks.x10hosting.com/emailAddress=ssl@cpanel.net
* SSL certificate verify result: error number 1 (18), continuing anyway.

> USER trial
< 331 User trial OK. Password required

> PASS *****
< 230-User trial has group access to: trial
< 230 OK. Current restricted directory is /


> PBSZ 0
< 200 PBSZ=0

> PROT P
< 534 Fallback to [C]

> PWD
< 257 "/" is your current location
* Entry path is '/'

> CLNT Testing from http://www.g6ftpserver.com/ftptest from IP xx.205.28.xxx

< 500 Unknown command
* QUOT command failed with 500
* Connection #0 to host domain.elementfx.com left intact

* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Thanks once again
 
Well, as described, FtpWebRequest gets a 534 for any SSL-enabled command on that server, so it must be sending PROT P and assuming an SSL server supports secure transmission. Since you can't change this there isn't any other option for using FtpWebRequest. You can probably find/buy other implementations of FTP clients or write your own (not easy). FtpWebRequest is also not intended as an FTP client (in the meaning of an open connection you can interact with through multiple commands), but a light-weight single-request class.

Don't you think it's strange your server is flagging SSL and authenticating itself with a certificate, but doesn't support secure transmission?
 
FtpWebRequest is also not intended as an FTP client (in the meaning of an open connection you can interact with through multiple commands), but a light-weight single-request class.

Yeah, but don't you think that M$ is not serious if the class supports/exposes a certain method/property and it doesn't work as explained in the documentation?

Don't you think it's strange your server is flagging SSL and authenticating itself with a certificate, but doesn't support secure transmission?

Yeah, it is strange indeed. But then how have the 3rd party products solved this particular problem? I contacted them for the source code, which is more than expensive btw, and they all told me that the source code is pure C# .NET code. That means there must be a solution for that.

I tried to connect over a TCP connection directly, but what I found is that all servers actually offer only a few commands (very basic).

It seems like I have to dig a bit deeper to find the solution.

Thanks :)
 
Yeah, but don't you think that M$ is not serious if the class supports/exposes a certain method/property and it doesn't work as explained in the documentation?
What do you mean?
Yeah, it is strange indeed. But then how have the 3rd party products solved this particular problem? I contacted them for the source code, which is more than expensive btw, and they all told me that the source code is pure C# .NET code. That means there must be a solution for that.
The solution is both very easy and comprehensive enough to be difficult. With a plain socket you can connect to the server, then start interacting with it in accordance with the FTP protocol; you can implement a full FTP client that sends multiple commands and only hangs up when you tell it to. Any negative response to any command you issue can be handled and a new command can be sent during the connection time.

You can of course see how this differs from a plain request sequence where you connect, send command, get reply, hang up. When the command fails in such a case you won't get the reply you wanted, and you can only start a new request.
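As an added example (not code from either poster), this is what the socket-based client described above looks like for the exchange captured in the first post: it speaks AUTH TLS on a plain TcpClient, wraps the control connection in SslStream, and handles the certificate error from the original question by pinning the thumbprint of the server's own self-signed certificate instead of switching validation off. It refuses to continue when the server answers PROT P with 534, because that means file contents would go over a cleartext data channel. All names, the host and the thumbprint value are placeholders/assumptions.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Minimal explicit FTPS (AUTH TLS) control-channel client on a plain socket (hypothetical
// names). PINNED_THUMBPRINT is a placeholder for the SHA-1 thumbprint of the server's
// self-signed certificate, obtained once out of band (e.g. from the server admin).
static class FtpsProbe
{
    const string PINNED_THUMBPRINT = "PLACEHOLDER_THUMBPRINT";
    // Accept a normally valid chain, or exactly the one pinned self-signed cert.
    // This replaces the "return true" callback that would disable validation entirely.
    static bool Pinned(object s, X509Certificate c, X509Chain ch, SslPolicyErrors e) =>
        e == SslPolicyErrors.None ||
        string.Equals(new X509Certificate2(c).Thumbprint, PINNED_THUMBPRINT,
                      StringComparison.OrdinalIgnoreCase);
    // Read one reply, skipping the "220-..." continuation lines of a multi-line reply.
    static string Read(StreamReader r)
    {
        string line;
        do { line = r.ReadLine() ?? throw new IOException("connection closed"); }
        while (line.Length < 4 || line[3] == '-');
        return line;
    }
    static string Cmd(StreamWriter w, StreamReader r, string cmd)
    {
        w.Write(cmd + "\r\n"); w.Flush();
        return Read(r);
    }
    static void Main()
    {
        using var tcp = new TcpClient("ftp.example.invalid", 21);   // placeholder host
        Stream net = tcp.GetStream();
        var r = new StreamReader(net, Encoding.ASCII); var w = new StreamWriter(net);
        Read(r);                                                    // 220 banner
        if (!Cmd(w, r, "AUTH TLS").StartsWith("234")) throw new Exception("no AUTH TLS");
        var ssl = new SslStream(net, false, Pinned);
        ssl.AuthenticateAsClient("ftp.example.invalid");            // runs Pinned()
        r = new StreamReader(ssl, Encoding.ASCII); w = new StreamWriter(ssl);
        Cmd(w, r, "USER trial");
        Cmd(w, r, "PASS secret");                                   // now inside TLS
        Cmd(w, r, "PBSZ 0");
        if (!Cmd(w, r, "PROT P").StartsWith("200"))                 // 534 on this server
            throw new Exception("server refused PROT P; not falling back to cleartext data");
        Cmd(w, r, "QUIT");
    }
}
```

Because every command is issued on the same open connection, a negative reply such as the 534 can be handled in code rather than surfacing as the single exception FtpWebRequest gives you.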
 