FluentFTP and TLS connection to IIS fails with error 534
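We currently use the WinSCP C# library to connect to an FTP site over TLS. It works well, but we are moving to Linux containers, where WinSCP will not work. I have been trying to replicate the functionality with FluentFTP, but so far without success; the only response I seem to get from FluentFTP is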
534 Local policy on server does not allow TLS secure connections.
This is the WinSCP setup:
options = new SessionOptions
{
    FtpSecure = FtpSecure.Explicit,
    HostName = hostName,
    PortNumber = 21,
    Protocol = Protocol.Ftp,
    TlsClientCertificatePath = certificatePath,
    UserName = "anonymous",
    PrivateKeyPassphrase = certificatePassword,
    TimeoutInMilliseconds = 6000
};
options.AddRawSettings("FtpHost", "0");
options.AddRawSettings("PostLoginCommands", "FEAT");
This is the FluentFTP setup (possibly with a few extra bits from things I have tried):
using (FtpClient client = new FtpClient(_config.CmosFtpUrl))
{
    FtpTrace.EnableTracing = true;
    FtpTrace.LogToFile = "log_file.txt";
    FtpTrace.LogUserName = false; // hide FTP user names
    FtpTrace.LogPassword = false; // hide FTP passwords
    FtpTrace.LogIP = false; // hide FTP server IP addresses
    client.Credentials = new System.Net.NetworkCredential("anonymous", "");
    client.ClientCertificates.Add(cert);
    client.Port = 21;
    //client.PlainTextEncryption = true;
    client.EncryptionMode = FtpEncryptionMode.Explicit;
    client.SocketKeepAlive = false;
    client.DataConnectionType = FtpDataConnectionType.PASV;
    client.DataConnectionEncryption = true;
    client.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13 | SslProtocols.Tls11 | SslProtocols.Tls;
    client.ValidateCertificate += Client_ValidateCertificate;
    client.Host = _config.CmosFtpUrl;
    // client.SslProtocols = System.Security.Authentication.SslProtocols.None;
    client.ValidateAnyCertificate = true;
    await client.AutoConnectAsync();
    await client.ExecuteAsync("FEAT", default);
    var directory = await client.GetWorkingDirectoryAsync();
    logger.LogInformation(directory);
}
This is the log from WinSCP:
. 2020-01-14 13:45:56.838 Session name: anonymous@automated.cmosservice.co.uk (Ad-Hoc site)
. 2020-01-14 13:45:56.838 Host name: automated.cmosservice.co.uk (Port: 21)
. 2020-01-14 13:45:56.838 User name: anonymous (Password: No, Key file: No, Passphrase: Yes)
. 2020-01-14 13:45:56.838 Transfer Protocol: FTP
. 2020-01-14 13:45:56.838 Ping type: Dummy, Ping interval: 30 sec; Timeout: 6 sec
. 2020-01-14 13:45:56.838 Disable Nagle: No
. 2020-01-14 13:45:56.838 Proxy: None
. 2020-01-14 13:45:56.838 Send buffer: 262144
. 2020-01-14 13:45:56.838 UTF: Auto
. 2020-01-14 13:45:56.838 FTPS: Explicit TLS/SSL [Client certificate: Yes]
. 2020-01-14 13:45:56.838 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: On
. 2020-01-14 13:45:56.838 Session reuse: Yes
. 2020-01-14 13:45:56.839 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-01-14 13:45:56.839 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2020-01-14 13:45:56.839 Cache directory changes: Yes, Permanent: Yes
. 2020-01-14 13:45:56.839 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2020-01-14 13:45:56.839 Timezone offset: 0h 0m
. 2020-01-14 13:45:56.839 --------------------------------------------------------------------------
. 2020-01-14 13:45:56.856 Connecting to xxxxx ...
. 2020-01-14 13:45:56.885 Connected with xxxx, negotiating TLS connection...
< 2020-01-14 13:45:56.904 220 Microsoft FTP Service
> 2020-01-14 13:45:56.904 HOST automated.cmosservice.co.uk
< 2020-01-14 13:45:56.922 220 Host accepted.
> 2020-01-14 13:45:56.922 AUTH TLS
< 2020-01-14 13:45:56.940 234 AUTH command ok. Expecting TLS Negotiation.
. 2020-01-14 13:45:57.175 Server asks for authentication with a client certificate.
. 2020-01-14 13:45:57.283 Verifying certificate for "xxxx" with fingerprint 59:51:8b:ec:8e:49:54:7b:24:08:00:47:81:41:4d:20:5f:60:98:24 and 20 failures
. 2020-01-14 13:45:57.284 Certificate subject alternative name "xxxx" matches hostname
. 2020-01-14 13:45:57.345 Certificate verified against Windows certificate store
. 2020-01-14 13:45:57.345 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
. 2020-01-14 13:45:57.346 TLS connection established. Waiting for welcome message...
> 2020-01-14 13:45:57.346 USER anonymous
< 2020-01-14 13:45:57.363 331 Anonymous access allowed, send identity (e-mail name) as password.
. 2020-01-14 13:45:57.364 Server asked for password, but we are using certificate, and no password was specified upfront, using fake password
> 2020-01-14 13:45:57.364 PASS *********
< 2020-01-14 13:45:57.383 230 User logged in.
> 2020-01-14 13:45:57.383 SYST
. 2020-01-14 13:45:57.402 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
< 2020-01-14 13:45:57.402 215 Windows_NT
> 2020-01-14 13:45:57.402 FEAT
< 2020-01-14 13:45:57.421 211-Extended features supported:
< 2020-01-14 13:45:57.421 LANG EN*
< 2020-01-14 13:45:57.421 UTF8
< 2020-01-14 13:45:57.422 AUTH TLS;TLS-C;SSL;TLS-P;
< 2020-01-14 13:45:57.422 PBSZ
< 2020-01-14 13:45:57.422 PROT C;P;
< 2020-01-14 13:45:57.422 CCC
< 2020-01-14 13:45:57.424 HOST
< 2020-01-14 13:45:57.424 SIZE
< 2020-01-14 13:45:57.424 MDTM
< 2020-01-14 13:45:57.424 REST STREAM
< 2020-01-14 13:45:57.424 211 END
> 2020-01-14 13:45:57.424 OPTS UTF8 ON
< 2020-01-14 13:45:57.444 200 OPTS UTF8 command successful - UTF8 encoding now ON.
> 2020-01-14 13:45:57.444 PBSZ 0
< 2020-01-14 13:45:57.465 200 PBSZ command successful.
> 2020-01-14 13:45:57.465 PROT P
< 2020-01-14 13:45:57.485 200 PROT command successful.
. 2020-01-14 13:45:57.487 Connected
. 2020-01-14 13:45:57.487 --------------------------------------------------------------------------
. 2020-01-14 13:45:57.487 Using FTP protocol.
The FluentFTP log looks like this:
# ConnectAsync()
Status: Connecting to ***:21
Response: 220 Microsoft FTP Service
Status: Detected FTP server: WindowsServerIIS
Command: AUTH TLS
Response: 534 Local policy on server does not allow TLS secure connections.
# Dispose()
Status: Disposing FtpClient object...
Command: QUIT
Response: 221 Goodbye.
Status: Disposing FtpSocketStream...
Status: Disposing FtpSocketStream...
I'm not sure why WinSCP can connect while FluentFTP gets the 534 error. I am running these locally under IIS Express for testing.
The difference is most likely caused by the HOST command sent by WinSCP.
2020-01-14 13:45:56.904 HOST automated.cmosservice.co.uk
2020-01-14 13:45:56.922 220 Host accepted.
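It looks like FluentFTP does not support it.
It might help if you enable TLS server-wide on IIS. You probably have it enabled only per site. But that is not a programming question.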
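The ordering the answer points to, HOST before AUTH TLS, reproduced on loopback as an added example (not code from the question, the answer, WinSCP or FluentFTP). `MockIisFtp` is a constructed stand-in that only copies the reply strings from the two logs above, and `ftp.example.test` is a placeholder site name; both are assumptions.

```python
import ftplib
import socketserver
import threading

SITE = "ftp.example.test"  # constructed placeholder for the IIS site binding


class MockIisFtp(socketserver.StreamRequestHandler):
    """Constructed stand-in for the behaviour in the logs: AUTH TLS is
    refused with 534 until a HOST command has selected the site."""

    def handle(self):
        site_selected = False
        self.wfile.write(b"220 Microsoft FTP Service\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii").strip().partition(" ")
            if verb.upper() == "HOST" and arg == SITE:
                site_selected = True
                reply = "220 Host accepted."
            elif verb.upper() == "AUTH" and site_selected:
                reply = "234 AUTH command ok. Expecting TLS Negotiation."
            elif verb.upper() == "AUTH":
                reply = "534 Local policy on server does not allow TLS secure connections."
            else:
                reply = "500 Command not understood."
            self.wfile.write(reply.encode("ascii") + b"\r\n")


def auth_tls_reply(port, virtual_host=None):
    """Return the reply to AUTH TLS, optionally sending HOST first."""
    ftp = ftplib.FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    try:
        if virtual_host:
            ftp.sendcmd("HOST " + virtual_host)  # must precede AUTH TLS
        try:
            return ftp.sendcmd("AUTH TLS")
        except ftplib.error_perm as refused:     # 5xx replies raise
            return str(refused)
    finally:
        ftp.close()


def run_demo():
    """Probe the mock twice: without HOST, then with HOST sent first."""
    with socketserver.TCPServer(("127.0.0.1", 0), MockIisFtp) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        results = auth_tls_reply(port), auth_tls_reply(port, SITE)
        server.shutdown()
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The same probe order (greeting, optional HOST, AUTH TLS) is what to compare when reading a client trace against a server that binds TLS policy per site.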