FluentFTP and TLS connection to IIS fails with error 534

We currently use the WinSCP C# library to connect to an FTP site over TLS. It works fine, but we are moving to Linux containers and WinSCP will not work there. I have been trying to replicate the functionality with FluentFTP, but so far without success; the only response I seem to get from FluentFTP is

534 Local policy on server does not allow TLS secure connections.

These are the WinSCP settings:

using WinSCP;

// Explicit FTPS (AUTH TLS on port 21) with a client certificate
options = new SessionOptions
{
    FtpSecure = FtpSecure.Explicit,
    HostName = hostName,
    PortNumber = 21,
    Protocol = Protocol.Ftp,
    TlsClientCertificatePath = certificatePath,
    UserName = "anonymous",
    PrivateKeyPassphrase = certificatePassword,
    TimeoutInMilliseconds = 6000
};
options.AddRawSettings("FtpHost", "0");                  // HOST command handling (0 = auto)
options.AddRawSettings("PostLoginCommands", "FEAT");     // run FEAT after login

These are the FluentFTP settings (possibly with some extra bits I tried along the way):

using FluentFTP;
using System.Security.Authentication;

using (FtpClient client = new FtpClient(_config.CmosFtpUrl))
{
    FtpTrace.EnableTracing = true;
    FtpTrace.LogToFile = "log_file.txt";
    FtpTrace.LogUserName = false;   // hide FTP user names
    FtpTrace.LogPassword = false;   // hide FTP passwords
    FtpTrace.LogIP = false;         // hide FTP server IP addresses
    client.Credentials = new System.Net.NetworkCredential("anonymous", "");
    client.ClientCertificates.Add(cert);                  // client certificate (X509Certificate2)
    client.Port = 21;
    //client.PlainTextEncryption = true;
    client.EncryptionMode = FtpEncryptionMode.Explicit;   // AUTH TLS on the plain control connection
    client.SocketKeepAlive = false;
    client.DataConnectionType = FtpDataConnectionType.PASV;
    client.DataConnectionEncryption = true;               // PROT P
    client.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13 | SslProtocols.Tls11 | SslProtocols.Tls;
    client.ValidateCertificate += Client_ValidateCertificate;
    client.Host = _config.CmosFtpUrl;
    // client.SslProtocols = System.Security.Authentication.SslProtocols.None;
    client.ValidateAnyCertificate = true;                 // accepts any server certificate, skipping validation
    await client.AutoConnectAsync();
    await client.ExecuteAsync("FEAT", default);

    var directory = await client.GetWorkingDirectoryAsync();
    logger.LogInformation(directory);
}

This is the log from WinSCP:

. 2020-01-14 13:45:56.838 Session name: anonymous@automated.cmosservice.co.uk (Ad-Hoc site)
. 2020-01-14 13:45:56.838 Host name: automated.cmosservice.co.uk (Port: 21)
. 2020-01-14 13:45:56.838 User name: anonymous (Password: No, Key file: No, Passphrase: Yes)
. 2020-01-14 13:45:56.838 Transfer Protocol: FTP
. 2020-01-14 13:45:56.838 Ping type: Dummy, Ping interval: 30 sec; Timeout: 6 sec
. 2020-01-14 13:45:56.838 Disable Nagle: No
. 2020-01-14 13:45:56.838 Proxy: None
. 2020-01-14 13:45:56.838 Send buffer: 262144
. 2020-01-14 13:45:56.838 UTF: Auto
. 2020-01-14 13:45:56.838 FTPS: Explicit TLS/SSL [Client certificate: Yes]
. 2020-01-14 13:45:56.838 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: On
. 2020-01-14 13:45:56.838 Session reuse: Yes
. 2020-01-14 13:45:56.839 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-01-14 13:45:56.839 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2020-01-14 13:45:56.839 Cache directory changes: Yes, Permanent: Yes
. 2020-01-14 13:45:56.839 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2020-01-14 13:45:56.839 Timezone offset: 0h 0m
. 2020-01-14 13:45:56.839 --------------------------------------------------------------------------
. 2020-01-14 13:45:56.856 Connecting to xxxxx ...
. 2020-01-14 13:45:56.885 Connected with xxxx, negotiating TLS connection...
< 2020-01-14 13:45:56.904 220 Microsoft FTP Service
> 2020-01-14 13:45:56.904 HOST automated.cmosservice.co.uk
< 2020-01-14 13:45:56.922 220 Host accepted.
> 2020-01-14 13:45:56.922 AUTH TLS
< 2020-01-14 13:45:56.940 234 AUTH command ok. Expecting TLS Negotiation.
. 2020-01-14 13:45:57.175 Server asks for authentication with a client certificate.
. 2020-01-14 13:45:57.283 Verifying certificate for "xxxx" with fingerprint 59:51:8b:ec:8e:49:54:7b:24:08:00:47:81:41:4d:20:5f:60:98:24 and 20 failures
. 2020-01-14 13:45:57.284 Certificate subject alternative name "xxxx" matches hostname
. 2020-01-14 13:45:57.345 Certificate verified against Windows certificate store
. 2020-01-14 13:45:57.345 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
. 2020-01-14 13:45:57.346 TLS connection established. Waiting for welcome message...
> 2020-01-14 13:45:57.346 USER anonymous
< 2020-01-14 13:45:57.363 331 Anonymous access allowed, send identity (e-mail name) as password.
. 2020-01-14 13:45:57.364 Server asked for password, but we are using certificate, and no password was specified upfront, using fake password
> 2020-01-14 13:45:57.364 PASS *********
< 2020-01-14 13:45:57.383 230 User logged in.
> 2020-01-14 13:45:57.383 SYST
. 2020-01-14 13:45:57.402 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
< 2020-01-14 13:45:57.402 215 Windows_NT
> 2020-01-14 13:45:57.402 FEAT
< 2020-01-14 13:45:57.421 211-Extended features supported:
< 2020-01-14 13:45:57.421  LANG EN*
< 2020-01-14 13:45:57.421  UTF8
< 2020-01-14 13:45:57.422  AUTH TLS;TLS-C;SSL;TLS-P;
< 2020-01-14 13:45:57.422  PBSZ
< 2020-01-14 13:45:57.422  PROT C;P;
< 2020-01-14 13:45:57.422  CCC
< 2020-01-14 13:45:57.424  HOST
< 2020-01-14 13:45:57.424  SIZE
< 2020-01-14 13:45:57.424  MDTM
< 2020-01-14 13:45:57.424  REST STREAM
< 2020-01-14 13:45:57.424 211 END
> 2020-01-14 13:45:57.424 OPTS UTF8 ON
< 2020-01-14 13:45:57.444 200 OPTS UTF8 command successful - UTF8 encoding now ON.
> 2020-01-14 13:45:57.444 PBSZ 0
< 2020-01-14 13:45:57.465 200 PBSZ command successful.
> 2020-01-14 13:45:57.465 PROT P
< 2020-01-14 13:45:57.485 200 PROT command successful.
. 2020-01-14 13:45:57.487 Connected
. 2020-01-14 13:45:57.487 --------------------------------------------------------------------------
. 2020-01-14 13:45:57.487 Using FTP protocol.

The FluentFTP log looks like this:

# ConnectAsync()
Status:   Connecting to ***:21
Response: 220 Microsoft FTP Service
Status:   Detected FTP server: WindowsServerIIS
Command:  AUTH TLS
Response: 534 Local policy on server does not allow TLS secure connections.

# Dispose()
Status:   Disposing FtpClient object...
Command:  QUIT
Response: 221 Goodbye.
Status:   Disposing FtpSocketStream...
Status:   Disposing FtpSocketStream...

I am not sure why WinSCP can connect while FluentFTP gets a 534 error. I am running these tests locally under IIS Express.

The difference is most likely caused by the HOST command that WinSCP sends.

2020-01-14 13:45:56.904 HOST automated.cmosservice.co.uk  
2020-01-14 13:45:56.922 220 Host accepted.

It looks like FluentFTP does not support it.

It may help if you enable TLS server-wide in IIS. You may have enabled it only per site. But that is not a programming question.
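As an added example (not code from the question, the answer, or FluentFTP): Python's ftplib lets the client send HOST before the library issues AUTH TLS, which reproduces the command order in the WinSCP log above, and a constructed fake control channel models the answer's hypothesis that the 534 follows from the missing HOST. The host name and certificate path are placeholders, and the fake's behaviour is an assumption, not IIS's actual logic.

```python
import ssl
from ftplib import FTP_TLS, error_perm

def host_then_auth(sendcmd, auth, hostname):
    """HOST <name> first, then AUTH TLS, the order in the WinSCP log above. sendcmd
    and auth are FTP_TLS.sendcmd/.auth on a live ftplib session, or the fake below."""
    reply = sendcmd("HOST " + hostname)
    if not reply.startswith("220"):
        raise error_perm("HOST rejected: " + reply)
    try:
        return auth()  # sends AUTH TLS; on a live session also upgrades the socket
    except error_perm as exc:
        if not str(exc).startswith("534"):
            raise
        raise error_perm(f"{exc} (TLS may be enabled per site only; check the "
                         "server-level IIS FTP SSL setting)") from exc

def connect_explicit_ftps(host, cert_pem, key_password=None):
    """Explicit FTPS with a client certificate; the server certificate is verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1 fallback
    ctx.load_cert_chain(cert_pem, password=key_password)
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21, timeout=6)
    host_then_auth(ftps.sendcmd, ftps.auth, host)
    ftps.login("anonymous", "")  # ftplib substitutes 'anonymous@' as the password
    ftps.prot_p()                # PBSZ 0 / PROT P: encrypt the data channel too
    return ftps

class FakeIisControl:
    """Constructed fake modelling only the answer's hypothesis: AUTH TLS -> 234 after HOST, 534 without."""
    def __init__(self): self.sent, self.host_ok = [], False
    def sendcmd(self, cmd):
        self.sent.append(cmd)
        if cmd.startswith("HOST "):
            self.host_ok = True
            return "220 Host accepted."
        if cmd == "AUTH TLS" and not self.host_ok:
            raise error_perm("534 Local policy on server does not allow TLS secure connections.")
        return "234 AUTH command ok. Expecting TLS Negotiation."
    def auth(self): return self.sendcmd("AUTH TLS")

def demo(send_host):
    """AUTH TLS outcome on the fake, with or without HOST first (constructed host name)."""
    ch = FakeIisControl()
    try:
        return host_then_auth(ch.sendcmd, ch.auth, "ftp.example.test") if send_host else ch.auth()
    except error_perm as exc:
        return str(exc)
```

Against a real server, `connect_explicit_ftps("ftp.example.test", "client.pem")` runs the same HOST, AUTH TLS, USER/PASS, PBSZ/PROT sequence the WinSCP log shows, with server certificate validation left on.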