通过代理与 TLS/SSL 的 FTPS 数据连接失败,日志条目为 "Replacing PASV mode reply address <PROXY_IP> with <FTPS_IP>"
FTPS data connection with TLS/SSL via proxy fails with log entry "Replacing PASV mode reply address <PROXY_IP> with <FTPS_IP>"
我在使用 TLS/SSL 通过 PROXY 隐式加密连接到 FTPS 服务器时遇到问题。
我正在关注
提供的自定义 Apache FTPS 客户端 (commons-net-3.8.0) 解决方案
我的服务器连接正常,但无法列出或传输文件,出现以下错误:
425 Can't open data connection for transfer of "<REMOVED_FOR_SECURITY>"
Windows WinSCP 和 Linux LFTP 的数据连接/文件传输工作正常。
WinSCP 日志:
2022-02-06 16:25:04.874 --------------------------------------------------------------------------
2022-02-06 16:25:04.876 WinSCP Version 5.15.5 (Build 9925) (OS 10.0.19042 - Windows 10 Enterprise)
2022-02-06 16:25:04.877 Configuration: C:\Users\<LOGIN_SER>\AppData\Roaming\WinSCP.ini
2022-02-06 16:25:04.879 Log level: Normal
2022-02-06 16:25:04.879 Local account: HBEU\<LOGIN_SER>
2022-02-06 16:25:04.879 Working directory: C:\Program Files\WinSCP-5.15.5
2022-02-06 16:25:04.879 Process ID: 16452
2022-02-06 16:25:04.883 Command-line: C:\Program Files\WinSCP-5.15.5\WinSCP.exe
2022-02-06 16:25:04.885 Time zone: Current: GMT+3 (Arab Standard Time), No DST
2022-02-06 16:25:04.885 Login time: Sunday, February 6, 2022 4:25:04 PM
2022-02-06 16:25:04.885 --------------------------------------------------------------------------
2022-02-06 16:25:04.885 Session name: FTPS TEST (Site)
2022-02-06 16:25:04.885 Host name: <FTPS_HOST_NAME> (Port: <FTPS_PORT>)
2022-02-06 16:25:04.885 User name: <FTPS_USER_NAME> (Password: No, Key file: No, Passphrase: No)
2022-02-06 16:25:04.885 Transfer Protocol: FTP
2022-02-06 16:25:04.885 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
2022-02-06 16:25:04.885 Disable Nagle: No
2022-02-06 16:25:04.885 Proxy: HTTP
2022-02-06 16:25:04.885 HostName: <PROXY_HOST_NAME> (Port: <PROXY_PORT>); Username: ; Passwd: No
2022-02-06 16:25:04.885 Send buffer: 262144
2022-02-06 16:25:04.885 UTF: Auto
2022-02-06 16:25:04.885 FTPS: Implicit TLS/SSL [Client certificate: No]
2022-02-06 16:25:04.885 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
2022-02-06 16:25:04.885 Session reuse: Yes
2022-02-06 16:25:04.885 TLS/SSL versions: TLSv1.0-TLSv1.2
2022-02-06 16:25:04.885 Local directory: <LOCAL_DIRECTORY>, Remote directory: <REMOTE_DIRECTORY>, Update: Yes, Cache: Yes
2022-02-06 16:25:04.885 Cache directory changes: Yes, Permanent: Yes
2022-02-06 16:25:04.885 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
2022-02-06 16:25:04.885 Timezone offset: 0h 0m
2022-02-06 16:25:04.885 --------------------------------------------------------------------------
2022-02-06 16:25:04.953 Connecting to <FTPS_HOST_NAME>:<FTPS_PORT> ...
2022-02-06 16:25:04.953 HTTP proxy command: CONNECT <FTPS_HOST_NAME>:<FTPS_PORT HTTP/1.1
2022-02-06 16:25:04.953 Host: <FTPS_HOST_NAME>:<FTPS_PORT>
2022-02-06 16:25:04.989 Connection with proxy established, performing handshake...
2022-02-06 16:25:04.989 HTTP proxy response: HTTP/1.1 200 Connection established
2022-02-06 16:25:04.989 HTTP proxy headers:
2022-02-06 16:25:04.989 Connected with <FTPS_HOST_NAME>:<FTPS_PORT>, negotiating TLS connection...
2022-02-06 16:25:05.038 Verifying certificate for "" with fingerprint <REMOVED_FOR_SECURITY> and 20 failures
2022-02-06 16:25:05.038 Certificate common name "*.<FTPS_DOMAIN_NAME>" matches hostname
2022-02-06 16:25:05.138 Certificate verified against Windows certificate store
2022-02-06 16:25:05.138 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2022-02-06 16:25:05.191 TLS connection established. Waiting for welcome message...
2022-02-06 16:25:05.191 220 SIJIL FTP
2022-02-06 16:25:05.191 USER <FTPS_USER_NAME>
2022-02-06 16:25:05.191 331 Password required for <FTPS_USER_NAME>
2022-02-06 16:25:06.977 PASS *************
2022-02-06 16:25:07.013 230 Logged on
2022-02-06 16:25:07.013 SYST
2022-02-06 16:25:07.049 215 UNIX emulated by FileZilla
2022-02-06 16:25:07.049 FEAT
2022-02-06 16:25:07.085 211-Features:
2022-02-06 16:25:07.085 MDTM
2022-02-06 16:25:07.086 REST STREAM
2022-02-06 16:25:07.086 SIZE
2022-02-06 16:25:07.086 MLST type*;size*;modify*;
2022-02-06 16:25:07.086 MLSD
2022-02-06 16:25:07.086 AUTH SSL
2022-02-06 16:25:07.086 AUTH TLS
2022-02-06 16:25:07.086 PROT
2022-02-06 16:25:07.088 PBSZ
2022-02-06 16:25:07.088 UTF8
2022-02-06 16:25:07.088 CLNT
2022-02-06 16:25:07.088 MFMT
2022-02-06 16:25:07.088 EPSV
2022-02-06 16:25:07.088 EPRT
2022-02-06 16:25:07.088 211 End
2022-02-06 16:25:07.088 CLNT WinSCP-release-5.15.5
2022-02-06 16:25:07.122 200 Don't care
2022-02-06 16:25:07.123 OPTS UTF8 ON
2022-02-06 16:25:07.159 202 UTF8 mode is always enabled. No need to send this command.
2022-02-06 16:25:07.160 PBSZ 0
2022-02-06 16:25:07.198 200 PBSZ=0
2022-02-06 16:25:07.199 PROT P
2022-02-06 16:25:07.235 200 Protection level set to P
2022-02-06 16:25:07.248 Connected
2022-02-06 16:25:07.248 --------------------------------------------------------------------------
2022-02-06 16:25:07.248 Using FTP protocol.
2022-02-06 16:25:07.250 Doing startup conversation with host.
2022-02-06 16:25:07.264 PWD
2022-02-06 16:25:07.303 257 "/" is current directory.
2022-02-06 16:25:07.303 Changing directory to "<REMOTE_DIRECTORY>".
2022-02-06 16:25:07.303 CWD <REMOTE_DIRECTORY>
2022-02-06 16:25:07.340 250 CWD successful. "<REMOTE_DIRECTORY>" is current directory.
2022-02-06 16:25:07.340 Getting current directory name.
2022-02-06 16:25:07.341 PWD
2022-02-06 16:25:07.384 257 "<REMOTE_DIRECTORY>" is current directory.
2022-02-06 16:25:07.458 Retrieving directory listing...
2022-02-06 16:25:07.458 TYPE A
2022-02-06 16:25:07.493 200 Type set to A
2022-02-06 16:25:07.493 PASV
2022-02-06 16:25:07.530 227 Entering Passive Mode (<REMOVED_FOR_SECURITY>)
2022-02-06 16:25:07.530 Error retrieving server address, cannot test if address is routable
2022-02-06 16:25:07.530 MLSD
2022-02-06 16:25:07.530 Connecting to <PROXY_IP>:<PROXY_DYNAMIC_PORT> ...
2022-02-06 16:25:07.534 HTTP proxy command: CONNECT <PROXY_IP>:<PROXY_DYNAMIC_PORT> HTTP/1.1
2022-02-06 16:25:07.534 Host: <PROXY_IP>:<PROXY_DYNAMIC_PORT>
2022-02-06 16:25:07.534 Connection with proxy established, performing handshake...
2022-02-06 16:25:07.586 HTTP proxy response: HTTP/1.1 200 Connection established
2022-02-06 16:25:07.587 HTTP proxy headers:
2022-02-06 16:25:07.608 Session ID reused
2022-02-06 16:25:07.610 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2022-02-06 16:25:07.610 TLS connection established
2022-02-06 16:25:07.619 150 Opening data channel for directory listing of "<REMOTE_DIRECTORY>"
2022-02-06 16:25:07.620 226 Successfully transferred "<REMOTE_DIRECTORY>"
2022-02-06 16:25:07.630 Data connection closed
2022-02-06 16:25:07.631 type=file;modify=20220203072851;size=21; test.txt
2022-02-06 16:25:07.631 type=file;modify=20220203072851;size=21; test_1.txt
2022-02-06 16:25:07.631 Directory listing successful
2022-02-06 16:25:07.632 ..;D;0;1899-12-30T03:00:00.000Z;0;"" [0];"" [0];---------;0
2022-02-06 16:25:07.632 test.txt;-;21;2022-02-03T07:28:51.000Z;3;"" [0];"" [0];---------;0
2022-02-06 16:25:07.632 test_1.txt;-;21;2022-02-03T07:28:51.000Z;3;"" [0];"" [0];---------;0
2022-02-06 16:25:07.659 Startup conversation with host finished.
Apache 日志:
220 SIJIL FTP
USER *******
331 Password required for <FTPS_USER_NAME>
PASS *******
230 Logged on
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
PWD
257 "/" is current directory.
/
CWD <REMOTE_DIRECTORY>
250 CWD successful. "<REMOTE_DIRECTORY>" is current directory.
PWD
257 "<REMOTE_DIRECTORY>" is current directory.
<REMOTE_DIRECTORY>
PASV
227 Entering Passive Mode (<REMOVED_FOR_SECURITY>)
[Replacing PASV mode reply address <PROXY_IP> with <FTPS_IP>]
MLSD
425 Can't open data connection for transfer of "<REMOTE_DIRECTORY>"
List size: 0
QUIT
221 Goodbye
我不知道你的 network/proxy 设置,所以我无法真正解释 FTPClient
的行为。您的服务器似乎 return PASV
响应中代理的 IP 地址。 FTPClient
的默认 NAT 解析器确定地址错误(它是本地网络主机地址吗?)并选择使用原始 FTP 服务器的地址。
虽然 WinSCP 不这样做并连接到服务器 returned 的 IP。
为避免 NAT 解析器弄乱地址,请使用 FTPClient.setPassiveNatWorkaround
(尽管已弃用):
ftpClient.setPassiveNatWorkaround(false);
或等价物FTPClient.setPassiveNatWorkaroundStrategy
:
ftpClient.setPassiveNatWorkaroundStrategy(null);
我在使用 TLS/SSL 通过 PROXY 隐式加密连接到 FTPS 服务器时遇到问题。
我正在关注
我的服务器连接正常,但无法列出或传输文件,出现以下错误:
425 Can't open data connection for transfer of "<REMOVED_FOR_SECURITY>"
Windows WinSCP 和 Linux LFTP 的数据连接/文件传输工作正常。
WinSCP 日志:
2022-02-06 16:25:04.874 --------------------------------------------------------------------------
2022-02-06 16:25:04.876 WinSCP Version 5.15.5 (Build 9925) (OS 10.0.19042 - Windows 10 Enterprise)
2022-02-06 16:25:04.877 Configuration: C:\Users\<LOGIN_SER>\AppData\Roaming\WinSCP.ini
2022-02-06 16:25:04.879 Log level: Normal
2022-02-06 16:25:04.879 Local account: HBEU\<LOGIN_SER>
2022-02-06 16:25:04.879 Working directory: C:\Program Files\WinSCP-5.15.5
2022-02-06 16:25:04.879 Process ID: 16452
2022-02-06 16:25:04.883 Command-line: C:\Program Files\WinSCP-5.15.5\WinSCP.exe
2022-02-06 16:25:04.885 Time zone: Current: GMT+3 (Arab Standard Time), No DST
2022-02-06 16:25:04.885 Login time: Sunday, February 6, 2022 4:25:04 PM
2022-02-06 16:25:04.885 --------------------------------------------------------------------------
2022-02-06 16:25:04.885 Session name: FTPS TEST (Site)
2022-02-06 16:25:04.885 Host name: <FTPS_HOST_NAME> (Port: <FTPS_PORT>)
2022-02-06 16:25:04.885 User name: <FTPS_USER_NAME> (Password: No, Key file: No, Passphrase: No)
2022-02-06 16:25:04.885 Transfer Protocol: FTP
2022-02-06 16:25:04.885 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
2022-02-06 16:25:04.885 Disable Nagle: No
2022-02-06 16:25:04.885 Proxy: HTTP
2022-02-06 16:25:04.885 HostName: <PROXY_HOST_NAME> (Port: <PROXY_PORT>); Username: ; Passwd: No
2022-02-06 16:25:04.885 Send buffer: 262144
2022-02-06 16:25:04.885 UTF: Auto
2022-02-06 16:25:04.885 FTPS: Implicit TLS/SSL [Client certificate: No]
2022-02-06 16:25:04.885 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
2022-02-06 16:25:04.885 Session reuse: Yes
2022-02-06 16:25:04.885 TLS/SSL versions: TLSv1.0-TLSv1.2
2022-02-06 16:25:04.885 Local directory: <LOCAL_DIRECTORY>, Remote directory: <REMOTE_DIRECTORY>, Update: Yes, Cache: Yes
2022-02-06 16:25:04.885 Cache directory changes: Yes, Permanent: Yes
2022-02-06 16:25:04.885 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
2022-02-06 16:25:04.885 Timezone offset: 0h 0m
2022-02-06 16:25:04.885 --------------------------------------------------------------------------
2022-02-06 16:25:04.953 Connecting to <FTPS_HOST_NAME>:<FTPS_PORT> ...
2022-02-06 16:25:04.953 HTTP proxy command: CONNECT <FTPS_HOST_NAME>:<FTPS_PORT HTTP/1.1
2022-02-06 16:25:04.953 Host: <FTPS_HOST_NAME>:<FTPS_PORT>
2022-02-06 16:25:04.989 Connection with proxy established, performing handshake...
2022-02-06 16:25:04.989 HTTP proxy response: HTTP/1.1 200 Connection established
2022-02-06 16:25:04.989 HTTP proxy headers:
2022-02-06 16:25:04.989 Connected with <FTPS_HOST_NAME>:<FTPS_PORT>, negotiating TLS connection...
2022-02-06 16:25:05.038 Verifying certificate for "" with fingerprint <REMOVED_FOR_SECURITY> and 20 failures
2022-02-06 16:25:05.038 Certificate common name "*.<FTPS_DOMAIN_NAME>" matches hostname
2022-02-06 16:25:05.138 Certificate verified against Windows certificate store
2022-02-06 16:25:05.138 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2022-02-06 16:25:05.191 TLS connection established. Waiting for welcome message...
2022-02-06 16:25:05.191 220 SIJIL FTP
2022-02-06 16:25:05.191 USER <FTPS_USER_NAME>
2022-02-06 16:25:05.191 331 Password required for <FTPS_USER_NAME>
2022-02-06 16:25:06.977 PASS *************
2022-02-06 16:25:07.013 230 Logged on
2022-02-06 16:25:07.013 SYST
2022-02-06 16:25:07.049 215 UNIX emulated by FileZilla
2022-02-06 16:25:07.049 FEAT
2022-02-06 16:25:07.085 211-Features:
2022-02-06 16:25:07.085 MDTM
2022-02-06 16:25:07.086 REST STREAM
2022-02-06 16:25:07.086 SIZE
2022-02-06 16:25:07.086 MLST type*;size*;modify*;
2022-02-06 16:25:07.086 MLSD
2022-02-06 16:25:07.086 AUTH SSL
2022-02-06 16:25:07.086 AUTH TLS
2022-02-06 16:25:07.086 PROT
2022-02-06 16:25:07.088 PBSZ
2022-02-06 16:25:07.088 UTF8
2022-02-06 16:25:07.088 CLNT
2022-02-06 16:25:07.088 MFMT
2022-02-06 16:25:07.088 EPSV
2022-02-06 16:25:07.088 EPRT
2022-02-06 16:25:07.088 211 End
2022-02-06 16:25:07.088 CLNT WinSCP-release-5.15.5
2022-02-06 16:25:07.122 200 Don't care
2022-02-06 16:25:07.123 OPTS UTF8 ON
2022-02-06 16:25:07.159 202 UTF8 mode is always enabled. No need to send this command.
2022-02-06 16:25:07.160 PBSZ 0
2022-02-06 16:25:07.198 200 PBSZ=0
2022-02-06 16:25:07.199 PROT P
2022-02-06 16:25:07.235 200 Protection level set to P
2022-02-06 16:25:07.248 Connected
2022-02-06 16:25:07.248 --------------------------------------------------------------------------
2022-02-06 16:25:07.248 Using FTP protocol.
2022-02-06 16:25:07.250 Doing startup conversation with host.
2022-02-06 16:25:07.264 PWD
2022-02-06 16:25:07.303 257 "/" is current directory.
2022-02-06 16:25:07.303 Changing directory to "<REMOTE_DIRECTORY>".
2022-02-06 16:25:07.303 CWD <REMOTE_DIRECTORY>
2022-02-06 16:25:07.340 250 CWD successful. "<REMOTE_DIRECTORY>" is current directory.
2022-02-06 16:25:07.340 Getting current directory name.
2022-02-06 16:25:07.341 PWD
2022-02-06 16:25:07.384 257 "<REMOTE_DIRECTORY>" is current directory.
2022-02-06 16:25:07.458 Retrieving directory listing...
2022-02-06 16:25:07.458 TYPE A
2022-02-06 16:25:07.493 200 Type set to A
2022-02-06 16:25:07.493 PASV
2022-02-06 16:25:07.530 227 Entering Passive Mode (<REMOVED_FOR_SECURITY>)
2022-02-06 16:25:07.530 Error retrieving server address, cannot test if address is routable
2022-02-06 16:25:07.530 MLSD
2022-02-06 16:25:07.530 Connecting to <PROXY_IP>:<PROXY_DYNAMIC_PORT> ...
2022-02-06 16:25:07.534 HTTP proxy command: CONNECT <PROXY_IP>:<PROXY_DYNAMIC_PORT> HTTP/1.1
2022-02-06 16:25:07.534 Host: <PROXY_IP>:<PROXY_DYNAMIC_PORT>
2022-02-06 16:25:07.534 Connection with proxy established, performing handshake...
2022-02-06 16:25:07.586 HTTP proxy response: HTTP/1.1 200 Connection established
2022-02-06 16:25:07.587 HTTP proxy headers:
2022-02-06 16:25:07.608 Session ID reused
2022-02-06 16:25:07.610 Using TLSv1.2, cipher TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
2022-02-06 16:25:07.610 TLS connection established
2022-02-06 16:25:07.619 150 Opening data channel for directory listing of "<REMOTE_DIRECTORY>"
2022-02-06 16:25:07.620 226 Successfully transferred "<REMOTE_DIRECTORY>"
2022-02-06 16:25:07.630 Data connection closed
2022-02-06 16:25:07.631 type=file;modify=20220203072851;size=21; test.txt
2022-02-06 16:25:07.631 type=file;modify=20220203072851;size=21; test_1.txt
2022-02-06 16:25:07.631 Directory listing successful
2022-02-06 16:25:07.632 ..;D;0;1899-12-30T03:00:00.000Z;0;"" [0];"" [0];---------;0
2022-02-06 16:25:07.632 test.txt;-;21;2022-02-03T07:28:51.000Z;3;"" [0];"" [0];---------;0
2022-02-06 16:25:07.632 test_1.txt;-;21;2022-02-03T07:28:51.000Z;3;"" [0];"" [0];---------;0
2022-02-06 16:25:07.659 Startup conversation with host finished.
Apache 日志:
220 SIJIL FTP
USER *******
331 Password required for <FTPS_USER_NAME>
PASS *******
230 Logged on
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
PWD
257 "/" is current directory.
/
CWD <REMOTE_DIRECTORY>
250 CWD successful. "<REMOTE_DIRECTORY>" is current directory.
PWD
257 "<REMOTE_DIRECTORY>" is current directory.
<REMOTE_DIRECTORY>
PASV
227 Entering Passive Mode (<REMOVED_FOR_SECURITY>)
[Replacing PASV mode reply address <PROXY_IP> with <FTPS_IP>]
MLSD
425 Can't open data connection for transfer of "<REMOTE_DIRECTORY>"
List size: 0
QUIT
221 Goodbye
我不知道你的 network/proxy 设置,所以我无法真正解释 FTPClient
的行为。您的服务器似乎 return PASV
响应中代理的 IP 地址。 FTPClient
的默认 NAT 解析器确定地址错误(它是本地网络主机地址吗?)并选择使用原始 FTP 服务器的地址。
虽然 WinSCP 不这样做并连接到服务器 returned 的 IP。
为避免 NAT 解析器弄乱地址,请使用 FTPClient.setPassiveNatWorkaround
(尽管已弃用):
ftpClient.setPassiveNatWorkaround(false);
或等价物FTPClient.setPassiveNatWorkaroundStrategy
:
ftpClient.setPassiveNatWorkaroundStrategy(null);