【Posted】: 2020-12-18 20:55:00
【Question】:
I set up an FTP server on IIS 10 on Server 2019. I obtained an SSL certificate and connected to it from my home computer. The client I'm using is a program I wrote in VB.NET, but it uses an FTPS library written in C# (Alex's FTPSClient, ported to .NET 4.5). Anyway, everything worked fine until I tried the same program on another machine, at my work. I got this error:
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
The strange thing is that it connects successfully and is able to run some commands, but as soon as I try to list a directory or upload a file, I get the error. I narrowed down the code where the error occurs:
using System.IO;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Wraps a raw socket stream (control or data connection) in TLS.
// timeout, hostname, sslClientCert, ValidateServerCertificate and
// CheckSslAlgorithmsStrength are members of the enclosing FTPSClient class.
private SslStream CreateSSlStream(Stream s, bool leaveInnerStreamOpen)
{
    SslStream sslStream = new SslStream(s, leaveInnerStreamOpen,
        new RemoteCertificateValidationCallback(ValidateServerCertificate),
        null //new LocalCertificateSelectionCallback(ValidateClientCertificate)
    );
    sslStream.ReadTimeout = timeout;
    sslStream.WriteTimeout = timeout;

    X509CertificateCollection clientCertColl = new X509CertificateCollection();
    if (sslClientCert != null)
        clientCertColl.Add(sslClientCert);

    // Client-side TLS handshake. This throws an IOException when the peer
    // resets the connection mid-handshake, which is the error quoted above.
    sslStream.AuthenticateAsClient(hostname, clientCertColl,
        SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false);
    CheckSslAlgorithmsStrength(sslStream);
    return sslStream;
}
It happens on the AuthenticateAsClient call. When it connects, I get past that same line earlier. It's only when I try to run certain commands that the line fails.
Then I tried it on another machine on a different network, and it didn't even get that far. Instead I got a "the connected party did not respond etc/etc" error, and the error listed the server's IP and port (one of the ports I reserved for passive FTP).
But if I turn off SSL, I can use passive FTP on both machines.
So, FTP and FTPS work fine on one machine, FTP works fine on the other two machines, but FTPS can't even connect on one of them, while on the other FTPS connects but can't do much after that.
What could be causing this, and how would I go about fixing it? My first thought was "firewall" (it's on a corporate network), but if it were the firewall it wouldn't be able to connect at all, right? And it also wouldn't be able to connect in passive mode without SSL either, since they use the same ports. Could it be a proxy? I'm just stabbing in the dark because I'm at a loss.
Edit:
I installed WinSCP and turned on verbose logging. This is what I got. The error I get in WinSCP is different from the one I get in my client, but it's at the same step (trying to do anything in Passive: list/upload/etc).
. 2020-12-19 09:02:29.846 --------------------------------------------------------------------------
. 2020-12-19 09:02:29.846 Session name: myuser@mydomain.com (Ad-Hoc site)
. 2020-12-19 09:02:29.846 Host name: mydomain.com (Port: 21)
. 2020-12-19 09:02:29.846 User name: myuser (Password: Yes, Key file: No, Passphrase: No)
. 2020-12-19 09:02:29.846 Transfer Protocol: FTP
. 2020-12-19 09:02:29.846 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2020-12-19 09:02:29.846 Disable Nagle: No
. 2020-12-19 09:02:29.846 Proxy: None
. 2020-12-19 09:02:29.846 Send buffer: 262144
. 2020-12-19 09:02:29.846 UTF: Auto
. 2020-12-19 09:02:29.846 FTPS: Explicit TLS/SSL [Client certificate: No]
. 2020-12-19 09:02:29.846 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2020-12-19 09:02:29.846 Session reuse: Yes
. 2020-12-19 09:02:29.846 TLS/SSL versions: TLSv1.0-TLSv1.2
. 2020-12-19 09:02:29.846 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2020-12-19 09:02:29.846 Cache directory changes: Yes, Permanent: Yes
. 2020-12-19 09:02:29.846 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2020-12-19 09:02:29.846 Timezone offset: 0h 0m
. 2020-12-19 09:02:29.846 --------------------------------------------------------------------------
. 2020-12-19 09:02:29.846 Session upkeep
. 2020-12-19 09:02:29.861 Connecting to mydomain.com ...
. 2020-12-19 09:02:29.861 TLS layer changed state from unconnected to connecting
. 2020-12-19 09:02:29.877 TLS layer changed state from connecting to connected
. 2020-12-19 09:02:29.877 Connected with mydomain.com, negotiating TLS connection...
< 2020-12-19 09:02:29.893 220 Microsoft FTP Service
> 2020-12-19 09:02:29.893 AUTH TLS
< 2020-12-19 09:02:29.924 234 AUTH command ok. Expecting TLS Negotiation.
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS write client hello
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server hello
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server certificate
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server key exchange
. 2020-12-19 09:02:29.955 TLS connect: SSLv3/TLS read server done
. 2020-12-19 09:02:29.970 TLS connect: SSLv3/TLS write client key exchange
. 2020-12-19 09:02:29.970 TLS connect: SSLv3/TLS write change cipher spec
. 2020-12-19 09:02:29.970 TLS connect: SSLv3/TLS write finished
. 2020-12-19 09:02:29.986 TLS connect: SSLv3/TLS write finished
. 2020-12-19 09:02:29.986 TLS connect: SSLv3/TLS read change cipher spec
. 2020-12-19 09:02:29.986 TLS connect: SSLv3/TLS read finished
. 2020-12-19 09:02:29.986 Verifying certificate for "" with fingerprint xxxxxxx and 20 failures
. 2020-12-19 09:02:29.986 Certificate common name "mydomain.com" matches hostname
. 2020-12-19 09:02:30.283 Certificate verified against Windows certificate store
. 2020-12-19 09:02:30.283 Using TLSv1.2, cipher TLSv1.2: xxxxxxx, 3072 bit RSA, xxxxxxxx TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
. 2020-12-19 09:02:30.314 TLS connection established. Waiting for welcome message...
> 2020-12-19 09:02:30.314 USER myuser
< 2020-12-19 09:02:30.314 331 Password required
> 2020-12-19 09:02:30.314 PASS ********
< 2020-12-19 09:02:30.345 230 User logged in.
> 2020-12-19 09:02:30.345 SYST
. 2020-12-19 09:02:30.361 The server is probably running Windows, assuming that directory listing timestamps are affected by DST.
< 2020-12-19 09:02:30.361 215 Windows_NT
> 2020-12-19 09:02:30.361 FEAT
< 2020-12-19 09:02:30.377 211-Extended features supported:
< 2020-12-19 09:02:30.377 LANG EN*
< 2020-12-19 09:02:30.377 UTF8
< 2020-12-19 09:02:30.377 AUTH TLS;TLS-C;SSL;TLS-P;
< 2020-12-19 09:02:30.377 PBSZ
< 2020-12-19 09:02:30.377 PROT C;P;
< 2020-12-19 09:02:30.377 CCC
< 2020-12-19 09:02:30.377 HOST
< 2020-12-19 09:02:30.377 SIZE
< 2020-12-19 09:02:30.377 MDTM
< 2020-12-19 09:02:30.377 REST STREAM
< 2020-12-19 09:02:30.377 211 END
> 2020-12-19 09:02:30.377 OPTS UTF8 ON
< 2020-12-19 09:02:30.408 200 OPTS UTF8 command successful - UTF8 encoding now ON.
> 2020-12-19 09:02:30.408 PBSZ 0
< 2020-12-19 09:02:30.424 200 PBSZ command successful.
> 2020-12-19 09:02:30.424 PROT P
< 2020-12-19 09:02:30.439 200 PROT command successful.
. 2020-12-19 09:02:30.439 Session upkeep
. 2020-12-19 09:02:30.502 Connected
. 2020-12-19 09:02:30.502 Got reply 1 to the command 1
. 2020-12-19 09:02:30.502 --------------------------------------------------------------------------
. 2020-12-19 09:02:30.502 Using FTP protocol.
. 2020-12-19 09:02:30.502 Doing startup conversation with host.
> 2020-12-19 09:02:30.517 PWD
< 2020-12-19 09:02:30.549 257 "/" is current directory.
. 2020-12-19 09:02:30.549 Got reply 1 to the command 16
. 2020-12-19 09:02:30.549 Getting current directory name.
. 2020-12-19 09:02:30.596 Retrieving directory listing...
> 2020-12-19 09:02:30.596 TYPE A
< 2020-12-19 09:02:30.611 200 Type set to A.
> 2020-12-19 09:02:30.611 PASV
< 2020-12-19 09:02:30.627 227 Entering Passive Mode (123,123,123,123,123,123).
> 2020-12-19 09:02:30.627 LIST -a
. 2020-12-19 09:02:30.627 Connecting to 123.123.123.123:123 ...
. 2020-12-19 09:02:30.658 Data connection opened
. 2020-12-19 09:02:30.658 Trying reuse main TLS session ID
< 2020-12-19 09:02:30.658 150 Opening ASCII mode data connection.
. 2020-12-19 09:02:30.658 TLS layer changed state from none to connected
. 2020-12-19 09:02:30.658 TLS layer changed state from connected to aborted
. 2020-12-19 09:02:30.658 Data connection closed
. 2020-12-19 09:02:30.658 <Empty directory listing>
< 2020-12-19 09:02:30.674 550 The specified network name is no longer available.
. 2020-12-19 09:02:30.674 Could not retrieve directory listing
. 2020-12-19 09:02:30.674 Got reply 4 to the command 2
. 2020-12-19 09:02:30.689 LIST with -a failed, will try pure LIST
. 2020-12-19 09:02:30.689 Retrieving directory listing...
> 2020-12-19 09:02:30.689 TYPE A
< 2020-12-19 09:02:30.705 200 Type set to A.
> 2020-12-19 09:02:30.705 PASV
< 2020-12-19 09:02:30.736 227 Entering Passive Mode (123,123,123,123,123,123).
> 2020-12-19 09:02:30.736 LIST
. 2020-12-19 09:02:30.736 Connecting to 123.123.123.123:123 ...
< 2020-12-19 09:02:30.752 150 Opening ASCII mode data connection.
. 2020-12-19 09:02:30.752 Data connection opened
. 2020-12-19 09:02:30.752 Trying reuse main TLS session ID
. 2020-12-19 09:02:30.752 TLS layer changed state from none to connected
. 2020-12-19 09:02:30.752 TLS layer changed state from connected to aborted
. 2020-12-19 09:02:30.752 Data connection closed
. 2020-12-19 09:02:30.752 <Empty directory listing>
< 2020-12-19 09:02:30.783 550 The specified network name is no longer available.
. 2020-12-19 09:02:30.783 Could not retrieve directory listing
. 2020-12-19 09:02:30.783 Got reply 4 to the command 2
* 2020-12-19 09:02:30.861 (ECommand) Error listing directory '/'.
* 2020-12-19 09:02:30.861 Could not retrieve directory listing
* 2020-12-19 09:02:30.861 The specified network name is no longer available.
. 2020-12-19 09:04:30.099 Dummy directory read to keep session alive.
. 2020-12-19 09:04:30.099 Retrieving directory listing...
> 2020-12-19 09:04:30.099 TYPE A
< 2020-12-19 09:04:30.115 200 Type set to A.
> 2020-12-19 09:04:30.115 PASV
< 2020-12-19 09:04:30.146 227 Entering Passive Mode (123,123,123,123,123,123).
> 2020-12-19 09:04:30.146 LIST
. 2020-12-19 09:04:30.146 Connecting to 123.123.123.123:123 ...
. 2020-12-19 09:04:30.162 Data connection opened
. 2020-12-19 09:04:30.162 Trying reuse main TLS session ID
< 2020-12-19 09:04:30.162 150 Opening ASCII mode data connection.
. 2020-12-19 09:04:30.162 TLS layer changed state from none to connected
. 2020-12-19 09:04:30.162 TLS layer changed state from connected to aborted
. 2020-12-19 09:04:30.162 Data connection closed
. 2020-12-19 09:04:30.162 <Empty directory listing>
< 2020-12-19 09:04:30.193 550 The specified network name is no longer available.
. 2020-12-19 09:04:30.193 Could not retrieve directory listing
. 2020-12-19 09:04:30.193 Got reply 4 to the command 2
【Discussion】:
-
This is indeed most likely a firewall or NAT issue. Can you list a directory with any command-line/GUI FTPS client on the machine where your program does not work? If you can, please post its verbose log file.
-
@MartinPrikryl OK, I've added the log from WinSCP.
-
OK, so it's a firewall or NAT or other network or communication problem. Not a programming problem. Please move it to Super User or Server Fault. Or better, contact your network administrator.
-
@MartinPrikryl Well, that's bad. The hoops I'd have to jump through with the corporate firewall aren't worth it. I'll try SFTP instead. Thanks for your help.
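As an added example (not part of the question or the comments, and not code from the FTPSClient library): a small Python diagnostic for the two failure shapes described above. It parses the 227 PASV reply, flags the address and port problems a NAT or firewall typically causes, and classifies WinSCP-style log lines as "the data TCP connect never succeeded" (the machine on the other network) versus "TCP connected, then the data-channel TLS layer was aborted" (the work machine). The log lines in the block are constructed to mirror the log above; the control address, the reserved port range and the port 31611 are placeholders I chose, not values from the post.

```python
"""Passive-mode FTPS data-channel diagnostics (added example, not from the post).

Everything here works on strings, so it runs offline. The sample log lines are
constructed to mirror the shape of the WinSCP log in the question; addresses,
the port range and port numbers are placeholders, not values from the post.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"\b227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# WinSCP "Connecting to <ip>:<port> ..." line for the data connection. The
# control-connection line carries a host name and no port, so it does not match.
DATA_CONNECT_RE = re.compile(r"Connecting to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_ip: str, port_range: tuple[int, int]) -> list[str]:
    """Flag NAT/firewall misconfigurations visible in a PASV reply.

    control_ip is where the control connection went; port_range is the data
    channel range reserved on the server and opened on the firewall. Both are
    supplied by the caller; nothing is discovered from the network.
    """
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    problems: list[str] = []
    if addr.is_private or addr.is_loopback or addr.is_unspecified:
        problems.append(f"data address {ip} is not routable from the client; "
                        "the server must advertise its external address")
    elif ip != control_ip:
        problems.append(f"data address {ip} differs from control address {control_ip}; "
                        "a NAT device may be rewriting it")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the reserved range {lo}-{hi}; "
                        "the firewall rule for that range will not match")
    return problems


def classify_data_channel(log_lines: Iterable[str]) -> str:
    """Classify one passive transfer attempt from WinSCP-style log lines.

    'no-attempt'   no data-connection connect was tried
    'tcp-blocked'  connect tried, but never 'Data connection opened'
    'tls-aborted'  TCP connected, then the data-channel TLS layer aborted
    'ok'           data connection opened and its TLS layer stayed up
    """
    tried = opened = aborted = False
    for line in log_lines:
        if DATA_CONNECT_RE.search(line):
            tried = True
        elif "Data connection opened" in line:
            opened = True
        elif opened and "TLS layer changed state from connected to aborted" in line:
            aborted = True
    if not tried:
        return "no-attempt"
    if not opened:
        return "tcp-blocked"
    return "tls-aborted" if aborted else "ok"


# Constructed lines shaped like the work-machine log above (port is a placeholder).
LOG_WORK_MACHINE = """\
> PASV
< 227 Entering Passive Mode (123,123,123,123,123,123).
> LIST
. Connecting to 123.123.123.123:31611 ...
. Data connection opened
. Trying reuse main TLS session ID
< 150 Opening ASCII mode data connection.
. TLS layer changed state from none to connected
. TLS layer changed state from connected to aborted
. Data connection closed
< 550 The specified network name is no longer available.
""".splitlines()

# Constructed lines for the machine on the other network (data connect timed out).
LOG_OTHER_NETWORK = """\
> PASV
< 227 Entering Passive Mode (123,123,123,123,123,123).
> LIST
. Connecting to 123.123.123.123:31611 ...
* Connection failed.
""".splitlines()


def diagnose(log_lines: list[str], control_ip: str, port_range: tuple[int, int]) -> dict:
    """Run both checks on one attempt; the 227 reply is taken from the log."""
    reply = next(line for line in log_lines if "227" in line)
    return {"pasv_problems": check_pasv(reply, control_ip, port_range),
            "data_channel": classify_data_channel(log_lines)}


if __name__ == "__main__":
    for name, log in (("work machine", LOG_WORK_MACHINE), ("other network", LOG_OTHER_NETWORK)):
        print(name, diagnose(log, control_ip="123.123.123.123", port_range=(31000, 32000)))
```

The reason plain passive FTP can work where FTPS does not is that a stateful firewall or NAT with an FTP ALG reads the clear-text 227 reply and opens the data port on the fly; once the control channel is encrypted after AUTH TLS it cannot see that reply, so the data connection is dropped (the connect timeout on the third machine) or reset after it is accepted (the aborted TLS layer in the log). The fix is on the server and network side, as the comments say: reserve a fixed data-channel port range and external address in the IIS FTP firewall support settings, and open that range explicitly on the firewall in front of the server and on the corporate egress firewall.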