Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[jrak]

Jrak,
                  Another alternative would be to install fun_plug on your system. The encryption is SSH which is by far better than SSL/TLS.  Keep in mind that it would voids any warranty that you have on your box. You can read a little more on it here.....

http://wiki.dns323.info/howto:fun_plug#how_fun_plug_works

Thanks for the advice.  I was holding off on installing the fun_plug until my warranty expired and I had the chance to install the new firmware.  Seeing as the latter does not meet my needs and my warranty has expired, the fun_plug is an option I want to try.

[jrak]

After looking at the fun_plug installation instructions, I've decided that it's a bit more trouble than I care to undertake at this time.  If I need to use FTP, I limit my downloading to files that don't have any confidential information in them.

Like others who have contributed to this thread, I would like to hear from the D-Link moderator on this topic.  Is D-Link planning to fully implement FTP over explicit TLS/SSL for the DNS-323?

[mosil]

Fun_plug is not as hard as it looks as i  did it myself but if you are not comfortable then stay away. The last thing you want to do is brick your system. I am with you on this one......we will have to issue a search warrant for the Moderators...

[Geraner]

FTP over TLS works perfektly for my behind the DIR-655.
Now I'm running a DIR-825 but the configurations are the same as I had on the DIR-655.

My FTP-settings in the DNS-323 with Firmware 1.08 are the following:
-------
Max. User: 10
Idle Time: 10 (minutes)
Port: 21212 (to avoid FTP-hacking attacks)
Passive Mode: Use the following port range: 30000 - 30020
Client Language: Northern European
Flow Control: Unlimited
SSL/TLS:  (marked) Allow SSL/TLS connection only
-------

Now to the settings in the DIR-825.
-------
Advanced -> Port Forwarding:
1. Enabled
Name: FTP-Server
IP-Addres: IP of DNS-323
TCP: 21212
Schedule: Always

2. Enabled
Name: Passive-FTP
IP-Addres: IP of DNS-323
TCP: 30000-30020
Schedule: Always
-------

That's everything. FTP over SSL is working perfectly for me.
Running FileZilla as FTP program. Settings there are:
Port: 21212
Servertype: FTPES - FTP over explicit TLS/SSL.

/Geraner

[jrak]

I made the changes you suggested, but still got the command "534 Fallback to [C]" which indicates that whatever follows is transmitted in clear text.

Perhaps you can post your log from Filezilla.


Connecting to XXX.XXX.XX.XXX:21212...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 15:42. Server port: 21212.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 2 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER XXXX
Status:   TLS/SSL connection established.
Response:   331 User XXXX OK. Password required
Command:   PASS **************
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (XXX,XXX,XX,XXX,XXX,XX)
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 2 matches total
Status:   Directory listing successful

[Geraner]

Well, now I see that I also get "534 Fallback to [C]". Have never realized this.
Does it really mean that the FTP-traffic is not encrypted then?
The log tells us earlier: "Status:   TLS/SSL connection established." In your case also.
Because FileZilla tells me that the connection is encrypted. (symbol at the right corner) When I click on this a window with the certificate information is opening.

So I'm not sure about the "534 Fallback to [C]" whether this is telling us that there is no encryption. Becuase Filzella tells me it is encrypted.

Here is my FTP log from FileZilla
-----
Status:   Connecting to x.x.x.x:21212...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 09:43. Server port: 21212.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 10 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER xxxxx
Status:   TLS/SSL connection established.
Response:   331 User xxxxx OK. Password required
Command:   PASS ***********
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (x,x,x,x,117,53)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 1 matches total
Status:   Directory listing successful
------

[Geraner]

You are right. The traffic is not encrypted. Data is been sent in clear text. 

I made a test.
Created a .txt file with the text: geraner is sending a testfile via FTP TSL/SSL to the DNS-323.
This file I transfered from my local computer to the DNS-323 via FTP (TLS/SSL activated).
Before the file transfer via FTP I started Wireshark to log the traffic during the FTP file transfer.
If the traffic would be encrypted, than Wireshark will not be possible to see any datatransfer unencrypted.

See the print screen bellow, which information Wireshark could capture during "encrypted" file transfer to the DNS-323.

D-Link, can you fix this problem please!?

[batteryworm]

Hi, This must be really old news but I am not sure if anyone managed to resolve this FTP over TLS issue.

Here is what works for me. So I just want to share as it was very frustrating when it didn't work and I struggled over a whole weekend (trial and error).

My config is DNS-320 Sharecentre with Firmware Rev 2.00 Firmware date: Dec 17 2010. Yours may be different so I don't know if it will work for you.
My IP address for the DNS-320 is 192.168.1.100.

1. For the DNS-320, after logging in as admin,
Under Management - Application Management - FTP server, use the following settings and selections:
Max Users 10
Idle Time 5
Port 3688 {you can also select anything between 1025 to 3688; just don't select the default 21 - it won't work}
Passive mode - use the default port range (55536~55663)
 - do not need to select Report External IP in PASV mode {optional to select this}*
     External IP: {leave this blank}*
Client language: ISO8859-1 << Western European (ISO8859-1)
Flow Control Unlimited
SSL/TLS Select Allow SSL/TLS connection only
FXP Disable

Note*: These two options Report External IP in PASV mode and the actual external IP address are actually optional. You can unselect these option - it should work fine for most good FTP clients. The only thing is that If you do not select Report External IP in PASV mode, then some client such as Filezilla will complaint that unable to connect to IP indicated by PASV mode and then it will fall back to server external IP and it will continue just fine. However, for each transaction it will have this annoying warning message "server sent passive reply with unrouteable address. Using server address instead". If you have an Internet connection that has permanent static IP address, then you can configure this Report External IP in PASV mode and fill in your external IP address in the next line.


2. On your router, depending on the make and model, you have to find the NAT - virtual server menu or some other routers call it the port-forwarding menu.

Add the following entries:
a) External port 3688; Server IP {enter your internal FTP server IP address eg. 192.168.1.100}; Internet port 3688. Protocol: TCP.
b) External port 55536-55663; Server IP {enter the same FTP server internal IP addr 192.168.1.100}; Internal port 55536-55663 (same as external port); Protocol TCP.

3. On the client end (I use Filezilla on a laptop tethered to my phone with 4G data network), select the following:
Host IP : Public IP address of your router (you can check this by using canyouseeme.org on your browser from your home network); Alternatively if you already have DDNS setup, then just type in your hostname.domain as per your DDNS instead of numeric IP address.
Port: 3688
Protocol: FTP
Encryption: Use Explicit FTP over TLS
Logon type: Normal
Username:{username to the FTP server}
Password: {password to the FTP server}
The rest of the settings should be able to leave it as default or auto.

[FurryNutz]

Thank you for posting. Hope it helps future users.