From 710ee3b0e0858a3ee8283fd1de1bc35f24c2bb5b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 19 Aug 2005 14:41:09 +0000 Subject: [PATCH] Norbert Novotny had problems with FTPS and he helped me work out a patch that made curl run fine in his end. The key was to make sure we do the SSL/TLS negotiation immediately after the TCP connect is done and not after a few other commands have been sent like we did previously. I don't consider this change necessary to obey the standards, I think this server is pickier than what the specs allow it to be, but I can't see how this modified libcurl code can add any problems to those who are interpreting the standards more liberally. --- CHANGES | 10 ++++++++++ RELEASE-NOTES | 6 ++++-- lib/ftp.c | 46 +++++++++++++++++++++++++++------------------- 3 files changed, 41 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index cd1a3448e..548fbc6a9 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,16 @@ Changelog +Daniel (19 August 2005) +- Norbert Novotny had problems with FTPS and he helped me work out a patch + that made curl run fine in his end. The key was to make sure we do the + SSL/TLS negotiation immediately after the TCP connect is done and not after + a few other commands have been sent like we did previously. I don't consider + this change necessary to obey the standards, I think this server is pickier + than what the specs allow it to be, but I can't see how this modified + libcurl code can add any problems to those who are interpreting the + standards more liberally. + Daniel (17 August 2005) - Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to diff --git a/RELEASE-NOTES b/RELEASE-NOTES index adad93014..7ff1fbb58 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES 
@@ -7,10 +7,11 @@ Curl and libcurl 7.14.1 Number of public functions in libcurl: 46 Amount of public web site mirrors: 25 Number of known libcurl bindings: 31 - Number of contributors: 437 + Number of contributors: 447 This release includes the following changes: + o negotiates data connection SSL earlier when doing FTPS with PASV o CURLOPT_COOKIELIST and CURLINFO_COOKIELIST o trailer support for chunked encoded data streams o -x/CURL_PROXY strings may now contain user+password @@ -60,6 +61,7 @@ advice from friends like these: John McGowan, Georg Wicherski, Andres Garcia, Eric Cooper, Todd Kulesza, Tupone Alfredo, Gisle Vanem, David Shaw, Andrew Bushnell, Dan Fandrich, Adrian Schuur, Diego Casorran, Peteris Krumins, Jon Grubbs, Christopher - R. Palmer, Mario Schroeder, Richard Clayton, James Bursa, Jeff Pohlmeyer + R. Palmer, Mario Schroeder, Richard Clayton, James Bursa, Jeff Pohlmeyer, + Norbert Novotny Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/ftp.c b/lib/ftp.c index 6ed0fa79b..bc30e2258 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -174,9 +174,13 @@ static bool isBadFtpString(const char *string) * to us. This function will sit and wait here until the server has * connected. * + * If FTP-SSL is used and SSL is requested for the data connection, this + * function will do that transport layer handshake too. + * */ static CURLcode AllowServerConnect(struct connectdata *conn) { + CURLcode result; int timeout_ms; struct SessionHandle *data = conn->data; curl_socket_t sock = conn->sock[SECONDARYSOCKET]; 
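Review bot: The new paragraph in the AllowServerConnect header says the function now does the data-connection handshake but not that the handshake blocks, which the code itself marks with `/* BLOCKING */` further down; I would extend the added comment with `* Note that the handshake is blocking. In the PASV case the data-connection handshake is done in Curl_ftp_nextconnect instead.` The `CURLcode result;` added here is left uninitialized, which is fine only as long as the new handshake branch later in the function is its sole reader — it appears to be, but the rest of the body is outside this hunk. The body of AllowServerConnect continues past the end of the hunk.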
@@ -231,6 +235,17 @@ static CURLcode AllowServerConnect(struct connectdata *conn) break; } + /* If PASV is used, this is is made elsewhere */ + if(conn->ssl[SECONDARYSOCKET].use) { + /* since we only have a plaintext TCP connection here, we must now + do the TLS stuff */ + infof(data, "Doing the SSL/TLS handshake on the data stream\n"); + /* BLOCKING */ + result = Curl_ssl_connect(conn, SECONDARYSOCKET); + if(result) + return result; + } + return CURLE_OK; } @@ -2017,16 +2032,6 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn, return result; } - if(conn->ssl[SECONDARYSOCKET].use) { - /* since we only have a plaintext TCP connection here, we must now - do the TLS stuff */ - infof(data, "Doing the SSL/TLS handshake on the data stream\n"); - /* BLOCKING */ - result = Curl_ssl_connect(conn, SECONDARYSOCKET); - if(result) - return result; - } - *(ftp->bytecountp)=0; /* When we know we're uploading a specified file, we can get the file @@ -2126,15 +2131,6 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn, return result; } - if(conn->ssl[SECONDARYSOCKET].use) { - /* since we only have a plaintext TCP connection here, we must now - do the TLS stuff */ - infof(data, "Doing the SSL/TLS handshake on the data stream\n"); - result = Curl_ssl_connect(conn, SECONDARYSOCKET); - if(result) - return result; - } - if(size > conn->maxdownload && conn->maxdownload > 0) size = conn->size = conn->maxdownload; 
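Review bot: The comment on the new block has a doubled word and does not say where the PASV case is handled; I would make it `/* If PASV is used, this is done in Curl_ftp_nextconnect instead */`. Unlike the Curl_ftp_nextconnect hunk, this handshake is guarded only by `conn->ssl[SECONDARYSOCKET].use` and not by `data->set.ftp_use_port`, so it relies on AllowServerConnect being reached only on the PORT path — presumably true given the function's comment, but worth confirming, because a second Curl_ssl_connect on a socket that already negotiated TLS would not leave a clean state. A failing Curl_ssl_connect is returned without any message from this function, so unless Curl_ssl_connect reports it itself the caller cannot tell that it was the data-stream handshake that failed. The start of AllowServerConnect is outside this hunk; the removals in ftp_state_stor_resp and ftp_state_get_resp on this same line are the relocated copies of this block and need no separate comment.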
@@ -3096,6 +3092,18 @@ CURLcode Curl_ftp_nextconnect(struct connectdata *conn) if(!ftp->no_transfer && !conn->bits.no_body) { /* a transfer is about to take place */ + if(conn->ssl[SECONDARYSOCKET].use && + !data->set.ftp_use_port) { + /* PASV is used and we just got the data connection connected, then + it is time to handshake the secure stuff. */ + + infof(data, "Doing the SSL/TLS handshake on the data stream\n"); + /* BLOCKING */ + result = Curl_ssl_connect(conn, SECONDARYSOCKET); + if(result) + return result; + } + if(data->set.upload) { NBFTPSENDF(conn, "TYPE %c", data->set.ftp_ascii?'A':'I'); state(conn, FTP_STOR_TYPE);
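Review bot: After this change the same handshake sequence (infof, Curl_ssl_connect, early return) exists twice, here and in AllowServerConnect, and the two copies already differ in their guard and comment; I would fold them into one `static CURLcode ftp_data_ssl_connect(struct connectdata *conn)` helper so the blocking handshake and its log message have a single definition. Whether `result` and `data` are declared in Curl_ftp_nextconnect cannot be checked from this hunk, since the function's head is outside it. I would also have the comment name its counterpart, e.g. `/* PASV: the data connection just got connected, so handshake now; the PORT case is handled in AllowServerConnect */`, so the two sites are kept in sync when either changes.
```c
/* Blocking SSL/TLS handshake on the freshly connected data socket. The
   caller has already checked that SSL is wanted on SECONDARYSOCKET. */
static CURLcode ftp_data_ssl_connect(struct connectdata *conn)
{
  infof(conn->data, "Doing the SSL/TLS handshake on the data stream\n");
  /* BLOCKING */
  return Curl_ssl_connect(conn, SECONDARYSOCKET);
}

/* … unchanged: Curl_ftp_nextconnect up to the transfer check … */
    if(conn->ssl[SECONDARYSOCKET].use &&
       !data->set.ftp_use_port) {
      /* PASV: the data connection just got connected, so handshake now;
         the PORT case is handled in AllowServerConnect */
      result = ftp_data_ssl_connect(conn);
      if(result)
        return result;
    }
```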