D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: mosil on February 26, 2010, 05:25:14 PM

Title: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 26, 2010, 05:25:14 PM
Hello,
I have read numerous posts on this forum about issues connecting to the DNS-323 via FTP over explicit TLS/SSL. Apparently, there were a lot of frustrated users and no direct answer to a fix. I am in the same boat, with a lot of sleepless nights and no success.
Currently, I am on firmware 1.08 and able to connect to the DNS-323 via TLS/SSL using FileZilla (or so I think). In the log I notice that when the PROT P command is executed the response is 534 Fallback to [C]. From what I understand, this pretty much means that [C] means Clear and that all data is in plain text. Has anyone been able to fix this, or even been able to log in securely to the server at this time? Many thanks.


Mosil
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 26, 2010, 05:29:08 PM
I gave up on it. :)
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 26, 2010, 05:31:41 PM
gunrunnerjohn> Is D-Link aware of this, or do they even acknowledge that this is a problem in the firmware? I did not see it mentioned in the 1.08 known bugs forum, which is why I am asking.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 26, 2010, 06:04:28 PM
I don't think many people use secure-FTP with this box, at least that's my take.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 26, 2010, 06:20:13 PM
If the majority of the users don't use it... then why would they implement it in the new firmware? Interesting, as it is kinda deceiving to advertise TLS/SSL on a product when it doesn't work. I guess it's time D-Link goes back to the drawing board. Hopefully they can get it fixed in the next release.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: jrak on February 26, 2010, 08:25:59 PM
I thought I was able to connect via SSL/TLS with firmware 1.06, but I was wrong. I updated to 1.08 but still have the same problem (see below). Has anyone gotten this to work with 1.08?

Connecting to XXXXXXXXXXXXXXX.
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 23:20. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 2 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER XXXXXXX
Status:   TLS/SSL connection established.
Response:   331 User XXXXXXXX OK. Password required
Command:   PASS **************
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (192,168,0,191,217,50)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Error:   Connection timed out
Error:   Failed to retrieve directory listing
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 26, 2010, 09:18:11 PM
Jrak,
Other than not being able to retrieve the directory listing, I would be more concerned that you are falling back on clear text:

Command:   PROT P
Response:   534 Fallback to [C]


From what it looks like, the client may be defaulting to clear text when PROT P fails. Not an expert in this, but that would be my 2 cents on that. Maybe someone with more knowledge can explain a bit more.

I really doubt that it is establishing an SSL/TLS connection, sending username + password, then switching back to clear text to transfer data. Like I said, I am not an expert, and hopefully someone that reads this can clarify.

Was this a remote attempt or within your LAN network?
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: Buhric on February 27, 2010, 04:55:26 AM
Not really sure why you guys can't make it work....
Here are the settings I have in CuteFTP.. FileZilla must have the equivalent....
(http://img444.imageshack.us/img444/3945/ftpi.jpg)

and here are the settings in my DNS-323... I just blacked out my IP address
(http://img696.imageshack.us/img696/6879/dns323ftp.jpg)

And of course I forward port 21 and 10050 through 10099 to the DNS-323 IP
in my router

Edit:
My bad, just noticed that I was clearing the "data channel", thus resulting in unencrypted data transfers....
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: jrak on February 27, 2010, 05:39:38 AM
Was this a remote attempt or within your LAN network?

Mosil,

The log was from an attempt within my LAN network. I've been able to connect remotely, but not via SSL/TLS.

Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 27, 2010, 07:08:55 AM
The problem is it drops to clear data transfers, the encryption is gone.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 27, 2010, 11:06:05 AM
Ok..... I tried putting the DNS-323 in the DMZ (open to the world without any firewall or port restrictions) and the results were the same. The FTP server is denying the FTP client's request of PROT P, hence the FTP client is defaulting to [C] (this test was done on FileZilla). It is really interesting to know that there is another thread on this same issue by Mcduarte2000 with over 3860 views to date, and that it did not raise a red flag for D-Link moderators to intervene. Maybe it did and they are working on a fix to surprise us ;D
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 27, 2010, 12:53:33 PM
I did the same thing here, DMZ didn't make any difference, so I gave up.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 27, 2010, 09:59:03 PM
Just to rule out my DIR-655 router as being the problem, I went ahead and connected my PC and the DNS-323 to a D-Link switch, a DGS-2208 to be specific. No rules or regulations here like the router. Disabled my Windows firewall. It didn't surprise me to see that it made no difference. At this point we can only conclude one thing........
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: Buhric on February 27, 2010, 10:28:11 PM
Was this a remote attempt or within your LAN network?

Mosil,

The log was from an attempt within my LAN network. I've been able to connect remotely, but not via SSL/TLS.

In my case it happens on both within my LAN and outside... same behaviour....
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 28, 2010, 07:35:04 AM
FWIW, secure FTP works fine on my local network, I could just never get it to work through the router, even configured as DMZ.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 28, 2010, 08:46:49 AM
Gunrunnerjohn,
That is very interesting that you said that. Just out of curiosity, what FTP client are you using? I don't think that it has anything to do with the client end, but I would sure like to rule it out.

P.S. I am on FileZilla (latest version). I tried to manually send the commands to the server and below are the results.


Command:   PROT E
Response:   534 Fallback to [C]
Command:   PROT P
Response:   534 Fallback to [C]
Command:   PROT C
Response:   200 OK

Only Clear text works.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 28, 2010, 08:49:43 AM
I'm using FileZilla, and I just did the update that prompted me this morning. :)
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: fordem on February 28, 2010, 11:10:09 AM
FWIW, secure FTP works fine on my local network, I could just never get it to work through the router, even configured as DMZ.


Assuming that the default gateway on the DNS-323 is properly set, this points to a "client side" issue - is the client also behind a NAT router?
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 28, 2010, 11:42:51 AM
Well, the default gateway is correct, it's the same as for all the other devices, the base address of the router.

We tried it on the other end also in the DMZ of his router, which should eliminate the NAT layer issue.

The other guy got tired of screwing around with it, so we gave up. :)
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: Wastedfreak on February 28, 2010, 12:20:25 PM
Try assigning a primary and secondary dns address on the NAS.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: gunrunnerjohn on February 28, 2010, 12:21:40 PM
A secondary DNS is somewhat pointless here, since my primary points to the router which is what my whole network uses.  This is not a DNS issue anyway.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on February 28, 2010, 03:49:18 PM
Gunrunnerjohn,
That is really good that you are able to get FTP over explicit SSL/TLS on your home network to work. You are one step ahead of me. I really don't need to have that sort of security while within my network, but I still tried it while troubleshooting and I was unsuccessful. Did you have to do anything special to get this to work?

Other thoughts:
I am a little concerned that FileZilla is falling back on clear text without a pop-up warning or disconnecting altogether. I looked for an option in the software to make it not fall back to this mode and disconnect instead, but was unable to find one. It could be built into the software to default to [C]. If one is not paying attention to the log, they will not know.

Has anyone tried any other FTP client and what are the results?
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: jolley on March 01, 2010, 05:11:57 AM
mosil,

It works fine once you reset to defaults using the button on the back of the unit and reconfigure manually.

I had the same problem until I did that (you can also do a quick fix by ticking 'TLS/SSL only' and applying, then unticking and applying which avoids resetting the box).

Maybe worth reading http://forums.dlink.com/index.php?topic=9957.30

Cheers
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on March 01, 2010, 07:10:26 PM
Jolley,
I have already carried out a restore to defaults and manually done a hard reset, but with no luck. I do get the RSA 2048-bit certificate like you mention in the other thread, but if you follow the log beyond that you will see that the encryption drops and falls back to plain text. I did some research on the FileZilla forum and found that the username/password is encrypted but the data transfer is not once it falls back to [C]:

PROT P refers to the data transfers. Communication with the server is always encrypted if you use SSL/TLS.
Communication encrypted: PROT C, Communication+Data encrypted: PROT P.

If PROT P isn't enforced, client could send PROT C and transfer files unencrypted. If PROT P is enforced, PROT C is rejected.

This is obviously for a FileZilla server and not the DNS..

Here is the link if you would like to read some more...

http://wiki.filezilla-project.org/SSL/TLS
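As an added example (not code from the thread, FileZilla or D-Link), the Python below turns the PROT C / PROT P distinction quoted above into a check: `audit_ftps_log` reads a FileZilla-style log and reports whether listings and transfers ran over a clear data channel after a "534 Fallback to [C]", and `connect_strict` shows an ftplib client that disconnects on that 534 instead of falling back. The sample log is constructed and the file name in it is made up.

```python
# Added example, not code from the thread, FileZilla or D-Link. It applies the
# PROT C / PROT P distinction quoted above: AUTH TLS protects the control
# channel (USER/PASS); only an accepted PROT P protects the data channel, so
# after "534 Fallback to [C]" every MLSD/LIST/RETR/STOR travels in the clear.
import re
import ssl
import ftplib

# FTP verbs that open a data connection and therefore depend on PROT P.
DATA_COMMANDS = {"MLSD", "LIST", "NLST", "RETR", "STOR", "APPE", "STOU"}

# Constructed, shortened session in FileZilla's "Kind:<tab>text" log format,
# modelled on the 1.08 transcripts posted in this thread (file name made up).
SAMPLE_LOG = """\
Command:\tAUTH TLS
Response:\t234 AUTH TLS OK.
Status:\tTLS/SSL connection established.
Command:\tUSER ME
Response:\t331 User ME OK. Password required
Command:\tPASS ******
Response:\t230 OK. Current restricted directory is /
Command:\tPBSZ 0
Response:\t200 PBSZ=0
Command:\tPROT P
Response:\t534 Fallback to [C]
Command:\tMLSD
Response:\t226 1 matches total
Command:\tRETR budget.xlsx
Response:\t226 File successfully transferred
"""

def audit_ftps_log(log_text):
    """Report what a FileZilla session actually protected. The data channel
    starts at "C": per RFC 4217 it stays clear until PROT P gets a 2xx."""
    control_tls = False
    data_protection = "C"
    clear_transfers = []
    pending = None  # last Command still waiting for its Response
    for raw in log_text.splitlines():
        kind, _, text = raw.partition(":")
        text = text.strip()
        if kind == "Status" and "TLS/SSL connection established" in text:
            control_tls = True
        elif kind == "Command":
            pending = text
            if text.split(" ", 1)[0] in DATA_COMMANDS and data_protection != "P":
                clear_transfers.append(text)  # listing/transfer without PROT P
        elif kind == "Response" and pending and pending.startswith("PROT "):
            fallback = re.search(r"Fallback to \[([CSEP])\]", text)
            if text[:1] == "2":
                data_protection = pending.split()[1]  # server accepted level
            elif fallback:
                data_protection = fallback.group(1)   # Pure-FTPd style refusal
            pending = None
    return {
        "control_tls": control_tls,
        "data_protection": data_protection,
        "clear_transfers": clear_transfers,
        "secure": control_tls and data_protection == "P",
    }

def connect_strict(host, user, password, port=21, timeout=30):
    """Explicit FTPS login that aborts instead of falling back to PROT C."""
    ftp = ftplib.FTP_TLS(context=ssl.create_default_context(), timeout=timeout)
    ftp.connect(host, port)
    ftp.auth()                 # AUTH TLS: control channel encrypted from here
    ftp.login(user, password)  # USER/PASS travel inside TLS
    try:
        ftp.prot_p()           # PBSZ 0 then PROT P; a 534 raises error_perm
    except ftplib.error_perm as exc:
        ftp.close()            # never continue with a clear data channel
        raise RuntimeError(f"server refused PROT P: {exc}") from exc
    return ftp
```

Running `audit_ftps_log(SAMPLE_LOG)` on the constructed session reports the control channel as encrypted but flags both the MLSD listing and the RETR transfer as clear-text, which is exactly the situation a Wireshark capture of the login alone would not reveal.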
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: jolley on March 02, 2010, 04:41:35 AM
Interesting, cheers for the info.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on March 02, 2010, 09:45:45 PM
Final Status:

Able to connect to the DNS-323 server both locally and remotely via FTP over explicit SSL/TLS. *Appears* that my username and password are masked on both connections. Data transfer is what I am not sure about. It seems that the connection switches back to clear text afterwards. I would have to assume at this point that the server does not support PROT P. I am able to retrieve the directory listing successfully both remotely and locally by configuring the ports.

LOCALLY


Status:   Resolving address of unknown.com
Status:   Connecting to xxx.xxx.xxx.xxx:0000...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 5 allowed.
Response:   220-Local time is now 00:29. Server port: 0000.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER ME
Status:   TLS/SSL connection established.
Response:   331 User ME OK. Password required
Command:   PASS ******
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   CWD /mnt/HD_b2/unknown
Response:   550 Can't change directory to /mnt/HD_b2/unknown: No such file or directory
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (xxx,xxx,xxx,xxx,x,xxx)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 1 matches total
Status:   Directory listing successful

REMOTELY

Status:   Resolving address of unknown.com
Status:   Connecting to xxx.xxx.xxx.xxx:0000...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 5 allowed.
Response:   220-Local time is now 00:37. Server port: 0000.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER ME
Status:   TLS/SSL connection established.
Response:   331 User ME OK. Password required
Command:   PASS *************
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PORT xx,xxx,xxx,xxx,x,xxx
Response:   200 PORT command successful
Command:   MLSD
Response:   150 Connecting to port xxxx
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 4 matches total
Status:   Directory listing successful
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: tfiveash on March 02, 2010, 10:03:07 PM
I wish that Dlink would respond to this issue.  Are we doing something wrong or is it a bug in the firmware?  It would save a lot of time if they would help.

Terry
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on March 03, 2010, 06:03:47 AM
Terry,
                I could not agree more. Hope Dlink is reading this. >:(
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: mosil on March 13, 2010, 03:48:57 PM
Hellooooooooooooooooooooooooooooooooooooooo........... Does not have to be a fix....Just an answer to shed some light.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: davss on July 22, 2010, 09:23:02 AM
Same issue on my side. Did some tests, which are here:
http://forums.dlink.com/index.php?topic=8643.msg82653#msg82653

D-Link don't seem to care about users that are unable to use such basic features as secure FTP. I may have to sell this device and get some other brand that has them working properly... it's a shame, because I used to think D-Link wasn't that bad, but over the past few years it has gradually been getting worse and worse.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: tfiveash on July 22, 2010, 10:49:31 PM
Davss,

I could not agree more. We have asked over and over for help from D-Link and have heard nothing from them. Even this thread dates back 5 months, and how many D-Link responses do you see? The sad thing is that they are still selling this product and not supporting it. We are not asking for the impossible. All we are asking is for D-Link to fix the laundry list of problems. The only consolation is that the DNS-321 and DNS-343 are not being helped either.

I am not sure D-Link even has anyone working on our problems. I have seen no evidence of it, nor have I seen D-Link even address this issue. I am about to agree with Gunrunnerjohn and buy a Synology even though I do not need all that capability. But at least they support their product and it works. It has been over a year since we have had new firmware, even a beta, and I am not including V1.09, which is a joke.

Terry
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: nullpointerninja on July 23, 2010, 04:13:32 PM
Hello.

Has anyone used Wireshark (or something similar) to really see whether the connection is encrypted or not?

I've sent an e-mail to d-link support and they sent me back a wireshark screenshot showing that the packets are encrypted (they said that the DNS-323 connects via TLS automatically from version 1.06 onwards). I don't know if the packets were captured during the authentication process (which is indeed encrypted) or during file transfer (which FileZilla says is not encrypted).

If no one has tried that, I might give it a shot later tonight.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: liammaps2010 on July 26, 2010, 04:08:48 PM
Final Status:

Able to connect to the DNS-323 server both locally and remotely via FTP over explicit SSL/TLS. *Appears* that my username and password are masked on both connections. Data transfer is what I am not sure about. It seems that the connection switches back to clear text afterwards. I would have to assume at this point that the server does not support PROT P. I am able to retrieve the directory listing successfully both remotely and locally by configuring the ports.

LOCALLY


Status:   Resolving address of unknown.com
Status:   Connecting to xxx.xxx.xxx.xxx:0000...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 5 allowed.
Response:   220-Local time is now 00:29. Server port: 0000.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER ME
Status:   TLS/SSL connection established.
Response:   331 User ME OK. Password required
Command:   PASS ******
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   CWD /mnt/HD_b2/unknown
Response:   550 Can't change directory to /mnt/HD_b2/unknown: No such file or directory
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (xxx,xxx,xxx,xxx,x,xxx)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 1 matches total
Status:   Directory listing successful

REMOTELY

Status:   Resolving address of unknown.com
Status:   Connecting to xxx.xxx.xxx.xxx:0000...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 5 allowed.
Response:   220-Local time is now 00:37. Server port: 0000.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER ME
Status:   TLS/SSL connection established.
Response:   331 User ME OK. Password required
Command:   PASS *************
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PORT xx,xxx,xxx,xxx,x,xxx
Response:   200 PORT command successful
Command:   MLSD
Response:   150 Connecting to port xxxx
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 4 matches total
Status:   Directory listing successful

Can you get a remote SSL/TLS connection on firmware 1.09? I can't. I am using FileZilla. I can only get an encrypted connection on the local network.
Title: Re: DNS-323 Firmware 1.08 Unable to connect via ssl/tls
Post by: nullpointerninja on July 27, 2010, 10:12:45 AM
I have a question about FileZilla. I checked with Wireshark and the packets are indeed encrypted (on a local network, haven't tried a remote connection), but FileZilla says 534 Fallback to [C] anyway ??? Why is that? Maybe the connection is encrypted and FileZilla thinks it's not ??? (don't know how that would be possible...)