Hey,
I need to test FTPS on a server but the test keeps complaining that it isn't getting the expected response. The vsftpd server is NOT running implicit ftps so there is nothing listening on port 990. I've tested using curl so I know STARTTLS is working over port 21. I've tried adding the following to my host entry:
ftps:21:s
but it still comes up yellow (log is less than helpful "Service ftps on ftphost1 is not OK : Unexpected service response?"). Has anyone else been able to test ftps with tls over port 21 using xymon? What am I missing?
thanks
=G=
"ftps" with STARTTLS isn't natively supported by xymonnet, so it's not going to be seen as intended. Only the SSL-wrapped version of any of the simple TCP services are.
Regards, -jc
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
oh...well I guess that would explain it :-). It seems like it would be a useful function since starttls is a common implementation for various services (like ldaps...I would hope it handles that).
thanks
=G=
From: Japheth Cleaver <cleaver at terabithia.org> Sent: Thursday, December 17, 2015 4:32 PM To: Galen Johnson; xymon at xymon.com Subject: Re: [Xymon] ftps tests
On Fri, Dec 18, 2015 at 9:06 AM Galen Johnson <Galen.Johnson at sas.com> wrote:
oh...well I guess that would explain it :-). It seems like it would be a useful function since starttls is a common implementation for various services (like ldaps...I would hope it handles that).
I agree that this would be useful. However it's probably not trivial to implement. Each protocol (FTP, LDAP, SMTP, etc) has its own dialogue to go through before the STARTTLS command can be issued, as well as negotiations to determine whether STARTTLS is supported, and how to handle in the negative. These protocols don't even use the same command (POP uses "STLS", for example).
Actually, it may not be as bad as all that. openssl already supports this. Not 100% sure but I thought Xymon leveraged that for the ssl connections. I'm looking at https://www.madboa.com/geek/openssl/. The syntax is not exactly correct there but I'm currently trying to amend it. Looking at https://www.openssl.org/docs/manmaster/apps/s_client.html, the openssl s_client supports starttls for ftp (Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", and "irc.")
=G=
From: Jeremy Laidman <jlaidman at rebel-it.com.au> Sent: Thursday, December 17, 2015 10:16 PM To: Galen Johnson; Japheth Cleaver; xymon at xymon.com Subject: Re: [Xymon] ftps tests
Well, I was able to get it to connect using
openssl s_client -starttls ftp -crlf -connect remote.host:21
This dumps the cert as expected...
It should work the same as ftp/ftpd only using implicit ftps. That said, I would have thought ftps would have worked but I expect under the covers xymonnet is just doing something different. I doubt adding the following stanza would help:
[ftpstls]
   send "quit\r\n"
   expect "220"
   options ssl,banner
   port 21
Any thoughts on how we might be able to integrate this?
=G=
From: Xymon <xymon-bounces at xymon.com> on behalf of Galen Johnson <Galen.Johnson at sas.com> Sent: Friday, December 18, 2015 1:03 PM To: Jeremy Laidman; Japheth Cleaver; xymon at xymon.com Subject: Re: [Xymon] ftps tests
Actually, this would make more sense:
[ftps-implicit]
   send "quit\r\n"
   expect "220"
   options ssl,banner
   port 21

[ftps|ftps-explicit]
   send "quit\r\n"
   expect "220"
   options ssl,banner
   port 990
=G=
From: Xymon <xymon-bounces at xymon.com> on behalf of Galen Johnson <Galen.Johnson at sas.com> Sent: Friday, December 18, 2015 1:19 PM To: Jeremy Laidman; Japheth Cleaver; xymon at xymon.com Subject: Re: [Xymon] ftps tests
On 12/18/2015 9:19 AM, Galen Johnson wrote:
- snip -
Any thoughts on how we might be able to integrate this?
Well, I was able to get it to connect using
openssl s_client -starttls ftp -crlf -connect remote.host:21
We pull the cert from our ftps servers with an EXT script we created back in Big Brother days (before cert expiration checking was native in bb/xymonnet). Our script uses openssl s_client and option-in "-starttls ftp" when we ask for certs from a predefined list of ports.
-- Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Enterprise Technology Services Department of Administration State of Alaska
It would be easy to write a script to capture this but it would be better if Xymon were able to do this since it already manages these basic services through explicit ssl. I poked a bit in the code but I don't see where it's really trying to manage this. While I am not strong in the ways of C, I'd be willing to see if it's within my limited capabilities to extend what is already there. It's essentially the same test just with different options since xymonnet is already using the openssl libs (I'm sure I'm oversimplifying).
=G=
From: Xymon <xymon-bounces at xymon.com> on behalf of John Thurston <john.thurston at alaska.gov> Sent: Friday, December 18, 2015 1:27 PM To: xymon at xymon.com Subject: Re: [Xymon] ftps tests
Hi,
On 18-12-2015 at 19:03, Galen Johnson wrote:
Actually, it may not be as bad as all that. openssl already supports this. Not 100% sure but I thought Xymon leveraged that for the ssl connections. I'm looking at https://www.madboa.com/geek/openssl/. The syntax is not exactly correct there but I'm currently trying to amend it. Looking at https://www.openssl.org/docs/manmaster/apps/s_client.html, the openssl s_client supports starttls for ftp (Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", and "irc.")
The various starttls methods in openssl are implemented in the s_client application, not as part of the openssl library. So it isn't something that can be pulled into Xymon easily.
The xymonnet program really does not allow for the multiple exchanges of commands/responses that are required for supporting starttls mechanisms (in ftp, it is actually an "AUTH TLS" command that xymonnet must send after seeing the server banner). Xymonnet really only supports sending one command and then listening for a simple response.
You can do it with the new net-code which is in the Xymon source-tree right now. The protocols2.cfg stanza would look like this:
[ftps]
   port 21
   expect:220
   send:AUTH TLS\r\n
   expect:234
   starttls
   send:PBSZ 0\r\n
   expect:200
   send:PROT P\r\n
   expect:200
   close
Regards, Henrik
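The exchange Henrik's protocols2.cfg stanza describes (and the per-protocol dialogue Jeremy pointed out earlier in the thread) written out as a stand-alone check. This is an added Python example, not code from Xymon or from any post in this thread; `probe()` assumes a host name you supply and uses Python's standard ssl module in place of xymonnet, and `run_dialogue()` takes injected I/O callbacks so the reply-code logic can be exercised offline against a scripted server.

```python
import socket
import ssl
# The exchange from the protocols2.cfg stanza above, one step per tuple:
# (command to send, or None for the banner; expected 3-digit reply code).
# "STARTTLS" is a marker: upgrade the socket instead of sending a line.
STEPS = [(None, "220"), ("AUTH TLS", "234"), ("STARTTLS", None),
         ("PBSZ 0", "200"), ("PROT P", "200"), ("QUIT", "221")]

def parse_code(line):
    """3-digit FTP reply code at the start of a line, or None."""
    return line[:3] if line[:3].isdigit() else None

def read_reply(readline):
    """Read one reply, absorbing a multi-line "220-..." reply up to its "220 " line."""
    line = readline()
    code = parse_code(line)
    if code and line[3:4] == "-":
        while line and not line.startswith(code + " "):
            line = readline()
    return code, line

def run_dialogue(readline, sendline, starttls):
    """Drive STEPS over injected I/O callbacks (testable offline); return (ok, detail)."""
    for cmd, want in STEPS:
        if cmd == "STARTTLS":
            starttls()  # TLS handshake happens here, right after the 234 reply
            continue
        if cmd is not None:
            sendline(cmd + "\r\n")
        code, line = read_reply(readline)
        if code != want:
            return False, "after %s expected %s, got %r" % (cmd or "connect", want, line)
    return True, "explicit FTPS (AUTH TLS) dialogue completed"

def probe(host, port=21, timeout=10):
    """Live probe (host is an assumption): plain TCP, TLS wrapped mid-dialogue;
    returns (ok, detail, peer certificate dict or None)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    st = {"sock": socket.create_connection((host, port), timeout)}
    def readline():  # unbuffered read, so no bytes of the TLS handshake get swallowed
        return st["sock"].makefile("rb", buffering=0).readline().decode("ascii", "replace")
    def sendline(s):
        st["sock"].sendall(s.encode("ascii"))
    def starttls():
        st["sock"] = ctx.wrap_socket(st["sock"], server_hostname=host)
    try:
        ok, detail = run_dialogue(readline, sendline, starttls)
        return ok, detail, (st["sock"].getpeercert() if ok else None)
    finally:
        st["sock"].close()
```

The returned certificate dict carries `notAfter`, so the same probe can feed an expiry check the way the EXT script John describes does.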
Participants (5): cleaver@terabithia.org, Galen.Johnson@sas.com, henrik@hswn.dk, jlaidman@rebel-it.com.au, john.thurston@alaska.gov