Ask a Question

Connection to mainframe FTP server gets dropped from windows App using plain text FTP using Rebex FTPS TLS 1.2 tunnel

0 votes
by (120 points)

I have a windows app that uses plain text ftp on windows to transfer files to mainframe. I an using Rebex tls proxy to do this via creating a tunnel between windows App and mainframe. But while making a connection to mainframe it fails with error "An existing connection was forcibly closed by the remote host"

Attached are config files and logs.

Can you please help me resolve the error:

tunnels:
- name: proxytunnel
in:
address: localhost
port: 21
out:
address: usildamd.lvn.broadcom.net
port: 923
protocol: TLS
tlsVersions: SSL30,TLS10,TLS11,TLS12,TLS13
idleTimeout: 120

Logs:
Running: C:\Users\na895278\Downloads\RebexTlsProxy-v1.6.1\x64\tlsproxy.exe on HDVBVT3.
Loading config: C:\Users\na895278\Downloads\RebexTlsProxy-v1.6.1\x64\config\config.yaml.
13:56:22 INF Starting proxy (v1.6.1.0).
13:56:22 INF Tunnel[#0 'proxytunnel']: Listening at 127.0.0.1:21 (forwarding to usildamd.lvn.broadcom.net:923) ...
13:56:22 INF Tunnel[#0 'proxytunnel']: Listening at [::1]:21 (forwarding to usildamd.lvn.broadcom.net:923) ...
13:56:22 INF Proxy started.
Press Ctrl+C to exit ...
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][-]: Connection from [::1]:22164 accepted on [::1]:21.
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][-]: Starting tunnel ([::1]:22164) --'plain'--> (21) --'SSL30,TLS10,TLS11,TLS12,TLS13'--> (usildamd.lvn.broadcom.net:923).
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][O]: Assembly: Rebex.Tls R6.8 for .NET 6.0
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][O]: Platform: Windows 10.0.19045 64-bit; CLR: .NET 6.0.11
13:56:27 DBG Tunnel(1)[#0 'proxytunnel'][O]: Culture: en; windows-1252
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][O]: Resolving 'usildamd.lvn.broadcom.net'.
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][O]: Connecting to 10.175.84.9:923 using TlsClientSocket.
13:56:27 DBG Tunnel(1)[#0 'proxytunnel'][O]: Connection established (socket #5818D1).
13:56:27 INF Tunnel(1)[#0 'proxytunnel'][O]: Starting TLS negotiation.
13:56:27 DBG Tunnel(1)[#0 'proxytunnel'][O]: Using TLS 1.3 core.
13:56:27 DBG Tunnel(1)[#0 'proxytunnel'][O]: Generating key shares.
13:56:27 DBG Tunnel(1)[#0 'proxytunnel'][O]: Key shares generated (secp256r1, secp384r1, secp521r1, x25519).
13:56:28 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sending TLS packet (Handshake):

13:56:28 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sending ClientHello<
legacyversion=TLS1.2
random=byte[32]
legacysessionid=byte[32]
ciphersuites=<0xC023, 0xC024, 0xC02B, 0xC02C, 0xC02F, 0xC030, 0xC027, 0xC028, 0xC009, 0xC00A, 0xC013, 0xC014, 0x009F, 0x009E, 0x006B, 0x0067, 0x009D, 0x009C, 0x003D, 0x003C, 0x0033, 0x0039, 0x002F, 0x0035, 0xC008, 0xC012, 0x0016, 0x000A, 0x00FF, TLSAES128GCMSHA256, TLSAES256GCMSHA384>
legacycompressionmethods=
extensions=<
ECPointFormats<data=byte[4]>
0x0017<data=byte[2]>
PskKeyExchangeModes<
kemodes=<gan, gao>
>
SupportedVersions<
versions=<TLS1.3, TLS1.2, TLS1.1, TLS1.0>
selectedversion={NULL}
>
SupportedGroups<
namedgroups=<>
>
SignatureAlgorithms<
signaturealgorithms=<>
>
KeyShare<
clientshare<
group=
keyexchange=byte[65]
>
clientshare<
group=
keyexchange=byte[97]
>
clientshare<
group=
keyexchange=byte[133]
>
clientshare<
group=
keyexchange=byte[32]
>
>
ServerName<
hostnames=<>
>
PostHandshakeAuth<data=byte[2]>
>

.
13:56:28 DBG Tunnel(1)[#0 'proxytunnel'][O]: Using modern transport layer.
13:56:28 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:ClientHello was sent.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Received TLS packet (Handshake):
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:ServerHello was received.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Received ServerHello<
legacyversion=TLS1.2
random=byte[32]
legacysessionidecho=byte[32]
ciphersuite=0x006B
legacycompressionmethod=null
extensions=<
0x0017<data=byte[2]>
RenegotiationInfo<data=byte[3]>

.
13:56:29 INF Tunnel(1)[#0 'proxytunnel'][O]: Preferred TLS version: TLS 1.3, server is asking for TLS 1.2.
13:56:29 INF Tunnel(1)[#0 'proxytunnel'][O]: Warning: SSL 3.0 has been deprecated. According to RFC 7568, it must no longer be used.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Enabled cipher suites: 0x000F3DF7EBE00640.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Applicable cipher suites: 0x000F3DF7EBE00640.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet:

13:56:29 INF Tunnel(1)[#0 'proxytunnel'][O]: Negotiating TLS 1.2, RSA with ephemeral Diffie-Hellman, hjm with 256-bit key in CBC mode, ddf.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: The server supports secure renegotiation.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Extended master secret is enabled.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:Certificate was received.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:ServerKeyExchange was received.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:CertificateRequest was received.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:ServerHelloDone was received.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Verifying server certificate ('CN=*.lvn.broadcom.net, O=Broadcom Inc, L=San Jose, S=California, C=US').
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Certificate verification result: Accept
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Verifying server key exchange signature.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Received ephemeral Diffie-Hellman prime.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Ephemeral Diffie-Hellman prime size is 1024 bits (minimum allowed size is 1024 bits).
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: Client certificate authentication was requested.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: No suitable client certificate is available.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet:

13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:Certificate was sent.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet:
3:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:ClientKeyExchange was sent.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet:

13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: CipherSpec:ChangeCipherSpec was sent.
13:56:29 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:Finished was sent.
13:56:29 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet:

13:56:30 VRB Tunnel(1)[#0 'proxytunnel'][O]: Received TLS packet:

13:56:30 DBG Tunnel(1)[#0 'proxytunnel'][O]: CipherSpec:ChangeCipherSpec was received.
13:56:30 VRB Tunnel(1)[#0 'proxytunnel'][O]: Received TLS packet:

13:56:30 DBG Tunnel(1)[#0 'proxytunnel'][O]: HandshakeMessage:Finished was received.
13:56:30 INF Tunnel(1)[#0 'proxytunnel'][O]: Connection secured using cipher: TLS 1.2, RSA with ephemeral Diffie-Hellman, hjm with 256-bit key in CBC mode, ddf.
13:56:30 VRB Tunnel(1)[#0 'proxytunnel'][O]: Session ID:
0000 |03-00-00-41-00-00-00-00 00-00-00-00-00-00-FF-FF| ...A............
0010 |0A-E6-2D-14-56-95-00-00 64-8A-FC-6C-00-00-06-91| ..-.V...d..l....
13:56:30 INF Tunnel(1)[#0 'proxytunnel'][-]: Established tunnel ([::1]:22164) --'plain'--> (21) --'TLS12'--> (usildamd.lvn.broadcom.net:923).
13:56:30 DBG Tunnel(1)[#0 'proxytunnel'][I]: Using modern transport layer.
13:56:30 VRB Tunnel(1)[#0 'proxytunnel'][O]: Received TLS packet:
0000 |17-03-03-00-03-FF-FD-28 | .......(
13:56:30 DBG Tunnel(1)[#0 'proxytunnel'][-]: Forwarding 3 bytes (IN <== OUT).
13:56:30 VRB Tunnel(1)[#0 'proxytunnel'][-]: IN <== OUT
0000 |FF-FD-28 | ..(
13:57:02 WRN Tunnel(1)[#0 'proxytunnel'][-]: (::1) Error while receiving data (IN ==> OUT): System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host.
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][-]: Error while receiving data (IN ==> OUT): System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
at fet.poh.MoveNext()
--- End of stack trace from previous location ---
at fff.dzb.MoveNext()
--- End of stack trace from previous location ---
at Rebex.TlsProxy.Core.Tunnel.d__39.MoveNext()
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][-]: Forwarding from inbound tunnel finished (IN ==> OUT).
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][-]: Closing tunnel from [::1]:22164.
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][O]: Alert:CloseNotify was sent.
13:57:02 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet: .
0000 |15-03-03-00-02-01-00 | .......
13:57:02 VRB Tunnel(1)[#0 'proxytunnel'][O]: Received TLS packet: .
0000 |15-03-03-00-02-01-00 | .......
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][O]: Alert:CloseNotify was received.
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][O]: Alert:CloseNotify was sent.
13:57:02 VRB Tunnel(1)[#0 'proxytunnel'][O]: Sent TLS packet: .
0000 |15-03-03-00-02-01-00 | .......
13:57:02 DBG Tunnel(1)[#0 'proxytunnel'][-]: Forwarding from outbound tunnel finished (IN <== OUT).
13:57:02 INF Tunnel(1)[#0 'proxytunnel'][-]: Tunnel from [::1]:22164 closed.
13:58:49 INF Stopping proxy.
13:58:49 INF Proxy stopped.

Can someone help me with the error?

Applies to: Rebex FTP/SSL

1 Answer

0 votes
by (73.5k points)

It seems you are not connecting to an FTP server, but a Telnet server.

Please note that standard default port for FTP/SSL is 990 not 923.
While port 23 is standard default port for Telnet, 923 is commonly used for Telnet/SSL.

Looking at the log I can see that after negotiating TLS the server sent 0xFF 0xFD 0x28, which is Telnet Option negotiation of TN3270E.
Then the connection was closed after 30 seconds of inactivity.

The FTP server should send something like: 200 FTP service ready.

To solve your current issue, please ensure you are connecting to an FTP server.

However, I think you will not be able to make the solution fully working. It is due to behavior of the FTP protocol, which requires new TCP/IP connection to be established for data transfer (and directory listing).

The more convenient solution is to use an FTP aware proxy (not a general TLS proxy).

by (120 points)
Hi Lukas,

Can you please point me to a document that has any idea about how to create an FTP aware proxy?
by (148k points)
Check out the following RFC draft: https://datatracker.ietf.org/doc/html/draft-fordh-ftp-ssl-firewall-01
It's quite old and never made it to a proper RFC, and it discusses firewalls rather than proxies, but the underlying principles apply to proxies as well.

However, please be warned that for an FTP-aware proxy to work with FTP over TLS, you would either have to:
a) Use CCC command to revert to unecrypted control channel.
- or -
b) Make the proxy actually decrypt-and-reencypt all the communication between the client and the server and replace the server's certificate with its own.

I don't know which problem you are trying to solve, but in general both of these solutions are discouraged.

A much better option would be to simply use an SOCKS5 proxy and SOCKS5-capable clients. (You would still have to allow outgoing connections through the proxy to any random ports for FTP to actually work, unless all the FTP servers you intent to use are under your control and you can limit the port range.)
by (73.5k points)
There is many FTP aware proxies. It is not needed to write your own. It only depends, which one your FTP client can use. Then setup your selected proxy according to its specification and configure your FTP client appropriately for that proxy.

For example, see list of possible proxies the Rebex FTP client can use: https://www.rebex.net/ftp-ssl.net/features/proxy.aspx
by (120 points)
Hi Lukas,
thanks for all your inputs, what I am trying here is I have an windows application right now that uses windows function InternetconnectA() plain text FTP (port 21) to connect to a mainframe server. Now, we have a customer where they are moving from plain text ftp to FTPS (FTP over SSL), they want a solution for this and since they are time bound we are thinking of creating a proxy tunnel to change FTP to FTPS using Rebex tls proxy.
Can you pease help me with any application/software that can help me create a FTP aware proxy?
The link that you provided helps but I am looking for some already existing app that can do this.
by (148k points)
So what you actually need is a proxy that would make it possible for plain FTP clients (with no TLS support) to connect to FTPS (FTP over SSL/TLS) servers? (The communication between the FTP client and the proxy would then be unencrypted, while communication between the proxy and FTP server would be protected by TLS/SSL).

If the FTPS server is under customer's control, and the following conditions are met:

- The FTP server supports FTP/SSL in implicit mode (on port 990)
- FTP clients can be configured to use passive mode
- The customer can limit the port range used by the server for FTP data to (for example) 50000-50099

Then you might actually be able to use Rebex TLS Proxy for that. But in addition to configuring port 21(unsecure)--->port 990(SSL), you would have to do the same for all those 100 ports (separately). That should work, although we have never actually tried that.

Of course, an FTP-aware proxy that does the mapping automatically would be a better solution, because that would make it possible to use FTP clients in active mode, and remove the need to limit the port range. But unfortunately, I'm not aware of any third-party proxy that can do that, and I was not able to find any.
If you are interested, we could add this feature to Rebex TLS Proxy for a one-time fixed fee. Please see https://www.rebex.net/support/services/ for details.
...