FTPS on IIS7 "Could not retrieve directory listing" error


I followed the tutorial from this page: Using FTP Over SSL

I'm using FTP 7.5 on IIS7 on a Windows Server 2008 machine. For testing purposes, I set it to "Allow SSL Connections", not "required", and I can make the connection over SSL using WinSCP, but once connected I get the "Could not retrieve directory listing" error. If I log in using plain FTP (no SSL), it works fine. I also noticed that if I change the port bindings to a non-standard port (pretty much anything except 21) I get the same results, even with plain FTP. Is there something I'm missing?

I've allowed the FTP service (ftpsvc) and the appropriate ports in the windows firewall, but the only thing that fully works is plain FTP using port 21.


FTP can be tricky -- is the client coming in with active or passive?

In active mode the server makes the data connection back from source port 20 to the port the client gives; in passive mode the server sends some port >1024 for the client to connect to. FTP through NAT can be a problem. With FTPS all traffic can be set to go through the SSL port, both control and data, which can remove some of the issues.

This is a great writeup on understanding how normal active and passive ftp works.

http://slacksite.com/other/ftp.html

Directory listings, etc. use the data port; your telling the server to give you a listing is sent through the control port, which is 21 in standard FTP.

What router are you using? Many of them have helper applications that do some stuff in the background for FTP to work through NAT. With you connecting over some SSL port the helper might not see this; you should be able to require the SSL stuff to use the same connection for both data and control.


The client (winscp) is using active, but I also tried passive with the same results, "Could not retrieve directory listing".

Also the router is an Asus RT-N16 running the latest version of Tomato firmware.

How can I set it up so that the control and data traffic all goes through the SSL port?

And why is it that plain FTP using the standard port 21 works perfectly, but anything else (non-standard port + plain FTP, or FTPS + any port) does not work? I've never set up an FTP server in IIS before, but I have set up a few servers using Serv-U and never had this problem. I know that in the IIS console you can set a Data Channel port range, but specifying the port range (in IIS > FTP Firewall Support) and opening that range in the firewall and router doesn't seem to work. FYI, the default data port range in IIS FTP is 49152-65535.


OK, first things first: is this client you're testing with actually on the public side of your router? Your client's not on the private LAN with the IIS server, and you're just hitting the public IP of your router?

You state that with active standard FTP, your client, which I'm going to assume is outside your router -- well, in active mode your server is making the connection out your router back to the client, no port forwards required.

If you're doing a NAT reflection thing where your client is on the same network as the server and you're hitting the public IP of your router, then all kinds of weird **** could be happening.

Let me fire up IIS on my server so I can run through that tutorial of yours, etc.


Yes, with active standard FTP, the client (on the public side of the router) is able to connect and fully interact with the ftp server. The firewall on the server has the ftpsvc allowed and port 21 forwarded on the router.


What I would do as a quick test is turn off the firewall on the server. You're behind a NAT; unless you have hostiles on your local LAN the software firewall is not much more than a PITA ;)


Tried turning Windows Firewall off -- same error from the client. It connects, but then I get the 'could not retrieve directory listing' error.

And thanks sc302, I'm looking through that link now to see if there's some info to help fix my problem.


It's quite possible your NAT router does not have a helper, or it's broken?

You state active FTP works; does passive? If your router does not have a helper or it's broken, then you would need to forward the ports your FTP server would use for passive connections. And you would have to make sure the FTP server hands out the public IP vs. its local IP.

Again, the way the FTP protocol works can be a bit of a pain to have it work through NAT, etc. And then you have to take into account possible NAT on the client side as well.

Did you read the article I linked to that explains how FTP passive and active work? This will give you info to troubleshoot your problem.

Without actually looking at it, or even seeing the logs -- can you post up the log from your client? So for example, when connecting to an FTP server in active mode you see this.

So this is an active connection to FTP on my local network.

Using FTP protocol.
Doing startup conversation with host.
PWD
257 "/" is your current location
Getting current directory name.
Retrieving directory listing...
TYPE A
200 TYPE is now ASCII
PORT 192,168,1,100,32,170
200 PORT command successful
LIST -a
150 Connecting to port 8362
226-Options: -a -l
226 20 matches total
Directory listing successful

See the PORT command there: the client told the server to connect to my client IP at 192.168.1.100 on port 32*256+170, or 8362.

Now in a passive connection.

Getting current directory name.
Retrieving directory listing...
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (192,168,1,99,13,242)
LIST -a
150 Accepted data connection
226-Options: -a -l
226 20 matches total
Directory listing successful

The FTP server tells the client to connect to it at 192.168.1.99 on port 13*256+242, or 3570.

In this case, if the client was behind a NAT, being told to connect to a private IP would be pointless; and does the NAT router on the server side forward port 3570 to the server?

Please post up the logs of your connection from the client -- on the PASV connect you need to look to see what the client is seeing. Is it the public IP? What port? Is that port forwarded on your router?

These commands are sent through the control channel -- so if your control channel is encrypted (an option when using FTPS) then the helper might not be able to change the private IP to the public one, nor will it be able to read the port it needs to open.

Now keep in mind you can have NAT on both sides, which could cause problems even with an active connection -- the server is creating the connection from source port 20 to the client. If that client is behind a NAT, the router needs to forward that traffic; normally it does this through a helper service for FTP, etc.

But without seeing the logs of your connections it's hard to know where your problem is.


Seems I missed my edit window ;)

Edit: Another thing I would do is verify all the modes you want to use are working from a local machine connecting to the local IP of the server. If it all works that way then it points to a problem on your router: the forwards (or lack of), or its FTP helper, etc.

I just got IIS and the FTP installed and am taking a look at it now so I can point you to exactly what could be the issue. But again, a test from a local machine and logs from a client outside your router would be most helpful in tracking down the root of your issue.

Edit: OK, a couple of things in that guide are already F'd up..

They clearly state this -

Make sure that the Allow SSL option is selected.

But then in the recap they state.

You chose to require Secure Sockets Layer (SSL) for the FTP site, and selected your SSL certificate.

And setting the server to only listen on the loopback -- because you will use the administrator account later?? That's just nonsense -- if you're going to want to use the FTP from any box other than the server, then you're going to have to listen on that box's IP address.

Well, I set it to required and picked my SSL cert -- but I take it from the fact that you are using it without that, that you did not select required?

Edit: OK, following that guide I can not even get a local SSL connection working. So like I said before, test that locally before you try from outside your router. Looking into why the SSL is not working.


OK, here are the logs...

FTP (active) -- this works

. 2011-01-21 20:51:33.038 Using FTP protocol.
. 2011-01-21 20:51:33.041 Doing startup conversation with host.
> 2011-01-21 20:51:33.044 PWD
< 2011-01-21 20:51:33.130 257 "/" is current directory.
. 2011-01-21 20:51:33.133 Getting current directory name.
. 2011-01-21 20:51:33.137 Retrieving directory listing...
> 2011-01-21 20:51:33.137 TYPE A
< 2011-01-21 20:51:33.212 200 Type set to A.
> 2011-01-21 20:51:33.213 PORT 192,168,1,77,253,128
< 2011-01-21 20:51:33.303 200 PORT command successful.
> 2011-01-21 20:51:33.303 LIST -a
< 2011-01-21 20:51:33.386 125 Data connection already open; Transfer starting.
< 2011-01-21 20:51:33.405 226 Transfer complete.
. 2011-01-21 20:51:33.718 Directory listing successful
. 2011-01-21 20:51:33.718 Startup conversation with host finished.
. 2011-01-21 20:51:33.793 Disconnected from server

FTP (passive) -- this works. XXX,XXX,XXX,XXX is the public IP of the server

. 2011-01-22 14:04:45.661 Using FTP protocol.
. 2011-01-22 14:04:45.664 Doing startup conversation with host.
> 2011-01-22 14:04:45.666 PWD
< 2011-01-22 14:04:45.703 257 "/" is current directory.
. 2011-01-22 14:04:45.706 Getting current directory name.
. 2011-01-22 14:04:45.710 Retrieving directory listing...
> 2011-01-22 14:04:45.710 TYPE A
< 2011-01-22 14:04:45.738 200 Type set to A.
> 2011-01-22 14:04:45.738 PASV
< 2011-01-22 14:04:45.771 227 Entering Passive Mode (XXX,XXX,XXX,XXX,207,225).
> 2011-01-22 14:04:45.771 LIST -a
< 2011-01-22 14:04:45.802 150 Opening ASCII mode data connection.
< 2011-01-22 14:04:46.252 226 Transfer complete.
. 2011-01-22 14:04:46.256 Directory listing successful
. 2011-01-22 14:04:46.256 Startup conversation with host finished.

FTPS (active) -- connects but craps out when using the data channel

. 2011-01-21 20:52:07.491 Using FTP protocol.
. 2011-01-21 20:52:07.494 Doing startup conversation with host.
> 2011-01-21 20:52:07.497 PWD
< 2011-01-21 20:52:07.578 257 "/" is current directory.
. 2011-01-21 20:52:07.581 Getting current directory name.
. 2011-01-21 20:52:07.585 Retrieving directory listing...
> 2011-01-21 20:52:07.585 TYPE A
< 2011-01-21 20:52:07.662 200 Type set to A.
> 2011-01-21 20:52:07.663 PORT 192,168,1,77,253,142
< 2011-01-21 20:52:07.747 501 Server cannot accept argument.
. 2011-01-21 20:52:07.747 Could not retrieve directory listing
. 2011-01-21 20:52:07.751 Retrieving directory listing...
> 2011-01-21 20:52:07.752 TYPE A
< 2011-01-21 20:52:07.827 200 Type set to A.
> 2011-01-21 20:52:07.827 PORT 192,168,1,77,253,143
< 2011-01-21 20:52:07.913 501 Server cannot accept argument.
. 2011-01-21 20:52:07.913 Could not retrieve directory listing
* 2011-01-21 20:52:07.913 (ECommand) Error listing directory '/'.
* 2011-01-21 20:52:07.913 Could not retrieve directory listing
* 2011-01-21 20:52:07.913 Server cannot accept argument.
. 2011-01-21 20:52:10.261 Startup conversation with host finished.

FTPS (passive) -- connects but craps out when using the data channel. 192,168,1,9 is the internal server IP

. 2011-01-21 20:50:04.525 Using FTP protocol.
. 2011-01-21 20:50:04.528 Doing startup conversation with host.
> 2011-01-21 20:50:04.531 PWD
< 2011-01-21 20:50:04.617 257 "/" is current directory.
. 2011-01-21 20:50:04.620 Getting current directory name.
. 2011-01-21 20:50:04.624 Retrieving directory listing...
> 2011-01-21 20:50:04.624 TYPE A
< 2011-01-21 20:50:04.703 200 Type set to A.
> 2011-01-21 20:50:04.809 PASV
< 2011-01-21 20:50:04.809 227 Entering Passive Mode (192,168,1,9,233,58).
> 2011-01-21 20:50:04.809 LIST -a
< 2011-01-21 20:50:04.870 150 Opening ASCII mode data connection.
. 2011-01-21 20:50:19.103 Timeout detected.
. 2011-01-21 20:50:19.171 Could not retrieve directory listing
* 2011-01-21 20:50:19.188 (ESshFatal) Lost connection.
* 2011-01-21 20:50:19.188 Timeout detected.
* 2011-01-21 20:50:19.188 Could not retrieve directory listing
* 2011-01-21 20:50:19.188 Opening ASCII mode data connection.
* 2011-01-21 20:50:19.188 Error listing directory '/'.

So as you can see, all the ports are within the server's default data channel port range of 49152-65535. For testing purposes, I forwarded that entire range from the server's router to the server.

EDIT:

And yes, I did notice a lot of inconsistencies with the tutorial. I currently have the server set to "allow SSL connections", not "require", for testing purposes. Once I have FTPS set up correctly and working, I will set it to "require". The cert I used is a self-signed certificate I created on the server. As I said in an earlier post, I can make the SSL connection (the client sees the certificate and can accept it), but the data channel is non-responsive.

I will test locally now and report back


OK, for starters there is NO freaking possible way this would work from outside your router without a helper at work.

You say this works.. FTP active

PORT 192,168,1,77,253,128

But you just told your server to connect to a private IP, 192.168.1.77 -- so your FTP helper must be changing the IP that the server sees in that command to your client's public IP.

Same goes for the passive connection -- you say your client is seeing a public IP. Well, how would your server send that public IP?? It's behind a NAT; did you specify the public IP address it should send in the passive setup? If not, then: helper at work!

Now with your control channel being encrypted, it's impossible for the helper to change this stuff, cuz it does not see it.

So see here in the FTPS passive

< 2011-01-21 20:50:04.809 227 Entering Passive Mode (192,168,1,9,233,58).

So now your client sees a PRIVATE IP, 192.168.1.9, to connect to, not the public like in the normal FTP passive connection -- so no **** your client would not be able to connect.

And in the FTPS ACTIVE connection you're still seeing the

PORT 192,168,1,77,253,142

But this time the helper on your router can not fix it up, since it's encrypted -- so your server tries to connect to 192.168.1.77 on port 64910 -- that sure as hell would not work ;)

Edit: quick question, what version of WinSCP are you using?? I'm having trouble with it connecting using either FTPS implicit or explicit modes, but the FileZilla client connects fine with FTPES -- not liking FTPS at all either. Did you set up your client to trust your server's CA on that self-signed cert or something?

Edit: seems there are some issues with the 4.3.1 beta that I'm using and FTPS and FTPES

http://winscp.net/forum/viewtopic.php?t=9099

Topic "SSL_connect: error in SSLv3 read server hello B"

You must be using an older version, 4.2.9? Cuz I can not get either to work with WinSCP even just locally. Think I will fire up old faithful FileZilla Server and see if WinSCP is truly broken or it's an IIS thing?

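The PORT/PASV arithmetic walked through a few posts up and the private-address diagnosis in the post above, as an added example (not code from the thread, from WinSCP or from IIS). It pulls the h1,h2,h3,h4,p1,p2 tuple out of a client log line, computes the port as p1*256+p2, and flags an announced data-channel endpoint the other side cannot reach: an RFC 1918 address handed to a peer that only reaches this side through a public address, which is what is left once the control channel is inside TLS and the router's helper can no longer rewrite it. The sample log lines and the public addresses 203.0.113.10 and 198.51.100.7 are constructed for the example.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by both "PORT ..." and "227 Entering Passive Mode (...)"
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# WinSCP log line: optional direction marker, optional timestamp, then the FTP text
_LOGLINE = re.compile(r"^\s*(?:[<>.*]\s+)?(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+)?(.*)$")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Return (ip, port) from a PORT command or a 227 reply, or None when the
    line carries no h1,h2,h3,h4,p1,p2 tuple. port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % m.group(0))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True for a private LAN address that no remote peer can route to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def audit_log(log_lines, server_public_ip, client_public_ip):
    """Judge every data-channel endpoint announced in a client-side log.

    PORT names the client's address (the server must connect to it); a 227
    reply names the server's address (the client must connect to it). The
    endpoint is unreachable when it is RFC 1918 but the announcing side is
    only reachable from its peer through a public address: nothing
    translated it, which is the failure the thread shows once the control
    channel is encrypted and the router's FTP helper goes blind.
    Returns a list of (mode, ip, port, reachable) tuples."""
    findings = []
    for raw in log_lines:
        line = _LOGLINE.match(raw).group(1)
        upper = line.upper()
        if upper.startswith("PORT "):
            mode, announcer_public = "active", client_public_ip
        elif upper.startswith("227 "):
            mode, announcer_public = "passive", server_public_ip
        else:
            continue
        parsed = parse_hostport(line)
        if parsed is None:
            continue
        ip, port = parsed
        leaked = is_rfc1918(ip) and not is_rfc1918(announcer_public)
        findings.append((mode, ip, port, not leaked))
    return findings


# Constructed sample, modelled on the WinSCP logs posted in this thread.
SAMPLE_LOG = [
    "> 2011-01-21 20:52:07.663 PORT 192,168,1,77,253,142",                          # FTPS active: client's LAN address
    "< 2011-01-21 20:52:07.747 501 Server cannot accept argument.",
    "< 2011-01-21 20:50:04.809 227 Entering Passive Mode (192,168,1,9,233,58).",    # FTPS passive: server's LAN address
    "< 2011-01-22 14:04:45.771 227 Entering Passive Mode (203,0,113,10,207,225).",  # plain FTP passive: helper rewrote it
]

if __name__ == "__main__":
    # server reached at 203.0.113.10, client seen by the server as 198.51.100.7 (both constructed)
    for mode, ip, port, ok in audit_log(SAMPLE_LOG, "203.0.113.10", "198.51.100.7"):
        print("%-7s %s:%d  %s" % (mode, ip, port, "ok" if ok else "UNREACHABLE: private address leaked through NAT"))
```

The two FTPS lines come out unreachable and the plain-FTP passive line comes out fine, matching the logs: on the active attempt the server refuses the PORT argument with 501, on the passive attempt the client obediently tries a LAN address and times out. Feed it the same lines with both public arguments set to the LAN addresses and everything reports reachable, which is the "test it locally first" check recommended earlier in the thread.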

Yes :blush: I noticed this after posting them and seeing them all in the post above.

I'm trying to look into disabling the FTP helper on the router. Both the client's router and the server's router are running Tomato.


I'm using the latest stable version of winscp, 4.2.9

And I can successfully connect using FTP/FTPS locally using winscp.

Also, in winscp from the client computer, I get this warning:

[screenshot: certwarning.png]

If I click Yes or No, it will accept the certificate.


Yup, FileZilla and WinSCP 4.3.1 work just fine with all modes, be it FTPS or FTPES, SSL or TLS, etc.

And you have much more control in FileZilla Server btw ;) hehehe You can easily set it to send the public IP vs. the private IP for passive connections. It listens on the correct FTPS port out of the box, i.e. 990.

What ties you to IIS?? I would suggest using FileZilla Server -- FREE as well, and to be honest much more features than the FTP server that is part of IIS.

1.2.9 ??? You mean 4.2.9 ;)

BTW -- you understand your issue now, don't you?? Your control channel is encrypted when using FTPS -- so your router helper is not working. So if you want to use FTPS through your router you're going to have to get the server to send the right IP when in passive mode.

And in active mode on a client behind a NAT, you're going to have to make sure it sends its public IP, cuz if encrypted his helper is prob not going to work either.

Like I said, FTP can be fun through NAT ;) hehehehe

To be honest I would use SFTP -- it's 1 PORT ;) so you only have to worry about the 1 NAT inbound. All traffic goes over the 1 port, not like FTP with active or passive and the different data port. Now throw SSL into the mix and you have new ports: 990 and I believe 998 for FTPS data encryption..

Just set up SFTP ;) (FTP over SSH)


What ties you to IIS??

I have a domain controller set up and it would be useful to be able to use the AD user permissions

I've never used FileZilla, but I did a quick search and it seems as though FileZilla does support AD.


To be honest I would use SFTP -- it's 1 PORT ;) so you only have to worry about the 1 NAT inbound. All traffic goes over the 1 port, not like FTP with active or passive and the different data port. Now throw SSL into the mix and you have new ports: 990 and I believe 998 for FTPS data encryption..

Just set up SFTP ;) (FTP over SSH)

Can't. The clients that will be connecting will only have FTP or FTPS ability, not SFTP.


Sorry, I got a bit sidetracked ;)

I was playing with doing the data over SSL as well, and when doing a sniff of the traffic noticed some weird ****

WUDFHOST.exe was making connections to the internet - quite a bit of them actually. Now it was an IP owned by Google - but I was like WTF?? And it was TLS encrypted to boot. For a few seconds I was like, did I get myself infected with something??? But I checked the hash on the file, and it was clean -- so I was like, what the F is it doing???

So to see what it was doing I had to set up a MITM on my own network ;) so I could sniff the traffic -- turns out it was the location sensor stuff http://www.geosenseforwindows.com/

Check it out, every 5 seconds it seems like -- seems like a bit of traffic for location awareness if you ask me

[screenshot: post-14624-0-76418800-1295742946.jpg]

Got to create the cert to use as the go-between with the correct hostname, then got to set up your box to trust it. Then you have to set up the proxy (stunnel works nice), then have to have your name resolution point to where the SSL proxy is running, then you have to install the private side of the key into Wireshark, etc. etc.

So it got me a bit sidetracked - sorry ;) But you have all the details you need to fix it up -- you're just going to have to set up your forwards on your router correctly for it to work, since your helper is not going to do it for you. Quite often it's not possible to disable the helper. I don't even know if you can do it on DD-WRT??

So with a passive connection the server tells the client what IP and what port to connect to -- since this will be sent through the control channel that is encrypted and your helper won't fix up the ports and IPs, you have to manually forward them on your router -- so I believe this is where you set a specific range to use, and the IP it will send.

[screenshot: post-14624-0-40745000-1295744167.jpg]

When I get a chance I will test it. With active connections from the outside you might have problems -- if they are through a NAT as well and control is always encrypted, their helper won't be able to fix up the PORT command to point to their public IP, nor would yours. So your server would try and connect to their private IP -- like you saw in the test you did.

You might be able to just set up auth only on the SSL -- and then everything else is not encrypted.

I wish I could be of more help -- but I stopped using FTP quite some time ago; I only ever use SFTP -- like I said it's MUCH easier ;) Just 1 port to deal with - no freaking helpers. Does not matter if the client is behind NAT or not and if they have a helper; don't have to worry about active/passive type of connection, etc. etc.

I would just move to SFTP - and tell your clients to use WinSCP ;)

Other option with FTP servers is to put them in a DMZ so they are on an actual public IP ;)

Edit: Another option -- VPN. Have the client create a VPN connection, then they can FTP to your machine's private IP directly and again no worries about NAT dicking with the FTP protocols.


I would just move to SFTP - and tell you clients to use winscp ;)

Not a possibility as the "clients" are IP phones which support FTP or FTPS... FTPS being the more secure of the 2. ;)

I have been fooling around with Filezilla and I'm not sure if I set it up correctly, but plain FTP is painfully slow to make a connection. Where it took 1-2 seconds to connect to the IIS FTP server, it now takes 10 seconds minimum to connect to the Filezilla FTP server.

I'm trying to set up FTPS on Filezilla, but running into the same problem -- could not retrieve directory listing. I'm also now getting that error on plain FTP passive. Only plain FTP active works.

This is what I've done:

Settings > SSL/TLS

- Generated new certificate

- Selected "Allow explicit FTP over TLS"

- unchecked "Disallow plain unencrypted FTP" (for testing)

- Listen for implicit SSL/TLS connection on port 990 (default)

Settings > Passive mode settings:

- Use the following IP: [external IP address]

- Use custom port range: 2000-3000 (and I forwarded these ports on the server's router)

One weird thing I noticed: If I try to connect with passive plain FTP, here's the log:

Using FTP protocol.
Doing startup conversation with host.
PWD
257 "/" is current directory.
Getting current directory name.
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (XXX,XXX,XXX,XXX,7,210)
LIST -a
425 Can't open data connection.
Could not retrieve directory listing
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (XXX,XXX,XXX,XXX,7,211)
LIST
425 Can't open data connection.
Could not retrieve directory listing
(ECommand) Error listing directory '/'.
The server cannot open connection in active mode. If the problem persists, consider switching to passive mode.
Could not retrieve directory listing
Can't open data connection.
Startup conversation with host finished.
PWD
257 "/" is current directory.

XXX,XXX,XXX,XXX is the external IP address. The weird thing I noticed is the error "consider switching to passive mode". :unsure: I'm not sure if I did something incorrectly in filezilla


And did you check this working locally only before trying it from outside? If it works local only, then the forwards aren't right on your router? Your helper is dicking with you? Their router on their end is causing an issue?

I would assume "try active" is just a generic error when passive doesn't work; you can clearly see you're issuing the PASV command.

Another thing you need to check is that those ports are open outbound from where your client is. I can tell you, for example, that at work I can not open ports outbound between 2000 and 3000. At work only standard service ports are open ;) 80, 443, 22, etc.

Like I said, FTP can be a bit tricky ;) with the different ports and all.

For passive to work pretty much all outbound ports must be open at the client side.

So you say normal FTP works, right? Then just use that - why all the need for SSL? Just lock down your FTP server to only accept connections from the IPs your phones will be coming from. I'm curious why phones would need to FTP anyway?


The config files to deploy the phones are on the server, which include plain text passwords for the VoIP accounts. The passwords will be changed once a month and I would prefer not to transfer the config files in plain text for anyone to see.

OK, I slept on it and this morning I just screwed around with some settings, but I don't think I changed anything from yesterday, and now FTPS passive works. :huh:


"would prefer not to transfer the config files in plain text for anyone to see."

You do understand that with FTPS by default the data is not encrypted -- so just because you send control info through a tunnel, the actual transfer of the data file would be in the clear. So if it's some sort of text file with passwords in it -- this would be in the clear ;)

From the RFC

http://www.faqs.org/rfcs/rfc4217.html

---

For TLS, the data connection can have one of two security levels.

1) Clear (requested by 'PROT C')
2) Private (requested by 'PROT P')

With 'Clear' protection level, the data connection is made without TLS. Thus, the connection is unauthenticated and has no confidentiality or integrity. This might be the desired behaviour for servers sending file lists, pre-encrypted data, or non-sensitive data (e.g., for anonymous FTP servers).

If the data connection security level is 'Private', then a TLS negotiation must take place on the data connection to the satisfaction of the Client and Server prior to any data being transmitted over the connection. The TLS layers of the Client and Server will be responsible for negotiating the exact TLS Cipher Suites that will be used (and thus the eventual security of the connection).

---

Need to make sure the client issues a PROT P command so that data is secured.

Again, yet another reason to go with SFTP ;) everything is inside the tunnel and secure ;)

Where exactly are these phones in relation to the server, that you would be accessing your server over the public net?? Don't you have a VPN between their location and yours? Are these phones at the homes of your users? A VPN to where the phones are would solve all your issues ;) and allow for just plain-jane FTP as well - no need for FTPS if communication is all on your private network.

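The PROT C versus PROT P point made in the post above, as an added example (not code from the thread). audit_protection walks a client-side log and reports, for each data-channel command, whether the data connection was under TLS ('P'), left in the clear after AUTH ('C', the RFC 4217 default) or never protected at all ('none', plain FTP); list_with_prot_p shows the same negotiation with Python's standard ftplib, whose FTP_TLS.prot_p() sends PBSZ 0 and PROT P. The three log sessions are constructed, the host, account and cafile arguments are placeholders, and nothing here connects to a server when run.

```python
import ftplib
import re
import ssl

DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}
# WinSCP log line: optional direction marker, optional timestamp, then the FTP text
_LOGLINE = re.compile(r"^\s*(?:[<>.*]\s+)?(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+)?(.*)$")


def audit_protection(log_lines):
    """Return [(command, level), ...] for each data-channel command in a
    client log. level is 'P' when a PROT P was accepted before the command,
    'C' when AUTH TLS/SSL protected the control channel but the data channel
    was left at RFC 4217's default of Clear, and 'none' when AUTH was never
    sent, i.e. plain FTP."""
    control_tls = False
    level = previous = "C"     # RFC 4217: data protection starts at Clear
    awaiting_reply = False     # a PROT was sent; the next server reply decides
    findings = []
    for raw in log_lines:
        words = _LOGLINE.match(raw).group(1).split()
        if not words:
            continue
        verb = words[0].upper()
        if verb == "AUTH" and len(words) > 1 and words[1].upper() in ("TLS", "SSL"):
            control_tls = True
        elif verb == "PROT" and len(words) > 1:
            previous, level = level, words[1].upper()[:1]
            awaiting_reply = True
        elif awaiting_reply and verb[:1].isdigit():
            if verb.startswith(("4", "5")):
                level = previous           # server refused the PROT: level unchanged
            awaiting_reply = False
        elif verb in DATA_COMMANDS:
            findings.append((verb, level if control_tls else "none"))
    return findings


def list_with_prot_p(host, user, passwd, cafile):
    """Explicit FTPS (AUTH TLS on port 21) with the data channel under TLS.
    cafile holds the server's own self-signed certificate, so a forged
    certificate is rejected rather than clicked through. Placeholder
    arguments; this function is not called by the example itself."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    ftps = ftplib.FTP_TLS(host, context=ctx)
    ftps.auth()                 # AUTH TLS: control channel encrypted from here on
    ftps.login(user, passwd)
    ftps.prot_p()               # PBSZ 0 + PROT P: LIST/RETR/STOR data now under TLS too
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


# Constructed client logs for one phone fetching its config file.
SESSION_CLEAR = [                      # AUTH TLS but no PROT P: the password file crosses in the clear
    "> AUTH TLS", "< 234 AUTH command ok. Expecting TLS Negotiation.",
    "> USER phone01", "< 331 Password required for phone01.",
    "> PASS ********", "< 230 User logged in.",
    "> PASV", "< 227 Entering Passive Mode (203,0,113,10,7,210).",
    "> RETR phone01.cfg", "< 150 Opening data connection.", "< 226 Transfer complete.",
]
SESSION_PRIVATE = SESSION_CLEAR[:6] + [   # same session with the data channel protected
    "> PBSZ 0", "< 200 PBSZ=0",
    "> PROT P", "< 200 Protection level set to P",
] + SESSION_CLEAR[6:]
SESSION_PLAIN = SESSION_CLEAR[2:]         # no AUTH at all: plain FTP

if __name__ == "__main__":
    for name, session in (("clear", SESSION_CLEAR), ("private", SESSION_PRIVATE), ("plain", SESSION_PLAIN)):
        print(name, audit_protection(session))
```

Run it over the WinSCP log of the phone's FTPS session (or the command stream out of a packet capture): a 'C' next to RETR phone01.cfg means the VoIP credentials went out unprotected no matter how the control connection was negotiated, and a server that answers PROT P with a 5xx leaves you in the same place.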

ok stupid question coming... I've never really worked with SSL certificates or CA's before, but I'm trying to install the certificate created from filezilla on the phone. There's an option to install the certificate from the phone interface and it requests a URL, but what URL do I provide? Sorry for the stupid question.

EDIT: I would have to create my own CA wouldn't I?


I would assume the URL to grab the cert from?? What specific phone are you working with, so I can look up its manual and see how to install certs?

Just host the cert on an HTTP server somewhere - you clearly have IIS installed ;)

Why would you need to run your own CA?

Are you meaning you want to trust the CA that created the cert on FileZilla so your phone does not ask you about it?? How did you do it with the self-signed cert you created with IIS?

Link to comment
Share on other sites

I've already tried hosting the certificate .crt file and inputting the URL on the Install Custom Certificates page of the phone interface. It says it installed the certificate, but after changing the server info to use FTPS on the phone, it cannot make the connection to the FTPS server.

I never got FTPS working on IIS. With FileZilla I can accept the SSL certificate when connecting from a PC because WinSCP pops up a warning to ask if I want to accept or not. The Polycom SoundPoint IP 501 phones do not pop up a warning; you have to install the certificate beforehand. The admin guide itself provides very little information about installing certificates, but gives a link to this tutorial: Using Custom Certificates With SoundPoint IP Phones, which shows how to create a CA (with OpenSSL, I think).

I'm thinking this is way overkill for deploying the IP phones; I may just give in and use plain FTP.

