此問題是this original question的後續。在用FTP隱含了一段時間後,我再次決定研究這個問題。這一次,我用純java(非android)編寫了一個簡單的FTP客戶端,並在我通過手機的熱點連接到互聯網時分析了SSL/TLS調試消息。FTP在celluar數據上顯式失敗
問題發生在ClientHello發送後的TLS握手過程中。 FTP方式,這對應於AUTH TLS
被服務器成功接受之後。失敗的交換表示如下:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1416712655 bytes = { <binary data> }
Session ID: {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=<server>]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 188
main, handling exception: java.net.SocketTimeoutException: Read timed out
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:150)
at java.net.SocketInputStream.read(SocketInputStream.java:121)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
main, called close()
作爲參考,一個成功的交換包含如下:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1416713014 bytes = { <binary data> }
Session ID: {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=<server>]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 188
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie: GMT: 142326665 bytes = { <binary data> }
Session ID: { <session id data> }
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
我使用TLSv1.2工作,TLSv1.1和使用TLSv1嘗試和所有導致相同的結果,套接字超時和服務器關閉連接。 FTP服務器(FileZilla Server 0.9.48 beta)沒有提供詳細的問題日誌。
任何關於這個問題的見解將不勝感激。
我的方案中的所有通信都在被動模式下運行FTP(每個數據檢索/存儲命令之前發送'PASV'或'EPSV'命令)。此外,隱式FTP似乎工作得很好。我沒有得到的是爲什麼相同的TLS交易似乎在明確的時候失敗了,當它在隱含的情況下工作時沒有問題。 – initramfs 2014-11-23 08:03:08
使用被動模式或主動模式並不重要,因爲無法預先通知攔截設備您將在加密連接中使用被動模式。隱式和顯式TLS之間的區別在於顯式使用與普通FTP相同的端口,因此受輔助應用程序的影響。隱式代替使用另一個端口,可能不會被提供者攔截,因爲無論如何都無法重寫PORT/EPRT命令。 – 2014-11-23 08:17:41
經過額外的測試,你說的話似乎是合理的。仍然讓我感到困惑,他們如何才能阻止像這樣的流量(我住在互聯網流量相當開放,沒有過濾或任何其他地方的地區)。 – initramfs 2014-11-23 15:53:53