I am trying to utilise the Alex FTPS Client in an SSIS file transfer process I am developing but am having some issues. When initiating a connection I get the error:
“Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.”
However, I am able to connect, and transfer files, successfully with CuteFTP! For this I received a .p12 certificate which I split with OpenSSL into private (pem) and public (crt) keys – as required by CuteFTP.
The connection settings for CuteFTP are as follows:
- FTP with TLS/SSL (Auth TLS-Explicit)
- Data mode PASV
- Username required but not a password
I have also included the successful CuteFTP connection log at the end of this post which might help resolve this issue.
For my Alex FTPS Client connection I am using the following:
Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates
Imports AlexPilotti.FTPS.Client
Imports AlexPilotti.FTPS.Common

Dim IsConnected As Boolean = False
Dim iPort As Integer = 990
Dim strHost As String = "xx.xx.xx.xxx"
Dim Credentials As NetworkCredential = New NetworkCredential("xx-xx-xx01", "")
' CreateFromSignedFile loads the public certificate only (no private key), so it cannot
' prove the client's identity in a TLS client-certificate handshake; that needs the .p12
' (private key included) loaded as an X509Certificate2.
Dim X509ClientCertificate As X509Certificate = X509Certificate.CreateFromSignedFile("C:\x509Certificate\xxx_public.crt")
Try
    Using client As New FTPSClient()
        ' The ESSLSupportMode value below is a placeholder; several combinations were tried.
        client.Connect(strHost, iPort, Credentials, ESSLSupportMode.ControlAndDataChannelsRequired, _
                       New RemoteCertificateValidationCallback(AddressOf ValidateTestServerCertificate), _
                       X509ClientCertificate, 0, 0, 0, System.Threading.Timeout.Infinite)
        IsConnected = True
        Dts.TaskResult = Dts.Results.Success
    End Using
Catch ex As Exception
    Dts.Events.FireInformation(0, "", "Error " & ex.Message, "", 0, True)
    Dts.TaskResult = Dts.Results.Failure
End Try

Private Shared Function ValidateTestServerCertificate(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
    ' Accept any certificate (server identity is not checked; suitable for diagnosis only)
    Return True
End Function
I have used various combinations of ESSLSupportMode but without any success.
I have successfully imported the .p12 certificate into the Windows certificate store, where it is located in ‘Trusted Root Certificate Authorities’ for the local computer. I have also imported it into ‘Trusted Publishers’, ‘Intermediate Certificate Authorities’ & ‘Third-Party Root Certificate’ just to see if this worked, but this made no difference.
I am currently using the public certificate I extracted with OpenSSL. I have also exported the public certificate from the certificate store but again this made no difference.
I have checked our firewall settings and all is fine: the correct ports are open and a connection is present, outbound and inbound. When checking with the provider of the FTPS server they have indicated that a “connection attempt has been refused” but without any further details. However, they have asked the question “The FTPS server authenticates by attempting to make an independent connection back to your client. Does this FTPS client support this?”, which I would be grateful if you could confirm. I am currently trying to obtain from them what FTPS server they are using but have not yet had a reply.
This is where I am stuck! Is there a way of including some debug code to see what is going on with the exchange of certificates and authentication, as I think this is where the issue is? Any help would be greatly appreciated.
Log from successful CuteFTP connection
*** CuteFTP 8.3 - build May 19 2010 ***
STATUS:> [31/03/2011 09:17:26] Getting listing "/request"...
STATUS:> [31/03/2011 09:17:26] Connecting to FTP server... xx.xx.xx.xxx:990 (ip = xx.xx.xx.xxx)...
STATUS:> [31/03/2011 09:17:29] Socket connected. Waiting for welcome message...
[31/03/2011 09:17:29] 220 D-PS-003 FTP server (SecureTransport 4.9.2) ready.
STATUS:> [31/03/2011 09:17:29] Connected. Authenticating...
COMMAND:> [31/03/2011 09:17:29] AUTH TLS
[31/03/2011 09:17:29] 234 TLSv1
STATUS:> [31/03/2011 09:17:29] Establishing SSL session...
STATUS:> [31/03/2011 09:17:29] Connected. Exchanging encryption keys...
STATUS:> [31/03/2011 09:17:34] SSL Connect time: 4888 ms.
STATUS:> [31/03/2011 09:17:34] SSL encrypted session established.
COMMAND:> [31/03/2011 09:17:34] PBSZ 0
[31/03/2011 09:17:34] 200 PBSZ=0
COMMAND:> [31/03/2011 09:17:34] USER xx-xx-xx01
[31/03/2011 09:17:34] 230 Virtual user xx-xx-xx01 logged in.
STATUS:> [31/03/2011 09:17:34] Login successful.
COMMAND:> [31/03/2011 09:17:34] PWD
[31/03/2011 09:17:34] 257 "/" is current directory.
STATUS:> [31/03/2011 09:17:34] Home directory: /
COMMAND:> [31/03/2011 09:17:34] FEAT
[31/03/2011 09:17:35] Informational Message Only:
STATUS:> [31/03/2011 09:17:35] This site supports features.
STATUS:> [31/03/2011 09:17:35] This site supports XCRC.
STATUS:> [31/03/2011 09:17:35] This site supports SIZE.
STATUS:> [31/03/2011 09:17:35] This site can resume broken downloads.
COMMAND:> [31/03/2011 09:17:35] REST 0
[31/03/2011 09:17:35] 350 Restarting at 0.
COMMAND:> [31/03/2011 09:17:35] CWD /request
[31/03/2011 09:17:35] 250 CWD command successful.
STATUS:> [31/03/2011 09:17:35] PWD skipped. Current folder: "/request".
COMMAND:> [31/03/2011 09:17:35] PBSZ 0
[31/03/2011 09:17:35] 200 PBSZ=0
COMMAND:> [31/03/2011 09:17:35] PROT P
[31/03/2011 09:17:35] 200 PROT command successful
COMMAND:> [31/03/2011 09:17:35] PASV
[31/03/2011 09:17:35] 227 Entering Passive Mode (xxx,xxx,x,x,38,175)
STATUS:> [31/03/2011 09:17:35] Substituting received PASV address xxx.xx.x.x to server address xx.xx.xx.xxx.
COMMAND:> [31/03/2011 09:17:35] LIST
STATUS:> [31/03/2011 09:17:35] Connecting FTP data socket... xx.xx.xx.xxx:9903...
[31/03/2011 09:17:35] 150 Opening ASCII mode SSL data connection for file list.
STATUS:> [31/03/2011 09:17:35] Connected. Exchanging encryption keys...
STATUS:> [31/03/2011 09:17:36] SSL Connect time: 525 ms.
STATUS:> [31/03/2011 09:17:36] SSL encrypted session established.
[31/03/2011 09:17:36] 226 Transfer complete.
STATUS:> [31/03/2011 09:17:36] Directory listing completed.
Some additional information from the FTPS server host relating to the above.
- Ports: Control channel 990 & Data Channel 9900 to 9903. The data channels are used in a round robin method so they all must be enabled within the firewalls and proxy server etc. and also in the application if there is a restriction on the data channels.
- Login with Certificate and Username login only and User name is case sensitive.
- Auth TLS - Explicit should be used as the protocol type for FTPS.
- Data connection: Passive Mode (PASV)
- Both the Control and Data channel must NOT be in the clear; our FTP server will reject any connection if either connects in the clear or tries to downgrade from encrypted to clear after the initial connection has been made. We do NOT support CCC (Clear Control Channel) or CDC (Clear Data Channel).
- FTP server is Axway
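As an added diagnostic example (not the poster's code and not the Alex FTPS library), the following Python script replays the command sequence shown in the CuteFTP log (AUTH TLS, PBSZ 0, USER, PROT P, PASV, LIST) with a client certificate, echoes every command and reply, prints the negotiated TLS details, and checks that the server's PASV port falls inside the 9900-9903 range the host opened. The host, port, user and certificate/key file paths passed to diagnose() are assumptions, and the PASV replies used for checking are constructed.

```python
import ipaddress
import re
import ssl
from ftplib import FTP_TLS

ALLOWED_DATA_PORTS = range(9900, 9904)  # data channels 9900-9903 per the host

def parse_pasv(reply, control_host):
    """Parse a 227 reply into (host, port); use the control host when the
    advertised address is private (CuteFTP's 'Substituting received PASV address')."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    host = f"{a}.{b}.{c}.{d}"
    if ipaddress.ip_address(host).is_private:
        host = control_host
    return host, p1 * 256 + p2

def data_port_allowed(port):
    """True when the server-chosen data port is inside the firewall-opened range."""
    return port in ALLOWED_DATA_PORTS

class DiagFTPS(FTP_TLS):
    # Validate the PASV port before ftplib opens the TLS data socket.
    def makepasv(self):
        host, port = parse_pasv(self.sendcmd("PASV"), self.host)
        if not data_port_allowed(port):
            raise RuntimeError(f"server picked data port {port}, outside 9900-9903")
        return host, port

def make_client_context(certfile, keyfile):
    """Context that presents the client certificate; keyfile must hold the
    private key (a public-only .crt cannot authenticate the client)."""
    ctx = ssl.create_default_context()  # server certificate stays verified
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def diagnose(host, port, user, certfile, keyfile, timeout=30):
    ftp = DiagFTPS(context=make_client_context(certfile, keyfile), timeout=timeout)
    ftp.set_debuglevel(2)                  # echo every command and reply
    print(ftp.connect(host, port))         # 220 banner
    print(ftp.auth())                      # AUTH TLS -> 234, control channel now TLS
    print("TLS:", ftp.sock.version(), ftp.sock.cipher()[0])
    print("server cert subject:", ftp.sock.getpeercert().get("subject"))
    print(ftp.login(user, ""))             # USER only; host expects 230 without PASS
    print(ftp.prot_p())                    # PBSZ 0 then PROT P: encrypted data channel
    ftp.retrlines("LIST")                  # PASV + LIST over a fresh TLS data socket
    return ftp.quit()
```

Call diagnose("xx.xx.xx.xxx", 990, "xx-xx-xx01", "client.pem", "client.key") with the certificate and private key split from the .p12; the debug output lines up with the CuteFTP log above, so the first step that differs is where the handshake breaks.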