Question

这个问题是this original question的后续问题。在用FTP隐式解决了一段时间之后，我再次决定调查这个问题。这一次，我在纯java（非android）中编写了一个简单的FTP客户端，并在我通过手机的热点连接到互联网时分析了SSL / TLS调试消息。

在发送ClientHello之后，在TLS握手期间出现问题。 FTP方式，这对应于服务器成功接受AUTH TLS之后。失败的交换表示如下：

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1416712655 bytes = { <binary data> }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=<server>]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 188
main, handling exception: java.net.SocketTimeoutException: Read timed out
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:150)
    at java.net.SocketInputStream.read(SocketInputStream.java:121)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
main, called close()

供参考，下面列出了成功的交换：

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1416713014 bytes = { <binary data> }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=<server>]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 188
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 142326665 bytes = { <binary data> }
Session ID:  { <session id data> }
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***

我尝试过使用TLSv1.2，TLSv1.1和TLSv1，结果导致套接字超时，服务器关闭连接。 FTP服务器（FileZilla Server 0.9.48 beta）没有提供问题的详细日志。

对此问题的任何见解将不胜感激。

Answer 1

我建议流量＆＃34;优化＆＃34;在您的提供商处导致问题。深度包检查＆＃34;优化＆＃34;流量在蜂窝网络中很常见，通常用于改善流量，有时也用于阻止不必要的流量。

这与您的问题有何关系：在蜂窝网络中，通常需要NAT，即您没有获得公共IP地址。但是，至少FTP中的活动模式需要公共IP，因此使用帮助程序来转换FTP控制连接内的PORT / EPRT命令的IP和端口并不罕见。这些帮助程序无法使用加密连接，这意味着它们要么故意阻止这些连接，要么可能意外阻止它们，因为它们不再理解流量。

FTP显式在蜂窝数据上失败

1 个答案: