| author | Daniel Stenberg <daniel@haxx.se> | 2005-08-19 14:41:09 +0000 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2005-08-19 14:41:09 +0000 | 
| commit | 710ee3b0e0858a3ee8283fd1de1bc35f24c2bb5b (patch) | |
| tree | 3ec8318f73231edafa96817e5bfbd745b008bcfa /lib | |
| parent | 7a8993892de12781c5554697696affc85eac174c (diff) | |
Norbert Novotny had problems with FTPS and he helped me work out a patch
that made curl run fine on his end. The key was to make sure we do the
SSL/TLS negotiation immediately after the TCP connect is done and not after
a few other commands have been sent like we did previously. I don't consider
this change necessary to obey the standards, I think this server is pickier
than what the specs allow it to be, but I can't see how this modified
libcurl code can add any problems to those who are interpreting the
standards more liberally.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ftp.c | 46 | 
1 files changed, 27 insertions, 19 deletions
@@ -174,9 +174,13 @@ static bool isBadFtpString(const char *string)
  * to us. This function will sit and wait here until the server has
  * connected.
  *
+ * If FTP-SSL is used and SSL is requested for the data connection, this
+ * function will do that transport layer handshake too.
+ *
  */
 static CURLcode AllowServerConnect(struct connectdata *conn)
 {
+  CURLcode result;
   int timeout_ms;
   struct SessionHandle *data = conn->data;
   curl_socket_t sock = conn->sock[SECONDARYSOCKET];
@@ -231,6 +235,17 @@ static CURLcode AllowServerConnect(struct connectdata *conn)
     break;
   }
+  /* If PASV is used, this is is made elsewhere */
+  if(conn->ssl[SECONDARYSOCKET].use) {
+    /* since we only have a plaintext TCP connection here, we must now
+       do the TLS stuff */
+    infof(data, "Doing the SSL/TLS handshake on the data stream\n");
+    /* BLOCKING */
+    result = Curl_ssl_connect(conn, SECONDARYSOCKET);
+    if(result)
+      return result;
+  }
+
   return CURLE_OK;
 }
@@ -2017,16 +2032,6 @@ static CURLcode ftp_state_stor_resp(struct connectdata *conn,
       return result;
   }
-  if(conn->ssl[SECONDARYSOCKET].use) {
-    /* since we only have a plaintext TCP connection here, we must now
-       do the TLS stuff */
-    infof(data, "Doing the SSL/TLS handshake on the data stream\n");
-    /* BLOCKING */
-    result = Curl_ssl_connect(conn, SECONDARYSOCKET);
-    if(result)
-      return result;
-  }
-
   *(ftp->bytecountp)=0;
   /* When we know we're uploading a specified file, we can get the file
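Review bot: The comment that opens the added block in AllowServerConnect has a doubled word and only says the PASV case is handled "elsewhere"; since this commit splits the data-channel handshake across two call sites, it should name the other one, e.g. `/* With PASV the handshake is done in Curl_ftp_nextconnect() instead */`. Separately, `timeout_ms` is declared for the wait on the listening socket, but `Curl_ssl_connect(conn, SECONDARYSOCKET)` is called without it and is marked BLOCKING. If the handshake is not bounded somewhere outside this view, a peer that connects to the listening port and then stays silent would hold the transfer here, so the comment should say what limits the wait. The middle of AllowServerConnect lies outside the hunks shown.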
@@ -2126,15 +2131,6 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn,
         return result;
     }
-    if(conn->ssl[SECONDARYSOCKET].use) {
-      /* since we only have a plaintext TCP connection here, we must now
-         do the TLS stuff */
-      infof(data, "Doing the SSL/TLS handshake on the data stream\n");
-      result = Curl_ssl_connect(conn, SECONDARYSOCKET);
-      if(result)
-        return result;
-    }
-
     if(size > conn->maxdownload && conn->maxdownload > 0)
       size = conn->size = conn->maxdownload;
@@ -3096,6 +3092,18 @@ CURLcode Curl_ftp_nextconnect(struct connectdata *conn)
   if(!ftp->no_transfer && !conn->bits.no_body) {
     /* a transfer is about to take place */
+    if(conn->ssl[SECONDARYSOCKET].use &&
+       !data->set.ftp_use_port) {
+      /* PASV is used and we just got the data connection connected, then
+         it is time to handshake the secure stuff. */
+
+      infof(data, "Doing the SSL/TLS handshake on the data stream\n");
+      /* BLOCKING */
+      result = Curl_ssl_connect(conn, SECONDARYSOCKET);
+      if(result)
+        return result;
+    }
+
     if(data->set.upload) {
       NBFTPSENDF(conn, "TYPE %c", data->set.ftp_ascii?'A':'I');
       state(conn, FTP_STOR_TYPE);  |
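Review bot: In Curl_ftp_nextconnect the blocking `Curl_ssl_connect(conn, SECONDARYSOCKET)` now runs before the `TYPE` command, and the transfer command that follows it, are sent on the control connection. A server that starts TLS on the data channel only after it has received the transfer command (the ordering RFC 4217 appears to describe) would not answer the handshake at this point, and the call would wait. The commit message argues the change is harmless for more liberal servers but does not cover this case. If the ordering is kept, the block should record the dependency, for example `/* NOTE: handshake runs before TYPE/STOR/RETR is sent; the server must accept TLS on the data connection this early */`. The function starts outside the hunk, so the declarations of `result` and `data` are not visible here.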
