Question : FTPS Redhat error with cert - using Filezilla as the FTP client

I'm running RHL Enterprise server 5.3 for my FTP server. FTP works, but when I enable the TLS/SSL encryption it almost connects, and I get the error at the bottom of this post. The client I'm using is FileZilla 3.2.7.

Command:   USER auburnme
Status:    TLS/SSL connection established.
Response:  331 Please specify the password.
Command:   PASS *******
Response:  230 Login successful.
Command:   SYST
Response:  215 UNIX Type: L8
Command:   FEAT
Response:  211-Features:
Response:  AUTH SSL
Response:  AUTH TLS
Response:  EPRT
Response:  EPSV
Response:  MDTM
Response:  PASV
Response:  PBSZ
Response:  PROT
Response:  REST STREAM
Response:  SIZE
Response:  TVFS
Response:  211 End
Command:   PBSZ 0
Response:  200 PBSZ set to 0.
Command:   PROT P
Response:  200 PROT now Private.
Status:    Connected
Status:    Retrieving directory listing...
Command:   PWD
Response:  257 "/"
Command:   TYPE I
Response:  200 Switching to Binary mode.
Command:   PASV
Response:  227 Entering Passive Mode (192,168,130,152,152,78)
Command:   LIST
Error:     Connection timed out
Error:     Failed to retrieve directory listing

Answer : FTPS Redhat error with cert - using Filezilla as the FTP client

I am assuming that the client and server are not on the same network, you are passing through a firewall when you are attempting to do this, and you are attempting to do this over the Internet.

The problem is that when in clear-text mode the firewall is intercepting the response to the PASV command and changing the IP address from the server's real IP address to the public IP address that the firewall is NAT'ing it to.

When doing SSL/TLS transfers, the firewall can't see the PASV command and so it can't change the IP address. The client is attempting to connect to the server's real IP address (192.168.130.152) in this case and it can't, because that address is not routable on the Internet.

Because of the issues with SSL/TLS, most FTP servers and clients support something called extended passive (or extended active) FTP. When using the "extended" mode, only the port numbers are passed on the EPSV or EPRT commands, and the client assumes that the address is the same address that the command/control connection is using.

There are some clients that, if they can't connect to the address in the PASV/PORT commands, will try the address that the command/control session is using.
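To make the PASV-versus-EPSV difference from the answer concrete, here is an added example (not code from the original post or from FileZilla/vsftpd) that parses a 227 and a 229 reply and applies the fallback some clients use: if the address advertised in the 227 reply is RFC 1918 private while the control connection goes to a public address, reuse the control-connection address. The sample reply lines and the control-peer addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample replies: the 227 line mirrors the one in the question,
# the 229 line is what an EPSV reply looks like (RFC 2428), carrying only a port.
PASV_REPLY = "227 Entering Passive Mode (192,168,130,152,152,78)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||39098|)"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (host, port) advertised in a 227 reply: h1,h2,h3,h4,p1,p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(line):
    """Return the port from a 229 reply; the host is implicitly the control peer."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", line)
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % line)
    return int(m.group(1))


def is_rfc1918(host):
    """True if host lies in a private range that is not routable on the Internet."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def choose_data_endpoint(control_host, pasv_line):
    """Pick the data-connection endpoint the way a tolerant client does.

    With PROT P the firewall cannot rewrite the 227 reply, so a private
    address can leak through; fall back to the control peer in that case.
    Returns (host, port, reason).
    """
    host, port = parse_pasv(pasv_line)
    if is_rfc1918(host) and not is_rfc1918(control_host):
        return control_host, port, "fallback: 227 advertised private %s" % host
    return host, port, "ok"
```

Running `choose_data_endpoint("203.0.113.10", PASV_REPLY)` (a constructed public control peer) yields the fallback, whereas a client on the same 192.168.130.0/24 LAN keeps the advertised address.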