Quarks 0 Posted April 1, 2020

I am currently confused about my secure FTP daemon in Delphi RIO, using ICS 8.6.4 from the SVN. I have tried to mimic the OverbyteIcsSslFtpServ example project exactly (copying and pasting the components, or manually copying and verifying them). The problem is that my project doesn't understand the AUTH TLS handshake. When using the openssl client, the result is:

    openssl s_client -connect 127.0.0.1:21 -starttls ftp
    CONNECTED(00000164)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 94 bytes and written 303 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

As you can see above, my secure FTPd somehow isn't serving the TLS handshake. Probably my code below is relevant to why it doesn't work?

    procedure TfrmMain.StartServer;
    var
        wsi : TWSADATA;
        SSLType : TFtpSslType;
        SSLVer : TSslVerMethod;
        SSLCache : TSslSessCacheMode;
        SSLCachemodes : TSslSessCacheModes;
        MinSSLMethod : TSslVerMethod;
        MaxSSLMethod : TSslVerMethod;
        SSLTypeModes : TFtpSslTypes;
    begin
        { Display version info for program and use components }
        wsi := WinsockInfo;
        Logit(Trim(CopyRight));
        Logit('Using:');
        Logit(' ' + OverbyteIcsWSocket.CopyRight);
        Logit(' ' + OverbyteIcsFtpSrv.CopyRight);
        Logit(' Winsock:');
        Logit(' Version ' + Format('%d.%d', [WinsockInfo.wHighVersion shr 8, WinsockInfo.wHighVersion and 15]));
        Logit(' ' + String(StrPas(wsi.szDescription)));
        Logit(' ' + String(StrPas(wsi.szSystemStatus)));
    {$IFNDEF VER100}
        { A bug in Delphi 3 makes lpVendorInfo invalid }
        if wsi.lpVendorInfo <> nil then
            Logit(' ' + String(StrPas(wsi.lpVendorInfo)));
    {$ENDIF}

        { Set SSL properties, internal session caching enabled }
        // SslContext1.SslVersionMethod := sslV23_SERVER;
        //SslContext1.SslOptions := [sslOpt_NO_SSLv2]; //it's unsecure
        SslContext1.InitContext; //Pre-loads OpenSSL DLL's
        Logit(OpenSslVersion);
        Logit(OpenSslCompilerFlags);
        Logit(OpenSslBuiltOn);
        Logit(OpenSslPlatForm);
        Logit(OpenSslDir);

        frmMain.SslContext1.SslMinVersion := sslVerTLS1_2; { V8.37}
        frmMain.SslContext1.SslMaxVersion := sslVerMax; { V8.37}
        frmMain.SslContext1.SslCipherList := CipherListEdit.Text;
        frmMain.SslContext1.SslDHParamFile := DHParamEdit.Text;

        { Enables OpenSsl's internal session caching }
        frmMain.SslContext1.SslSessionCacheModes := [sslSESS_CACHE_SERVER];
        frmMain.SslContext1.SslSessionTimeout := 300; //sec
        frmMain.SslContext1.SslDefaultSessionIDContext := 'AnyStringForSessionCaching';
        frmMain.SslContext1.SslCertFile := CertFileEdit.Text;
        frmMain.SslContext1.SslPassPhrase := PassPhraseEdit.Text;
        frmMain.SslContext1.SslPrivKeyFile := PrivKeyFileEdit.Text;
        frmMain.SslContext1.SslCAFile := CAFileEdit.Text;
        frmMain.SslContext1.SslCAPath := CAPathEdit.Text;
        frmMain.SslContext1.SslVerifyPeer := VerifyPeerCheckBox.Checked;
        frmMain.SslFtpServer1.FtpSslTypes := [ftpAuthTls, ftpAuthSsl];

        { Use a custom multiline banner }
        //frmMain.SslFtpServer1.Banner := '';
        frmMain.SslFtpServer1.Banner := '220-Welcome to my Server' + #13#10 +
                                        '220-' + #13#10 +
                                        '220 ICS FTP Server ready.';
        frmMain.SslFtpServer1.Addr := ServIpAddr.Text; { V8.37 }
        frmMain.SslFtpServer1.Port := FPortEdit.Text;
        frmMain.SslFtpServer1.Start;

        MinSSLMethod := frmMain.SslContext1.SslMinVersion;
        MaxSSLMethod := frmMain.SslContext1.SslMaxVersion;
        for SSLVer := sslVerSSL3 to sslVerMax do
        begin
            If SSLVer = MinSSLMethod then
                Logit('SSL Minimum Version : : ' + GetEnumName(TypeInfo(TSslVerMethod), Ord(MinSSLMethod)));
        end;
        for SSLVer := sslVerSSL3 to sslVerMax do
        begin
            If SSLVer = MaxSSLMethod then
                Logit('SSL Maximum Version : : ' + GetEnumName(TypeInfo(TSslVerMethod), Ord(MaxSSLMethod)));
        end;
        //Logit('SSL Minimum Version :' + String(frmMain.SslContext1.ToString) );
        //Logit('SSL Maximum Version :' + ToString(frmMain.SslContext1.) );

        SSLCacheModes := frmMain.SslContext1.SslSessionCacheModes;
        for SSLCache := sslSESS_CACHE_CLIENT to sslSESS_CACHE_NO_INTERNAL_STORE do
        begin
            If SSLCache in SSLCacheModes then
                Logit('SSL Session Cache Modes : ' + GetEnumName(TypeInfo(TSslSessCacheMode), Ord(SSLCache)));
        end;
        Logit('SSL Session Timeout :' + UIntToStr(frmMain.SslContext1.SslSessionTimeout) + 's' );
        Logit('SSL Certificate File :' + frmMain.SslContext1.SslCertFile );
        Logit('SSL Private List :' + frmMain.SslContext1.SslPrivKeyFile );
        Logit('SSL CA File :' + frmMain.SslContext1.SslCAPath + '\' + frmMain.SslContext1.SslCAFile );
        Logit('SSL Verify Peer :' + BoolToStr(frmMain.SslContext1.SslVerifyPeer) );

        SSLTypeModes := frmMain.SslFtpServer1.FtpSslTypes;
        for SSLType := ftpAuthSsl to ftpImplicitSsl do
        begin
            If SSLType in SSLTypeModes then
                Logit('FTP SSL Types : ' + GetEnumName(TypeInfo(TFtpSslType), Ord(SSLType)));
        end;
        Logit('Successfully Started the FTP Server');
    end;

Full project files are attached below. I have been spending more than 10 hours trying to debug it, but no matter what I have tried, it doesn't serve TLS.

Simple FTP Server_send.rar

Angus Robertson 574 Posted April 1, 2020

The code itself is probably OK if you copied it correctly. The issue is more likely all the settings and SSL/TLS certificates that are needed to make a secure server work, of which you show none. You could also have shown the protocol that you logged with all the errors.

What SSL certificate are you using, and what intermediate, since you are setting SslCaFile? But servers don't use SslCAPath.

Angus

Quarks 0 Posted April 1, 2020 (edited)

@Angus Robertson Thank you for taking a look at my thread. That's the problem: Ticslogger doesn't work on my side, showing up as "Integer Overflow" when starting the x64 server.

>> What SSL certificate are you using, and what intermediate, since you are setting SslCaFile. But servers don't use SslCAPath.

The 01cert.pem, 01key.pem and cacert.pem are only the default ones from the ..\ICS\Samples\Delphi\SslInternet folder.

What I have also tried is tinkering with the OpenSSL cipher list, and even accepting all ciphers with "ALL" still couldn't make it work. Also, after countless times tinkering with SslMinVersion & SslMaxVersion, still no dice; somehow it's like ICS is ignoring my configurations/parameters :-(.

If you have time, please take a look at my project. I am sure it is something simple, or worse, something in the code; upon comparing with Beyond Compare, I don't notice any big differences.

Edited April 1, 2020 by Quarks

Angus Robertson 574 Posted April 1, 2020

Not sure what you are trying to achieve, but I suggest you get the original ICS sample working first, then work out what is different with your project.

The IcsLogger is for our development purposes, not debugging applications. Your code has lots of Logit commands, it's what those report that helps with debugging.

Angus

Quarks 0 Posted April 1, 2020

What I am trying to achieve is only a simple FTPd with only TLS v1.2 working. The original ICS sample is working fine with the same component parameters that I have copied from it, but in my project somehow it doesn't with the same certificates, key and CA.

I just tried to generate my own self-signed certificate, key and CA, but the same thing happened. I used the ..\ICS\Samples\Delphi\SslInternet\SslCerts\IcsSslBuildCerts.bat file.

Currently here is the log from Logit:

    02/04/2020 01:38:59 - - Disconnected
    02/04/2020 01:38:59 - - AUTH C:\TEMP\TLS
    02/04/2020 01:38:59 - - Connected
    02/04/2020 01:38:58 - - Disconnected
    02/04/2020 01:38:58 - - AUTH C:\TEMP\TLS
    02/04/2020 01:38:58 - - Connected
    02/04/2020 01:38:53 - Successfully Started the FTP Server
    02/04/2020 01:38:53 - FTP SSL Types : ftpAuthTls
    02/04/2020 01:38:53 - FTP SSL Types : ftpAuthSsl
    02/04/2020 01:38:53 - SSL Verify Peer :0
    02/04/2020 01:38:53 - SSL CA File :\
    02/04/2020 01:38:53 - SSL Private List :ServerKey.pem
    02/04/2020 01:38:53 - SSL Certificate File :ServerCert.pem
    02/04/2020 01:38:53 - SSL Session Timeout :300s
    02/04/2020 01:38:53 - SSL Session Cache Modes : sslSESS_CACHE_SERVER
    02/04/2020 01:38:53 - SSL Maximum Version : : sslVerMax
    02/04/2020 01:38:53 - SSL Minimum Version : : sslVerTLS1_2
    02/04/2020 01:38:53 - OPENSSLDIR: "C:\Program Files\Common Files\SSL"
    02/04/2020 01:38:53 - platform: VC-WIN64A-rtt
    02/04/2020 01:38:53 - built on: Tue Mar 17 20:12:47 2020 UTC
    02/04/2020 01:38:53 - compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM
    02/04/2020 01:38:53 - OpenSSL 1.1.1e 17 Mar 2020
    02/04/2020 01:38:53 - Running
    02/04/2020 01:38:53 - WinSock 2.0
    02/04/2020 01:38:53 - Version 2.2
    02/04/2020 01:38:53 - Winsock:
    02/04/2020 01:38:53 - TFtpServer (c) 1998-2020 F. Piette V8.64
    02/04/2020 01:38:53 - TWSocket (c) 1996-2020 Francois Piette V8.64
    02/04/2020 01:38:53 - Using:
    02/04/2020 01:38:53 - SslFtpServ (c) 1998-2020 F. Piette V8.64

From the openssl client:

    openssl s_client -connect 127.0.0.1:5420 -starttls ftp
    CONNECTED(00000164)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 94 bytes and written 303 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

Angus Robertson 574 Posted April 2, 2020

You don't log the IP address and port your server is using, although your client says port 5420 which is not an SSL FTP port, so the server does not attempt to negotiate SSL. Using non-standard ports for SSL requires extra code. V8.64 has a new option ftpsAuthForceSsl that might do it simply.

Not sure why you are testing an FTP server with a non-FTP client that does not send the correct protocol.

Angus

Quarks 0 Posted April 2, 2020 (edited)

>> You don't log the IP address and port your server is using, although your client says port 5420 which is not an SSL FTP port, so the server does not attempt to negotiate SSL Using non standard ports for SSL requires extra code. V8.64 has a new Option ftpsAuthForceSsl that might do it simply.

Using the normal FTP port 21 does the same thing in openssl s_client and filezilla/smartftp. I have specified in filezilla/smartftp to do explicit AUTH TLS. Can you tell me which event or part needs the extra code, so I can make a comparison with the ICS project? I already tried using the 'ftpsAuthForceSsl' option but it doesn't make any difference :-(.

>> Not sure why you are testing an FTP servers with a non-FTP client that does not send the correct protocol.

The following command is sending the correct explicit TLS protocol: it first connects with the plain-text FTP protocol until "AUTH TLS"; you can search the internet about it. It is normally used for testing TLS servers. The specified ftp part is for the FTP testing specification, not a port. (Using it on the ICS sample project works perfectly.)

    openssl s_client -connect 127.0.0.1:5420 -starttls ftp

The same thing from filezilla or smartftp:

    6:25:37 Status: Connecting to 127.0.0.1:5420...
    16:25:37 Status: Connection established, waiting for welcome message...
    16:25:37 Status: Initializing TLS...
    16:25:37 Error: GnuTLS error -110: The TLS connection was non-properly terminated.
    16:25:37 Status: Server did not properly shut down TLS connection
    16:25:37 Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
    16:25:37 Error: Could not connect to server
    16:25:37 Status: Waiting to retry...

Edited April 2, 2020 by Quarks

Angus Robertson 574 Posted April 2, 2020

I have no idea how the openssl client tool works or why you are using it to test FTP, but 'AUTH C:\TEMP\TLS' is not a valid command, it should be 'AUTH TLS'. You have not shown what smartftp sent.

Since the ICS sample works, you have missed something in your implementation but I can not debug your code.

Angus

Quarks 0 Posted April 3, 2020

>> I have no idea how the openssl client tool works or why you are using it to test FTP, but 'AUTH C:\TEMP\TLS' is not a valid command, it should be AUTH TLS'. You have not shown what smartftp sent.

I couldn't figure out why, either in the server or the client (filezilla), it is sent or received as 'AUTH C:\TEMP\TLS'. In smartftp it is just reported as cannot connect, as if the server were down.

>> Since the ICS sample works, you have missed something in your implementation but I can not debug your code.

The project was originally a normal plain non-secure FTP server, so I also think it may have missed something in the code. Currently I cannot quite pinpoint what is wrong. Rather than 'barking' at the same tree, I think I will re-base my project on the ICS sample project, which is already 'guaranteed' & designed to work.

Thanks a lot for all this time.

Angus Robertson 574 Posted April 3, 2020

Improving your logging will help, you did not report the response or errors to commands received which is essential to error tracing with bad clients.

The latest ICS in SVN has FTP server improvements to simplify SSL configuration in the same way as the web and proxy servers two years ago using IcsHosts, but there is no sample to copy yet, you need to look at the multi-web server sample and see how that configures listeners and at http://wiki.overbyte.eu/wiki/index.php/FAQ_Using_IcsHosts.

Angus.

Quarks 0 Posted April 3, 2020 (edited)

>> Improving your logging will help, you did not report the response or errors to commands received which is essential to error tracing with bad clients.

I don't know how to log the received command; perhaps you could give me a pointer or sample code? Logging in using filezilla or smartftp to the ICS sample project works fine.

>> The latest ICS in SVN has FTP server improvements to simplify SSL configuration in the same way as the web and proxy servers two years ago using IcsHosts, but there is no sample to copy yet, you need to look at the multi-web server sample and see how that configures listeners and at http://wiki.overbyte.eu/wiki/index.php/FAQ_Using_IcsHosts.

Thanks for the reminder. I am already using the latest and greatest SVN commit, but I don't use any proxy as these tests are only from the local range. Is that info also relevant to TSslFTPServer?

About the ICS 8.64 release, will sslTLS_V1_3_SERVER and sslTLS_V1_3_CLIENT be finalized or completed before the final release?

Edited April 3, 2020 by Quarks

Angus Robertson 574 Posted April 3, 2020

The FTP server sample does all the logging properly, SslFtpServer1AnswerToClient.

If you use IcsHosts in the latest server, you don't need an SslContext, all that is handled by the component. You set the certificates and an SSL security level and everything else is done automatically, including installing Let's Encrypt SSL certificates on a public server. This all works now, just no new sample yet.

Angus

Quarks 0 Posted April 3, 2020 (edited)

Thank you. The new logging is as follows:

    03/04/2020 20:31:37 - - Disconnected
    03/04/2020 20:31:37 - > 127.0.0.1 234 Using authentication type TLS
    03/04/2020 20:31:37 - - AUTH C:\TEMP\TLS
    03/04/2020 20:31:37 - - Connected
    03/04/2020 20:30:58 - - Disconnected
    03/04/2020 20:30:58 - > 127.0.0.1 234 Using authentication type TLS
    03/04/2020 20:30:58 - - AUTH C:\TEMP\TLS
    03/04/2020 20:30:58 - - Connected
    03/04/2020 20:30:20 - Successfully Started the FTP Server

The code is simple:

    procedure TfrmMain.SSLFtpServer1AnswerToClient(Sender: TObject; Client: TFtpCtrlSocket; var Answer: TFtpString);
    begin
        Logit('> ' + Client.GetPeerAddr + ' ' + Answer)
    end;

I could not quite figure out why there is an extra "C:\TEMP" in the client's (or server's?) replies.

Waiting for the IcsHosts secure FTP server sample.

Edited April 3, 2020 by Quarks

Angus Robertson 574 Posted April 3, 2020

What it should say is:

    02:10:08 > AUTH TLS
    02:10:08 < 234 Using authentication type TLS
    02:10:08 Check for Old SSL Session
    02:10:08 No Old SSL Session Cached
    02:10:08 Starting SSL Session
    02:10:08 Cache SSL Session: New
    02:10:08 ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-CHACHA20-POLY1305, key auth RSA, key exchange ECDH, encryption CHACHA20/POLY1305(256), message auth AEAD

But that depends on how many other events you are logging, you can see in the sample where all this comes from (although this log is from a real server).

I suspect you are still testing with the OpenSSL client which to be honest is a waste of time, it does not understand the FTP protocol. With TCP, it is rarely obvious which end caused disconnection.

Angus

Quarks 0 Posted April 3, 2020

I don't have a clue without someone checking the project out.

No, openssl s_client does understand explicit starttls & the ftp protocol, you can check the definition here:

    -starttls protocol
        Send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", "irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".

Quarks 0 Posted April 3, 2020 (edited)

The reason I am not using a more proper FTP client is that it's faster to paste from the Windows command prompt. When it works using openssl s_client, then it will be guaranteed to work in a full-fledged FTP client.

Edited April 3, 2020 by Quarks

Fr0sT.Brutal 900 Posted April 3, 2020

In FileZilla you can enable detailed log (right-click over log control) to see what happens actually. The AUTH C:\TEMP\TLS you get is very suspicious.

Quarks 0 Posted April 3, 2020

Here is the log from filezilla:

    23:16:31 Status: Connecting to 127.0.0.1:5420...
    23:16:31 Status: Connection established, waiting for welcome message...
    23:16:31 Response: 220-Welcome to my Server
    23:16:31 Response: 220-
    23:16:31 Response: 220 ICS FTP Server ready.
    23:16:31 Command: AUTH TLS
    23:16:31 Response: 234 Using authentication type TLS
    23:16:31 Status: Initializing TLS...
    23:16:31 Error: GnuTLS error -110: The TLS connection was non-properly terminated.
    23:16:31 Status: Server did not properly shut down TLS connection
    23:16:31 Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
    23:16:31 Error: Could not connect to server
    23:16:31 Status: Waiting to retry...

With smartftp, the FTP server logged the same as with openssl s_client, filezilla, smartftp:

    03/04/2020 23:19:41 - - Disconnected
    03/04/2020 23:19:41 - > 127.0.0.1 234 Using authentication type TLS
    03/04/2020 23:19:41 - - AUTH C:\TEMP\TLS
    03/04/2020 23:19:41 - - Connected

So it is confirmed that it's from my FTP server. Searching through the ICS folder or my project files doesn't return a match for 'C:\TEMP' or 'TEMP'.

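
The explicit-FTPS exchange visible in the logs above (220 banner, AUTH TLS, 234 reply, then the TLS handshake) can be checked stage by stage from the client side. The Python below is an added example, not part of any post in this thread and not ICS code; the function names are hypothetical, and certificate verification is skipped unless a CA file is supplied, which suits only a local test server such as the one discussed here.

```python
import socket
import ssl


def read_reply(rd):
    """Read one FTP reply; a multi-line reply runs from 'NNN-' to 'NNN '."""
    raw = rd.readline()
    if not raw:
        raise ConnectionError("connection closed before a reply arrived")
    line = raw.decode("latin-1").rstrip("\r\n")
    code, lines = line[:3], [line]
    if not code.isdigit():
        raise ValueError(f"not an FTP reply: {line!r}")
    if line[3:4] == "-":
        while not (line[:3] == code and line[3:4] == " "):
            raw = rd.readline()
            if not raw:
                raise ConnectionError("connection closed inside a multi-line reply")
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
    return int(code), lines


def probe_explicit_ftps(sock, server_hostname=None, cafile=None, timeout=5.0):
    """Run banner -> AUTH TLS -> handshake on a connected socket.

    Returns {'stage', 'ok', 'detail'}; 'stage' names the last step attempted,
    so a failure after the 234 reply is reported as 'tls-handshake'.
    """
    result = {"stage": "banner", "ok": False, "detail": ""}
    sock.settimeout(timeout)
    rd = sock.makefile("rb", buffering=0)  # unbuffered: never read past a reply
    try:
        code, lines = read_reply(rd)
        result["detail"] = lines[-1]
        if code != 220:
            return result
        result["stage"] = "auth"
        sock.sendall(b"AUTH TLS\r\n")
        code, lines = read_reply(rd)
        result["detail"] = lines[-1]
        if code != 234:
            return result
        result["stage"] = "tls-handshake"
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the thread's target
        if cafile:
            ctx.load_verify_locations(cafile)
            ctx.check_hostname = server_hostname is not None
        else:
            # Assumption: lab server with a sample or self-signed certificate.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
        result.update(ok=True, detail=f"{tls.version()} {tls.cipher()[0]}")
        tls.close()
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError subclass
        result["detail"] = f"{type(exc).__name__}: {exc}"
    return result


def probe_host(host, port, cafile=None, timeout=5.0):
    """Connect to host:port and run the staged probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_explicit_ftps(sock, server_hostname=host,
                                   cafile=cafile, timeout=timeout)


if __name__ == "__main__":
    # Address and port as used in the thread's tests.
    print(probe_host("127.0.0.1", 5420))
```

A result of stage 'tls-handshake' with ok False corresponds to the symptom in the client logs above: the server answers 234 and the connection then ends before any TLS reply arrives.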
Angus Robertson 574 Posted April 3, 2020

I always test the ICS FTP server with the ICS OverbyteIcsXferTst sample, then you just click a single button to perform a complete FTP session, with proper logging.

Angus

Quarks 0 Posted April 3, 2020

Here is from OverbyteIcsXferTst :

    23:38:18:401 03/04/2020 23:38:18:401 Connect/Logon to FTP Server: 127.0.0.1:5420
    23:38:18:401 23:38:18:401 Control DNS Lookup Done - 127.0.0.1
    23:38:18:402 23:38:18:402 02562470 Socket handle created handle=1780
    23:38:18:402 23:38:18:402 TWSocket will connect to 127.0.0.1:5420
    23:38:18:402 23:38:18:402 Control Socket Connect, error=0 to 127.0.0.1:5420
    23:38:18:402 < 220-Welcome to my Server
    23:38:18:402 < 220-
    23:38:18:402 < 220 ICS FTP Server ready.
    23:38:18:402 FTP Session Connected OK to: 127.0.0.1:5420
    23:38:18:402 23:38:18:402 Start command, Req=HostAsync - HOST [127.0.0.1]
    23:38:18:402 > HOST [127.0.0.1]
    23:38:18:402 23:38:18:402 02562470 PutDataInSendBuffer handle=1780 [9] Data:$4F48 $5453 $5B20 $3231 $2E37 $2E30 $2E30 $5D31 $A0D $00 $00 $00 $10 $264 $4B0 $02 $01 $00
    23:38:18:404 < 220 HOST Ok, FTP Server ready.
    23:38:18:404 23:38:18:404 Start command, Req=AuthAsync - AUTH TLS
    23:38:18:404 > AUTH TLS
    23:38:18:404 23:38:18:404 02562470 PutDataInSendBuffer handle=1780 [10] Data:$5541 $4854 $5420 $534C $A0D $00 $00 $00 $6061 $271
    23:38:18:405 < 234 Using authentication type TLS
    23:38:18:405 23:38:18:405 02562470 StartSslHandshake handle=1780
    23:38:18:405 23:38:18:405 02562470 InitSSLConnection handle=1780
    23:38:18:405 Check for Old SSL Session
    23:38:18:405 No Old SSL Session Cached
    23:38:18:405 23:38:18:405 02562470 Start Ssl ReadBIO
    23:38:18:405 23:38:18:405 02562470 ICB> SSL_handshake_start: where=00000010, state=before SSL initialization
    23:38:18:405 23:38:18:405 02562470 ICB> SSL_connect: before SSL initialization
    23:38:18:405 23:38:18:405 ProtoMsg: None, State: SSLv3/TLS write client hello, Send, DataLen: 5, Data= 160301019A
    23:38:18:405 23:38:18:405 ProtoMsg: TLS 1.3 Handshake: Client Hello, State: SSLv3/TLS write client hello, Send, DataLen: 410, Data=
    23:38:18:405 23:38:18:405 02562470 ICB> SSL_connect: SSLv3/TLS write client hello
    23:38:18:405 23:38:18:405 02562470 BIO_read(nbio, 0x24F2FF8, 415) = 415 [11] Data:
    23:38:18:405 23:38:18:405 02562470 BIO_read(nbio, 0x24F14C8, 0) = 0 [12] Data:
    23:38:18:406 23:38:18:406 02562470 TCustomSslWSocket.Do_FD_CLOSE error #0 handle=1780
    23:38:18:406 23:38:18:406 02562470 *CloseCalled handle=1780, State=SSLv3/TLS write client hello (TLS_ST_CW_Client_Hello), Err=error:00000000:lib(0):func(0):reason(0)
    23:38:18:406 23:38:18:406 02562470 SslHandshakeDone(1) Handle=1780. error:00000000:lib(0):func(0):reason(0), State: SSLv3/TLS write client hello, connection closed unexpectedly, session reused=False
    23:38:18:406 SSL Handshake Failed - error:00000000:lib(0):func(0):reason(0), State: SSLv3/TLS write client hello, connection closed unexpectedly
    23:38:18:406 23:38:18:406 02562470 TCustomWSocket.Shutdown 1 handle=1780
    23:38:18:406 23:38:18:406 02562470 FCloseInvoked=0 handle=1780, State=SSLv3/TLS write client hello
    23:38:18:406 23:38:18:406 Control Socket Closed, error=0
    23:38:18:406 FTP Session Closed
    23:38:18:406 23:38:18:406 02562470 ResetSslSession handle=1780

From the server :

    03/04/2020 23:38:18 - - Disconnected
    03/04/2020 23:38:18 - > 127.0.0.1 234 Using authentication type TLS
    03/04/2020 23:38:18 - - AUTH C:\TEMP\TLS
    03/04/2020 23:38:18 - > 127.0.0.1 220 HOST Ok, FTP Server ready.
    03/04/2020 23:38:18 - - HOST C:\TEMP\[127.0.0.1]
    03/04/2020 23:38:18 - - Connected
    03/04/2020 23:38:10 - Successfully Started the FTP Server

The TfrmMain.SSLFtpServer1Host code :

    procedure TfrmMain.SSLFtpServer1Host(Sender: TObject; Client: TFtpCtrlSocket; Host: TFtpString; var Allowed: Boolean);
    begin
        { HOST might be ftp.domain.com or [123.123.123.123] }
        Allowed := true;
    end;

Angus Robertson 574 Posted April 3, 2020

When you improve the logging in the server to show errors and events, similarly to the sample you copied code from, you'll get some debugging information. See SslFtpServer1SslVerifyPeer, SslFtpServer1SslHandshakeDone.

And also fix the logging bug that is adding this path, not coming from the clients:

    HOST C:\TEMP\[127.0.0.1]

Angus