> In our case, turns out our firewall was doing Layer 7 type stuff, and
> having recognized the initial dialog as FTP it basically didn't know
> what to do with the first TLS packet and saw it as an "RFC non
> compliant PORT command" and just threw it away.
>
> We configured the firewall to not try and be so smart (to allow RFC
> violations in this case, but disabling the layer 7 stuff completely
> likely would have worked as well).

You know that CCC command was added to both clients and ftp servers
years ago to deal with this 'smart firewall' issue?
By unencrypting 'PASV' commands, it enables stateful firewalls with ftp
support to know which ports should be opened.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
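
The effect discussed in this thread, as an added example that is not part of the original messages or of ProFTPD: a simplified model of a stateful firewall's FTP helper, which can only open a data-port pinhole when it can read the 227 reply, that is, after CCC (RFC 4217) has returned the control channel to cleartext. The function names, the sample segments and the 192.0.2.10 address are constructed for illustration, and the rule of only trusting a 227 that names the server's own address is an assumption about how the helper is configured.

```python
import re

# 227 reply carries (h1,h2,h3,h4,p1,p2) per RFC 959; port = p1*256 + p2
PASV_RE = re.compile(
    rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# First byte of a TLS record: change_cipher_spec, alert, handshake, app data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}

def parse_pasv(line):
    """Return (ip, port) from a cleartext 227 reply, or None if unusable."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def pinholes(segments, server_ip):
    """Model the helper: return (ports it would open, opaque TLS segments)."""
    opened, opaque = [], 0
    for seg in segments:
        if seg[:1] and seg[0] in TLS_CONTENT_TYPES:
            opaque += 1          # encrypted: PASV/227 inside is invisible
            continue
        hit = parse_pasv(seg)
        # Assumed policy: ignore a 227 that points at some other host
        if hit and hit[0] == server_ip:
            opened.append(hit[1])
    return opened, opaque

# Constructed control-channel segments (TLS payloads are dummy bytes)
WITHOUT_CCC = [
    b"220 ProFTPD ready\r\n",
    b"AUTH TLS\r\n",
    b"234 AUTH TLS successful\r\n",
    b"\x16\x03\x01" + b"\x00" * 8,   # TLS handshake
    b"\x17\x03\x03" + b"\x00" * 8,   # encrypted USER/PASS (and CCC, if sent)
    b"\x17\x03\x03" + b"\x00" * 8,   # encrypted PASV and its 227 reply
]
WITH_CCC = WITHOUT_CCC[:5] + [
    b"\x15\x03\x03" + b"\x00" * 8,   # TLS alert closing the session after CCC
    b"PASV\r\n",
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n",
]

if __name__ == "__main__":
    print(pinholes(WITHOUT_CCC, "192.0.2.10"))
    print(pinholes(WITH_CCC, "192.0.2.10"))
```

CCC only clears the control channel, so the login is still sent under TLS before the switch and the data connection can stay protected, but everything after CCC on the control channel is readable and unauthenticated in transit.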

_______________________________________________
ProFTPD Users List