JetBrains / teamcity-deployer-plugin

Deployer plugin for TeamCity CI server
http://confluence.jetbrains.net/display/TW/Deployer+plugin
Apache License 2.0

FTPES doesn't perform proper security negotiation #110

Open climons opened 4 years ago

climons commented 4 years ago
  1. Earlier I had encountered problems with publishing over FTPS from TC to Azure, with Azure FTP configured to FTPS only. A fragment of the TC agent log is attached. A Wireshark packet capture is attached as well (badFTPS.zip, client is on subnet 10.x). One can see that negotiation between client and server is going supposedly well, then after a timeout of 75 sec the server bails out. Not sure why it happens. SSLPoke doesn't complain about the secure connection to Azure FTPS on port 990 from the build agent JRE. WinSCP is accessing that Azure URL over FTPS (FTP + implicit encryption) with no problem either from the same machine. I even obtained certificates from that Azure FTPS URL via openssl and added them to the TC build agent Java cacerts. It didn't help. But that's not the main issue for now.

badFTPS.zip build_agent.log

  2. At the same time, deployment via FTPS from VS2019 on a different system to the same Azure site is performed without any problem. I took a look at the packets captured there and was surprised to learn that FTPES is actually used there, i.e. explicit encryption. Not FTPS proper, with implicit encryption. I thought it was fine, maybe FTPES would work on TC deployment as well. It did. At least it seemed to, as all the files were deployed successfully. Until I analyzed the packets there and found out that no TLS negotiation is performed and all the deployment objects are transferred unencrypted.

The starting packet capture from the good VS deployment is attached (goodFTPES.zip, client is on local subnet 192.x). One can see from packets 9-10 that TLS negotiation is expected. Indeed, after the exchange on port 21 using clear FTP, TLSv1.2 negotiation takes place in packets 61-63, with Client Hello and Server Hello. The requested file is transferred encrypted. Negotiation is repeated for the next file (packets 153-155) and so on. Nothing of that is in the packets captured from the FTPES deployment on TC (badFTPS.zip, again client is on subnet 10.x), except the promising TLS Negotiations (packets 4-5). After a similar exchange sequence (packets 56-60 on good FTPES, 87-91 on the bad one), the TC plugin starts streaming the unencrypted file (bad packet 92). Just a glance at the packet content reveals plain content. While at the same time TLS negotiation is performed on good FTPES. Shouldn't this be done by the TC deployer plugin as well? Looking forward to hearing back. Thanks.

goodFTPES.zip badFTPES.zip
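The behaviour in the report (TLS on the control connection, cleartext file payloads) matches explicit FTPS without a negotiated `PROT P`: per RFC 4217, `AUTH TLS` only wraps port 21, and every data connection stays in the clear until the server accepts `PROT P`. Below is an added example, not part of this issue or of the plugin's code, that audits a control-channel transcript for exactly that gap and shows the client sequence that avoids it; the transcripts are constructed, not taken from the attached captures.

```python
from ftplib import FTP_TLS

DATA_CMDS = {"STOR", "RETR", "LIST", "NLST", "MLSD", "APPE", "STOU"}

def audit_transcript(lines):
    """Walk a control-channel transcript ('C: <command>' / 'S: <reply>' lines, in order)
    and return [(command, reason)] for every data transfer issued while the data
    channel was not protected. Mirrors RFC 4217: AUTH TLS only wraps the control
    connection; data connections stay cleartext until the server accepts PROT P."""
    control_tls = False
    prot = "C"                      # RFC 4217 default protection level: Clear
    pending = None                  # last client command awaiting its reply
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            pending = (verb.upper(), arg.strip().upper())
            if pending[0] in DATA_CMDS:
                if not control_tls:
                    findings.append((text, "AUTH TLS never completed; everything is cleartext"))
                elif prot != "P":
                    findings.append((text, "PROT P not negotiated; file payload is cleartext"))
        elif side == "S" and pending:
            code = text[:3]
            if pending[0] == "AUTH" and code == "234":
                control_tls = True          # server agreed to upgrade the control channel
            elif pending[0] == "PROT" and code == "200":
                prot = pending[1]           # server accepted PROT C or PROT P
            pending = None
    return findings

# Constructed transcripts. BAD_FTPES mirrors the report: TLS is negotiated on
# port 21, yet the upload starts without PROT P, so the payload goes in the clear.
BAD_FTPES = [
    "C: AUTH TLS", "S: 234 AUTH command ok. Expecting TLS Negotiation.",
    "C: USER deploy", "S: 331 Password required", "C: PASS ****", "S: 230 User logged in.",
    "C: PASV", "S: 227 Entering Passive Mode (10,0,0,5,19,137).",
    "C: STOR site/index.html", "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
]
GOOD_FTPES = BAD_FTPES[:2] + ["C: PBSZ 0", "S: 200 PBSZ=0",
                              "C: PROT P", "S: 200 PROT command successful."] + BAD_FTPES[2:]

def upload_with_protected_data(host, user, password, local_path, remote_name):
    """Client sequence that produces the GOOD transcript with Python's ftplib
    (assumes a reachable explicit-TLS server; not exercised offline)."""
    ftps = FTP_TLS(host)
    ftps.login(user, password)      # issues AUTH TLS before sending credentials
    ftps.prot_p()                   # PBSZ 0 + PROT P: encrypt every data connection
    with open(local_path, "rb") as fh:
        ftps.storbinary(f"STOR {remote_name}", fh)
    ftps.quit()
```

Running `audit_transcript` over the command/reply pairs decoded from a capture is a quick way to confirm whether a client ever requested data-channel protection before transferring files.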