Last active
February 4, 2016 08:24
-
-
Save ericpardee/93c76e0e34165cb4c842 to your computer and use it in GitHub Desktop.
IBM Aspera Connect Disables Encryption
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Ran into a situation where a facility I work with opened a Trouble Ticket of Aspera Uploads failing, upload keeps stalling. | |
| The progress bar in the UI would get to the end but it would never finish. | |
| I opened a case with Aspera Tech Support. While I waited for a response, I installed aspera ascp client on linux host. | |
| The same file transfer went through without issue: | |
| ascp -P 33001 big.mxf [email protected]: | |
| I let the Aspera Connect GUI hang at the end as reported until finally it errored out: | |
| LOG [libssh2] 0.369915 Failure Event: -34 - libssh2_channel_wait_closed() invoked when channel is not in EOF state | |
| ERR [asssh] channel wait close rc=-34 | |
| After a few days of troubleshooting, I was finally able to get ahold of Aspera Support and they pointed me to the issue. | |
| The Issue: | |
| https://aspera.zendesk.com/entries/95400087 | |
| Basically the network appliance at this particular facility had Deep Packet Inspection enabled which Aspera says was rejecting one particular packet. | |
| My options: | |
| Option 1: | |
| Zip file prior to transfer. The client of the Aspera server we were sending to would not accept zip files, "Please DO NOT ZIP the files". | |
| As I understood it, zipping would disruption their workflow downstream. | |
| Option 2: | |
| Ask client to enable encryption server-side. | |
| The client of the Aspera server we were sending to would not do this despite Aspera's engineer having stated "Enabling encryption won't break anything with other deliveries, but if they have slower/older CPU's, there could be some performance impact." | |
| "We should convince the server side to encrypt your transfers. Please, let them know the recommendation is coming from Aspera Support, and they can enable per-user, so they could do it for your account only." | |
| Option 3: | |
| "Disable the deep packet inspection, at least on UDP traffic which Aspera transfers use" on this facility's network device (Sonicwall). | |
| I wasn't convinced that think this was the issue as I had been successful in sending using Linux ascp. | |
| Option 4: | |
| Train our Aspera operators on how to send files using Linux aspera ascp client... | |
| Unfortunately not easy task with our operator's familiarity with the shell and limited linux access. | |
| As a test, I decided to try Option 3. Low and behold it worked, transfers now went through with Aspera Connect on both Mac and Windows. | |
| When I ran this by the facility's management though, they did not like that we had to sacrifice DPI. | |
| I still felt the Aspera Client for OS X, which I think requires a license, could encrypt transfer in GUI per this page: | |
| https://support.asperasoft.com/hc/en-us/articles/216126788-Error-Client-requests-stronger-encryption-than-server-allows | |
| Aspera Support said I'd need to speak with Sales... | |
| After pushing Aspera Support some more, I found out that there was an ascp bundled within the Aspera Connect... | |
| Mac: | |
| ~/Applications/Aspera Connect.app/Contents/Resources/ascp | |
| Windows: | |
| C:\Users\%username%\AppData\Local\Programs\Aspera\Aspera Connect\bin\ascp.exe | |
| I found an aspera.conf file within the Aspera Connect directory. | |
| In reading the ascp for linux documentation, allowed_cipher in client is enabled by default, which is why my earlier linux commands succeeded, even without DPI off. | |
| So the client of the Aspera server were were sending to did allow encryption, they just didn't mandate it. | |
| This means that the Aspera Connect software is Explicitly Disabling Encryption of Data in Transit (-T)... | |
| As a test, I moved the ascp binary, tried to run Aspera Connect and it failed, which I then knew that it was just calling the binary. | |
| I ended doing the following: | |
| # make new directory | |
| mkdir ~/Applications/Aspera Connect.app/Contents/Resources/new | |
| # mv ascp to new directory | |
| mv ~/Applications/Aspera Connect.app/Contents/Resources/ascp ~/Applications/Aspera Connect.app/Contents/Resources/new/ | |
| # create this file ~/Applications/Aspera Connect.app/Contents/Resources/ascp | |
| #!/bin/bash | |
| my_dir="$(dirname "$0")" | |
| i=0 args=() | |
| for arg in "$@" | |
| do | |
| # remove Disable encryption option | |
| if [[ $arg != "-T" ]] | |
| then | |
| # double quote every argument | |
| arg=\"$arg\" | |
| # add to argument array | |
| args[$i]="$arg" | |
| fi | |
| ((++i)) | |
| done | |
| eval "\"$my_dir/new/ascp\"" "${args[@]}" | |
| My Mac operators can now use the free Aspera Connect app without having to turn off DPI at the facility. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment