Information on how to use the ssl/tls feature for secure ftp

ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Information on how to use the ssl/tls feature for secure ftp

Post by *ghisler(Author) »

Here is some information on how to use the ssl/tls feature. Because of the Swiss crypto export laws, I cannot include the openssl dlls in the install package.

1. Get the compiled OpenSSL package from the LibCurl library:
http://curl.haxx.se/download.html#Win32
Please scroll down to the section named "Win32 - Generic"
and download the following package (or a newer one):
Win32 2000/XP 7.32.0 libcurl SSL enabled Günter Knauf 1.54 MB

2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
3. Now you can make connections with prefix ftps:// and https://

A red open lock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc., do the following:
1. Start Internet Explorer and open its configuration dialog
2. Go to the page "Content"
3. Click on "Certificates"
4. Go to the last page "Trusted root certificate authorities"
5. Select all certificates
6. Click on "Export"
7. As name, enter: rootcerts
8. Confirm with Next/OK. This creates a file rootcerts.p7b
9. Issue the following two commands to convert to openssl format:

openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem

10. Put the file rootcert.pem in the Total Commander directory


[mod]Important notes (31.01.2014):
1. Get the compiled OpenSSL package from the LibCurl library:
32-bit: http://curl.haxx.se/download.html#Win32
In the section named "Win32 - Generic", download the following package:
Win32 2000/XP libcurl SSL enabled Günter Knauf

64-bit: http://curl.haxx.se/download.html#Win64MinGW64
In the section named "Win64 - MinGW64", download the following package:
MinGW64 devel SSL SSH Günter Knauf
2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
The file libssl32.dll has been renamed to ssleay32.dll. So copy the following files:

libeay32.dll
ssleay32.dll
zlib1.dll (optional)
libssh2.dll (optional)

Including the last two dll files will enable you to use the Secure FTP plugin for servers supporting the SSH File Transfer Protocol.

32-bit: Copy the dll files to the Total Commander program folder.
64-bit: Preferably copy the dll files to a folder named "64" in the Total Commander program folder.
3. Now you can make connections with prefix ftps:// and https://
After copying the dll files encrypted connections can be made. Be aware that authentication isn't checked before making a connection. That only happens when a "wincmd.pem" file is used.
A red open lock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc., do the following:
The instructions describe how to export the root certificates from Internet Explorer and convert them to PEM format. Converting the file is done using the openssl program from http://slproweb.com/products/Win32OpenSSL.html. This program nowadays does not function without certain Visual C++ 2008 Redistributables installed.

Much simpler is to download Mozilla's root certificates converted to PEM format by the curl developers.
http://curl.haxx.se/ca/cacert.pem
Simply rename this file to "wincmd.pem"

Another way than mentioned above to export the Internet Explorer root certificates to PEM format:
http://www.ghisler.ch/board/viewtopic.php?p=277381#277381
Step 10. Put the file rootcert.pem in the Total Commander directory
This was changed in the past. Now, the name must be "wincmd.pem" and must be put in the same folder as your wincmd.ini file (see Help/About in Total Commander)

If the wincmd.pem file is present (it can be an empty file too), a connection is not made before passing authentication or getting the user's approval. If a certificate of a site could not be validated using the certificates in the wincmd.pem file, the user is asked for confirmation before the connection is made. When the connection is made, the user can click on the lock icon to permanently accept the certificate. In that case the SHA fingerprint of the certificate is added to the wcx_ftp.ini file. Future connections to the site will be allowed as long as the fingerprint of the site's certificate does not change.

The lock icon can have the following states:
Lock is red and open: Connection is encrypted but not authenticated.
Lock is grey and closed: Connection is encrypted and authenticated.
(for normal FTP connections no lock is shown)

White (moderator)
[/mod]
Last edited by ghisler(Author) on 2013-08-19, 10:10 UTC, edited 2 times in total.
Author of Total Commander
https://www.ghisler.com
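The post above describes two mechanisms: converting an exported PKCS#7 root bundle into the PEM file that becomes wincmd.pem, and, when a chain cannot be validated against that file, pinning the certificate's SHA fingerprint in wcx_ftp.ini so later connections are allowed only while the fingerprint stays the same. The Python below is an added example written for this page, not Total Commander's own code. It models both steps: a filter that keeps every certificate block from "openssl pkcs7 -print_certs" output (the thread's "openssl x509 -in unfiltered.pem -out rootcert.pem" step reads a single certificate and so keeps only the first root of a bundle), and a trust-on-first-use decision function with a fingerprint store. All function names, the INI section name, and the sample inputs are constructed for this example; the real layout of wcx_ftp.ini is not documented on this page, and the TLS library's chain check is taken as a boolean input rather than re-implemented.

```python
import hashlib
import io
import re
from configparser import ConfigParser
from typing import List, Optional

# One PEM certificate block. "openssl pkcs7 -print_certs" writes
# "subject=..." / "issuer=..." lines before each block; only the blocks
# belong in wincmd.pem.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample of "openssl pkcs7 -print_certs" output. The base64 bodies
# are placeholders, not real certificates; nothing below decodes them.
SAMPLE_PRINT_CERTS = """subject=/C=US/O=Example Root CA/CN=Example Root 1
issuer=/C=US/O=Example Root CA/CN=Example Root 1
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootOne
-----END CERTIFICATE-----

subject=/C=US/O=Example Root CA/CN=Example Root 2
issuer=/C=US/O=Example Root CA/CN=Example Root 2
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootTwo
-----END CERTIFICATE-----
"""


def extract_pem_certificates(print_certs_output: str) -> List[str]:
    """Return every PEM certificate block, in order, with CRLF normalised."""
    return [m.group(0).replace("\r\n", "\n")
            for m in PEM_BLOCK.finditer(print_certs_output)]


def build_wincmd_pem(print_certs_output: str) -> str:
    """Concatenate all blocks into the text to save as wincmd.pem.

    Unlike "openssl x509 -in unfiltered.pem -out rootcert.pem", which emits
    only the first certificate it reads, this keeps the whole bundle.
    """
    blocks = extract_pem_certificates(print_certs_output)
    return "\n".join(blocks) + "\n" if blocks else ""


def sha1_fingerprint(cert_der: bytes) -> str:
    """SHA-1 over the DER encoding, colon-separated, as most tools display it."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintStore:
    """Hypothetical stand-in for the fingerprint entries the post says are
    written to wcx_ftp.ini. Section and key layout are constructed here."""
    SECTION = "AcceptedCertificates"  # assumed name, not Total Commander's

    def __init__(self, ini_text: str = "") -> None:
        self.cfg = ConfigParser()
        self.cfg.read_string(ini_text)
        if not self.cfg.has_section(self.SECTION):
            self.cfg.add_section(self.SECTION)

    def pinned(self, host: str) -> Optional[str]:
        return self.cfg.get(self.SECTION, host, fallback=None)

    def pin(self, host: str, fingerprint: str) -> None:
        """Called when the user clicks the lock to accept the certificate."""
        self.cfg.set(self.SECTION, host, fingerprint)

    def dump(self) -> str:
        buf = io.StringIO()
        self.cfg.write(buf)
        return buf.getvalue()


def decide_connection(host: str, cert_der: bytes, chain_validates: bool,
                      store: FingerprintStore,
                      trust_store_present: bool = True) -> str:
    """Model of the behaviour described in the post.

    Returns:
      "plain"         no wincmd.pem: connect encrypted but unauthenticated
      "authenticated" chain validated against wincmd.pem (grey closed lock)
      "pinned"        chain failed, but the fingerprint was accepted earlier
      "ask-user"      chain failed and no matching pin: prompt before connecting
    """
    if not trust_store_present:
        return "plain"
    if chain_validates:
        return "authenticated"
    if store.pinned(host) == sha1_fingerprint(cert_der):
        return "pinned"
    return "ask-user"
```

The important edge case is the last branch: a previously pinned host whose certificate changes falls back to "ask-user" rather than silently connecting, which is what the post promises ("as long as the fingerprint of the certificate of the site does not change").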
DarkRuleR
Member
Posts: 190
Joined: 2003-02-20, 22:23 UTC
Location: Netherlands

Post by *DarkRuleR »

Hi,

First of all thanks for adding ssl/tls support.
What a great new feature!

Is it possible to specify a path where TC searches for the dlls?
Maybe an INI entry?

Greetz,

DR...
#106383 Windows 10 Pro 64-bit
PuzoM
Junior Member
Posts: 45
Joined: 2005-04-20, 10:24 UTC

Post by *PuzoM »

Hi Christian,

So both the OpenSSL package and the DLLs are mandatory for SSL to work?
I mean I want to use Tcmd portable as well so I'd not like to install extra software on systems where I use Tcmd on.
Please confirm that only libeay32.dll, libssl32.dll, rootcert.pem are needed and so I don't need to install OpenSSL on different.

Oh and extra step after you created the rootcerts.p7b:

Copy rootcerts.p7b to C:\OpenSSL\bin\ (default installation folder of OpenSSL). Then run the 2 commands from inside that bin folder.
Cheers!
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Is it possible to specify a path where TC searches for the dlls?
No. For security reasons, only dlls in the program directory will be used.
Please confirm that only libeay32.dll, libssl32.dll, rootcert.pem are needed and so I don't need to install OpenSSL on different.
This is correct, you need just these 3 files. The OpenSSL installation is needed only to get the two dlls, and to convert the Internet Explorer root certificates to the OpenSSL format.
Author of Total Commander
https://www.ghisler.com
Symlink
Junior Member
Posts: 18
Joined: 2005-01-21, 14:55 UTC
Location: .at

Post by *Symlink »

Do I understand it correctly that for now it is not possible to use this feature from within the ftp server connection dialog (ctrl+f) but only with new connection (ctrl+n)?
Thanks!
Regards,
S.
Sir_SiLvA
Power Member
Posts: 3278
Joined: 2003-05-06, 11:46 UTC

Post by *Sir_SiLvA »

Symlink: no, you can use it inside Ctrl+F if you write ftps instead of ftp :!:
Hoecker, you're out!
Mikefield
Power Member
Posts: 628
Joined: 2006-02-26, 19:13 UTC
Location: Oberursel, Germany HE

Post by *Mikefield »

Hi, I've done everything as described above and tried to connect to an ssl server (Red Hat Linux), but it didn't work.

This is shown in the connecting window when I use ftps://10.87.2.150

----------
Connect to: (02.11.2006 14:57:09)
hostname=10.87.2.150
username=dadmin
startdir=

Then comes an error, "Verbindung nicht erfolgreich"


This is shown in the connecting window when I use ftps://10.87.2.150:22,
but ftps:// is not necessary.

----------
Connect to: (02.11.2006 14:57:34)
hostname=10.87.2.150:22
username=dadmin
startdir=
SSH-2.0-OpenSSH_3.4p1

And nothing happens.


Any ideas?

mf
848
Junior Member
Posts: 21
Joined: 2003-08-10, 19:33 UTC
Location: The Netherlands

Post by *848 »

Mikefield
Power Member
Posts: 628
Joined: 2006-02-26, 19:13 UTC
Location: Oberursel, Germany HE

Post by *Mikefield »

Hmm, are there differences between ssl/tls and SSH?
Can we have ssh in the final release?

mf
848
Junior Member
Posts: 21
Joined: 2003-08-10, 19:33 UTC
Location: The Netherlands

Post by *848 »

I strongly agree. This is number one on my wishlist for TC.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Unfortunately I cannot support SSH. There are no SSH DLLs, and writing my own is prohibited by the Swiss crypto export laws.
Author of Total Commander
https://www.ghisler.com
Teal_One
Junior Member
Posts: 30
Joined: 2004-08-17, 18:11 UTC

TLS doesn't work here

Post by *Teal_One »

Thanks a lot for the SSL/TLS feature. However it doesn't work for me :cry:.

---------
Connect to: (03.11.2006 21:41:52)
hostname=ftp.xxxxx.de
username=XXXXXXX
startdir=
ftp.xxxxx.de=81.92.X.XXX
220 ProFTPD 1.2.10 Sever (www.XXXX*)
AUTH TLS
234 AUTH TLS successful
Cert subject: /C=DE/ST=Some-State/L=XXX/O=XXX*
Cert issuer: /C=DE/ST=Some-State/L=XXX/O=XXX*
USER XXXXX
331 Password required for XXXXX
PASS ***********



Verbindung nicht erfolgreich!
Can anyone help me? Do you need more information? Which? Should I ask the owner of the ftp server?
Opera|TheBat|TotalCommander|Kaspersky|IrfanView|WinRAR
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

First, try to find out whether it's a server problem, or on your side. Try to connect anonymously to our forum server:
ftps://ghisler.ch/

It doesn't use a signed certificate, but you can verify whether you can connect or not.

If you can, you should see just one directory, incoming. If this works, please contact the owner of your server for help. If it doesn't work, please report what dlls you installed.
Author of Total Commander
https://www.ghisler.com
oldhouse
Junior Member
Posts: 3
Joined: 2006-11-06, 11:28 UTC

Post by *oldhouse »

What can I do if I have to accept a certificate from the ftp server I connect to? It isn't among the locally installed certificates, so it doesn't work with the certificate.pem procedure.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2oldhouse
You can add the public key of that certificate to the pem file!
Author of Total Commander
https://www.ghisler.com