Total Commander Forum - Public Discussion and Support

Information on how to use the ssl/tls feature for secure ftp
ghisler(Author)
Site Admin
Joined: 04 Feb 2003
Posts: 28534
Location: Switzerland

Posted: Wed Nov 01, 2006 5:15 pm    Post subject: Information on how to use the ssl/tls feature for secure ftp

Here is some information on how to use the ssl/tls feature. Because of the Swiss crypto export laws, I cannot include the openssl dlls in the install package.

1. Get the compiled OpenSSL package from the LibCurl library:
http://curl.haxx.se/download.html#Win32
Please scroll down to the section named "Win32 - Generic"
and download the following package (or a newer one):
Win32 2000/XP 7.32.0 libcurl SSL enabled Günter Knauf 1.54 MB

2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
3. Now you can make connections with prefix ftps:// and https://

A red open lock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc., do the following:
1. Start Internet Explorer and open its configuration dialog
2. Go to the page "Content"
3. Click on "Certificates"
4. Go to the last page "Trusted root certificate authorities"
5. Select all certificates
6. Click on "Export"
7. As name, enter: rootcerts
8. Confirm with Next/OK. This creates a file rootcerts.p7b
9. Issue the following two commands to convert to openssl format:

openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem

10. Put the file rootcert.pem in the Total Commander directory


Moderation:
Important notes (31.01.2014):

Quote:
1. Get the compiled OpenSSL package from the LibCurl library:

32-bit: http://curl.haxx.se/download.html#Win32
In the section named "Win32 - Generic", download the following package:
Win32 2000/XP libcurl SSL enabled Günter Knauf

64-bit: http://curl.haxx.se/download.html#Win64MinGW64
In the section named "Win64 - MinGW64", download the following package:
MinGW64 devel SSL SSH Günter Knauf

Quote:
2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).

The file libssl32.dll has been renamed to ssleay32.dll. So copy the following files:

libeay32.dll
ssleay32.dll
zlib1.dll (optional)
libssh2.dll (optional)

Including the last two dll files will enable you to use the Secure FTP plugin for servers supporting the SSH File Transfer Protocol.

32-bit: Copy the dll files to the Total Commander program folder.
64-bit: Preferably copy the dll files to a folder named "64" in the Total Commander program folder.

Quote:
3. Now you can make connections with prefix ftps:// and https://

After copying the dll files encrypted connections can be made. Be aware that authentication isn't checked before making a connection. That only happens when a "wincmd.pem" file is used.

Quote:
A red open lock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc., do the following:

The instructions describe how to export the root certificates from Internet Explorer and convert them to PEM format. Converting the file is done using the openssl program from http://slproweb.com/products/Win32OpenSSL.html. This program nowadays does not function without certain Visual C++ 2008 Redistributables installed.

Much simpler is to download Mozilla's root certificates converted to PEM format by the curl developers.
http://curl.haxx.se/ca/cacert.pem
Simply rename this file to "wincmd.pem"

Another way than mentioned above to export the Internet Explorer root certificates to PEM format:
http://www.ghisler.ch/board/viewtopic.php?p=277381#277381

Quote:
Step 10. Put the file rootcert.pem in the Total Commander directory

This was changed in the past. Now, the name must be "wincmd.pem" and must be put in the same folder as your wincmd.ini file (see Help/About in Total Commander)

If the wincmd.pem file is present (it can be an empty file too), a connection is not made before passing authentication or the user's approval. If a certificate of a site could not be validated using the certificates in the wincmd.pem file, the user is asked for confirmation before making the connection. When the connection is made, the user can click on the lock icon to permanently accept the certificate. In that case the SHA fingerprint of the certificate is added to the wcx_ftp.ini file. Future connections to the site will be allowed as long as the fingerprint of the certificate of the site does not change.

The lock icon can have the following states:
Lock is red and open: Connection is encrypted but not authenticated.
Lock is grey and closed: Connection is encrypted and authenticated.
(for normal FTP connections no lock is shown)

White (moderator)

_________________
Author of Total Commander
http://www.ghisler.com


Last edited by ghisler(Author) on Mon Aug 19, 2013 4:10 am; edited 2 times in total
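
Added example, not part of the original posts and not Total Commander's code: a Python model of the connect/ask decision the moderation note describes for wincmd.pem and accepted fingerprints. The `pins` dictionary (standing in for the entry kept in wcx_ftp.ini), SHA-256 as the digest, and exact bundle membership in place of full chain validation are assumptions; the sample certificates are constructed placeholder bytes.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_bundle(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle.
    Text between blocks (subject=/issuer= lines, comments) is ignored."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]

def fingerprint(der):
    # Assumption: SHA-256 over the DER encoding; the post only says "SHA".
    return hashlib.sha256(der).hexdigest()

def decide(host, server_der, pem_text, pins):
    """pem_text is None when no wincmd.pem exists; pins maps host -> fingerprint
    (hypothetical stand-in for what is stored in wcx_ftp.ini)."""
    if pem_text is None:
        return "connect-unauthenticated"   # encrypted only, nothing checked
    if server_der in load_bundle(pem_text):
        return "connect-validated"         # simplified: exact match in bundle
    if pins.get(host) == fingerprint(server_der):
        return "connect-pinned"            # user accepted this exact cert before
    return "ask-user"                      # unknown or changed certificate

def accept_permanently(host, server_der, pins):
    """Model of clicking the lock icon: remember the current fingerprint."""
    pins[host] = fingerprint(server_der)

def as_pem(der):
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes, not real X.509 certificates.
ROOT_DER = b"constructed-root-ca"
SITE_DER = b"constructed-self-signed-site"
ROTATED_DER = b"constructed-replacement-site"
BUNDLE = "subject=/O=Constructed Root\n" + as_pem(ROOT_DER)

if __name__ == "__main__":
    pins = {}
    host = "ftp.example.test"
    print(decide(host, SITE_DER, None, pins))     # no wincmd.pem at all
    print(decide(host, SITE_DER, BUNDLE, pins))   # not in bundle, not pinned
    accept_permanently(host, SITE_DER, pins)
    print(decide(host, SITE_DER, BUNDLE, pins))   # same cert, now pinned
    print(decide(host, ROTATED_DER, BUNDLE, pins))  # cert changed
```

The last call is the case that matters operationally: once the server's certificate changes, the stored fingerprint no longer matches and the user is prompted again.
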

DarkRuleR
Member
Joined: 20 Feb 2003
Posts: 174
Location: Netherlands

Posted: Thu Nov 02, 2006 2:47 am

Hi,

First of all thanx for adding ssl/tls support.
What a great new feature!

Is it possible to specify a path where TC searches for the dlls?
Maybe an INI entry?

Greetz,

DR...
_________________
#106383 Windows 8.1 Pro 64-bit

PuzoM
Junior Member
Joined: 20 Apr 2005
Posts: 45

Posted: Thu Nov 02, 2006 3:02 am

Hi Christian,

So both the OpenSSL package and the DLLs are mandatory for SSL to work?
I mean I want to use Tcmd portable as well so I'd not like to install extra software on systems where I use Tcmd on.
Please confirm that only libeay32.dll, libssl32.dll, rootcert.pem are needed and so I don't need to install OpenSSL on different.

Oh and extra step after you created the rootcerts.p7b:

Code:
Copy rootcerts.p7b to C:\OpenSSL\bin\ (default installation folder of OpenSSL). Then run the 2 commands from inside that bin folder.


Cheers!

ghisler(Author)
Site Admin
Joined: 04 Feb 2003
Posts: 28534
Location: Switzerland

Posted: Thu Nov 02, 2006 10:00 am

Quote:
Is it possible to specify a path where TC searches for the dlls?

No. For security reasons, only dlls in the program directory will be used.

Quote:
Please confirm that only libeay32.dll, libssl32.dll, rootcert.pem are needed and so I don't need to install OpenSSL on different.

This is correct, you need just these 3 files. The OpenSSL installation is needed only to get the two dlls, and to convert the Internet Explorer root certificates to the OpenSSL format.
_________________
Author of Total Commander
http://www.ghisler.com

Symlink
Junior Member
Joined: 21 Jan 2005
Posts: 15
Location: .at

Posted: Thu Nov 02, 2006 2:12 pm

Do I understand it correctly that for now it is not possible to use this feature from within the ftp server connection dialog (ctrl+f) but only with new connection (ctrl+n)?
Thanks!
Regards,
S.

Sir_SiLvA
Power Member
Joined: 06 May 2003
Posts: 2755

Posted: Thu Nov 02, 2006 2:49 pm

Symlink: no u can use it inside strg+f if u write ftps instead of ftp!

Mikefield
Power Member
Joined: 26 Feb 2006
Posts: 522
Location: Thießen, Germany SA

Posted: Thu Nov 02, 2006 3:16 pm

Hi, I've done everything as described above and tried to connect to an ssl server (Red Hat Linux), but it didn't work.

This is shown in the connecting window when I use ftps://10.87.2.150

----------
Connect to: (02.11.2006 14:57:09)
hostname=10.87.2.150
username=dadmin
startdir=

Then comes an error, "Verbindung nicht erfolgreich"


This is shown in the connecting window when I use ftps://10.87.2.150:22,
but ftps:// is not necessary.

----------
Connect to: (02.11.2006 14:57:34)
hostname=10.87.2.150:22
username=dadmin
startdir=
SSH-2.0-OpenSSH_3.4p1

And nothing happens.


Any ideas?

mf

848
Junior Member
Joined: 10 Aug 2003
Posts: 21
Location: The Netherlands

Posted: Thu Nov 02, 2006 4:38 pm

Maybe this post can help?

http://www.ghisler.ch/board/viewtopic.php?t=12063

Mikefield
Power Member
Joined: 26 Feb 2006
Posts: 522
Location: Thießen, Germany SA

Posted: Fri Nov 03, 2006 12:34 am

Hmm, are there differences between ssl/tls and SSH?
Can we have ssh in the final release?

mf

848
Junior Member
Joined: 10 Aug 2003
Posts: 21
Location: The Netherlands

Posted: Fri Nov 03, 2006 2:12 am

I strongly agree. This is number one on my wishlist for TC.

ghisler(Author)
Site Admin
Joined: 04 Feb 2003
Posts: 28534
Location: Switzerland

Posted: Fri Nov 03, 2006 12:22 pm

Unfortunately I cannot support SSH. There are no SSH DLLs, and writing my own is prohibited by the Swiss crypto export laws.
_________________
Author of Total Commander
http://www.ghisler.com

Teal_One
Junior Member
Joined: 17 Aug 2004
Posts: 30

Posted: Fri Nov 03, 2006 2:54 pm    Post subject: TLS doesn't work here

Thanks a lot for the SSL/TLS feature. However, it doesn't work for me.

Code:

---------
Connect to: (03.11.2006 21:41:52)
hostname=ftp.xxxxx.de
username=XXXXXXX
startdir=
ftp.xxxxx.de=81.92.X.XXX
220 ProFTPD 1.2.10 Sever (www.XXXX*)
AUTH TLS
234 AUTH TLS successful
Cert subject: /C=DE/ST=Some-State/L=XXX/O=XXX*
Cert issuer: /C=DE/ST=Some-State/L=XXX/O=XXX*
USER XXXXX
331 Password required for XXXXX
PASS ***********



Verbindung nicht erfolgreich!


Can anyone help me? Do you need more information? Which? Should I ask the owner of the ftp server?
_________________
Opera|TheBat|TotalCommander|Kaspersky|IrfanView|WinRAR

ghisler(Author)
Site Admin
Joined: 04 Feb 2003
Posts: 28534
Location: Switzerland

Posted: Sun Nov 05, 2006 9:57 am

First, try to find out whether it's a server problem, or on your side. Try to connect anonymously to our forum server:
ftps://ghisler.ch/

It doesn't use a signed certificate, but you can verify whether you can connect or not.

If you can, you should see just one directory, incoming. If this works, please contact the owner of your server for help. If it doesn't work, please report what dlls you installed.
_________________
Author of Total Commander
http://www.ghisler.com

oldhouse
Junior Member
Joined: 06 Nov 2006
Posts: 3

Posted: Mon Nov 06, 2006 5:40 am

What can I do if I have to accept a certificate from the ftp I connect to? It isn't displayed in the locally installed certificates so it doesn't work with the certificate.pem procedure.

ghisler(Author)
Site Admin
Joined: 04 Feb 2003
Posts: 28534
Location: Switzerland

Posted: Mon Nov 06, 2006 10:28 am

2oldhouse
You can add the public key of that certificate to the pem file!
_________________
Author of Total Commander
http://www.ghisler.com

All times are GMT - 6 Hours
Page 1 of 7


Impressum: This site is maintained by Ghisler Software GmbH

Using phpBB © 2001-2005 phpBB Group