Information on how to use the ssl/tls feature for secure ftp


oldhouse
Junior Member
Posts: 3
Joined: 2006-11-06, 11:28 UTC

Post by *oldhouse »

Do you have any web link on how to do so? I really don't have any idea...
franck8244
Power Member
Posts: 703
Joined: 2003-03-06, 17:37 UTC
Location: Geneva...

Post by *franck8244 »

For those who want to test the new ftp / ssl features:

ftps server : 194.146.111.60
username : pub_tc_user
passwd : tctest

pub key of the server (save as rootcert.pem)

Uploaded files will be removed every hour...

Franck
TC#88260 -
oldhouse
Junior Member
Posts: 3
Joined: 2006-11-06, 11:28 UTC

Post by *oldhouse »

How can I get the public key from a site where I don't own certificate?
Teal_One
Junior Member
Posts: 30
Joined: 2004-08-17, 18:11 UTC

Post by *Teal_One »

ghisler(Author) wrote: Try to connect anonymously to our forum server:
ftps://ghisler.ch/
I did, however it hung on the command "LIST".

----------
Connect to: (07.11.2006 16:46:28)
hostname=ghisler.ch
username=anonymous
startdir=
ghisler.ch=204.157.1.65
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 6 of 50 allowed.
220-Local time is now 10:46. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Cert subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
Cert issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
USER anonymous
230 Anonymous user logged in
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
Connect ok!
CWD /
250 OK. Current directory is /
PWD
257 "/" is your current location
Verzeichnis einlesen
TYPE A
200 TYPE is now ASCII
PORT 85,216,78,207,5,237
200 PORT command successful
LIST
Taste 'Abbrechen' betätigt!
franck8244 wrote: ftps server : 194.146.111.60
username : pub_tc_user
passwd : tctest
Thanks a lot, however I have the same problem: it hangs on the "LIST" command.

So three different servers, same problem (the problem I reported first is gone).

I use version 0.9.8d of libeay32.dll and libssl32.dll

be484325e8d904b61d769bdcec66bbb0 *libeay32.dll
57053e0ed5d31f7f776f9481d5d5cd83 *libssl32.dll
Opera|TheBat|TotalCommander|Kaspersky|IrfanView|WinRAR
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Post by *ghisler(Author) »

Try passive mode.
Author of Total Commander
https://www.ghisler.com
norfie²
Power Member
Posts: 986
Joined: 2006-02-10, 07:27 UTC

Post by *norfie² »

I got no successful connection. Probably the router is the reason? The same error message appears with passive mode.

----------
Connect to: (07.11.2006 16:51:08)
hostname=ghisler.ch
username=anonymous
startdir=
ghisler.ch=204.157.1.65
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 10:51. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Cert subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
Cert issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
USER anonymous
230 Anonymous user logged in
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
Connect ok!
PWD
257 "/" is your current location
Verzeichnis einlesen
TYPE A
200 TYPE is now ASCII
PORT 192,168,102,2,5,106
500 I won't open a connection to 192.168.102.2 (only to 85.216.78.207)
franck8244
Power Member
Posts: 703
Joined: 2003-03-06, 17:37 UTC
Location: Geneva...

Post by *franck8244 »

2norfie²

That's indeed your router's problem...
TC#88260 -
848
Junior Member
Posts: 21
Joined: 2003-08-10, 19:33 UTC
Location: The Netherlands

ftps:// option does not work with a proxy

Post by *848 »

To establish an FTPS connection the URL must be entered like ftps://ghisler.ch. This does not work well when connecting through a proxy. TC sends the URL including ftps:// to the proxy. The proxy does not know what to do with it.

This is sent, for example:

GET ftp://ftps://ghisler.ch/ HTTP/1.0
Host: ftps://ghisler.ch
User-Agent: Mozilla/4.0 (compatible; Totalcmd; Windows XP)

TC should omit ftps:// from the URL sent to the proxy.

Maybe it is possible to enable FTPS via an optionbox like "Use firewall"? If so, this option should also be available with ctrl-n.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Post by *ghisler(Author) »

norfie² wrote: PORT 192,168,102,2,5,106
You are still in port mode! You need to switch that specific connection to passive mode, it's stored in the settings of each connection.
848 wrote: To establish a FTPS connection the URL must be entered like ftps://ghisler.ch This does not work well when connecting through a proxy.
Do not use the HTTP proxy with ftp support for ftps. It's a clear text http connection, and doesn't support encrypted ftp.
Instead, use the other HTTP proxy option HTTP CONNECT!
Author of Total Commander
https://www.ghisler.com
Teal_One
Junior Member
Posts: 30
Joined: 2004-08-17, 18:11 UTC

Post by *Teal_One »

ghisler(Author) wrote: Try passive mode.
:D Yes, now it works. Thanks - but why is there the "insecure" icon (open key)?
Opera|TheBat|TotalCommander|Kaspersky|IrfanView|WinRAR
norfie²
Power Member
Posts: 986
Joined: 2006-02-10, 07:27 UTC

Post by *norfie² »

ghisler(Author) wrote:
PORT 192,168,102,2,5,106
You are still in port mode! You need to switch that specific connection to passive mode, it's stored in the settings of each connection.
Same error with passive mode.
wcx_ftp.ini wrote:
[ftps-Test Ghisler]
host=ftps://ghisler.ch
username=anonymous
anonymous=1
pasvmode=1

----------
Connect to: (08.11.2006 18:22:05)
hostname=ghisler.ch
username=anonymous
startdir=
ghisler.ch=204.157.1.65
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 12:21. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Cert subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
Cert issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
USER anonymous
230 Anonymous user logged in
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
Connect ok!
PWD
257 "/" is your current location
Verzeichnis einlesen
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (204,157,1,65,120,47)
PORT 192,168,102,2,4,183
500 I won't open a connection to 192.168.102.2 (only to 85.216.78.7)
EDIT: If I disable the firewall it works as expected. Which additional ports have to be enabled for it to work? FTPS port 990 is enabled already.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Post by *ghisler(Author) »

You cannot open a fixed outgoing port for that - ftp and ftps use random ports for data connections, as you can see in the response to the PASV command (the last two numbers form the port).
Author of Total Commander
https://www.ghisler.com
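As an added example (not code from the thread or from Total Commander itself), a small Python parser for session logs like the ones quoted above: it decodes the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply (port = p1 * 256 + p2, the "last two numbers" from the post above), flags a PORT command that advertises a private address (the router/NAT symptom behind the "500 I won't open a connection" reply), and records whether PROT P was accepted or the server fell back to a clear-text data channel, as in the "534 Fallback to [C]" lines. The sample log is constructed from lines excerpted in this thread.

```python
import ipaddress
import re

# Constructed sample: lines excerpted from the Total Commander FTPS session
# logs quoted in this thread, not a live capture.
SAMPLE_LOG = """\
AUTH TLS
234 AUTH TLS OK.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
PASV
227 Entering Passive Mode (204,157,1,65,120,47)
PORT 192,168,102,2,4,183
500 I won't open a connection to 192.168.102.2 (only to 85.216.78.7)
"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply.
    The data port is p1 * 256 + p2; returns (host, port) or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze_session(log):
    """Summarise a session log: every data-channel endpoint announced, whether
    PROT P was accepted (True) or refused with a clear-text fallback (False),
    and whether the client put a private address in PORT (the NAT symptom)."""
    findings = {"data_endpoints": [], "data_encrypted": None, "private_port_addr": False}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("PROT P"):
            reply = lines[i + 1] if i + 1 < len(lines) else ""
            findings["data_encrypted"] = reply.startswith("200")
        elif line.startswith(("PORT ", "227 ")):
            decoded = decode_hostport(line)
            if decoded is None:
                continue
            host, port = decoded
            findings["data_endpoints"].append((line.split()[0], host, port))
            if line.startswith("PORT ") and ipaddress.ip_address(host).is_private:
                findings["private_port_addr"] = True
    return findings
```

Run against the sample, the PASV reply decodes to 204.157.1.65:30767, the PORT line is flagged as private, and data_encrypted is False because the server answered PROT P with 534.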
OutlawZ
Junior Member
Posts: 5
Joined: 2006-11-12, 21:40 UTC

Post by *OutlawZ »

Hi!

I have a problem.

Tried the new ftps feature. I've copied all the required files to tc's dir (ssleay32.dll, libeay32.dll and even tried libssl32.dll and rootcerts.pem) and always get the error msg:
OpenSSL Library not found!

What can/should I do to get it to work?

Regards,

OutlawZ
Clo
Moderator
Posts: 5731
Joined: 2003-12-02, 19:01 UTC
Location: Bordeaux, France
Contact:

Version ?

Post by *Clo »

2OutlawZ

:) Hello ! Welcome aboard !

• Please check if you have a correct version:
- Here I have 0.9.8.1 and that works.

:mrgreen:  Kind regards,
Claude
Clo
#31505 Traducteur Français de TC French translator Aide en Français Tutoriels Français English Tutorials
OutlawZ
Junior Member
Posts: 5
Joined: 2006-11-12, 21:40 UTC

Post by *OutlawZ »

Thanks a lot!

It looks like I tried DLLs that were too old, and I have just installed OpenSSL on my PC. Now with 0.9.8d it seems to work.

Is it possible the problem was that I hadn't installed OpenSSL, just downloaded the DLLs, or simply that the versions of the DLLs were wrong?

Thanks a lot again
And thanks for the welcome ;)

Regards

OutlawZ