Information on how to use the ssl/tls feature for secure ftp


Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

Well, that shows another possibility. As the author himself says it's not tested, maybe he's doing that "lite" version of SSL shutdown. And IIS (where it works) may be just more tolerant. At least we have now found enough different server software to test with.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Indeed TC doesn't shut down the SSL connection, it just clears the control channel. This works fine with some servers, but not with all. Calling SSL_shutdown followed by a loop of SSL_read calls seems to fix the problem. I will add it to beta 18.
Author of Total Commander
https://www.ghisler.com
gulikoza
Junior Member
Posts: 26
Joined: 2006-09-28, 11:23 UTC

Post by *gulikoza »

Thanks for looking into this :D
gulikoza
Junior Member
Posts: 26
Joined: 2006-09-28, 11:23 UTC

Post by *gulikoza »

Just tested beta18 and it seems to correctly shut down TLS on the control channel now. But it fails to build the data connection. The (ftp) logs show:

starting TLS negotiation on data connection

but it does not complete. Without sending CCC, the connection will succeed (of course only if there's no NAT between the client and the server) so pure SSL/TLS works. Is there anything I can try to check on my end?

edit: tested both passive and active mode.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

TC doesn't support encrypted data connections together with unencrypted control connections, sorry. Try sending the command:
PROT C
Author of Total Commander
https://www.ghisler.com
gulikoza
Junior Member
Posts: 26
Joined: 2006-09-28, 11:23 UTC

Post by *gulikoza »

It works.
Any chance of adding support for encrypted data connections as well? :D
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

I will consider it. May I still use your test account to test it?
Author of Total Commander
https://www.ghisler.com
gulikoza
Junior Member
Posts: 26
Joined: 2006-09-28, 11:23 UTC

Post by *gulikoza »

Certainly :D
gulikoza
Junior Member
Posts: 26
Joined: 2006-09-28, 11:23 UTC

Post by *gulikoza »

SSL/TLS now works correctly with CCC (and across NAT) while preserving data & authentication encryption in TC8b19. Thanks :)

2Sob
Perhaps you could test IIS and Gene6 FTP just to be sure? I could only test Proftpd :)
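
The trade-off discussed in the posts above, as an added example that is not part of the thread and not Total Commander's code: a small analyzer that walks a client's FTPS command sequence and reports whether credentials, data endpoints (what a NAT helper needs to read) and transfers travel unprotected. The three sessions are constructed, every command is assumed to succeed, and the function and variable names are hypothetical.

```python
# Added example, not Total Commander code. Assumes every command succeeds;
# server replies are not modelled. Command rules follow RFC 2228 / RFC 4217.
ENDPOINT_CMDS = {"PORT", "PASV", "EPRT", "EPSV"}
DATA_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}

def analyze(commands):
    """Report what travels unprotected in a client FTPS command sequence."""
    tls, pbsz, prot = False, False, "C"  # control in TLS, PBSZ seen, data level
    report = {"cleartext_credentials": False, "nat_visible_endpoints": 0,
              "clear_transfers": [], "errors": []}
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            tls = True                   # TLS handshake follows the reply
        elif verb in ("USER", "PASS") and not tls:
            report["cleartext_credentials"] = True
        elif verb == "PBSZ":
            if tls:
                pbsz = True
            else:
                report["errors"].append("PBSZ outside TLS")
        elif verb == "PROT":
            if pbsz and arg in ("C", "P"):
                prot = arg
            else:
                report["errors"].append("PROT needs PBSZ and level C or P")
        elif verb == "CCC":
            if tls:
                tls = False              # TLS shutdown on control; prot is kept
            else:
                report["errors"].append("CCC outside TLS")
        elif verb in ENDPOINT_CMDS and not tls:
            report["nat_visible_endpoints"] += 1
        elif verb in DATA_CMDS and prot == "C":
            report["clear_transfers"].append(line.strip())
    return report

# Constructed sessions (user, password and file name are placeholders).
LOGIN = ["AUTH TLS", "USER demo", "PASS example", "PBSZ 0"]
TLS_ONLY = LOGIN + ["PROT P", "PASV", "RETR a.txt"]
CCC_PROT_C = LOGIN + ["PROT C", "CCC", "PASV", "RETR a.txt"]
CCC_PROT_P = LOGIN + ["PROT P", "CCC", "PASV", "RETR a.txt"]

if __name__ == "__main__":
    for name in ("TLS_ONLY", "CCC_PROT_C", "CCC_PROT_P"):
        print(name, analyze(globals()[name]))
```

TLS_ONLY hides the PASV exchange from a NAT device, CCC_PROT_C exposes the transfer itself, and CCC_PROT_P exposes only the endpoint negotiation while login and data stay encrypted.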
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

Tested and they both work fine.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Thanks for testing it!
Author of Total Commander
https://www.ghisler.com
gezgin
Junior Member
Posts: 36
Joined: 2009-05-16, 07:58 UTC
Location: Izmir, Turkey

Post by *gezgin »

ghisler(Author) wrote: First, try to find out whether it's a server problem, or on your side. Try to connect anonymously to our forum server:
ftps://ghisler.ch/
When I try to connect to ftps://ghisler.ch with TC (control-F) I get a "Connect call failed" error.
I have these files installed:
c:\totalcmd\libeay32.dll
c:\totalcmd\libssl32.dll
c:\totalcmd\rootcert.pem

What should I use as "User name" and "Password"? I've tried several things including leaving them blank. I get the same error.

What am I doing wrong?
--
Bob
Sob
Power Member
Posts: 941
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

ftps://ghisler.ch does not seem to work any more. Try ftps://test:test@ftp.secureftp-test.com.
gezgin
Junior Member
Posts: 36
Joined: 2009-05-16, 07:58 UTC
Location: Izmir, Turkey

Post by *gezgin »

Sob wrote: ftps://ghisler.ch does not seem to work any more. Try ftps://test:test@ftp.secureftp-test.com.
Thanks for the link. I was able to make the connection and I've also solved the problem of being unable to FTPS to Yahoo Hosting as well.
--
Bob
yoshin
New Member
Posts: 1
Joined: 2012-06-11, 11:23 UTC

Post by *yoshin »

Question

Can someone explain in detail how to actually enter those commands?
Command line? Where?

9. Issue the following two commands to convert to openssl format:

openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem