
Information on how to use the ssl/tls feature for secure ftp

Posted: 2006-11-01, 23:15 UTC
by ghisler(Author)
Here is some information on how to use the ssl/tls feature. Because of the Swiss crypto export laws, I cannot include the openssl dlls in the install package.

1. Get the compiled OpenSSL package from the LibCurl library:
http://curl.haxx.se/download.html#Win32
Please scroll down to the section named "Win32 - Generic"
and download the following package (or a newer one):
Win32 2000/XP 7.32.0 libcurl SSL enabled Günter Knauf 1.54 MB

2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
3. Now you can make connections with prefix ftps:// and https://

There will appear a red open locker for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc, do the following:
1. Start Internet Explorer and open its configuration dialog
2. Go to the page "Content"
3. Click on "Certificates"
4. Go to the last page "Trusted root certificate authorities"
5. Select all certificates
6. Click on "Export"
7. As name, enter: rootcerts
8. Confirm with Next/OK. This creates a file rootcerts.p7b
9. Issue the following two commands to convert to openssl format:

openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem

10. Put the file rootcert.pem in the Total Commander directory


[mod]Important notes (31.01.2014):
1. Get the compiled OpenSSL package from the LibCurl library:
32-bit: http://curl.haxx.se/download.html#Win32
In the section named "Win32 - Generic", download the following package:
Win32 2000/XP libcurl SSL enabled Günter Knauf

64-bit: http://curl.haxx.se/download.html#Win64MinGW64
In the section named "Win64 - MinGW64", download the following package:
MinGW64 devel SSL SSH Günter Knauf
2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
The file libssl32.dll has been renamed to ssleay32.dll. So copy the following files:

libeay32.dll
ssleay32.dll
zlib1.dll (optional)
libssh2.dll (optional)

Including the last two dll files will enable you to use the Secure FTP plugin for servers supporting the SSH File Transfer Protocol.

32-bit: Copy the dll files to the Total Commander program folder.
64-bit: Preferably copy the dll files to a folder named "64" in the Total Commander program folder.
3. Now you can make connections with prefix ftps:// and https://
After copying the dll files encrypted connections can be made. Be aware that authentication isn't checked before making a connection. That only happens when a "wincmd.pem" file is used.
There will appear a red open locker for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc, do the following:
The instructions describe how to export the root certificates from Internet Explorer and convert them to PEM format. Converting the file is done using the openssl program from http://slproweb.com/products/Win32OpenSSL.html. This program nowadays does not function without certain Visual C++ 2008 Redistributables installed.

Much simpler is to download Mozilla's root certificates converted to PEM format by the curl developers.
http://curl.haxx.se/ca/cacert.pem
Simply rename this file to "wincmd.pem"

Another way than mentioned above to export the Internet Explorer root certificates to PEM format:
http://www.ghisler.ch/board/viewtopic.php?p=277381#277381
Step 10. Put the file rootcert.pem in the Total Commander directory
This was changed in the past. Now, the name must be "wincmd.pem" and must be put in the same folder as your wincmd.ini file (see Help/About in Total Commander)

If the wincmd.pem file is present (can be an empty file too) a connection is not made before passing authentication or the user's approval. If a certificate of a site could not be validated using the certificates in the wincmd.pem file, the user is asked for confirmation before making the connection. When the connection is made the user can click on the lock icon to permanently accept the certificate. In that case the SHA fingerprint of the certificate is added to the wcx_ftp.ini file. Future connections to the site will be allowed as long as the fingerprint of the certificate of the site does not change.

The lock icon can have the following states:
Lock is red and open: Connection is encrypted but not authenticated.
Lock is grey and closed: Connection is encrypted and authenticated.
(for normal FTP connections no lock is shown)

White (moderator)
[/mod]
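An added example, not part of ghisler's post or the moderator note: step 9 above converts rootcerts.p7b with two openssl commands, but `openssl x509` reads only the first certificate in its input, so rootcert.pem (today's wincmd.pem) ends up holding a single CA. The POSIX shell filter below keeps every certificate block from unfiltered.pem; the function names, file names and the two-certificate sample input are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the forum post): filter the "unfiltered.pem" that
# "openssl pkcs7 -print_certs" writes down to bare certificate blocks.
# "openssl x509 -in unfiltered.pem -out rootcert.pem" reads only the FIRST
# certificate in its input, so a bundle built that way trusts a single CA.
# Keeping every BEGIN/END block gives wincmd.pem the whole exported set.

# strip_pem_text IN OUT: copy every certificate block, drop subject=/issuer= lines
strip_pem_text() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" > "$2"
}

# count_certs FILE: number of certificates in a PEM bundle
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# write_sample FILE: constructed stand-in for unfiltered.pem with two
# certificates (the base64 bodies are placeholders, not real certificates)
write_sample() {
    cat > "$1" <<'EOF'
subject=/C=XX/O=Constructed Root A
issuer=/C=XX/O=Constructed Root A
-----BEGIN CERTIFICATE-----
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----

subject=/C=XX/O=Constructed Root B
issuer=/C=XX/O=Constructed Root B
-----BEGIN CERTIFICATE-----
MIIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed input; real use is: strip_pem_text unfiltered.pem wincmd.pem
tmp=$(mktemp -d)
write_sample "$tmp/unfiltered.pem"
strip_pem_text "$tmp/unfiltered.pem" "$tmp/wincmd.pem"
echo "certificates kept: $(count_certs "$tmp/wincmd.pem")"
rm -rf "$tmp"
```

The patterns anchor only on the leading hyphens so a file written with CRLF line endings by a Windows openssl build is handled too.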

Posted: 2006-11-02, 08:47 UTC
by DarkRuleR
Hi,

First of all thanx for adding ssl/tls support.
What a great new feature!

Is it possible to specify a path where TC searches for the dlls?
Maybe an INI entry?

Greetz,

DR...

Posted: 2006-11-02, 09:02 UTC
by PuzoM
Hi Christian,

So both the OpenSSL package and the DLLs are mandatory for SSL to work?
I mean I want to use Tcmd portable as well so I'd not like to install extra software on systems where I use Tcmd on.
Please confirm that only libeay32.dll, libssl32.dll, rootcert.pem are needed and so I don't need to install OpenSSL on different.

Oh and extra step after you created the rootcerts.p7b:


Copy rootcerts.p7b to C:\OpenSSL\bin\ (default installation folder of OpenSSL). Then run the 2 commands from inside that bin folder.
Cheers!

Posted: 2006-11-02, 16:00 UTC
by ghisler(Author)
Is it possible to specify a path where TC searches for the dlls?
No. For security reasons, only dlls in the program directory will be used.
Please confirm that only libeay32.dll, libssl32.dll, rootcert.pem are needed and so I don't need to install OpenSSL on different.
This is correct, you need just these 3 files. The OpenSSL installation is needed only to get the two dlls, and to convert the Internet Explorer root certificates to the OpenSSL format.

Posted: 2006-11-02, 20:12 UTC
by Symlink
Do I understand it correctly that for now it is not possible to use this feature from within the ftp server connection dialog (ctrl+f) but only with new connection (ctrl+n)?
Thanks!
Regards,
S.

Posted: 2006-11-02, 20:49 UTC
by Sir_SiLvA
Symlink: no u can use it inside strg+f if u write ftps instead of ftp :!:

Posted: 2006-11-02, 21:16 UTC
by Mikefield
Hi, I've made all as described above and tried to connect to an ssl server (Red Hat Linux), but it didn't work.

This is shown in the connecting window when I use ftps://10.87.2.150

----------
Connect to: (02.11.2006 14:57:09)
hostname=10.87.2.150
username=dadmin
startdir=

Then comes an error, "Verbindung nicht erfolgreich"


This is shown in the connecting window when I use ftps://10.87.2.150:22,
but ftps:// is not necessary.

----------
Connect to: (02.11.2006 14:57:34)
hostname=10.87.2.150:22
username=dadmin
startdir=
SSH-2.0-OpenSSH_3.4p1

And nothing happens.


Any ideas?

mf

Posted: 2006-11-02, 22:38 UTC
by 848

Posted: 2006-11-03, 06:34 UTC
by Mikefield
Hmm, are there differences between ssl/tls and SSH?
Can we have ssh in the final release?

mf

Posted: 2006-11-03, 08:12 UTC
by 848
I strongly agree. This is number one on my wishlist for TC.

Posted: 2006-11-03, 18:22 UTC
by ghisler(Author)
Unfortunately I cannot support SSH. There are no SSH DLLs, and writing my own is prohibited by the Swiss crypto export laws.

TLS doesn't work here

Posted: 2006-11-03, 20:54 UTC
by Teal_One
Thanks a lot for the SSL/TLS feature. However it doesn't work for me :cry:.


---------
Connect to: (03.11.2006 21:41:52)
hostname=ftp.xxxxx.de
username=XXXXXXX
startdir=
ftp.xxxxx.de=81.92.X.XXX
220 ProFTPD 1.2.10 Sever (www.XXXX*)
AUTH TLS
234 AUTH TLS successful
Cert subject: /C=DE/ST=Some-State/L=XXX/O=XXX*
Cert issuer: /C=DE/ST=Some-State/L=XXX/O=XXX*
USER XXXXX
331 Password required for XXXXX
PASS ***********



Verbindung nicht erfolgreich!
Can anyone help me? Do you need more information? Which? Should I ask the owner of the ftp server?

Posted: 2006-11-05, 15:57 UTC
by ghisler(Author)
First, try to find out whether it's a server problem, or on your side. Try to connect anonymously to our forum server:
ftps://ghisler.ch/

It doesn't use a signed certificate, but you can verify whether you can connect or not.

If you can, you should see just one directory, incoming. If this works, please contact the owner of your server for help. If it doesn't work, please report what dlls you installed.

Posted: 2006-11-06, 11:40 UTC
by oldhouse
What can I do if I have to accept the certificate from the ftp I connect to? It isn't among the locally installed certificates, so it doesn't work with the certificate.pem procedure.

Posted: 2006-11-06, 16:28 UTC
by ghisler(Author)
2oldhouse
You can add the public key of that certificate to the pem file!