Information on how to use the ssl/tls feature for secure ftp
Posted: 2006-11-01, 23:15 UTC
Here is some information on how to use the ssl/tls feature. Because of the Swiss crypto export laws, I cannot include the openssl dlls in the install package.
1. Get the compiled OpenSSL package from the LibCurl library:
http://curl.haxx.se/download.html#Win32
Please scroll down to the section named "Win32 - Generic"
and download the following package (or a newer one):
Win32 2000/XP 7.32.0 libcurl SSL enabled Günter Knauf 1.54 MB
2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
3. Now you can make connections with prefix ftps:// and https://
A red open lock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc, do the following:
1. Start Internet Explorer and open its configuration dialog
2. Go to the page "Content"
3. Click on "Certificates"
4. Go to the last page "Trusted root certificate authorities"
5. Select all certificates
6. Click on "Export"
7. As name, enter: rootcerts
8. Confirm with Next/OK. This creates a file rootcerts.p7b
9. Issue the following two commands to convert to openssl format:
openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem
10. Put the file rootcert.pem in the Total Commander directory
[mod]Important notes (31.01.2014):
1. Get the compiled OpenSSL package from the LibCurl library:
32-bit: http://curl.haxx.se/download.html#Win32
In the section named "Win32 - Generic", download the following package:
Win32 2000/XP libcurl SSL enabled Günter Knauf
64-bit: http://curl.haxx.se/download.html#Win64MinGW64
In the section named "Win64 - MinGW64", download the following package:
MinGW64 devel SSL SSH Günter Knauf
2. Copy the three dlls libssl32.dll, libeay32.dll and zlib1.dll from the "bin" subdir of the archive to the Total Commander directory (directly, not any subdir).
The file libssl32.dll has been renamed to ssleay32.dll. So copy the following files:
libeay32.dll
ssleay32.dll
zlib1.dll (optional)
libssh2.dll (optional)
Including the last two dll files will enable you to use the Secure FTP plugin for servers supporting the SSH File Transfer Protocol.
32-bit: Copy the dll files to the Total Commander program folder.
64-bit: Preferably copy the dll files to a folder named "64" in the Total Commander program folder.
3. Now you can make connections with prefix ftps:// and https://
After copying the dll files encrypted connections can be made. Be aware that authentication isn't checked before making a connection. That only happens when a "wincmd.pem" file is used.
A red open lock will appear for connections because the root certificates are missing. To get the root certificates of Verisign, Thawte etc, do the following:
The instructions describe how to export the root certificates from Internet Explorer and convert them to PEM format. Converting the file is done using the openssl program from http://slproweb.com/products/Win32OpenSSL.html. This program nowadays does not function without certain Visual C++ 2008 Redistributables installed.
Much simpler is to download Mozilla's root certificates converted to PEM format by the curl developers.
http://curl.haxx.se/ca/cacert.pem
Simply rename this file to "wincmd.pem"
Another way than mentioned above to export the Internet Explorer root certificates to PEM format:
http://www.ghisler.ch/board/viewtopic.php?p=277381#277381
Step 10. Put the file rootcert.pem in the Total Commander directory
This was changed in the past. Now, the name must be "wincmd.pem" and must be put in the same folder as your wincmd.ini file (see Help/About in Total Commander).
If the wincmd.pem file is present (can be an empty file too) a connection is not made before passing authentication or the user's approval. If a certificate of a site could not be validated using the certificates in the wincmd.pem file, the user is asked for confirmation before making the connection. When the connection is made the user can click on the lock icon to permanently accept the certificate. In that case the SHA fingerprint of the certificate is added to the wcx_ftp.ini file. Future connections to the site will be allowed as long as the fingerprint of the certificate of the site does not change.
The lock icon can have the following states:
Lock is red and open: Connection is encrypted but not authenticated.
Lock is grey and closed: Connection is encrypted and authenticated.
(for normal FTP connections no lock is shown)
White (moderator)
[/mod]
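Added example (not part of the original post and not Total Commander's code): a small Python check that counts the certificates in a PEM bundle such as wincmd.pem, prints a fingerprint for each, and models the connect / ask-user decision described in the notes above. The function names and decision labels are hypothetical, SHA-1 is an assumption (the post only says "SHA fingerprint"), and the sample bundle is constructed from placeholder bytes.

```python
import base64
import hashlib
import re

# One PEM certificate block. Text between blocks, such as the subject=/issuer=
# lines written by `openssl pkcs7 -print_certs`, is skipped.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(pem_text)]

def fingerprint(der, digest="sha1"):
    """Colon-separated upper-case hex digest of a DER certificate."""
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def connection_decision(bundle_present, ca_validated, der, stored_fp=None):
    """Model of the behaviour described in the post (hypothetical names)."""
    if not bundle_present:
        return "connect-unauthenticated"     # no wincmd.pem: nothing is checked
    if ca_validated:
        return "connect"                     # chain verified against wincmd.pem
    if stored_fp and fingerprint(der) == stored_fp.upper():
        return "connect-stored-fingerprint"  # accepted earlier, cert unchanged
    return "ask-user"                        # unknown or changed certificate

def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample: placeholder bytes standing in for two root certificates.
SAMPLE_DERS = [b"constructed placeholder root A", b"constructed placeholder root B"]
SAMPLE_BUNDLE = "".join(
    "subject=/CN=Example Root %d\nissuer=/CN=Example Root %d\n%s\n" % (i, i, _pem(d))
    for i, d in enumerate(SAMPLE_DERS))

if __name__ == "__main__":
    certs = split_bundle(SAMPLE_BUNDLE)
    print(len(certs), "certificate(s) in bundle")
    for der in certs:
        print(fingerprint(der))
```

Running split_bundle over your own bundle shows how many roots it holds. openssl x509 converts only the first certificate it reads, so a count of 1 after the two-command conversion means the remaining roots were not carried over.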