Information on how to use the ssl/tls feature for secure ftp

oldhouse · Post by *oldhouse » 2006-11-06, 17:47 UTC

Do u have any web link on how to do so? I really don't have any idea...

franck8244 · Post by *franck8244 » 2006-11-06, 18:28 UTC

For those who want to test the new ftp / ssl features:

ftps server : 194.146.111.60
username : pub_tc_user
passwd : tctest

pub key of the server (save as rootcert.pem)

Code: Select all

Uploaded files will be removed every hours...

Franck

oldhouse · Post by *oldhouse » 2006-11-07, 10:03 UTC

How can I get the public key from a site where I don't own certificate?

Teal_One · Post by *Teal_One » 2006-11-07, 15:58 UTC

ghisler(Author) wrote:Try to connect anonymously to our forum server:
ftps://ghisler.ch/

I did, however it hang on the command "LIST".

Code: Select all

----------
Connect to: (07.11.2006 16:46:28)
hostname=ghisler.ch
username=anonymous
startdir=
ghisler.ch=204.157.1.65
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 6 of 50 allowed.
220-Local time is now 10:46. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Cert subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
Cert issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
USER anonymous
230 Anonymous user logged in
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
Connect ok!
CWD /
250 OK. Current directory is /
PWD
257 "/" is your current location
Verzeichnis einlesen
TYPE A
200 TYPE is now ASCII
PORT 85,216,78,207,5,237
200 PORT command successful
LIST
Taste 'Abbrechen' betätigt!

franck8244 wrote:ftps server : 194.146.111.60
username : pub_tc_user
passwd : tctest

Thx a lot, however I've the same problem: It hang on the "LIST" command.

So three different server same problem (the problem I reported first is gone).

I use version 0.9.8d of libeay32.dll and libssl32.dll

be484325e8d904b61d769bdcec66bbb0 *libeay32.dll
57053e0ed5d31f7f776f9481d5d5cd83 *libssl32.dll

Post by *ghisler(Author) » 2006-11-07, 17:09 UTC

Try passive mode.

norfie² · Post by *norfie² » 2006-11-07, 17:44 UTC

I got no successful connection. Probably the router is the reason? The same error message with passive mode.

Code: Select all

----------
Connect to: (07.11.2006 16:51:08)
hostname=ghisler.ch
username=anonymous
startdir=
ghisler.ch=204.157.1.65
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 10:51. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Cert subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
Cert issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
USER anonymous
230 Anonymous user logged in
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
Connect ok!
PWD
257 "/" is your current location
Verzeichnis einlesen
TYPE A
200 TYPE is now ASCII
PORT 192,168,102,2,5,106
500 I won't open a connection to 192.168.102.2 (only to 85.216.78.207)

franck8244 · Post by *franck8244 » 2006-11-07, 17:56 UTC

2norfie²

That's indeed your router's problem...

848 · Post by *848 » 2006-11-08, 06:49 UTC

To establish a FTPS connection the URL must be entered like ftps://ghisler.ch This does not work well when connecting through a proxy. TC sends the URL including ftps:// to the proxy. The proxy does not know what to do with it.

This is sent to the example;

GET ftp://ftps://ghisler.ch/ HTTP/1.0
Host: ftps://ghisler.ch
User-Agent: Mozilla/4.0 (compatible; Totalcmd; Windows XP)

TC should omit ftps:// from the URL send to the proxy.

Maybe it is possible to enable FTPS via an optionbox like "Use firewall"? If so, this option should also be available with ctrl-n.

Post by *ghisler(Author) » 2006-11-08, 16:57 UTC

PORT 192,168,102,2,5,106

You are still in port mode! You need to switch that specific connection to passive mode, it's stored in the settings of each connection.

To establish a FTPS connection the URL must be entered like ftps://ghisler.ch This does not work well when connecting through a proxy.

Do not use the HTTP proxy with ftp support for ftps. It's a clear text http connection, and doesn't support encrypted ftp.
Instead, use the other HTTP proxy option HTTP CONNECT!

Teal_One · Post by *Teal_One » 2006-11-08, 17:28 UTC

ghisler(Author) wrote:Try passive mode.

Yes, now it works. Thx - but why is there the "insecure" icon (open key)?

norfie² · Post by *norfie² » 2006-11-08, 17:29 UTC

ghisler(Author) wrote:
PORT 192,168,102,2,5,106
You are still in port mode! You need to switch that specific connection to passive mode, it's stored in the settings of each connection.

Same error with passive mode

wcx_ftp.ini wrote:[ftps-Test Ghisler]
host=ftps://ghisler.ch
username=anonymous
anonymous=1
pasvmode=1

Code: Select all

----------
Connect to: (08.11.2006 18:22:05)
hostname=ghisler.ch
username=anonymous
startdir=
ghisler.ch=204.157.1.65
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 12:21. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Cert subject: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown
/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
Cert issuer: /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown
/CN=gandalf.dewahost.net/emailAddress=ssl@cpanel.net
USER anonymous
230 Anonymous user logged in
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
PBSZ 0
200 PBSZ=0
PROT P
534 Fallback to [C]
Connect ok!
PWD
257 "/" is your current location
Verzeichnis einlesen
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (204,157,1,65,120,47)
PORT 192,168,102,2,4,183
500 I won't open a connection to 192.168.102.2 (only to 85.216.78.7)

EDIT: If I disable the firewall it works like expected. Which additional ports has to be enabled for working? FTPS Port 990 is enabled already.

Post by *ghisler(Author) » 2006-11-09, 16:59 UTC

You cannot open a fixed outgoing port for that - ftp and ftps use random ports for data connections, as you can see in the reponse to the PASV command (the last two numbers form the port).

OutlawZ · Post by *OutlawZ » 2006-11-12, 21:50 UTC

Hi!

I have problem.

Tried the new ftps feature. I've copied all the required files to tc's dir (ssleay32.dll, libeay32.dll and even tried libssl32.dll and rootcerts.pem) and always get the error msg:
OpenSSL Library not found!

What can/shoud i do to get it work?

Regards,

OutlawZ

Clo · Post by *Clo » 2006-11-12, 22:22 UTC

2OutlawZ

Hello ! Welcome aboard !

• Please, check if you have a correct version :
- Here, I've 0.9.8.1 and that works.

Kind regards,
Claude
Clo

OutlawZ · Post by *OutlawZ » 2006-11-13, 00:30 UTC

Thanks a lot!

It looks i've tried too old dll-s and i'm just installed openssl on my pc. Now with 0.9.8d it looks to work.

Is it possible the problem was that i haven't installed open ssl just downloaded the dll-s or fully the wrong versions of the dll's?

Thx a lot again
And thx the welcome;)

Regards

OutlawZ

Total Commander

Information on how to use the ssl/tls feature for secure ftp

ftps:// option does not work with a proxy

Version ?