Information on how to use the ssl/tls feature for secure ftp

Sob · Post by *Sob » 2012-01-22, 21:18 UTC

Well, that shows another possibility. As author himself says it's not tested, maybe he's doing that "lite" version of ssl shutdown. And IIS (where it works) may be just more tolerant. At least we now found enough different server software to test with.

Post by *ghisler(Author) » 2012-01-23, 14:52 UTC

Indeed TC doesn't shutdown the SSL connection, it just clears the control channel. This works fine with some servers, but not with all. Calling SSL_Shutdown followed by a loop of SSL_read calls seems to fix the problem. I will add it to beta 18.

gulikoza · Post by *gulikoza » 2012-01-23, 15:35 UTC

Thanks for looking into this

gulikoza · Post by *gulikoza » 2012-02-03, 14:02 UTC

Just tested beta18 and it seems to correctly shutdown TLS on control channel now. But it fails to build data connection. The (ftp) logs show:

starting TLS negotiation on data connection

but it does not complete. Without sending CCC, the connection will succeed (of course only if there's no NAT between the client and the server) so pure SSL/TLS works. Is there anything I can try to check on my end?

edit: tested both passive and active mode.

Post by *ghisler(Author) » 2012-02-03, 14:06 UTC

TC doesn't support encrypted data connections together with unencrypted control connections, sorry. Try sending the command:
PROT C

gulikoza · Post by *gulikoza » 2012-02-03, 17:03 UTC

It works.
Any chance of adding support for encrypted data connections as well?

Post by *ghisler(Author) » 2012-02-05, 15:25 UTC

I will consider it. may I still use your test account to test it?

gulikoza · Post by *gulikoza » 2012-02-05, 15:34 UTC

Certainly

gulikoza · Post by *gulikoza » 2012-02-12, 16:31 UTC

SSL/TLS now works correctly with CCC (and across NAT) while preserving data & authentication encryption in TC8b19. Thanks

2Sob
Perhaps you could test IIS and Gene6 FTP just to be sure? I could only test Proftpd

Sob · Post by *Sob » 2012-02-13, 00:39 UTC

Tested and they both work fine.

Post by *ghisler(Author) » 2012-02-13, 16:02 UTC

Thanks for testing it!

gezgin · Post by *gezgin » 2012-07-28, 08:34 UTC

ghisler(Author) wrote: First, try to find out whether it's a server problem, or on your side. Try to connect anonymously to our forum server:
ftps://ghisler.ch/

When I try to connect ftps://ghisler.ch with TC (control-F) I get a "Connect calll failed" error.
I have these files installed:
c:\totalcmd\libeay32.dll
c:\totalcmd\libssl32.dll
c:\totalcmd\rootcert.pem

What should I uses as "User name" and "Password"? I've tried several things including leaving them blank. I get the same error.

What am I doing wrong?
--
Bob

Sob · Post by *Sob » 2012-07-28, 14:00 UTC

ftps://ghisler.ch does not seem to work any more. Try ftps://test:test@ftp.secureftp-test.com.

gezgin · Post by *gezgin » 2012-07-29, 12:02 UTC

Sob wrote:ftps://ghisler.ch does not seem to work any more. Try ftps://test:test@ftp.secureftp-test.com.

Thanks for the link. I was able to make the connection and I've also solved the problem of being unable to FTPS to Yahoo Hosting as well.
--
Bob

yoshin · Post by *yoshin » 2012-09-18, 03:28 UTC

Question

Can someone explain in detail how to actually enter those commands
command line ? where ?

9. Issue the following two commands to convert to openssl format:

openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem