[Question] FTPS (SSL) Connection Oddity... need confirmation

Juno
Junior Member
Posts: 9
Joined: 2005-01-22, 00:01 UTC
Location: Vancouver, Canada

Post by Juno »

So I followed Christian's instructions in his post on how to set up TC7 to enable an FTPS (SSL) connection. I am using TC 7 beta 3 along with FileZilla Server 0.9.22.

I installed OpenSSL 0.9.8d as suggested and copied the two .dll files to the TC7 program folder. However, the two commands to convert the rootcerts.p7b file to PEM format didn't work. I executed the commands in a DOS command prompt and I got no confirmation after executing the commands, and no .PEM file appeared.

HOWEVER, it didn't seem to matter! I created a certificate within FileZilla Server (.crt file in the FileZilla folder), and that's all I needed... I seemed to be able to connect via SSL/TLS! Here's the log when I connect via my regular port (private cert details are obscured by asterisks):
----------
Connect to: (01/21/2007 7:29:12 PM)
hostname=localhost:1010
username=admin
startdir=
localhost=127.0.0.1
220 -=Connected=-
AUTH TLS
234 Using authentication type TLS
Cert subject: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****/OU=**/emailAddress=guest@host.com
Cert issuer: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****/OU=**/emailAddress=guest@host.com
USER admin
331 Password required for admin
PASS ***********
230 Logged on
SYST
215 UNIX emulated by FileZilla
FEAT
211-Features:
MDTM
REST STREAM
SIZE
MLST type*;size*;modify*;
MLSD
AUTH SSL
AUTH TLS
UTF8
CLNT
211 End
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
Connect ok!
PWD
257 "/" is current directory.
Get directory
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (127,0,0,1,19,141)
LIST
150 Connection accepted
Download
Waiting for server...
226 Transfer OK

So is this connection (both authentication & data-stream) actually encrypted? Did I do it properly? It's weird that it works without a rootcert.pem file (as per Christian's instructions). ALSO, I'm connecting via my regular port that I configured in FileZilla Server (port 1010).

In FileZilla Server I also configured a port on which it will listen for SSL/TLS-only connections. If I connect via this port (999), it also seems to work:

----------
Connect to: (01/21/2007 7:34:48 PM)
hostname=localhost:999
username=admin
startdir=
localhost=127.0.0.1
Cert subject: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****/OU=****/emailAddress=guest@host.com
Cert issuer: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****/OU=****/emailAddress=guest@host.com
220 -=Connected=-
USER admin
331 Password required for admin
PASS ***********
230 Logged on
SYST
215 UNIX emulated by FileZilla
FEAT
211-Features:
MDTM
REST STREAM
SIZE
MLST type*;size*;modify*;
MLSD
AUTH SSL
AUTH TLS
UTF8
CLNT
211 End
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
Connect ok!
PWD
257 "/" is current directory.
Get directory
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (127,0,0,1,19,142)
LIST
150 Connection accepted
Download
Waiting for server...
226 Transfer OK

So it works on both my regular server port (1010), and my port specified to listen for SSL/TLS connections (999)... without a rootcert.pem file. The only difference seems to be that when connecting via my regular port (1010), it explicitly says "using authentication type TLS".

Is everything working properly? Can somebody who knows more about this stuff confirm that I did this correctly? Thanks.
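As an added example (my own code, not part of Juno's post and not Total Commander's), here is a small Python checker that reads a client-side log in the format shown above and reports what each session actually negotiated. The rules it applies are the standard FTP security extensions (RFC 4217): an AUTH TLS sent after the 220 banner and answered with 234 upgrades the control connection (explicit FTPS, the port 1010 log); a certificate logged before the banner means the TLS handshake ran immediately on connect (implicit FTPS, the port 999 log); and PBSZ 0 followed by an accepted PROT P puts the data channel, i.e. directory listings and file transfers, inside TLS as well. The sample logs are constructed, abridged copies of the two logs in the post plus a plain FTP session for contrast; the certificate fields are placeholders.

```python
import re

# Constructed sample logs: abridged copies of the two sessions in the post
# (explicit FTPS on port 1010, implicit FTPS on port 999) and a plain FTP
# session added for contrast. Certificate details are placeholders.
LOG_EXPLICIT = """\
Connect to: (01/21/2007 7:29:12 PM)
hostname=localhost:1010
username=admin
220 -=Connected=-
AUTH TLS
234 Using authentication type TLS
Cert subject: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****
Cert issuer: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****
USER admin
331 Password required for admin
PASS ***********
230 Logged on
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
PASV
227 Entering Passive Mode (127,0,0,1,19,141)
LIST
150 Connection accepted
226 Transfer OK
"""

LOG_IMPLICIT = """\
Connect to: (01/21/2007 7:34:48 PM)
hostname=localhost:999
username=admin
Cert subject: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****
Cert issuer: /CN=****/C=01/ST=British Columbia/L=Vancouver/O=****
220 -=Connected=-
USER admin
331 Password required for admin
PASS ***********
230 Logged on
PBSZ 0
200 PBSZ=0
PROT P
200 Protection level set to P
PASV
227 Entering Passive Mode (127,0,0,1,19,142)
LIST
150 Connection accepted
226 Transfer OK
"""

LOG_PLAIN = """\
Connect to: (01/21/2007 7:40:00 PM)
hostname=localhost:21
username=admin
220 -=Connected=-
USER admin
331 Password required for admin
PASS ***********
230 Logged on
PASV
227 Entering Passive Mode (127,0,0,1,19,143)
LIST
150 Connection accepted
226 Transfer OK
"""


def analyse_ftp_log(text):
    """Walk a client-side FTP log and report what protection was negotiated."""
    state = {
        "host": None,
        "port": None,
        "mode": "plaintext",            # plaintext | explicit | implicit
        "control_encrypted": False,     # commands and replies inside TLS
        "data_protected": False,        # PROT P accepted: listings/transfers inside TLS
        "credentials_in_clear": False,  # USER/PASS sent before TLS was up
        "cert_seen": False,
    }
    banner_seen = False
    auth_pending = False
    prot_pending = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"hostname=([^:]+)(?::(\d+))?", line)
        if m:
            state["host"] = m.group(1)
            state["port"] = int(m.group(2)) if m.group(2) else 21
        elif line.startswith("Cert subject:"):
            state["cert_seen"] = True
            # A certificate logged before the 220 banner means the TLS
            # handshake ran immediately on connect: implicit FTPS.
            if not banner_seen:
                state["mode"] = "implicit"
                state["control_encrypted"] = True
        elif line.startswith("220 "):
            banner_seen = True
        elif re.fullmatch(r"AUTH (TLS|SSL)", line):
            auth_pending = True
        elif auth_pending and line[:1].isdigit():
            # Only reply 234 means the server accepted the upgrade; from here
            # on the control channel is inside TLS.
            if line.startswith("234"):
                state["mode"] = "explicit"
                state["control_encrypted"] = True
            auth_pending = False
        elif line.startswith(("USER ", "PASS ")):
            if not state["control_encrypted"]:
                state["credentials_in_clear"] = True
        elif line == "PROT P":
            prot_pending = True
        elif prot_pending and line[:1].isdigit():
            # Only a 2xx reply to PROT P means the data channel is protected.
            state["data_protected"] = line.startswith("2")
            prot_pending = False
    return state


def verdict(state):
    """One-line answer to 'is this connection actually encrypted?'."""
    if not state["control_encrypted"]:
        return "NOT encrypted: plain FTP, credentials sent in clear"
    data = ("data channel protected (PROT P)" if state["data_protected"]
            else "data channel NOT protected (PROT C)")
    return f"encrypted control channel ({state['mode']} FTPS), {data}"


if __name__ == "__main__":
    for name, log in (("port 1010", LOG_EXPLICIT), ("port 999", LOG_IMPLICIT), ("plain", LOG_PLAIN)):
        print(f"{name}: {verdict(analyse_ftp_log(log))}")
```

Run against the two constructed logs, both report an encrypted control channel and a protected data channel; the only difference is the mode (explicit versus implicit), which is exactly why the port 1010 log shows "AUTH TLS / 234 Using authentication type TLS" and the port 999 log does not. The plain session is flagged because USER and PASS went out before any TLS.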
ghisler(Author)
Site Admin
Posts: 48166
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by ghisler(Author) »

In TC7 beta 3, TC disconnects if you checked the option "FTPS" for the connection and the connection isn't encrypted.

You will also see a little locker in the ftp toolbar. A gray locker means that the connection was authenticated and the certificate could be verified. A red locker means that the connection could be authenticated, but the certificate was not OK. You can get more information by clicking on the locker (it's a button).
Author of Total Commander
https://www.ghisler.com
Juno
Junior Member
Posts: 9
Joined: 2005-01-22, 00:01 UTC
Location: Vancouver, Canada

Post by Juno »

Thanks for the reply Christian.

I see an open red lock after I connect. I click on the lock, and it says "Certificate is not valid. Not signed by a trusted self-certificate. Always trust this certificate?"

I click YES. The lock icon doesn't change.

I disconnect and reconnect, but I still see the open red lock. I click it again, and now it says "The presented server certificate seems to belong to a different server name!"

I'm not sure how to fix that message however. But I know you're doing something with this for upcoming versions... :?:
Juno
Junior Member
Posts: 9
Joined: 2005-01-22, 00:01 UTC
Location: Vancouver, Canada

Post by Juno »

Oh, I also have a couple of suggestions related to this:

1) Change the lock icon so it's locked (closed) when the connection is encrypted, so users can tell.

2) Change the lock icon's color to green or gold, to confirm that the certificate is valid (or any other positive color you choose, red usually means bad or wrong).

:)
ghisler(Author)
Site Admin
Posts: 48166
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by ghisler(Author) »

Juno wrote:
> I'm not sure how to fix that message however.

Just connect to the server name presented in the certificate as the "Common name" instead of connecting to your own server name. That's the name for which the certificate was created.

For example, when I try to connect to my forum host ghisler.ch, I see that the "Common name" of the certificate is gandalf.dewahost.net.
Author of Total Commander
https://www.ghisler.com
Juno
Junior Member
Posts: 9
Joined: 2005-01-22, 00:01 UTC
Location: Vancouver, Canada

Post by Juno »

ghisler(Author) wrote:
> Just connect to the server name presented in the certificate as the "Common name" instead of connecting to your own server name. That's the name for which the certificate was created.
>
> For example, when I try to connect to my forum host ghisler.ch, I see that the "Common name" of the certificate is gandalf.dewahost.net.

Thanks, that did it. I don't have an actual hostname for my FTP server, so I just made my common name this: [ip address]:[port].

One more suggestion, if you don't mind! :)

When you first click on the open red lock, a dialog box comes up asking if you want to trust this unsigned certificate; you click YES, and nothing seems to change immediately. If you click that lock icon again, the SAME dialog box comes up asking the same question (even though you already clicked YES to trust).

It's only after you disconnect, and reconnect, that the dialog box changes to reflect that you trust it now. Can this behaviour be changed so that a reconnection to the server isn't necessary?
ghisler(Author)
Site Admin
Posts: 48166
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by ghisler(Author) »

This will indeed be changed in beta 4. TC will also remember the name difference between certificate and server.
Author of Total Commander
https://www.ghisler.com
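As an added example (my own code, not Total Commander's implementation and not part of any post above), the following Python models the two checks behind the lock icon described in this thread: whether the certificate is signed by a trusted issuer or was explicitly accepted by the user, and whether its "Common name" matches the server name the client connected to, as in Christian's advice. The walkthrough replays Juno's experience with a self-signed certificate: first both checks fail, after "always trust" only the name mismatch remains, and connecting with the name from the certificate clears it. The trust store takes effect immediately, without a reconnect, which is the behaviour Juno asked for. All names, the DER bytes and the issuer list are constructed; real chain-signature verification is left out and stood in for by an issuer-name lookup.

```python
import hashlib


def parse_dn(dn):
    """Parse an OpenSSL one-line DN ('/CN=host/C=01/ST=...') into a dict.

    Constructed helper: it assumes attribute values contain no '/'.
    """
    fields = {}
    for item in dn.strip("/").split("/"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    return fields


def hostname_matches(cert_name, host):
    """Compare the certificate's name with the name the client connected to.

    Exact, case-insensitive match, or a single '*' as the whole leftmost
    label (RFC 6125 style). Anything else, including the thread's
    '[ip address]:[port]' trick, only matches by literal equality.
    """
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return False


def fingerprint(der_bytes):
    """SHA-256 of the DER encoding, the usual key for a trust-on-first-use store."""
    return hashlib.sha256(der_bytes).hexdigest()


class ServerCertificateTrust:
    """Lock-icon style decision: 'ok' (gray lock) or 'warn' (red lock) plus reasons.

    Trusted CA issuers are matched by issuer DN only; a real client verifies
    the signature chain, which this example deliberately leaves out.
    """

    def __init__(self, trusted_ca_issuers=()):
        self.trusted_ca_issuers = set(trusted_ca_issuers)
        self.user_trusted = set()  # fingerprints the user accepted

    def trust(self, der_bytes):
        """Record the user's 'always trust' answer; it takes effect at once."""
        self.user_trusted.add(fingerprint(der_bytes))

    def evaluate(self, subject, issuer, der_bytes, host):
        problems = []
        signed_by_known_ca = issuer in self.trusted_ca_issuers and issuer != subject
        if fingerprint(der_bytes) not in self.user_trusted and not signed_by_known_ca:
            problems.append("not signed by a trusted certificate")
        cn = parse_dn(subject).get("CN", "")
        if not hostname_matches(cn, host):
            problems.append(f"certificate name {cn!r} does not match server name {host!r}")
        return ("ok" if not problems else "warn"), problems


def walkthrough():
    """Replay the thread with constructed data: self-signed cert, the user
    clicks 'always trust', then connects using the certificate's common name."""
    subject = "/CN=myftp.example.test/C=01/ST=British Columbia/L=Vancouver/O=Home"
    der = b"constructed-der-bytes-not-a-real-certificate"
    store = ServerCertificateTrust(trusted_ca_issuers={"/CN=Example Root CA/O=Example"})
    steps = []
    steps.append(store.evaluate(subject, subject, der, "localhost"))           # red lock, two problems
    store.trust(der)
    steps.append(store.evaluate(subject, subject, der, "localhost"))           # still red: name mismatch only
    steps.append(store.evaluate(subject, subject, der, "myftp.example.test"))  # gray lock
    return steps


if __name__ == "__main__":
    for status, problems in walkthrough():
        print(status, problems)
```

The name check is the part worth keeping in mind: accepting a self-signed certificate only settles who signed it, not whether it was issued for the server you typed, so the second warning in the thread is the client doing its job rather than a leftover of the first one.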