SSL/TLS and PROT command suggestion

When an explicit TLS session is started, the negotiation goes fine. Your
client properly sends "AUTH TLS", the encryption layer is turned on on the
connection socket, then "PBSZ" is sent. All is OK.

The problem comes when the server is configured to use SSL/TLS on the
connection socket, but the data socket is intentionally left unencrypted.

Your client sends the "PROT" command to ask for possible SSL/TLS encryption
on the data socket. Then, if the server replies with a 200 error code
everything goes on with SSL/TLS.

But the server can also reply with a 534 error code which according to RFC
means "I don't want _this_ protocol on the data socket".

When your client gets that 534 error code, it immediately ends the session.

Maybe it would be nicer in this case to retry with "PROT C" to fall back to
cleartext.

Your software wouldn't break with servers that only want the connection
channel encrypted.

Sure, there is an option in your software to explicitly have a clear data
connection. But this is rather confusing for end users. An automatic
fallback would be more convenient.

Please let me know if this issue is addressed in a newer release so that
the part about your product in the TLS documentation of Pure-FTPd can be
updated on http://www.pureftpd.org/README.TLS
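A client-side sketch of the PBSZ/PROT exchange described above, with the retry as "PROT C" made an explicit policy decision instead of an unconditional one: it is only attempted once the control channel is already under TLS, which is the condition under which a forged 534 from the network path is ruled out. This is an added example, not SmartFTP's or Pure-FTPd's code; `negotiate_prot`, its `send` callback and the two policy flags are assumptions, and the reply lines are copied from the session logs posted later in this thread.

```python
from enum import Enum

class DataChannel(Enum):
    PRIVATE = "P"   # PROT P accepted: data connection is TLS-protected
    CLEAR = "C"     # fell back to PROT C: data connection is cleartext
    ABORTED = "X"   # client ended the session instead of falling back

class ProtError(Exception):
    pass

def reply_code(line):
    """Return the three-digit FTP reply code that starts a reply line."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ProtError("malformed reply: %r" % line)
    return int(line[:3])

def negotiate_prot(send, control_encrypted, allow_clear_fallback):
    """Negotiate data-channel protection after AUTH TLS has succeeded.

    send(cmd) writes one command on the control connection and returns the
    server's reply line (hypothetical interface). 534 to PROT P means the
    server refuses TLS on the data socket; the client retries with PROT C
    only if the control channel is already under TLS (so the 534 cannot
    have been forged on the path) and the caller's policy allows it.
    """
    if not control_encrypted:
        raise ProtError("PROT negotiation requires an encrypted control channel")
    if reply_code(send("PBSZ 0")) != 200:
        raise ProtError("PBSZ 0 rejected")
    code = reply_code(send("PROT P"))
    if code == 200:
        return DataChannel.PRIVATE
    if code == 534 and allow_clear_fallback:
        if reply_code(send("PROT C")) == 200:
            return DataChannel.CLEAR
        raise ProtError("server refused PROT C as well")
    return DataChannel.ABORTED

def scripted_server(replies):
    """Fake control connection: command->reply table plus a log of sent commands."""
    sent = []
    def send(cmd):
        sent.append(cmd)
        return replies[cmd]
    send.sent = sent
    return send

# Reply lines taken from the Pure-FTPd sessions posted in this thread (constructed table).
CONTROL_ONLY_SERVER = {"PBSZ 0": "200 PBSZ=0", "PROT P": "534 C", "PROT C": "200 OK"}
FULL_TLS_SERVER = {"PBSZ 0": "200 PBSZ=0", "PROT P": "200 OK"}
```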

Automatically falling back to clear mode may be a security problem.

Why not an "automatic" mode that would do this instead of forcing the end user to manually select whether the data channel is encrypted or not?

There's no real security issue here: as the connection channel is encrypted, a man-in-the-middle can't inject fake server replies to force the fallback.

Please try the latest developer build from:
https://www.smartftp.com/download

and let me know if it behaves as you would expect it.

Thanks

Hello ..

Works here with any host I've tested.

e.g. try

ftps://ftp.smartftp.com

-Mat

Strange.

Try:
ftp.fr.pureftpd.org
user: ftptest
pass: ftptest

works with various other clients.

looks like my report to pureftpd team was received =)

darix

p.s.: i just tried the latest developer version:
***********************************************************************************************
*          SESSION STARTED AT 06.Aug.2003 18:05:53
***********************************************************************************************

    Resolving host name ftp.fr.pureftpd.org...
    Connecting to (ftp.fr.pureftpd.org) ->  IP: 213.41.148.142 PORT: 21
    Connected to (ftp.fr.pureftpd.org) -> Time = 240ms
    Socket connected waiting for login sequence.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 10 allowed.
220-Local time is now 18:05. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
    AUTH TLS
234 AUTH TLS OK.
    PBSZ 0
200 PBSZ=0
    USER ftptest
331 User ftptest OK. Password required
    PASS (hidden)
230-User ftptest has group access to:  ftptest
230 OK. Current restricted directory is /
    SYST
215 UNIX Type: L8
    FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 TVFS
 ESTP
 PASV
 EPSV
 SPSV
 ESTA
 AUTH TLS
 PBSZ
 PROT
211 End.
    Detected Server Software: PureFTPd
    PWD
257 "/" is your current location
    TYPE A
200 TYPE is now ASCII
    PROT P
534 C
    PROT C
200 OK
    PASV
227 Entering Passive Mode (213,41,148,142,250,173)
    Opening data connection IP: 213,41,148,142,250,173 PORT: 64173.
    LIST -laLT
150 Accepted data connection
    1366 bytes received successfully. (0.27 KB/s) (00:00:05).
226-Options: -a -l
226 21 matches total

***********************************************************************************************
*          SESSION  CLOSED AT 06.Aug.2003 18:06:09
***********************************************************************************************

works so far. just:
200 TYPE is now ASCII
PROT P
534 C
PROT C
200 OK
PASV

both teams keep up the good work :)

darix

Sorry, the problem might be on my side because of the firewall.
Darix I'm glad to hear it works for you.

i mean. i wrote a mail to j at pureftpd point org some days ago. there pureftpd and smartftp didn't work together. so i thought you are posting here for him =)

darix.

update to the log above:

i just installed pureftpd-tls (CVS HEAD) on my local linux box (yeah i got it working :] ). and the "bug" with this single C is still there. no firewall between server and client.
but it looks like it's no smartftp problem. below is a log from lftp.
[ftp] ::1:/> ls
---- Connecting to ::1 (::1) port 2121
<--- 220 FTP server ready.
---> AUTH TLS
<--- 234 AUTH TLS OK.
Certificate depth: 0; subject: /C=DE/ST=MV/L=HRO/O=pixalized/OU=technet/CN=darix/Email=darix@web.de; issuer: /C=DE/ST=MV/L=HRO/O=pixalized/OU=technet/CN=darix/Email=darix@web.de
WARNING: Certificate verification: self signed certificate
---> USER anonymous
<--- 230-Your bandwidth usage is restricted
<--- 230 Anonymous user logged in
---> PBSZ 0
<--- 200 PBSZ=0
---> PROT P
<--- 534 C
---> EPSV
<--- 229 Extended Passive mode OK (|||1362|)
---- Connecting data socket to (::1) port 1362
---> LIST
<--- 150 Accepted data connection
drwxr-xr-x    5 0        0              55 Jul 24 21:00 .
drwxr-xr-x    5 0        0              55 Jul 24 21:00 ..
-rw-r--r--    1 0        0             128 Jan  9  2002 .banner
drwxr-xr-x    2 0        0              31 Jul 24 20:59 etc
drwxr-xr-x    2 40       2               6 Aug  7 00:43 incoming
drwxr-xr-x    3 0        0              17 Aug  5 09:35 pub
---- Closing data socket
<--- 226-Options: -a -l
<--- 226 6 matches total
[ftp] ::1:/>

The single "C" is normal.