Article delegate-en/4381 of [1-5169] on the server localhost:119
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: ftps fails to work with client side ssl
27 Feb 2009 03:56:30 GMT (Yutaka Sato)
The DeleGate Project

Hi Jacob,

First of all, I should say I'm implementing partial features of protocols
which are practically useful and necessary at the time.

In message <_A4380@delegate-en.ML_> on 02/27/09(09:59:51)
you Jacob Lundberg <> wrote:
 |On Thu, 2009-02-26 at 14:40 +0900, Yutaka Sato wrote:
 |> The problem is in the implicit negotiation of SSL usage in FTPS, whose
 |> specification is not well specified.  In your case, DeleGate is waiting
 |> for SSL negotiation from the client on the data connection but lftp does not
 |> do SSL (at least by default) for a FTPS server.
 |Aha!  Thank you for the information.  I read some of RFC 2228 and I see
 |the problem is that lftp never issues a PROT command (most likely
 |because delegate does not list PROT in its supported commands when in
 |ftps mode).  So, I have delegate configured to require an encrypted data
 |channel and lftp assumes it is PROT level C.  I suppose this means my
 |use of delegate is actually wrong according to the RFC.  The RFC expects
 |something like:

As far as I know, FTPS using port #990 applies SSL without any
negotiation and has nothing to do with RFC2228.
And what I can't understand is why you still try to use FTPS with a
client like lftp, which does not need it, as it supports the negotiation
of RFC2228 over the standard FTP port #21.  It might be that you are
making a configuration which is commonly applicable to other
implementations of clients and servers, but I'm not sure...

 |I did notice one problem.  If delegate is configured to require
 |encryption on the data channel, it will still accept "PROT C" from the
 |client.  So the client says "PROT C" and delegate says "200" but then
 |the client will hang when it tries to download the file.  I think the
 |RFC is clear delegate should reject the PROT with "534" (protection
 |level refused).

Yes, it should be, but I did not think it so necessary, at least when I
implemented it, to disable SSL while negotiating about SSL.
Nowadays the usage of SSL for FTP becomes more usual and it might be

  9 9   Yutaka Sato <>
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
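
The exchange discussed in this thread, modelled as an added example (not DeleGate's or lftp's code): a server-side state machine for the RFC 2228 security commands AUTH, PBSZ and PROT as profiled for TLS in RFC 4217, in which a server configured to require a protected data channel answers "PROT C" with 534 instead of 200, so a client that negotiates explicitly on port 21 learns the policy rather than hanging on an unencrypted data connection. The flag require_data_protection and the reply texts after the three-digit codes are assumptions for illustration; the TLS handshake itself is out of scope.

```python
"""Model of the RFC 2228 / RFC 4217 control-channel security commands
(AUTH TLS, PBSZ, PROT) as an explicit-FTPS server should handle them.

Added example for the thread above; not DeleGate's or lftp's code.
The flag require_data_protection stands in for the "require an encrypted
data channel" server configuration discussed in the thread."""

# RFC 2228 / RFC 4217: advertise the security extensions in FEAT so a
# client such as lftp knows it may send PROT at all.
FEAT_REPLY = "211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End"


class ExplicitFtpsControl:
    def __init__(self, require_data_protection=True):
        self.require_data_protection = require_data_protection
        self.tls_on_control = False   # set after AUTH TLS (handshake omitted)
        self.pbsz_done = False        # RFC 4217: PBSZ 0 must precede PROT
        self.data_protection = "C"    # RFC 2228: default level is Clear

    def data_channel_uses_tls(self):
        """True once PROT P has been accepted; only then may the server
        expect a TLS handshake on the data connection, which is what the
        waiting server in the thread assumed without any PROT."""
        return self.data_protection == "P"

    def handle(self, line):
        """Return the server reply for one control-channel command line."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "FEAT":
            return FEAT_REPLY
        if verb == "AUTH":
            if arg != "TLS":
                return "504 Unrecognized AUTH mechanism"
            self.tls_on_control = True
            return "234 AUTH TLS successful"
        if verb == "PBSZ":
            if not self.tls_on_control:
                return "503 Use AUTH TLS first"
            if arg != "0":
                return "501 PBSZ must be 0 for TLS"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            if arg in ("S", "E"):  # RFC 4217: not available with TLS
                return "536 Requested PROT level not supported by mechanism"
            if arg == "C":
                if self.require_data_protection:
                    # The reply the thread says a server configured to
                    # require data-channel encryption should give, rather
                    # than "200" followed by a hang on the data transfer.
                    return "534 Request denied for policy reasons"
                self.data_protection = "C"
                return "200 Protection level set to C"
            if arg == "P":
                self.data_protection = "P"
                return "200 Protection level set to P"
            return "504 Unknown PROT level"
        return "502 Command not implemented"


def run_transcript(commands, require_data_protection=True):
    """Feed a client's command list through a fresh server state and return
    (command, reply) pairs, i.e. an interleaved control-channel trace."""
    server = ExplicitFtpsControl(require_data_protection)
    return [(cmd, server.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    # Constructed client session: explicit TLS, then PROT C, then PROT P.
    session = ["FEAT", "AUTH TLS", "PBSZ 0", "PROT C", "PROT P"]
    for cmd, reply in run_transcript(session):
        print(f"C> {cmd}\nS> {reply}")
```

Running the block prints the trace for a client that first asks for a clear data channel and, on the 534 refusal, retries with PROT P; with require_data_protection=False the same "PROT C" is accepted with 200 and the data connection stays in the clear, which is the implicit-port-990 behaviour the thread contrasts with RFC2228 negotiation.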
