curl-users

Re: cURL and SSL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 24 Jun 2003 14:20:30 +0200 (CEST)

On Tue, 24 Jun 2003, Carter Harris wrote:

> 1. I want to send a file to an ftp server using cURL. The ftp server
> (Serv-U) will accept SSL connections and generates its own private
> certificate. I contacted Serv-U to determine if the cert had a file name so
> I could make a copy of it to use with cURL but was told there was not a file
> that "it just accepts SSL connections".
>
> I tested sending a file; it was transferred to Serv-U with and without the -k
> switch without a problem.
>
> I checked the logs on the ftp server and there is nothing to tell me that
> SSL was used. Is there any way to tell from the cURL side?

curl will not use SSL on FTP transfers unless you use ftps:// as protocol, and
even then it only supports a somewhat "unorthodox" version of FTP over SSL, so
the chances are high that it isn't the same kind of FTP over SSL that your
server wants to speak. curl's FTPS only uses SSL for the initial control
connection, sending the data unencrypted!

"Proper" SSL over FTP support is in the TODO list, but I don't know any test
servers to work against nor have I had any serious amount of people wanting
this feature or volunteering for co-writing it...

> Is there a way to be confident that this file is being securely transferred?

Currently, only if you use HTTPS and you *don't* use the -k option.

> 2. I also used cURL to connect to an HTTPS server and download a file or
> two. The HTTPS server required a uid and pwd encrypted using Base64
> Encoding. I accomplished this by using the coded text in the -u parameter
> and it worked just fine.
>
> I'm pretty sure (correct me if I'm wrong) that uid and pwd are always sent
> clear-text since the logon takes place before the SSL handshake takes place.
> Is there some sort of standard encryption that can be used for uid and pwd?

SSL encryption is done on a lower level than HTTP so your recollection is
wrong. The user name and password are also encrypted, as is the rest of the
request that is sent to the remote host (which is one of the reasons you
don't easily do name-based virtual hosting on HTTPS-servers).

> Daniel: I'm really enjoying using your program; it's a great piece of code.
> It won't be retirement-time but I will hit you with paypal real soon.

Thanks for considering this!

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
Received on 2003-06-24