On Tue, 18 Jan 2005, Shun-Li Huang wrote:

Note that this quotes here are from "Gary Cohen" of "GlubTech's forum".
Obviously not 100% involved in this topic, curl-wise.

> We are following spec:

So is curl, if you use ftp:// URLs. As that is the way that spec says you do
SSL over FTP.

The ftps:// approach is deprecated and not defined properly anywhere (at least
not in the draft-murray-auth-ftp-ssl-15.txt spec he referred to). One can of
course argue how to behave with such servers and possibly curl doesn't do it
the "best" way. I'm open for suggestions.

> The initial state of the data connection MUST be 'Clear' (this is the
> behaviour as indicated by [RFC-2228].)

That is what curl assumes as well with ftp:// URLs.

> cURL is breaking spec by assuming that the data connection is secure.

This is false. Everyone can read the source code and verify this.

curl assumes the data connection is plain text unless you use a ftps:// URL,
in which case it assumes the data connection is using SSL (too).

> Additionally they send a PBSZ 0 command but no PROT P command. They need to
> do send a PROT command following a PBSZ command.

That is exactly what curl does. Use ftp://, --ftp-ssl and -v and view the
output to verify.

> Is his statement about cURL correct?

No.

And I didn't see many lines in there that actually tried to identify the
problem you see.

-- 
      Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
       Dedicated custom curl help for hire: http://haxx.se/curl.html