curl-users

Re: FTP/SSL issue; Help!

From: Max <maxshop01_at_gmail.com>
Date: Fri, 10 Apr 2009 10:36:27 -0400

Thanks John and Markus.

I was finally able to connect using the --ftp-ssl-ccc in conjunction
with the --ftp-ssl-control command.

Now I am on to the next step, i.e. changing ("cd") to a particular
directory and downloading file(s).

Thanks!

On Tue, Apr 7, 2009 at 12:05 PM, John Campo <misclists_at_jecsw.com> wrote:
> Max,
>
> Sorry to butt in, but I just went through an FTPS implementation.
>
>> I did some further investigation and also contacted the "server"
>> company, and here is what they said:
>
>> "Your FTP client must also be able to send the CCC (clear control
>> channel) command and support server authentication. Client
>> authentication is not supported". I am not very clear on what exactly
>> they mean by server and client authentication.
>
> Roughly, this translates to "you can verify the server (from its
> certificate, same as https), but the server can't verify you".
> This mode is only useful in anonymous download situations.
>
>> I tried --ftp-ssl-ccc (instead of --ftp-ssl), but it failed right away
>> at the USER command saying that the "Server policy requires that all
>> clients be secured. Access denied 503". I also tried changing the CCC
>> mode to active (--ftp-ssl-ccc-mode active), but got the same error.
>
>> I have asked them if they use a specific port range for passive
>> connections, and am waiting for a response.
>
> Most use a subset of 40000-65535. That shouldn't be an issue, though - the
> entire point of passive mode FTP is that the client automatically "opens"
> the DATA port of the firewall by initiating the conversation with the
> server, using the server's specified port. The range is restricted only for
> the convenience and security of the server.
>
> Is it possible that your firewall has an FTP proxy running on it? In my
> experience these "break" FTPS explicit (port 21) clients behind the
> firewall.
>
> NOTE: Turning the FTP proxy off is probably not a good idea if you host FTP
> servers or use active mode FTP clients behind the firewall. In our
> case we also host FTP, so I simply run curl from our OpenBSD firewall
> itself.
>
> Cheers,
> John Campo
>
> jcampo_at_jecsw.com
>
>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-04-10
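
Added example (not part of the original thread): John's point that in passive mode the server names the data port can be checked against a firewall's allowed range by reading the 227/229 replies from "curl -v" output. The sample log is constructed, the function names are hypothetical, and the 40000-65535 range is the one mentioned in the message above.

```sh
#!/bin/sh
# Constructed sample: server replies as "curl -v" prints them ("< " prefix).
SAMPLE_LOG='< 234 AUTH TLS OK
< 230 User logged in
< 200 CCC OK
< 227 Entering Passive Mode (192,0,2,10,156,64)
< 229 Entering Extended Passive Mode (|||50123|)
< 227 Entering Passive Mode (192,0,2,10,4,1)'

# Print the data port announced by one 227 (PASV) or 229 (EPSV) reply.
# Returns non-zero for any other line.
data_port() {
    reply=${1#"< "}                       # drop the "< " marker if present
    case "$reply" in
        "227 "*"("*")"*)
            # (h1,h2,h3,h4,p1,p2): port = p1 * 256 + p2
            nums=${reply#*"("}; nums=${nums%%")"*}
            old_ifs=$IFS; IFS=,; set -- $nums; IFS=$old_ifs
            [ $# -eq 6 ] || return 1
            echo $(( $5 * 256 + $6 )) ;;
        "229 "*"(|||"*"|)"*)
            # (|||port|): the port is given directly
            port=${reply#*"(|||"}; port=${port%%"|"*}
            echo "$port" ;;
        *) return 1 ;;
    esac
}

# Read replies on stdin; print each announced port outside MIN..MAX.
ports_outside_range() {
    min=$1; max=$2
    while IFS= read -r line; do
        port=$(data_port "$line") || continue
        if [ "$port" -lt "$min" ] || [ "$port" -gt "$max" ]; then
            echo "$port"
        fi
    done
}

# 156*256+64 = 40000 and 50123 are inside the range; 4*256+1 = 1025 is not.
printf '%s\n' "$SAMPLE_LOG" | ports_outside_range 40000 65535
```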