curl-users

Re: curl avoiding encrypted data connection

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 14 May 2010 23:12:08 +0200 (CEST)

On Thu, 13 May 2010, Bill J Harvey wrote:

> I'm trying to use the curl command line to encrypt the FTP control
> connection to my zOS FTP server, but leave the data connection
> unencrypted. My current attempt looks like:
> curl -k -v -T /tmp/src-filename.txt --ftp-ssl-control -u uid:pwd
> 'ftp://ftp.hostname.com/directory/dest-filename.txt'
> The way I'm reading the verbose output, the TLS control connection appears
> to be properly negotiated, but the connection is ultimately rejected with
> the message: "421 Open rejected due to insufficient resources."

That sounds like an issue you should direct to the admins of that site...

> I believe the FTP server is assuming the data connection is to be
> encrypted, and won't allow that because of site-restrictions.

If it wants the data connection encrypted, it doesn't at all explain why it
wouldn't allow your control connection to be encrypted as well or totally
independently. The data connection is set up afterwards.

> In the verbose output, I notice that curl appears to be using "AUTH SSL" to
> begin the negotiations of the encrypted control connection. According to my
> read of the description of the AUTH_TLS extension in the zOS FTP docs (
> http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.halz001/extns.htm
> ) I'm guessing that the FTP server is inferring an encrypted data connection
> from the "AUTH SSL" and I should be forcing curl to use "AUTH TLS"
> instead...

curl simply tries AUTH SSL and AUTH TLS to set up SSL negotiation, and it just
happens to try them in that order. libcurl even has an option to try them in
the reversed order but there's no option for that exposed via the curl tool.

> I think I want the command line equivalent of setting
> "CURLOPT_FTPSSLAUTH=CURLFTPAUTH_TLS". Does that sound right? Is it
> possible to set that option via command line?

Ah yes, that's the name of the option I mention above that the curl tool
cannot set! I wouldn't mind getting a patch that adds this ability.

SSL and TLS are effectively the same thing (both here and in many other
places), but we have seen a server or two where the actual command used has
made a difference.

-- 
  / daniel.haxx.se
Received on 2010-05-14
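
Added example (not part of the original message and not curl project code): a Python check that reads saved `curl -v` output and reports which AUTH commands were tried and in what order, which one the server accepted, the PROT level that was set, and the first command that failed. The trace, host name and reply texts below are constructed for illustration; `analyze` and `SAMPLE_TRACE` are names chosen for this example.

```python
import re

# Constructed `curl -v` excerpt (not from the post): "> " = command sent, "< " = reply.
SAMPLE_TRACE = """\
* Connected to ftp.example.com (192.0.2.10) port 21
< 220-Constructed banner line one
< 220 Service ready
> AUTH SSL
< 504 Unknown security mechanism
> AUTH TLS
< 234 Security environment established
> USER uid
< 331 Send password please
> PASS pwd
< 230 uid is logged on
> PBSZ 0
< 200 Protection buffer size accepted
> PROT C
< 200 Data connection protection set to clear
> STOR dest-filename.txt
< 421 Open rejected due to insufficient resources.
"""

FINAL_REPLY = re.compile(r"^< (\d{3}) ")  # "NNN-" marks a continuation line


def analyze(trace):
    """Pair each sent command with the code of its final reply line."""
    report = {"auth_tried": [], "auth_accepted": None, "prot": None, "first_error": None}
    pending = None
    for line in trace.splitlines():
        if line.startswith("> "):
            pending = line[2:].strip()
            continue
        m = FINAL_REPLY.match(line)
        if not (m and pending):
            continue  # info line, continuation line, or the greeting
        code, words = int(m.group(1)), pending.split()
        verb, arg = words[0].upper(), (words[1].upper() if len(words) > 1 else "")
        if verb == "AUTH":
            report["auth_tried"].append((arg, code))
            if code == 234:  # RFC 4217: mechanism accepted, TLS handshake follows
                report["auth_accepted"] = arg
        elif verb == "PROT" and code == 200:
            report["prot"] = arg  # C = clear data connection, P = private (TLS)
        elif code >= 400 and report["first_error"] is None:
            report["first_error"] = (verb, code)  # verb only, never the argument
        pending = None
    return report
```

curl writes its verbose trace to stderr, so save that stream to a file and pass its contents to `analyze()`.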