curl-library

[PATCH] Compatibility flag for SecureTransport FTPS

From: Dan Nelson <dnelson_at_allantgroup.com>
Date: Fri, 7 Jul 2006 13:08:55 -0500

Tumbleweed's (formerly Valicert) Secure Transport server has the
ability to do client-certificate-only authentication in its FTPS
server, but it does it in a sort of annoying way. Instead of sending
USER/PASS commands, you have to send SITE AUTH, which tells the server
to pull the userid out of your client cert (which you have already sent
due to AUTH SSL negotiation). This is annoying because I know of no
FTPS clients that support this login method, so their claim of
"standards-based compatibility" with FTPS is a little silly, and also
annoying because I had to truss their fdx client to figure out what was
going on. Much easier would be for them to accept a USER command, and
as long as the username matched what was in the certificate, allow the
login.

Anyway, attached is a patch that adds a CURLOPT_FTP_SITE_AUTH option
(commandline flag --ftp-site-auth) that causes "SITE AUTH" to be sent
instead of "USER xxx". I think I've added docs in all the right files.

Here's what the login flow looks like with the flag enabled:

* About to connect() to sft.site.com port 21
* Trying 11.22.33.44... connected
* Connected to sft.site.com (11.22.33.44) port 21
< 220 STEE 4.1.4> ready.
> AUTH SSL
< 234 SSLv23/TLSv1
SSL connection using DES-CBC3-SHA
* SSL certificate verify ok.
> SITE AUTH
< 230 Virtual user certuser1 logged in.

-- 
	Dan Nelson
	dnelson_at_allantgroup.com

Received on 2006-07-07
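The login exchange quoted above, as an added example that is not curl's code, not the attached patch, and not Tumbleweed's server: a toy model of the FTPS control channel in which the server accepts either the usual USER/PASS login or the certificate-bound SITE AUTH login, and the client drives the dialogue the way it would with or without --ftp-site-auth. Only the control channel is modelled; no real TLS is performed, the client certificate is a constructed subject CN handed over in a simulated handshake, the account table and all reply texts other than the 234/230 lines in the post are constructed, and the bind_user_to_cert option is an assumption modelling the alternative the post proposes (USER accepted only when it matches the certificate).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed account table: username -> password. For certificate login the
# username is taken from the client certificate's subject CN instead.
ACCOUNTS: Dict[str, str] = {"certuser1": "s3cret", "bob": "hunter2"}


@dataclass
class ServerSession:
    """Server-side state for one FTPS control connection (toy model)."""
    accounts: Dict[str, str]
    bind_user_to_cert: bool = False       # assumed option: the alternative the post proposes
    tls: bool = False                     # AUTH SSL negotiated?
    client_cert_cn: Optional[str] = None  # CN of the cert presented in the handshake
    user: Optional[str] = None
    logged_in: bool = False

    def complete_tls_handshake(self, client_cert_cn: Optional[str]) -> None:
        """Models the TLS handshake that follows the 234 reply to AUTH SSL."""
        self.tls = True
        self.client_cert_cn = client_cert_cn

    def handle(self, line: str) -> str:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() == "SSL":
            return "234 SSLv23/TLSv1"
        if cmd == "USER":
            self.user = arg
            return "331 Password required for %s." % arg
        if cmd == "PASS":
            if self.user is None or self.accounts.get(self.user) != arg:
                return "530 Login incorrect."
            # Assumed hardening: a password login over a session that carried a
            # client cert must name the same identity as the certificate.
            if (self.bind_user_to_cert and self.client_cert_cn is not None
                    and self.client_cert_cn != self.user):
                return "530 Username does not match client certificate."
            self.logged_in = True
            return "230 User %s logged in." % self.user
        if cmd == "SITE" and arg.upper() == "AUTH":
            # Certificate-only login: identity comes from the cert presented
            # during the AUTH SSL handshake, never from a USER command.
            if not self.tls:
                return "503 AUTH SSL required before SITE AUTH."
            if self.client_cert_cn is None:
                return "530 No client certificate presented."
            if self.client_cert_cn not in self.accounts:
                return "530 Unknown certificate user."
            self.user = self.client_cert_cn
            self.logged_in = True
            return "230 Virtual user %s logged in." % self.user
        return "500 Unknown command."


def ftps_login(server: ServerSession, site_auth: bool,
               username: Optional[str] = None, password: Optional[str] = None,
               client_cert_cn: Optional[str] = None) -> Tuple[List[str], bool]:
    """Client side: the dialogue driven with (site_auth=True) or without
    the --ftp-site-auth flag. Returns the control-channel transcript
    ('>' sent, '<' received) and whether the session ended up logged in."""
    transcript: List[str] = []

    def send(cmd: str) -> str:
        transcript.append("> " + cmd)
        reply = server.handle(cmd)
        transcript.append("< " + reply)
        return reply

    if send("AUTH SSL").startswith("234"):
        # The client certificate travels in the TLS handshake, not in a command.
        server.complete_tls_handshake(client_cert_cn)
    if site_auth:
        send("SITE AUTH")          # identity is read from the certificate
    else:
        send("USER %s" % username)
        send("PASS %s" % password)
    return transcript, server.logged_in


if __name__ == "__main__":
    log, ok = ftps_login(ServerSession(ACCOUNTS), site_auth=True,
                         client_cert_cn="certuser1")
    print("\n".join(log))
    print("logged in:", ok)
```

Running the block reproduces the three-step dialogue from the post (AUTH SSL, 234, SITE AUTH, 230 Virtual user certuser1 logged in). The SITE AUTH branch also shows the failure modes a server of this kind has to handle: no TLS yet, no client certificate in the handshake, or a certificate subject that maps to no account.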