curl-library
Re: [PATCH] Compatibility flag for SecureTransport FTPS
Date: Sat, 8 Jul 2006 21:47:09 +0200 (CEST)
On Fri, 7 Jul 2006, Dan Nelson wrote:
> Tumbleweed's (formerly Valicert) Secure Transport server has the ability to
> do client-certificate-only authentication in its FTPS server, but it does it
> in a sort of annoying way. Instead of sending USER/PASS commands, you have
> to send SITE AUTH, which tells the server to pull the userid out of your
> client cert (which you have already sent due to AUTH SSL negotiation).

How very... silly.

> Anyway, attached is a patch that adds a CURLOPT_FTP_SITE_AUTH option
> (commandline flag --ftp-site-auth) that causes "SITE AUTH" to be sent
> instead of "USER xxx". I think I've added docs in all the right files.

Thanks. I do however feel a bit reluctant to apply this patch since it is so
_very_ specific to one particular (flawed) implementation of FTPS, and also
since it does in fact require you to know this and manually select this
option.

1) Won't it be better to let the option make libcurl send SITE AUTH only if
the common USER approach doesn't work? Since then you can use this option
for all servers and it would automatically work around this violation when
need be.

2) I think (I'm not really done pondering over this subject and I would really
value more feedback from others on this) that I would prefer a way for the
app to provide the full custom command to send if the USER approach is not
enough. I mean, the app would in this case not set CURLOPT_FTP_SITE_AUTH
but would instead set CURLOPT_FTP_ALTERNATIVE_TO_USER to point to the
string "SITE AUTH". It would then allow libcurl to be used for other
similarly strange work-arounds without us having to add a new fix for each
new incarnation...

Of course, I'm open to ideas and more comments.

-- 
Commercial curl and libcurl Technical Support: http://haxx.se/curl.html

Received on 2006-07-08