FTPc 1.55

I’ve updated FTPc to use AcornSSL for ftps.

FTPc is available from here.
AcornSSL is available from the latest ROOL Harddisc4 image here

FTPc supports Explicit and Implicit ftps. Implicit is a secure connection to port 990. Explicit is a normal connection to port 21 where a secure connection is negotiated.

Note FTPc supports ftps not sftp. sftp is a different protocol.

Thanks Colin this is really useful addition.

We talked about FTP server and FTPc at the MUG meeting today so just a few hours late to try and demo it their.

I missed this announcement (dunno how) until it was mentioned in another thread recently, so I promptly thought I’d try it.

I can only get it to do original non-secure FTP though. Any attempt to get it to use explicit ftps fails very swiftly with “Not con” and “Connection failed”. I noticed two commented-out lines in the !Run file that are clearly intended to log, so I tried the log to file option. Unfortunately the file is open while FTPc is there on the icon bar, but on quitting there is a crash with a postmortem offered – unfortunately always leaving a zero-length log file.

Since plain FTP works (as it always has done), clearly I have the correct user name and password.

My web space provider says that ftps works (they call it ftpes and say it’s still port 21).

I’m now open to help and suggestions to diagnose and fix the problem.

Clearly I’m going through the firewall of my BT SmartHub 6. I’ve not heard of any suggestions of a specific fix for “firewall issues”, other than restricting the range of other ports that the FTP server will use (of which I’m clearly not in control) and opening them for incoming conections. Rather vague and I can’t see how to do it or test whether it’s even necessary.

Dave, with the open log file have you tried using something like CloseFiles to close the file? Which you may be able to read.

http://www.vigay.com/software/closefiles.html

I used WimpDrain, but the file was zero length anyway. But thanks for the idea!

At the suggestion of the site’s support tech, I installed and tried Filezilla on Ubuntu. When given the ftps:// domain name, it complained of an unexpected TLS packet. When given the ftpes:// domain name, it stopped after opening a big “Unknown certificate” window, and asked whether I wanted to trust this certificate and carry on connecting.

The site’s tech is convinced that the certificate chain is valid, but even Filezilla (on Ubuntu 18.04) questions it and requires a manual OK from the user. So one question is how FTPc handles a questionable cert chain. (Another is why anything considers the chain to be questionable, but there we are.)

Once I’ve told Filezilla to trust the cert chain, it gets in with no further problem.

The cert chain is:

dragonfruit.active-ns.com             cPanel, Inc. Certification Authority
cPanel, Inc. Certification Authority  COMODO RSA Certification Authority
COMODO RSA Certification Authority    AddTrust External CA Root

The site’s tech is convinced that the certificate chain is valid, but even Filezilla (on Ubuntu 18.04) questions it and requires a manual OK from the user.

That’s normal.
The only way of avoiding that is to import the certificate before you connect as opposed to clicking OK and importing it…

If you run Filezilla with verbose logging it will give a clearer idea of the stages it goes through You’ve remembered that FTPS just uses the cp 990 link for control and the data is over some other ports of course. Sometimes the server end is nice and only uses a handful of data ports and others they list 100’s or 1000’s

Port 990 is ftps (implicit), ftpes (explicit) uses port 21 for connections.

It may just be the hostname(s) used on the site’s certificate and the actual hostname don’t match.
Does FTPc have a way to set AcornSSL_Setsockopt’s SO_ACORNSSL_HOSTNAME? Because that may be what’s needed here.

If you use (on linux):

openssl s_client -connect hostname:21 -starttls ftp

(with the correct hostname filled in, of course), does that hostname appear as first item in the chain?

does that hostname appear as first item in the chain?

Yes, as the Common Name.

The only way of avoiding that is to import the certificate before you connect as opposed to clicking OK and importing it

Does that work on RISC OS, and how would I do it?

I can see the certificates in the terminal window from Frank’s suggestion, so one way or another I can get hold of the certificate; but where would I put it for AcornSSL to see it?

If some item in that chain is unknown, I wouldn’t want to import it. And if even FileZilla doesn’t recognise it…
What are the other names in the chain?

The ones that are trusted should be in InetDBase:CertData.

But unless the certificate is messed up somehow, I would have expected AcornSSL’s wimp task to pop up a window allowing you to accept it. Are you sure that task is running?

What are the other names in the chain?

I showed the chain above. dragonfruit – cPanel – COMODO – AddTrust CA Root

cPanel isn’t in CertData, not even in the most recent version (January 2020 – see https://curl.haxx.se/docs/caextract.html). Don’t know what to make of it. Sounds a bit like someone created their own, unofficial CA.
On the other hand, if Comodo certified it…

The FTP URL begins with dragonfruit.active-ns.com for anyone who wants to try it, examine the cert chain, etc.

Hmmmmm… https://forums.cpanel.net/threads/the-sites-security-certificate-is-not-trusted-ssl-error.196082/

But you wouldn’t expect cPanel to be in CertData, would you? COMODO RSA Certification Authority and AddTrust External Root certainly are.

Are you sure that task is running?

Yes, AcornSSL is listed under “Module tasks”.

Somehow I wouldn’t expect a cPanel certificate to be on anyones site either (as a serious cert, I mean), but I admit I haven’t kept up with who/what is providing certificates these days.

Something else: I realised that, when I enabled logging, I had not commented out the original non-logging “Run” line. Commenting that out in favour of a line that enables logging, prevents the crash on exit. However, the log file remains zero length, whether I run a non-secure FTP session, i.e. one where something happens, or a failed secure session.

https://forums.cpanel.net/threads/the-sites-security-certificate-is-not-trusted-ssl-error.196082/

The tech’s reply: “That is a very old thread it doesn’t work like that any more the SSL is valid.”

I have had another report of ftps not working on certain sites but have found no solution. To eliminate setup problems this site should work – add below to the user menu.

name=“ftps test site Implicit”;
value="ftps://demo:password@test.rebex.net/ -secure 2";
list_flags = “-la”
name=“ftps test site Explicit”;
value="ftps://demo:password@test.rebex.net/";
list_flags = “-la”
name=“ftps test site no security”;
value="ftp://demo:password@test.rebex.net/";
List_flags = “-la”

This is the status log after connecting to dragonfruit.active-ns.com. It has connected ok.

Resolving host name: dragonfruit.active-ns.com
Connecting
Connection established
   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
   220-You are user number 1 of 50 allowed.
   220-Local time is now 09:22. Server port: 21.
   220-This is a private system - No anonymous login
   220-IPv6 connections are also welcome on this server.
   220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
   234 AUTH TLS OK.
Secure connection established
USER anonymous
   331 User anonymous OK. Password required
PASS
   530 Login authentication failed

Where/how did you get that status log, Colin?

Main menu