On Jun 1, 2011, at 16:44, augustin wrote:

> With the settings you suggest,

I did not really suggest changing any settings, I just noted that those are 
already the defaults so you shouldn't need to do anything and lftp will 
automatically use the secure connection if the server tells it that it's 
supported.

> how do I know I have a secure connection?

You are already on the right track, just turn on ssl-force for at least that 
server and then lftp will refuse to proceed without encryption.

You can conveniently set settings to apply only to specific servers, for example
set ftp:ssl-force/ftp.example.com on

Then you can just leave that forever in your ~/.lftp/rc file and not have to 
think about it ever again.

> Again, the man page does not differentiate between the various protocols, so 
> I am double-plus unclear as to what options are available for which protocol.

Actually the settings are all nicely prefixed by the protocol they apply to, or 
a different prefix to note that it applies in a more generic way to all 
protocols.
It's "ftp:ssl-force" so it applies to ftp.  "http:user-agent" is for http, and 
so on.

> I tried:
> set ftp:ssl-force true
> but I get:
> "Login failed: ftp:ssl-force is set and server does not support or allow SSL"

Looks like a misbehaving server.

> What's odd is the ftp:use-feat option.
> The following lines are only present with:
> set ftp:use-feat true
> ---> FEAT
> <--- 211-Extensions supported:
> <---  EPRT
> <---  IDLE
> <---  MDTM
> <---  SIZE
> <---  REST STREAM
> <---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
> <---  MLSD
> <---  ESTP
> <---  PASV
> <---  EPSV
> <---  SPSV
> <--- 211 End.
> ---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
> <--- 200  MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique

A friendlier server would advertise AUTH TLS in the FEAT reply so that clients 
connecting know it's supported.
Something like this: 
---> FEAT
<--- 211-Features:
<---  AUTH SSL
<---  AUTH TLS
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  PBSZ
<---  PROT
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End

> The following lines are only present with:
> set ftp:use-feat false
> ---> AUTH TLS
> <--- 234 AUTH TLS OK.

Good, so it looks like your server supports AUTH TLS despite not admitting to 
it in the FEAT reply.
Just turn use-feat off for that server then.

set ftp:use-feat/example.com off
set ftp:ssl-force/example.com on

> When searching the web earlier, I found other people asking very similar 
> questions. There is a lot of confusion surrounding these topics; that's why I 
> am offering, with your help, to clearly document all of this.

Keep in mind I'm just a fellow user hanging around on this mailing list, my 
only qualification being a long-time satisfied user of lftp. :)

There are two additional things to note in regards to using TLS with ftp.

First is certificate verification, same as when you'd visit an https web site. 
It's of little comfort that your password was sent with strong encryption if 
you sent it to the wrong guy. TLS uses certificates to help ensure you are 
connected to who you intended to.

A basic setup is to make sure certificate verification is turned on (these too 
are on by default in the current version):
set ssl:check-hostname yes
set ssl:verify-certificate yes
set ssl:ca-file "path to your certificate bundle file, containing the 
certificate authorities you choose to trust"

An easy answer to what bundle of certificates authorities to trust is to just 
take what your browser vendor (e.g. Mozilla) or operating system vendor 
supplies. Then you'll be generally as safe as you'd be accessing an https web site 
in your browser.
More paranoid users might hand-pick what certificate authorities to trust on 
their own.

The second important part for ftp with TLS is unique for ftp's peculiarity of 
using multiple connections, one as a control channel and a separate one for 
transferring data.

lftp by default is set to encrypt only the control channel and leave the data 
channel in the clear.
I find computers and Internet connections plenty fast enough nowadays to afford 
encrypting everything, so just turn it all on:

set ftp:ssl-protect-data yes
set ftp:ssl-protect-list yes

As you can see from all this, everything is a whole lot simpler if you just 
connect with sftp to an ssh2 server instead. Everything is always encrypted no 
matter what, no separate control and data channels to worry about, no 
certificate authorities to trust (a host fingerprint is verified instead). 
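As an added example (not from this thread and not part of lftp), the POSIX shell function below audits an lftp debug transcript (the "---> " and "<--- " lines that lftp -d prints) and reports whether AUTH TLS was advertised in FEAT, whether the control channel was actually upgraded, and whether PROT P protected the data channel. The two transcripts are constructed, modelled on the exchange quoted above; the exact wording of the 200 reply to PROT P is assumed.

```shell
# Audit an lftp -d transcript read on stdin and print one summary line:
#   feat_advertises_tls=<yes|no> auth_tls=<yes|no> data_protected=<yes|no>
# Returns 0 only if the control channel (AUTH TLS answered 234) and the data
# channel (PROT P answered 200) are both encrypted.
ftp_tls_audit() {
    feat_tls=no auth_tls=no prot_p=no in_feat=no pending=
    while IFS= read -r line; do
        case $line in
            '---> FEAT')             in_feat=yes ;;
            '---> AUTH TLS')         pending=auth ;;
            '---> PROT P')           pending=prot ;;
            '---> '*)                pending= ;;   # any other command resets expectation
            '<--- 211 '*|'<--- 211') in_feat=no ;; # "211 End" closes the FEAT list
            '<--- 234'*)             if [ "$pending" = auth ]; then auth_tls=yes; fi ;;
            '<--- 200'*)             if [ "$pending" = prot ]; then prot_p=yes; fi ;;
            '<--- '*'AUTH TLS'*)     if [ "$in_feat" = yes ]; then feat_tls=yes; fi ;;
        esac
    done
    echo "feat_advertises_tls=$feat_tls auth_tls=$auth_tls data_protected=$prot_p"
    if [ "$auth_tls" = yes ] && [ "$prot_p" = yes ]; then return 0; fi
    return 1
}

# Constructed transcript modelled on the one quoted above: FEAT omits AUTH TLS,
# the client forces AUTH TLS anyway, and PROT P is never sent (protect-data off).
WEAK_TRANSCRIPT='---> FEAT
<--- 211-Extensions supported:
<---  EPRT
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;
<--- 200  MLST OPTS type;size;modify'

# Constructed transcript with AUTH TLS advertised and ssl-protect-data on.
GOOD_TRANSCRIPT='---> FEAT
<--- 211-Features:
<---  AUTH TLS
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> PBSZ 0
<--- 200 PBSZ=0
---> PROT P
<--- 200 Protection set to Private'

for t in "$WEAK_TRANSCRIPT" "$GOOD_TRANSCRIPT"; do
    if printf '%s\n' "$t" | ftp_tls_audit; then echo "  -> fully encrypted"
    else echo "  -> data channel would go in the clear"; fi
done
```

Note that the 200 reply to OPTS in the weak transcript is not mistaken for PROT P acceptance, because only the reply to the most recent command counts.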

