On Jun 1, 2011, at 16:44, augustin wrote:

> With the settings you suggest,

I did not really suggest changing any settings, I just noted that those are already the defaults so you shouldn't need to do anything and lftp will automatically use the secure connection if the server tells it that it's supported.

> how do I know I have a secure connection?

You are already on the right track, just turn on ssl-force for at least that server and then lftp will refuse to proceed without encryption. You can conveniently set settings to apply only to specific servers, for example

    set ftp:ssl-force/ftp.example.com on

Then you can just leave that forever in your ~/.lftp/rc file and not have to think about it ever again.

> Again, the man page does not differentiate between the various protocols, so
> I am double-plus unclear as to what options are available for which protocol.

Actually the settings are all nicely prefixed by the protocol they apply to, or a different prefix to note that it applies in a more generic way to all protocols. It's "ftp:ssl-force" so it applies to ftp. "http:user-agent" is for http, and so on.

> I tried:
> set ftp:ssl-force true
> but I get:
> "Login failed: ftp:ssl-force is set and server does not support or allow SSL"

Looks like a misbehaving server.

> What's odd is the ftp:use-feat option.
> The following lines are only present with:
> set ftp:use-feat true
> ---> FEAT
> <--- 211-Extensions supported:
> <--- EPRT
> <--- IDLE
> <--- MDTM
> <--- SIZE
> <--- REST STREAM
> <--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
> <--- MLSD
> <--- ESTP
> <--- PASV
> <--- EPSV
> <--- SPSV
> <--- 211 End.
> ---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
> <--- 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique

A friendlier server would advertise AUTH TLS in the FEAT reply so that clients connecting know it's supported. Something like this:

    ---> FEAT
    <--- 211-Features:
    <--- AUTH SSL
    <--- AUTH TLS
    <--- EPRT
    <--- EPSV
    <--- MDTM
    <--- PASV
    <--- PBSZ
    <--- PROT
    <--- REST STREAM
    <--- SIZE
    <--- TVFS
    <--- UTF8
    <--- 211 End

> The following lines are only present with:
> set ftp:use-feat false
> ---> AUTH TLS
> <--- 234 AUTH TLS OK.

Good, so it looks like your server supports AUTH TLS despite not admitting to it in the FEAT reply. Just turn use-feat off for that server then.

    set ftp:use-feat/example.com off
    set ftp:ssl-force/example.com on

> When searching the web earlier, I found other people asking very similar
> questions. There is a lot of confusion surrounding these topics; that's why I
> am offering, with your help, to clearly document all of this.

Keep in mind I'm just a fellow user hanging around on this mailing list, my only qualification being a long-time satisfied user of lftp. :)

There are two additional things to note in regard to using TLS with ftp.

First is certificate verification, same as when you'd visit an https web site. It's of little comfort that your password was sent with strong encryption if you sent it to the wrong guy. TLS uses certificates to help ensure you are connected to whom you intended. A basic setup is to make sure certificate verification is turned on (these too are on by default in the current version):

    set ssl:check-hostname yes
    set ssl:verify-certificate yes
    set ssl:ca-file "path to a certificate bundle file, containing the certificate authorities you choose to trust"

An easy answer to what bundle of certificate authorities to trust is to just take what your browser vendor (eg. Mozilla) or operating system vendor supplies. Then you'll be generally as safe as you'd be accessing an https web site in your browser. More paranoid users might hand-pick what certificate authorities to trust on their own.

The second important part for ftp with TLS is unique to ftp's peculiarity of using multiple connections, one as a control channel and a separate one for transferring data. lftp by default is set to encrypt only the control channel and leave the data channel in the clear. I find computers and Internet connections plenty fast enough nowadays to afford encrypting everything, so just turn it all on:

    set ftp:ssl-protect-data yes
    set ftp:ssl-protect-list yes

As you can see from all this, everything is a whole lot simpler if you just connect with sftp to an ssh2 server instead. Everything is always encrypted no matter what, no separate control and data channels to worry about, no certificate authorities to trust (a host fingerprint is verified instead).
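As an added example, not part of this message and not lftp's own code, here is a small Python model of the control-channel exchange the thread is about. A scripted server (constructed, no sockets, no real TLS) behaves like the one above: it accepts AUTH TLS but leaves it out of its FEAT reply. A client routine then models how ftp:use-feat, ftp:ssl-force and ftp:ssl-protect-data interact, recording both sides' messages in a transcript. The FEAT replies are constructed from the ones quoted above and trimmed; the PBSZ 0 / PROT P step is how RFC 4217 switches the data channel to "private" (encrypted) protection, which goes one step beyond the quoted log. The names ConstructedServer and negotiate, and the "tls"/"plain"/"refused" outcomes, are this example's own.

```python
"""Toy model of FTP AUTH TLS negotiation (added example, not lftp source)."""

# Constructed FEAT replies. The first mirrors the thread's server: AUTH TLS is
# supported but not advertised. The second is the "friendlier" server.
FEAT_HIDDEN_TLS = (
    "211-Extensions supported:\r\n"
    " EPRT\r\n"
    " MDTM\r\n"
    " SIZE\r\n"
    " REST STREAM\r\n"
    " MLST type*;size*;modify*;UNIX.mode*;\r\n"
    " PASV\r\n"
    " EPSV\r\n"
    "211 End.\r\n"
)
FEAT_ADVERTISED_TLS = (
    "211-Features:\r\n"
    " AUTH SSL\r\n"
    " AUTH TLS\r\n"
    " PBSZ\r\n"
    " PROT\r\n"
    " PASV\r\n"
    " EPSV\r\n"
    "211 End\r\n"
)

# The message lftp printed in the thread when ssl-force could not be honoured.
SSL_FORCE_ERROR = ("Login failed: ftp:ssl-force is set and server does not "
                   "support or allow SSL")


def parse_feat(reply: str) -> set[str]:
    """Return the feature lines of a multi-line 211 FEAT reply (RFC 2389).

    Feature lines are indented by one space; the "211-" opener and the
    "211 End" closer are not features. Names are upper-cased for matching.
    """
    return {line.strip().upper()
            for line in reply.splitlines()
            if line.strip() and not line.startswith("211")}


def advertises_auth_tls(feat_reply: str) -> bool:
    """True when the FEAT reply explicitly lists AUTH TLS."""
    return "AUTH TLS" in parse_feat(feat_reply)


class ConstructedServer:
    """Scripted FTP server: fixed replies, no network, no real TLS handshake."""

    def __init__(self, feat_reply: str, supports_tls: bool):
        self.feat_reply = feat_reply
        self.supports_tls = supports_tls
        self.tls_active = False

    def reply(self, command: str) -> str:
        if command == "FEAT":
            return self.feat_reply
        if command == "AUTH TLS":
            if self.supports_tls:
                self.tls_active = True
                return "234 AUTH TLS OK.\r\n"
            return "500 Unknown command.\r\n"
        # PBSZ/PROT are only meaningful once the control channel is protected.
        if command == "PBSZ 0" and self.tls_active:
            return "200 PBSZ 0 successful\r\n"
        if command == "PROT P" and self.tls_active:
            return "200 Protection set to Private\r\n"
        return "502 Command not implemented.\r\n"


def negotiate(server, *, use_feat=True, ssl_force=True, protect_data=False):
    """Model the client's decision. Returns (outcome, transcript).

    outcome is "tls" (control channel protected), "plain" (fell back to
    cleartext) or "refused" (ssl-force set, no TLS available). The model
    follows the thread's observation: with use-feat on, the client only sends
    AUTH TLS if FEAT advertises it; with use-feat off, it just tries.
    """
    transcript = []

    def send(cmd: str) -> str:
        transcript.append("---> " + cmd)
        reply = server.reply(cmd)
        transcript.extend("<--- " + line for line in reply.splitlines())
        return reply

    try_auth = True
    if use_feat:
        try_auth = advertises_auth_tls(send("FEAT"))
    if try_auth and send("AUTH TLS").startswith("234"):
        if protect_data:            # ftp:ssl-protect-data: encrypt the data channel too
            send("PBSZ 0")
            send("PROT P")
        return "tls", transcript
    if ssl_force:
        transcript.append(SSL_FORCE_ERROR)
        return "refused", transcript
    return "plain", transcript
```

Running negotiate against a ConstructedServer(FEAT_HIDDEN_TLS, True) with use_feat=True reproduces the refusal from the thread even though the server would have accepted AUTH TLS; the same server with use_feat=False negotiates TLS and, with protect_data=True, goes on to PROT P. The real check against a live server is the same exchange, just over a socket.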