Secure control channel only

botg · **Joined:** 2004-02-23 20:49 **Posts:** 14307

There are only 10 levels of security: Secure and insecure.

whale · **Joined:** 2008-07-24 03:22 **Posts:** 16

May FileZilla fallback to PROT C if P is not supported?

Code:

56:52   Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
56:52   Response:   220-You are user number 3 of 50 allowed.
56:52   Response:   220-Local time is now 11:55. Server port: 21.
56:52   Response:   220-This is a private system - No anonymous login
56:52   Response:   220 You will be disconnected after 15 minutes of inactivity.
56:52   Command:   AUTH TLS
56:55   Response:   234 AUTH TLS OK.
56:55   Status:   Initializing TLS...
56:55   Status:   Verifying certificate...
56:55   Command:   USER ************
56:55   Status:   TLS/SSL connection established.
56:55   Response:   331 User ************ OK. Password required
56:55   Command:   PASS ************
56:55   Response:   230-User ************ has group access to:  ************
56:55   Response:   230 OK. Current restricted directory is /
56:55   Command:   PBSZ 0
56:55   Response:   200 PBSZ=0
56:55   Command:   PROT P
56:55   Response:   534 Fallback to [C]
56:55   Status:   Connected
56:55   Status:   Retrieving directory listing...
56:55   Command:   PWD
56:55   Response:   257 "/" is your current location
56:55   Command:   TYPE I
56:55   Response:   200 TYPE is now 8-bit binary
56:55   Command:   PASV
56:55   Response:   227 Entering Passive Mode (210,17,215,154,32,152)
56:55   Command:   LIST
57:16   Error:   Connection timed out
57:16   Error:   Failed to retrieve directory listing

The server returned 534 but FileZilla ignored the error code.

botg · **Joined:** 2004-02-23 20:49 **Posts:** 14307

It even has to according to the specs, since PROT C is the initial default.

That's not the problem, please check the servers router and firewall configuration. It has to be configured as described in the Network Configuration guide.

whale · **Joined:** 2008-07-24 03:22 **Posts:** 16

PROT C is the default, but the client may need to reset the data channel protection level to C by sending "PROT C" after P is rejected by the server.

Cases with FTP 7 for IIS 7.

Code:

29:08   Command:   PBSZ 0
29:08   Response:   200 PBSZ command successful.
29:08   Command:   PROT P
29:08   Response:   536-Policy denies SSL.
29:08   Response:    Win32 error:   Access is denied. 
29:08   Response:    Error details: SSL policy denies SSL for data channel.
29:08   Response:   536 End
29:08   Status:   Connected
29:08   Status:   Retrieving directory listing...
29:08   Command:   PWD
29:08   Response:   257 "/" is current directory.
29:08   Command:   TYPE I
29:08   Response:   200 Type set to I.
29:08   Command:   EPSV
29:08   Response:   229 Entering Extended Passive Mode (|||49158|)
29:08   Command:   LIST
29:08   Response:   535-Protection level negotiation failed.
29:08   Response:    Win32 error:   Access is denied. 
29:08   Response:    Error details: Protection negotiation failed. PROT command with recognized parameter must precede this command.
29:08   Response:   535 End
29:08   Error:   Failed to retrieve directory listing
31:16   Error:   Connection closed by server

grantpet · **Joined:** 2008-07-22 13:21 **Posts:** 118

i know i'm way over my head in this thread, but i thought i'd ask two questions if you don't mind.

its my understanding that mankiko is trying to encrypt the security and leave the files/folders unencrypted during these file transfers out of his older machines in order to keep wear and tear on them to a minimum....this makes sense to me, here's the question...Does this encryption process really use that much processor/ram/bandwidth (i am assuming the bandwidth is a non-factor since it's my understanding the amount of bandwidth required to run either way won't change)?

how many simultaneous users/transfers and how fat of a file are you anticipating on these older machines to process?

i ask this because i have an old win98se machine running things like a sheet feed scanner i've been using for years, i'd like to be able to make some of the folders/files on this machine available.

as a side note, i don't think telling ppl to chuck older equipment that works and spend money will go over real well.

thanks in advance

botg · **Joined:** 2004-02-23 20:49 **Posts:** 14307

Most computers are fast enough to saturate a 100Mbit connection with encryption.

grantpet · **Joined:** 2008-07-22 13:21 **Posts:** 118

insert amazement whistle here

and here i was all happy when charter finally got to 10 down, 1 up

i wanted to ask a few transfer speed questions, i suppose the general topic is where that post should go?

whale · **Joined:** 2008-07-24 03:22 **Posts:** 16

Any idea to the data channel protection level fallback?

botg · **Joined:** 2004-02-23 20:49 **Posts:** 14307

Quote:

PROT C is the default, but the client may need to reset the data channel protection level to C by sending "PROT C" after P is rejected by the server.

Where does it says so?

whale · **Joined:** 2008-07-24 03:22 **Posts:** 16

RFC 2228 says that "The default protection level if no other level is specified is Clear". However, after sending the PROT P command, the protection level is specified is Private and therefore I think a reset is needed.

Also, it seems that the servers are requiring the PROT C command.

botg · **Joined:** 2004-02-23 20:49 **Posts:** 14307

A command only has any effect if it succeeds. A failed command should be identical to NOOP.

Since clear data channel is the default, a serve requiring an explicit PROT C would violate the specifications. If you have such a server, you need to upgrade to a better one.

whale · **Joined:** 2008-07-24 03:22 **Posts:** 16

After PROT P is rejected, is the data connection Clear?

botg · **Joined:** 2004-02-23 20:49 **Posts:** 14307

If PROT P is rejected, the protection level remains unchanged.

FileZilla Forums

Secure control channel only

Who is online