
Reconfiguring FTP to FTPS

Posted: 2020-05-21 18:26
by PriFernanda
I enabled FTP over TLS on FileZilla server, using "self generating" the certificate and it worked fine when I tested from FileZilla Client, even outside my "LAN".
But one of my partners, who has an automation to send me files via FTP, failed to submit with error 530 - server only accepts FTP over TLS.
I am sorry about my maybe "ignorant" question: how can "clients", over the internet, connect to FileZilla Server now with FTP over TLS? I am testing via the Windows FTP command prompt and it's also getting the same error. Is there something missing in regards to the certificate, or should I just tell my partner to set up his client to use FTP over TLS? Sorry if it's too basic, I am new to this "FTP world".

Re: Reconfiguring FTP to FTPS

Posted: 2020-05-21 23:38
by boco
In order to use FTP over TLS, both endpoints (client and server) must support it. The Windows ftp.exe and your partner's FTP implementation do not support it. These two clients can communicate with your server using plain FTP only (no encryption possible).

You seem to have made FTP over TLS mandatory in your server. Thus, all clients without TLS support are effectively locked out. There are two options:

1. Preferred option is to upgrade your partner's FTP client implementation to support FTP over TLS. But this might not always be possible.
2. In the FileZilla Server settings, don't use the "Disallow plain FTP connections" checkbox. That way, clients can still connect without having to use FTP over TLS. If you don't want that, make a special account with the "Force TLS for user login" option completely unchecked. Hand out the login data for that special account only to your partner, so he's the only one able to connect unencrypted.

Re: Reconfiguring FTP to FTPS

Posted: 2020-05-22 13:43
by PriFernanda
THANKS so much for such a clear and detailed reply. Last questions, after reading more documentation:

1 - If I check the Enable FTP over TLS support (FTPS) and uncheck the Disallow plain unencrypted FTP, BUT let the "Force PROT P to encrypt file transfers when using FTP over TLS", does that mean the partners will be able to connect without FTPS BUT data transfer will be all encrypted?

2 - Is there a way to create scripts on the partner's client to connect to FileZilla Server using FTPS without installing the FileZilla Client? If so, is that info present in the Guidance/Manual you offer?

Thanks again

Re: Reconfiguring FTP to FTPS

Posted: 2020-05-23 02:58
by boco
1. No. If the client does not support FTP over TLS, then, that's true for all connections. These clients simply do not know how to handle encrypted data, at all.
The option just means that IF the client sends AUTH TLS/SSL for enabling FTP over TLS, all transfers will also need to be encrypted (this level of complete encryption is called PROT P).
There is also a level called PROT C where only the command channel (login data and commands) is encrypted while the transfers aren't. With the option checked, that lower level of protection is not allowed.

Again, "Force PROT P to encrypt file transfers when using FTP over TLS" does nothing for non-TLS connections. Transferring over VPN or other secure tunnel would be the only way to secure plain FTP connections.

2. Scripting and all that stuff is 100% a client thing. FTP over TLS is only possible if the used FTP client supports it. FileZilla Client cannot be used as it is not scriptable (and thus we don't have any manual for it). Windows ftp.exe cannot be used as it lacks the most basic support, namely Passive mode, any way of configuration, and FTP over TLS.

So you'd need an FTP client, preferably command-line driven, that supports at least:
1. Passive mode (PASV and/or EPSV).
2. FTP over TLS v1.1 or higher.

There are some in the wild, like lftp or cURL.
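
A scripted upload that meets the two requirements listed in the post above (passive mode, FTP over TLS with PROT P), written with Python's standard `ftplib`. This is an added example, not part of the original thread; the host name, account, file names and the exported server certificate file are placeholder assumptions, and the TLS 1.2 minimum is this example's own choice.

```python
import ssl
from ftplib import FTP_TLS
from pathlib import Path


def build_tls_context(ca_file=None):
    """TLS settings for the client: verify the server, refuse old protocol versions."""
    # With ca_file set, only that certificate is trusted (for example the
    # server's exported self-signed certificate; its name must match the host).
    # Without it, the system CA store is used.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upload(host, user, password, local_path, ca_file=None, port=21):
    """Upload one file over explicit FTPS and return the server's final reply."""
    local = Path(local_path)
    ftps = FTP_TLS(context=build_tls_context(ca_file), timeout=30)
    ftps.connect(host, port)
    try:
        ftps.login(user, password)  # sends AUTH TLS before USER/PASS
        ftps.prot_p()               # PROT P: encrypt the data channel too
        ftps.set_pasv(True)         # passive mode (PASV/EPSV)
        with local.open("rb") as fh:
            return ftps.storbinary(f"STOR {local.name}", fh)
    finally:
        ftps.close()


if __name__ == "__main__":
    # Constructed placeholder values, not taken from the thread.
    print(upload("ftp.example.com", "partner", "change-me", "report.csv",
                 ca_file="server-cert.pem"))
```

Trusting the server's own certificate through `ca_file` keeps verification on for a self-generated certificate instead of disabling it.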

Re: Reconfiguring FTP to FTPS

Posted: 2020-05-25 14:03
by PriFernanda
Thanks Boco! We can close this Topic! It's 100% resolved!
Thanks again. Be safe!

Re: Reconfiguring FTP to FTPS

Posted: 2020-05-25 20:57
by boco
[Closed] on request of topic owner.