Secure control channel only

botg
Site Admin
Posts: 35564
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Secure control channel only

#16 Post by botg » 2008-07-25 08:30

There are only 10 levels of security: Secure and insecure.

whale
500 Syntax error
Posts: 16
Joined: 2008-07-24 03:22
First name: Franklin
Last name: Tse

Re: Secure control channel only

#17 Post by whale » 2008-07-27 03:59

May FileZilla fall back to PROT C if P is not supported?

Code:

11:56:52	Response:	220---------- Welcome to Pure-FTPd [TLS] ----------
11:56:52	Response:	220-You are user number 3 of 50 allowed.
11:56:52	Response:	220-Local time is now 11:55. Server port: 21.
11:56:52	Response:	220-This is a private system - No anonymous login
11:56:52	Response:	220 You will be disconnected after 15 minutes of inactivity.
11:56:52	Command:	AUTH TLS
11:56:55	Response:	234 AUTH TLS OK.
11:56:55	Status:	Initializing TLS...
11:56:55	Status:	Verifying certificate...
11:56:55	Command:	USER ************
11:56:55	Status:	TLS/SSL connection established.
11:56:55	Response:	331 User ************ OK. Password required
11:56:55	Command:	PASS ************
11:56:55	Response:	230-User ************ has group access to:  ************
11:56:55	Response:	230 OK. Current restricted directory is /
11:56:55	Command:	PBSZ 0
11:56:55	Response:	200 PBSZ=0
11:56:55	Command:	PROT P
11:56:55	Response:	534 Fallback to [C]
11:56:55	Status:	Connected
11:56:55	Status:	Retrieving directory listing...
11:56:55	Command:	PWD
11:56:55	Response:	257 "/" is your current location
11:56:55	Command:	TYPE I
11:56:55	Response:	200 TYPE is now 8-bit binary
11:56:55	Command:	PASV
11:56:55	Response:	227 Entering Passive Mode (210,17,215,154,32,152)
11:56:55	Command:	LIST
11:57:16	Error:	Connection timed out
11:57:16	Error:	Failed to retrieve directory listing

The server returned 534 but FileZilla ignored the error code.

Re: Secure control channel only

#18 Post by botg » 2008-07-27 08:51

It even has to according to the specs, since PROT C is the initial default.

That's not the problem, please check the server's router and firewall configuration. It has to be configured as described in the Network Configuration guide.

Re: Secure control channel only

#19 Post by whale » 2008-07-27 10:37

PROT C is the default, but the client may need to reset the data channel protection level to C by sending "PROT C" after P is rejected by the server.

Cases with FTP 7 for IIS 7.

Code:

18:29:08	Command:	PBSZ 0
18:29:08	Response:	200 PBSZ command successful.
18:29:08	Command:	PROT P
18:29:08	Response:	536-Policy denies SSL.
18:29:08	Response:	 Win32 error:   Access is denied. 
18:29:08	Response:	 Error details: SSL policy denies SSL for data channel.
18:29:08	Response:	536 End
18:29:08	Status:	Connected
18:29:08	Status:	Retrieving directory listing...
18:29:08	Command:	PWD
18:29:08	Response:	257 "/" is current directory.
18:29:08	Command:	TYPE I
18:29:08	Response:	200 Type set to I.
18:29:08	Command:	EPSV
18:29:08	Response:	229 Entering Extended Passive Mode (|||49158|)
18:29:08	Command:	LIST
18:29:08	Response:	535-Protection level negotiation failed.
18:29:08	Response:	 Win32 error:   Access is denied. 
18:29:08	Response:	 Error details: Protection negotiation failed. PROT command with recognized parameter must precede this command.
18:29:08	Response:	535 End
18:29:08	Error:	Failed to retrieve directory listing
18:31:16	Error:	Connection closed by server

grantpet
226 Transfer OK
Posts: 118
Joined: 2008-07-22 13:21

Re: Secure control channel only

#20 Post by grantpet » 2008-07-27 10:53

i know i'm way over my head in this thread, but i thought i'd ask two questions if you don't mind.

it's my understanding that mankiko is trying to encrypt the security and leave the files/folders unencrypted during these file transfers out of his older machines in order to keep wear and tear on them to a minimum....this makes sense to me, here's the question...Does this encryption process really use that much processor/ram/bandwidth (i am assuming the bandwidth is a non-factor since it's my understanding the amount of bandwidth required to run either way won't change)?

how many simultaneous users/transfers and how fat of a file are you anticipating on these older machines to process?

i ask this because i have an old win98se machine running things like a sheet feed scanner i've been using for years, i'd like to be able to make some of the folders/files on this machine available.

as a side note, i don't think telling ppl to chuck older equipment that works and spend money will go over real well.

thanks in advance

Re: Secure control channel only

#21 Post by botg » 2008-07-27 12:10

Most computers are fast enough to saturate a 100Mbit connection with encryption.

Re: Secure control channel only

#22 Post by grantpet » 2008-07-27 12:17

insert amazement whistle here

and here i was all happy when charter finally got to 10 down, 1 up

i wanted to ask a few transfer speed questions, i suppose the general topic is where that post should go?

Re: Secure control channel only

#23 Post by whale » 2008-07-27 13:30

Any idea about the data channel protection level fallback?

Re: Secure control channel only

#24 Post by botg » 2008-07-27 14:03

> PROT C is the default, but the client may need to reset the data channel protection level to C by sending "PROT C" after P is rejected by the server.

Where does it say so?

Re: Secure control channel only

#25 Post by whale » 2008-07-27 14:58

RFC 2228 says that "The default protection level if no other level is specified is Clear". However, after sending the PROT P command, the protection level specified is Private and therefore I think a reset is needed.

Also, it seems that the servers are requiring the PROT C command.

Re: Secure control channel only

#26 Post by botg » 2008-07-27 15:13

A command only has any effect if it succeeds. A failed command should be identical to NOOP.

Since clear data channel is the default, a server requiring an explicit PROT C would violate the specifications. If you have such a server, you need to upgrade to a better one.

Re: Secure control channel only

#27 Post by whale » 2008-07-27 15:40

After PROT P is rejected, is the data connection Clear?

Re: Secure control channel only

#28 Post by botg » 2008-07-27 15:59

If PROT P is rejected, the protection level remains unchanged.
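
Added example, not part of the thread and not FileZilla's code: the rule discussed above (the data channel starts at Clear and changes only when a PROT command succeeds) applied as an audit over a FileZilla-style session log, flagging transfers that ran unencrypted behind a TLS control channel. The names audit_session and SAMPLE are hypothetical, and the sample log is constructed from the format shown in the thread with a documentation address.

```python
import re

FINAL_REPLY = re.compile(r"^(\d{3}) ")   # "NNN text" ends a reply; "NNN-text" continues it
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

# Constructed sample in the tab-separated layout of the logs in the thread.
SAMPLE = "\n".join([
    "11:56:52\tCommand:\tAUTH TLS",
    "11:56:55\tResponse:\t234 AUTH TLS OK.",
    "11:56:55\tCommand:\tPROT P",
    "11:56:55\tResponse:\t534 Fallback to [C]",
    "11:56:55\tCommand:\tPASV",
    "11:56:55\tResponse:\t227 Entering Passive Mode (192,0,2,10,32,152)",
    "11:56:55\tCommand:\tLIST",
])

def audit_session(log_text):
    """Return (findings, final_level) for one session log."""
    level = "C"           # RFC 2228 default: Clear until a PROT command succeeds
    tls_control = False   # set once AUTH is accepted
    pending = None        # last command sent, still waiting for its final reply
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        _, kind, text = parts
        if kind == "Command:":
            pending = text.split()
            verb = pending[0].upper() if pending else ""
            if verb in DATA_CMDS and tls_control and level != "P":
                findings.append(f"{verb} sent with data channel at PROT {level}")
        elif kind == "Response:" and pending:
            m = FINAL_REPLY.match(text)
            if not m:
                continue  # middle line of a multi-line reply
            ok = m.group(1).startswith("2")
            verb = pending[0].upper()
            if verb == "AUTH" and ok:
                tls_control = True
            elif verb == "PROT" and len(pending) > 1:
                if ok:
                    level = pending[1].upper()
                else:  # a failed command changes nothing
                    findings.append(f"PROT {pending[1]} rejected ({m.group(1)}); level stays {level}")
            pending = None
    return findings, level
```

Both findings for SAMPLE point at the same condition: credentials were protected by TLS, but the directory listing was requested over a clear data channel.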
