FTPS instead of FTP or SFTP

[Christian.lanctot@jonas]

One of our vendors is using FTPS on port 990. I see that pvxplus can use *web/ftp on port 21 or *web/sftp on port 22. How would we be able to secure with TLS on port 990 using *web/ftp ?

Does pvxplus even do this?

thanks

[Devon Austen]

I haven't tried this and don't know if it will work but have you tried specifying ftps:// and the port when using *web/ftp.

CALL "*web/ftp;receive", "ftps://vendorServer:990", user$, password$, 0, "someFile.ext", download_dir$, case$, result$

FTPS is just FTP+SSL and behind the scenes we use curl which supports FTPS so it may be as a simple as that. If that doesn't work likely we would need to update the utility to try to support it. In which case I recommend creating a wish list forum post so we can gauge interest.

[Mike Hatfield]

Our hosting provider has just enforced TLS. They say the FTPS still works on port 21.
We have been using *web/ftp in our program for some time, now it fails with error 15.
I have tried *web/ftp using ftps://domain.com.au and it also fails with error 15.
When using FileZilla for the first time to connect via Explicit FTP over TLS you are presented with a screen to accept the certificate.
I imagine *web/ftp would need to deal with this as well.

What is the solution to this problem? How do we resolve it?
Our application uses *web/ftp to periodically verify the end user license and download a new license file.
This is going to become a major problem for us if we have to do this manually.

[Mike King]

Mike, it sounds like your FTP is just now failing and that using the ftps://... was working for you.

When using ftps we use curl and it, to the best of my knowledge, supports TLS 1.1 and 1.2.

The fact that filezilla is asking you about the certificate however is unusual.  TLS (like SSL before it) was designed to silently validate and accept certificates without user intervention.  I question why filezilla would ask you to accept their certificate, unless the certificate itself is invalid.

As we discussed at the last DIreXions, there are many reasons for a certificate to be invalid.  The most common one we run across is that the certificate has expired.  Basically when you get a certificate it comes with an expiry date and after that date the certificate will not be accepted.

Another possible issue is that the certificate cannot be or can no longer be trusted.  This recently has come to the forefront with both Chrome and Firefox canceling their trust of certificates issued by Symantec.
https://www.templarbit.com/blog/2018/09/07/the-story-of-why-chrome-and-firefox-will-soon-block-sites-with-certain-ssl-certificates/
https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

I would suggest you see if you can determine why filezilla is asking you to manually accept their certificate as, if it has expired or was from Symantec, it may explain why *web/ftp is no longer working for you and won't until the host replaces their certificate.

[Mike King]

Just did some more in depth research and it seems filezilla always prompts about certificates so perhaps the certificate is valid, however I would still suggest you validate it since, from the sounds of your posting, this issue just started. 

As for using *web/ftp (curl), did you see what error message was returned?

Also rather than ftps, have you considered https if all you are doing is downloading?

[Mike Hatfield]

In the first example curl works with ftp and --ssl and -k. The -k ignores the certificate which whilst it works is not ideal.

You can see from the second example below that curl does not work using ftps.
curl is trying to use port 990 which would normally mean it is attempting 'implicit FTP over TLS' rather than 'explicit FTP over TLS'
Port 990 is open on the firewall.

Filezilla only presents the certificate the first time for a set of credentials (unless you don't accept the certificate).
The certificate is valid btw.

The site expects TLS 1.2 minimum with explicit FTP over TLS.

We use *web/ftp to upload the license files  and the end user is downloading the file.

C:\HIT\PVX>curl --ssl -k -O ftp://ftp.hit.net.au/public_html/Future/Texts/0030020.txt --user xxxxxx:xxxxxxxxxxxxx
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    66  100    66    0     0     86      0 --:--:-- --:--:-- --:--:--    86

C:\HIT\PVX>curl -O ftps://ftp.hit.net.au/public_html/Future/Texts/0030020.txt --user xxxxxx:xxxxxxxxxxxxx
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:20 --:--:--     0curl: (7) Failed to connect to ftp.hit.net.au port 990: Timed out

[Mike King]

Mike,

Have you inquired about switching to SFTP or HTTPS for the transfers?

Everything we have read about FTPS indicates its not the easiest to setup and using an explicit FTP it is somewhat insecure.  Also generally FTPS indicates you are using an implicit connection, whereas FTPES is generally used to refer to secure FTP on explicit connections.

Here are some links on the subject:
https://serverfault.com/questions/10807/what-firewall-ports-do-i-need-to-open-when-using-ftps
https://en.wikipedia.org/wiki/FTPS

Lastly, below is a link to a site that talks about how to get curl to use FTPES which may allow you to construct your own command.  It also advises how to deal with the certificate validation, which appears to basically be to copy our supplied cert file to curl-ca-bundle.crt.
https://www.lewisroberts.com/2010/08/06/scripting-ftpes-explicit-tlsssl-with-curl/

Frankly though I still think your should try to use HTTPS if all you are doing is downloading data is the easiest solution.

[Mike Hatfield]

Well maybe HTTPS is the way to go.
We do upload and download though.
SFTP should work but it is an onerous process to set up and then you have to distribute the keys to each client end user.

[Mike King]

depending on the server downloads are easy and if the server is using PxPlus its easy to create an HTTPS page for uploading.  If the server is not using PxPlus then you can use PHP or even a simple CGI script to handle uploading. 

Creating a CGI script for use on Linux to handle the uploads is a fairly easy task.