M-Brig 0 Posted January 24, 2020

Hello,

Just a quick question. We need to connect to an SFTP Server and extract files. Can we use the TSSLFTPClient component?

Thanks for your help.

Remy Lebeau 1394 Posted January 24, 2020

SFTP (FTP over SSH) and FTPS (FTP over SSL/TLS) are not the same thing, and are not interchangeable. So make sure you are using the correct terminology. Which technology do you really need to deal with - SFTP or FTPS? TSSLFTPClient supports FTPS, not SFTP.

As TSSLFTPClient is an ICS component, you should ask questions about it in the ICS sub-forum instead of this VCL sub-forum. I don't know if ICS has an SFTP client or not.

Angus Robertson 574 Posted January 24, 2020

No, ICS does not support SSH.

Angus

Fr0sT.Brutal 900 Posted January 27, 2020

Moreover, there's implicit FTPS (just like HTTPS compared to HTTP - TLS from the very beginning using a special port) and explicit (usual plain text FTP on the usual port, but it initiates TLS after the AUTH TLS command). Dunno why, but the former is considered obsolete though it's somewhat simpler to implement.

Angus Robertson 574 Posted January 27, 2020

Implicit TCP/IP connections were originally easier to implement since they did not require changes to the protocol, often done with STunnel or similar for FTP, POP3, NNTP and SMTP. Once the protocols got updated with the STARTTLS command, some people tried to make the implicit ports obsolete, but this can be dangerous since end users don't always tick the use SSL/TLS box. There is a new RFC 8314, 'Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access', that again recommends implicit ports as being good practice.

I have penetration testing by Qualys on my public server and they kept failing FTP port 21 for allowing clear text passwords, so I've just updated the ICS FTP server component to return '533 USER requires a secure connection' if the LOGIN command is sent before STARTTLS, and Qualys is now happy again.

Angus

Remy Lebeau 1394 Posted January 28, 2020

On 1/26/2020 at 11:03 PM, Fr0sT.Brutal said:
> Dunno why but the former is considered obsolete though it's somewhat simpler to implement.

Because implicit SSL/TLS usage generally requires more ports to be opened, which system admins don't like to do. FTP is already bad enough with its port usage, what with Passive transfers and all. When explicit TLS commands began being introduced into protocols, it allowed existing server ports to be re-used for both TLS and non-TLS connections. So yes, explicit TLS takes more work to implement in code, but allows for more simplified system configuration.

Remy Lebeau 1394 Posted January 28, 2020

On 1/27/2020 at 12:31 AM, Angus Robertson said:
> I have penetration testing by Qualys on my public server and they kept failing FTP port 21 for allowing clear text passwords, so I've just updated the ICS FTP server component to return '533 USER requires a secure connection' if the LOGIN command is sent before STARTTLS, and Qualys is now happy again.

Interesting, I'll have to see how Qualys handles Indy's FTP server. If the TIdFTPServer.UseTLS property is set to utUseRequireTLS, the USER/PASS/XAUT commands return a '421 Service not available, closing control connection' response and close the connection if an 'AUTH SSL', 'AUTH TLS', 'AUTH TLS-C', or 'AUTH TLS-P' command has not been issued yet.

Angus Robertson 574 Posted January 29, 2020

Not sure if Qualys check FTP errors, the logs just show dozens of login attempts with real and anonymous credentials, the fail is when they get access. Did not actually check any RFCs to see what to do, response 533 was already used for another command not allowed without TLS.

Angus
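
The two server behaviours described in the posts above (a 533 reply that keeps the connection open, and a 421 reply that closes it) modelled in Python next to a server with no TLS requirement. This is an added example, not ICS or Indy code; the class and function names, the 234/331/502 reply texts and the sample commands are constructed for illustration.

```python
# Added example (not ICS or Indy code): gate credential commands on AUTH.
# The 533 and 421 reply texts are the ones quoted in the thread; the class,
# the other reply texts and the sample commands are constructed.

AUTH_ARGS = {"SSL", "TLS", "TLS-C", "TLS-P"}   # AUTH forms named in the thread
CRED_CMDS = {"USER", "PASS", "XAUT"}           # commands refused before AUTH


class ControlChannel:
    """Server-side view of one FTP control connection on port 21."""

    def __init__(self, require_tls=True, close_on_violation=False):
        self.require_tls = require_tls
        self.close_on_violation = close_on_violation
        self.secured = False   # set once AUTH has been accepted
        self.closed = False

    def handle(self, line):
        """Return the reply for one client command line."""
        if self.closed:
            raise ConnectionError("control connection is closed")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() in AUTH_ARGS:
            self.secured = True   # a real server starts the TLS handshake here
            return "234 Proceed with negotiation"
        if verb in CRED_CMDS and self.require_tls and not self.secured:
            if self.close_on_violation:
                self.closed = True
                return "421 Service not available, closing control connection"
            return f"533 {verb} requires a secure connection"
        if verb == "USER":
            return "331 Password required"
        return "502 Command not implemented"


def cleartext_login_possible(channel, user="anonymous"):
    """Scanner-style probe: is USER accepted before any AUTH command?"""
    reply = channel.handle(f"USER {user}")
    return reply[:1] in ("2", "3")   # 2xx/3xx: the login can proceed in clear


if __name__ == "__main__":
    for name, ch in [("no TLS requirement", ControlChannel(require_tls=False)),
                     ("533, stay connected", ControlChannel()),
                     ("421, close", ControlChannel(close_on_violation=True))]:
        print(name, "->", cleartext_login_possible(ch))
```

Only the first of the three configurations lets the probe get as far as a password prompt without TLS.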