M-Brig

SFTP and SSLFTP Are they the same?


Hello,

 

Just a quick question. We need to connect to a SFTP Server and extract files. Can we use the TSSLFTPClient component?

 

Thanks for your help.

SFTP (FTP over SSH) and FTPS (FTP over SSL/TLS) are not the same thing, and are not interchangeable.  So make sure you are using the correct terminology.  Which technology do you really need to deal with - SFTP or FTPS?  TSSLFTPClient supports FTPS, not SFTP.  As TSSLFTPClient is an ICS component, you should ask questions about it in the ICS sub-forum instead of this VCL sub-forum.  I don't know if ICS has an SFTP client or not.


Moreover, there's implicit FTPS (just like HTTPS compared to HTTP: TLS from the very beginning on a special port) and explicit FTPS (the usual plain-text FTP on the usual port, but TLS is initiated after the AUTH TLS command). Dunno why, but the former is considered obsolete, though it's somewhat simpler to implement.


Implicit TCP/IP connections were originally easier to implement since they did not require changes to the protocol, often done with STunnel or similar for FTP, POP3, NNTP and SMTP.  Once the protocols got updated with the STARTTLS command, some people tried to make the implicit ports obsolete, but this can be dangerous since end users don't always tick the "use SSL/TLS" box.

 

There is a new RFC 8314, 'Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access', that again recommends implicit ports as being good practice.

 

I have penetration testing by Qualys on my public server and they kept failing FTP port 21 for allowing clear text passwords, so I've just updated the ICS FTP server component to return '533 USER requires a secure connection' if the LOGIN command is sent before STARTTLS, and Qualys is now happy again. 

 

Angus

 

 

 

On 1/26/2020 at 11:03 PM, Fr0sT.Brutal said:

Dunno why but the former is considered obsolete though it's somewhat simpler to implement.

Because implicit SSL/TLS usage generally requires more ports to be opened, which system admins don't like to do.  FTP is already bad enough with its port usage, what with Passive transfers and all.  When explicit TLS commands began being introduced into protocols, it allowed existing server ports to be re-used for both TLS and non-TLS connections.  So yes, explicit TLS takes more work to implement in code, but allows for more simplified system configuration.

On 1/27/2020 at 12:31 AM, Angus Robertson said:

I have penetration testing by Qualys on my public server and they kept failing FTP port 21 for allowing clear text passwords, so I've just updated the ICS FTP server component to return '533 USER requires a secure connection' if the LOGIN command is sent before STARTTLS, and Qualys is now happy again.

Interesting, I'll have to see how Qualys handles Indy's FTP server.  If the TIdFTPServer.UseTLS property is set to utUseRequireTLS, the USER/PASS/XAUT commands return a '421 Service not available, closing control connection' response and close the connection if an 'AUTH SSL', 'AUTH TLS', 'AUTH TLS-C', or 'AUTH TLS-P' command has not been issued yet.


Not sure if Qualys checks FTP errors; the logs just show dozens of login attempts with real and anonymous credentials, and the fail is when they get access.  Did not actually check any RFCs to see what to do; response 533 was already used for another command not allowed without TLS.

 

Angus
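The two points made in this thread, the difference between implicit and explicit FTPS and the "refuse USER/PASS until AUTH TLS has been negotiated" policy that satisfied the Qualys scan, can be shown together on the control channel without any sockets or real TLS. The following is an added example written for this page in Python; it is not code from ICS, Indy or any poster, and the class and function names (FtpServerSession, allows_cleartext_login, explicit_ftps_login) and the reply texts are my own choices, modelled on the 533 and 421 replies described above. The session simulates one server-side FTP control connection; tls_active flips to True after AUTH TLS (explicit FTPS), while constructing the session with tls_active=True stands in for implicit FTPS, where TLS runs from the first byte on a dedicated port (990 by convention). allows_cleartext_login is the scanner-side check: it sends USER/PASS in the clear, as the Qualys probes did, and reports whether the server accepted a credential without TLS.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Reply codes that mean the server accepted a credential-bearing command.
CLEARTEXT_LOGIN_OK = {"331", "230"}


@dataclass
class FtpServerSession:
    """Server side of one FTP control connection, commands only (no sockets).

    Explicit FTPS: the session starts in the clear and tls_active becomes
    True after AUTH TLS.  Implicit FTPS (TLS from the first byte, normally on
    port 990) is modelled by constructing the session with tls_active=True.
    reject_style chooses how a pre-TLS USER/PASS is refused (hypothetical
    setting for this example):
      "533" keeps the connection open, like the ICS reply described above;
      "421" replies 421 and closes, like Indy's utUseRequireTLS behaviour.
    """
    require_tls: bool = True
    reject_style: str = "533"
    tls_active: bool = False
    closed: bool = False
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        if self.closed:
            raise ConnectionError("control connection is closed")
        line = line.strip()
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()

        if verb == "AUTH":
            if arg.upper() not in ("TLS", "SSL", "TLS-C", "TLS-P"):
                return "504 Unknown AUTH mechanism"
            if self.tls_active:
                return "503 TLS already active"
            # A real server would start the TLS handshake right after this reply.
            self.tls_active = True
            return "234 AUTH command OK; starting TLS"

        # The policy that keeps the scanner happy: no credentials before TLS.
        if verb in ("USER", "PASS") and self.require_tls and not self.tls_active:
            if self.reject_style == "421":
                self.closed = True
                return "421 Service not available, closing control connection"
            return f"533 {verb} requires a secure connection"

        if verb == "USER":
            self.user = arg
            return "331 Password required"
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            return "230 User logged in"
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye"
        return "502 Command not implemented"


def allows_cleartext_login(server: FtpServerSession,
                           user: str = "anonymous", password: str = "x") -> bool:
    """Scanner-style probe: send USER/PASS without AUTH TLS first.

    Returns True as soon as the server answers a credential with 331 or 230,
    i.e. it will take (or has taken) a password in the clear.  A 5xx reply,
    or a 421 followed by a closed connection, counts as a pass.
    """
    for cmd in (f"USER {user}", f"PASS {password}"):
        try:
            code = server.handle(cmd)[:3]
        except ConnectionError:
            return False
        if code in CLEARTEXT_LOGIN_OK:
            return True
    return False


def explicit_ftps_login(server: FtpServerSession, user: str, password: str) -> List[str]:
    """Well-behaved client: upgrade with AUTH TLS, then log in.  Returns the replies."""
    return [server.handle(cmd) for cmd in ("AUTH TLS", f"USER {user}", f"PASS {password}")]


if __name__ == "__main__":
    # Constructed exchanges, not captured traffic.
    print(allows_cleartext_login(FtpServerSession()))                   # False
    print(allows_cleartext_login(FtpServerSession(require_tls=False)))  # True
    print(explicit_ftps_login(FtpServerSession(), "alice", "s3cret"))
```

Note that the probe flags a server on the first 331, not only on a 230: once USER is accepted in the clear, a normal client will send PASS in the clear too, so the password is exposed whether or not the login ultimately succeeds. That is why both USER and PASS have to be refused before TLS, as both the ICS and the Indy behaviour in this thread do.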

 

