
Thread: FTP 7 and data channel protection (PROT)

Last post 08-08-2008 11:00 PM by peaceable_whale. 3 replies.


  • 07-27-2008, 12:21 PM

    FTP 7 and data channel protection (PROT)

    FTP 7 is not currently returning reply codes conforming to RFC 2228. As a result, FTP clients cannot fall back to another protection level automatically.

    When private data channel (PROT P) is required but the client has requested PROT C, FTP 7 returns 533-Policy requires SSL:

    Command: PROT C
    Response: 533-Policy requires SSL.
    Response: Win32 error: Access is denied.
    Response: Error details: SSL policy requires SSL for data channel.
    Response: 533 End

    When private data channel is denied and clear data channel (PROT C) is required but the client has requested PROT P, FTP 7 returns 536-Policy denies SSL:

    Command: PROT P
    Response: 536-Policy denies SSL.
    Response: Win32 error: Access is denied.
    Response: Error details: SSL policy denies SSL for data channel.
    Response: 536 End

    However, according to RFC 2228, 534 should be used instead:

    If the server is not willing to accept the specified protection level, it should respond with reply code 534.

    Without the 534 reply, FTP clients do not fall back to another protection level automatically and terminate the connection instead. This is very problematic and the reply code should be corrected.

    Franklin Tse (whale)
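
The negotiation described in this post, as an added example that is not code from the thread or from FTP 7: a small RFC 959 multi-line reply parser and a client-side PROT loop that falls back to the other protection level only on 534, run against two simulated servers. One server answers with the 533/536 replies quoted above, the other with the 534 that RFC 2228 prescribes. The reply texts for 200 and 534, and the policy names "require", "deny" and "allow", are assumptions made for the example.

```python
"""Client-side PROT negotiation against two simulated FTP servers.

Added example, not the thread's or FTP 7's code. The 533/536 replies are
constructed to mirror the transcripts in the post; the 200 and 534 reply
texts are assumptions.
"""
import re

FIRST_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(lines):
    """Parse one FTP reply (single- or multi-line, RFC 959 section 4.2).

    A multi-line reply opens with 'xyz-text' and closes with a line that
    begins 'xyz ' (same code, then a space). Returns (code, [text lines]).
    Raises ValueError on a malformed reply so a client never mistakes
    garbage for a known code.
    """
    if not lines:
        raise ValueError("empty reply")
    m = FIRST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed first line: %r" % lines[0])
    code, sep, text = int(m.group(1)), m.group(2), m.group(3)
    if sep == " ":
        if len(lines) != 1:
            raise ValueError("single-line reply followed by extra lines")
        return code, [text]
    body = [text]
    for line in lines[1:]:
        if line.startswith("%03d " % code):
            body.append(line[4:])
            return code, body
        body.append(line)
    raise ValueError("multi-line reply %d never terminated" % code)


def ftp7_server(data_policy):
    """Simulate the observed FTP 7 replies: 533 when the data-channel policy
    requires SSL and the client sends PROT C, 536 when the policy denies SSL
    and the client sends PROT P. Policy names are assumptions."""
    def handle(level):
        if data_policy == "require" and level == "C":
            return ["533-Policy requires SSL.",
                    "Win32 error: Access is denied.",
                    "Error details: SSL policy requires SSL for data channel.",
                    "533 End"]
        if data_policy == "deny" and level == "P":
            return ["536-Policy denies SSL.",
                    "Win32 error: Access is denied.",
                    "Error details: SSL policy denies SSL for data channel.",
                    "536 End"]
        return ["200 Protection level set to %s." % level]  # assumed text
    return handle


def rfc2228_server(data_policy):
    """Same policies, but refusing with the 534 code RFC 2228 prescribes."""
    def handle(level):
        refused = ((data_policy == "require" and level == "C")
                   or (data_policy == "deny" and level == "P"))
        if refused:
            return ["534 Protection level %s not accepted." % level]  # assumed
        return ["200 Protection level set to %s." % level]  # assumed text
    return handle


def negotiate_prot(send, preferred="P"):
    """Client side of PROT negotiation as the post describes SmartFTP and
    Core FTP behaving: try the preferred level, fall back to the other one
    only on 534, and abort on any other failure code.

    `send` takes the level ('P' or 'C') and returns the server's reply lines.
    Returns the agreed level, or None where the client would terminate.
    """
    fallback = "C" if preferred == "P" else "P"
    for level in (preferred, fallback):
        code, _ = parse_reply(send(level))
        if code == 200:
            return level
        if code != 534:
            return None  # 533/536 are not negotiation replies; give up
    return None


if __name__ == "__main__":
    for name, factory in (("FTP 7", ftp7_server), ("RFC 2228", rfc2228_server)):
        for policy in ("require", "deny", "allow"):
            print(name, policy, "->", negotiate_prot(factory(policy)))
```

Against the RFC 2228 server every policy ends in an agreed level; against the FTP 7 simulation only "allow" does, which is the failure the post describes.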
  • 07-31-2008, 12:00 AM

    Re: FTP 7 and data channel protection (PROT)

    In addition, currently, FTP 7 requires the PROT command before any data connection. However, the author of FileZilla said that a server requiring an explicit PROT C had violated the specifications: http://forum.filezilla-project.org/viewtopic.php?f=2&t=4779&st=0&sk=t&sd=a&start=15

    Franklin Tse (whale)
  • 08-08-2008, 5:25 PM

    • robmcm

    Re: FTP 7 and data channel protection (PROT)

    I think the problem that you are seeing is due to the SSL settings, which are set to "Require SSL" by default. If you change your settings to "Allow SSL", then you can drop out of SSL. What's more, if you open the FTP SSL Settings feature and choose "Custom", then you can specify separate settings for the data channel and control channel.

    Robert McMurray
  • 08-08-2008, 11:00 PM

    Re: FTP 7 and data channel protection (PROT)

    Thanks for your reply.

    Actually, the problem is the incorrect reply code. Both "533-Policy requires SSL." and "536-Policy denies SSL." should be 534 according to RFC 2228, and existing FTP clients such as SmartFTP and Core FTP will change PROT C/P to another after receiving a 534 reply. Without the 534 code, fallback will not work.

    Another problem is somewhat uncertain. It was reported by the author of FileZilla. FileZilla always sends PROT P when using FTP over TLS. It does not fall back between PROT C/P as the other clients do. After the PROT P command is rejected by the server, FileZilla simply starts a usual data channel without sending a PROT C command as required by FTP 7. The author of FileZilla said that the explicit PROT C requirement is a violation of RFC 2228 since PROT C is always the default.

    To sum up, the questions are:

    1. Can 533 and 536 be replaced by 534 in an update to FTP 7 or in the next FTP version?
    2. Do you think that the PROT C requirement is legitimate?

    Thanks

    Franklin Tse (whale)