Brian Hatch wrote:
> Not that they're nice suggestions:
> - don't use Stunnel for something as already broken as
ftp is one of the most widely used protocols; maybe it is broken, but people are still using it.
> ftp. If you must use ftp w/ ssl support, get an ssl enabled ftp server, such as proftpd.
I know there are many ssl enabled ftp servers, but if I've deployed stunnel in my networks, established a PKI environment around it, and set access control for my http, pop3, smtp, imap servers in stunnel.conf, I'd be fairly happy if I could add ssl ftp support by just adding a few lines to my stunnel.conf, avoiding the annoying process of downloading/compiling/installing an ssl enabled ftp server, migrating my previous ftp server settings to the new one, reading its configuration manual, testing and hoping everything is OK, and then, after 1 month, some new requirement forcing me to read its manual again because I totally forgot how to use it.
I've started to write code to add ftp support to stunnel based on version 4.11 today. Now my FlashFXP can connect to the ftp server through stunnel and list files (the LIST command works), but it still can not download a file (RECV failed; the log on the client side shows the ssl negotiation is ok, but stunnel.log complains with "SSL_write returned WANT_WRITE: retrying" and "SSL_read returned WANT_READ: retrying").
Now I have more confidence in the approach I described in my last mail.
> - ssl-protected ftp is not going to work through firewalls nicely because the firewall can't inspect the packets to re-write the IP addresses, or allow the ephemeral ports, so you're stuck hoping they have a permissive outbound firewall, you've got dedicated ports open on your firewall that allow anything from anyone without restriction and your ftp server is hard coded to use only ephemeral ports in that range, and that the client uses passive ftp only because active just plain won't work.
Please consider such a situation: a company which has already set up their firewall rules to allow access to the ftp server, and they're using it every day (from both WAN and LAN), but without encryption, so the password is unsafe. Adding a stunnel in front of the ftp server is the simplest solution.
Even if the firewall is an unavoidable problem, at least we have solved the security problem of LAN ftp access, which, in my opinion, is more critical than the possible attacks from the outside Internet.
> 3) ftp icky. icky icky icky icky.
Yes, I agree :-)
To me, adding this functionality to stunnel is worthwhile because I like this software, and if the FTP protocol were supported, plus some other improvements (i.e. access control, configuration on the fly, etc.), stunnel would be an ideal choice for a real SSL VPN.
Zhuang Yuyao
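The firewall point raised in the quoted message above comes down to what a stateful firewall's FTP helper has to read from the control channel: the PASV/EPSV reply and the PORT command carry the ephemeral data-channel endpoint, and once that channel is wrapped in TLS by stunnel the helper sees only ciphertext and cannot open the matching pinhole. The following is an added example, written for this page and not part of the thread or of stunnel, that parses a constructed cleartext control-channel exchange the way such a helper would, computes the data endpoints (host, port = p1*256 + p2), applies the sanity checks a firewall or client performs before honouring an advertised endpoint, and shows that the same parser finds nothing in a constructed TLS-record view of the same session. The line prefixes "C:"/"S:" and the sample addresses are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a cleartext FTP control-channel exchange.
# "C:" lines are sent by the client, "S:" lines by the server.
SAMPLE_CONTROL_CHANNEL = [
    "C: USER alice",
    "S: 331 Password required",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,168,1,10,195,80).",
    "C: LIST",
    "S: 150 Opening data connection",
    "S: 226 Transfer complete",
    "C: EPSV",
    "S: 229 Entering Extended Passive Mode (|||50001|)",
    "C: PORT 10,0,0,5,4,1",
    "S: 200 PORT command successful.",
]

# Constructed view of the same session once stunnel wraps it in TLS:
# the firewall sees opaque application-data records, nothing parseable.
SAMPLE_TLS_RECORDS = [
    "C: 17 03 01 00 2a 9f 3b 41 e0 7c 55 08 ...",
    "S: 17 03 01 00 36 0c d8 a2 11 64 fe 9b ...",
    "S: 17 03 01 00 48 73 21 bb 0e a5 c0 17 ...",
]


@dataclass
class DataEndpoint:
    listener: str  # "server" (PASV/EPSV) or "client" (PORT)
    host: str
    port: int
    source: str    # the control-channel text the endpoint was taken from


# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _host_port(m: "re.Match") -> tuple:
    """Decode the h1,h2,h3,h4,p1,p2 form into a dotted host and a port."""
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def extract_data_endpoints(lines: List[str], server_host: str) -> List[DataEndpoint]:
    """Return the data-channel endpoints a firewall helper can learn from
    the control channel. EPSV carries no address, so the server's own
    address (the control-connection peer) is used for it."""
    endpoints: List[DataEndpoint] = []
    for raw in lines:
        who, sep, text = raw.partition(":")
        if not sep:
            continue
        text = text.strip()
        if who == "S":
            m = PASV_RE.match(text)
            if m:
                host, port = _host_port(m)
                endpoints.append(DataEndpoint("server", host, port, text))
                continue
            m = EPSV_RE.match(text)
            if m:
                endpoints.append(DataEndpoint("server", server_host, int(m.group(1)), text))
        elif who == "C":
            m = PORT_RE.match(text)
            if m:
                host, port = _host_port(m)
                endpoints.append(DataEndpoint("client", host, port, text))
    return endpoints


def sanity_check(ep: DataEndpoint, expected_host: str, low: int = 1024, high: int = 65535) -> List[str]:
    """Checks a firewall helper or client applies before opening a pinhole:
    the port must be in the ephemeral range and the advertised address must
    match the host that actually owns the connection."""
    problems = []
    if not (low <= ep.port <= high):
        problems.append("port out of ephemeral range")
    if ep.host != expected_host:
        problems.append("advertised address differs from peer")
    return problems


if __name__ == "__main__":
    for ep in extract_data_endpoints(SAMPLE_CONTROL_CHANNEL, "192.168.1.10"):
        print(ep.listener, ep.host, ep.port, sanity_check(ep, ep.host))
    print("endpoints visible through TLS:",
          extract_data_endpoints(SAMPLE_TLS_RECORDS, "192.168.1.10"))
```

Run against the cleartext sample, the parser yields the server listener 192.168.1.10:50000 (PASV), 192.168.1.10:50001 (EPSV) and the client listener 10.0.0.5:1025 (PORT); run against the TLS view it yields nothing, which is exactly why wrapping only the control connection in stunnel leaves the data connections without firewall state and forces the fixed passive-port-range workaround described in the quoted message.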