[stunnel-users] some thoughts of add ftp server proxy support to stunnel4. comments required

Brian Hatch bri at stunnel.org
Fri Jul 29 06:11:45 CEST 2005


> Any suggestions will be appreciated.

Not that they're nice suggestions:

	1) don't use Stunnel for something as already broken as
	   ftp.  If you must use ftp w/ ssl support, get an ssl
	   enabled ftp server, such as proftpd.

	2) ssl-protected ftp is not going to work through firewalls
	   nicely because the firewall can't inspect the packets
	   to re-write the IP addresses, or allow the ephemeral
	   ports, so you're stuck hoping they have a permissive
	   outbound firewall, you've got dedicated ports open on
	   your firewall that allow anything from anyone without
	   restriction and your ftp server is hard coded to use
	   only ephemeral ports in that range, and that the client
	   uses passive ftp only because active just plain won't work.

	3) ftp icky.  icky icky icky icky.


-- 
Brian Hatch                  "So, how did you find about all of this?"
   Systems and               "I'm ... a telepath ... Work it out."
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
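
Added example, not part of Brian Hatch's message: a sketch of what a NAT firewall's FTP helper does with a passive-mode reply, and why it has nothing to work with once the control channel is inside SSL (point 2 above). The addresses, port range and function names are constructed for illustration.

```python
import re

# All addresses and ports below are constructed sample values.
PUBLIC_IP = "203.0.113.10"          # firewall's outside address (assumed)
STATIC_RANGE = range(50000, 50101)  # ports statically forwarded to the server (assumed)
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def alg_inspect(segment: bytes, pinholes: set) -> bytes:
    """Mimic a firewall FTP helper on one server->client control segment.

    A readable 227 reply gets its private address rewritten to PUBLIC_IP and a
    pinhole opened for the data port. Anything else passes through untouched.
    """
    m = PASV_RE.match(segment)
    if not m:
        return segment  # nothing recognisable: no rewrite, no pinhole
    p1, p2 = int(m.group(5)), int(m.group(6))
    pinholes.add(p1 * 256 + p2)
    host = PUBLIC_IP.replace(".", ",").encode()
    return b"227 Entering Passive Mode (%s,%d,%d)\r\n" % (host, p1, p2)


def data_connection_allowed(port: int, pinholes: set) -> bool:
    """An inbound data connection passes only via a pinhole or the static range."""
    return port in pinholes or port in STATIC_RANGE


def demo() -> dict:
    clear = b"227 Entering Passive Mode (10,0,0,5,156,64)\r\n"  # port 40000
    # The same reply as the firewall sees it under SSL: an opaque
    # application-data record (type 0x17). The body is filler, not ciphertext.
    wrapped = b"\x17\x03\x01\x00\x30" + bytes(48)
    holes_clear, holes_ssl = set(), set()
    out_clear = alg_inspect(clear, holes_clear)
    out_ssl = alg_inspect(wrapped, holes_ssl)
    return {
        "clear_rewritten": out_clear,
        "clear_allowed": data_connection_allowed(40000, holes_clear),
        "ssl_untouched": out_ssl == wrapped,
        "ssl_allowed": data_connection_allowed(40000, holes_ssl),
        # The workaround from point 2: server pinned to the forwarded range.
        "ssl_allowed_in_static_range": data_connection_allowed(50010, holes_ssl),
    }


if __name__ == "__main__":
    print(demo())
```

With the control channel encrypted, the only data ports that get through are the ones opened statically, and the client still receives the server's private address unless the server itself is configured to advertise the public one.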