[stunnel-users] some thoughts of add ftp server proxy support to stunnel4. comments required
ZHUANG YUYAO
zhuangyy at netease.com
Fri Jul 29 11:26:24 CEST 2005
Brian Hatch wrote:
>Not that they're nice suggestions:
>
> 1) don't use Stunnel for something as already broken as
>
FTP is one of the most widely used protocols; maybe it is broken, but people are still using it.
> ftp. If you must use ftp w/ ssl support, get an ssl
> enabled ftp server, such as proftpd.
>
>
I know there are many ssl enabled ftp servers, but if I've deployed
stunnel in my networks, established a PKI environment around it, and set
access control to my http, pop3, smtp, imtp servers in stunnel.conf, I'd
be fairly happy if I could add ssl ftp support by just adding a few lines to
my stunnel.conf, avoiding the annoying process of
downloading/compiling/installing an ssl enabled ftp server, migrating my
previous ftp server settings to the new one, reading its configuration
manual, testing and hoping everything is OK, and after 1 month, some new
requirements force me to read its manual again because I totally forget
how to use it.
I've started to write code to add ftp support to stunnel based on
version 4.11 today. Now my FlashFXP can connect to the ftp server through
stunnel and list files (the LIST command works), but still cannot download
a file (RECV failed; the log on the client side shows the ssl
negotiation is ok, but stunnel.log complains with "SSL_write returned
WANT_WRITE: retrying" and "SSL_read returned WANT_READ: retrying").
Now I have more confidence in the approach I described in my last mail.
> 2) ssl-protected ftp is not going to work through firewalls
> nicely because the firewall can't inspect the packets
> to re-write the IP addresses, or allow the ephemeral
> ports, so you're stuck hoping they have a permissive
> outbound firewall, you've got dedicated ports open on
> your firewall that allow anything from anyone without
> restriction and your ftp server is hard coded to use
> only ephemeral ports in that range, and that the client
> uses passive ftp only because active just plain won't work.
>
Please consider such a situation: a company which has already set up
their firewall rules to allow access to the ftp server, and they're using it
every day (from both WAN and LAN), but without encryption, so the password
is unsafe. Adding a stunnel in front of the ftp server is the simplest
solution.
Even if the firewall is an unavoidable problem, at least we have solved the
security problems in LAN ftp access, which, in my opinion, are more
critical than the possible attacks from the outside Internet.
> 3) ftp icky. icky icky icky icky.
>
Yes, I agree :-)
To me, I'm adding this functionality to stunnel because I like this software, and if the FTP protocol were supported, plus some other improvements (i.e. access
control, configuration-on-the-fly, etc.), it would make stunnel an ideal choice for a real SSL VPN.
Zhuang Yuyao
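The following is an added example and is not part of the thread above or of stunnel's code. It shows the mechanism behind Brian's point 2: FTP announces the data-channel endpoint inside the control channel (as `h1,h2,h3,h4,p1,p2`, port = p1*256 + p2, in the client's PORT command for active mode or the server's 227 reply to PASV for passive mode), which is exactly what a firewall or NAT device can no longer read once stunnel wraps the control channel in SSL. The helper parses both encodings and flags what a TLS-blind firewall would break, so an administrator can audit a server's plaintext PASV replies against the pre-opened port range before deploying stunnel in front of it. The port range, addresses and control-channel lines are all constructed for the demonstration.

```python
"""
Added example (not from the stunnel-users thread): parse FTP data-channel
announcements and flag the ones a firewall cannot handle once the control
channel is inside TLS. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 959 encodes the endpoint as h1,h2,h3,h4,p1,p2 in both PORT and 227 lines.
_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int
    mode: str  # "active" (PORT from the client) or "passive" (227 from the server)


def parse_data_endpoint(line: str) -> DataEndpoint:
    """Extract the data-channel endpoint from a PORT command or a 227 PASV reply."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"
    elif text.startswith("227"):
        mode = "passive"
    else:
        raise ValueError(f"not a PORT command or 227 reply: {line!r}")
    match = _ENDPOINT_RE.search(text)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {line!r}")
    fields = [int(g) for g in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field exceeds 255 in: {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return DataEndpoint(host=f"{h1}.{h2}.{h3}.{h4}", port=p1 * 256 + p2, mode=mode)


def check_against_firewall(
    line: str,
    allowed_range: Tuple[int, int],
    public_host: Optional[str] = None,
) -> Tuple[DataEndpoint, List[str]]:
    """Return the parsed endpoint plus the reasons a TLS-blind firewall would break it."""
    endpoint = parse_data_endpoint(line)
    low, high = allowed_range
    problems: List[str] = []
    if endpoint.mode == "active":
        # The server must connect back to the client's ephemeral port, which the
        # firewall cannot learn from a PORT command it can no longer read.
        problems.append("active mode: firewall cannot read PORT to permit the server's connection back")
        return endpoint, problems
    if not low <= endpoint.port <= high:
        # Only a fixed, pre-opened passive range works when the reply is encrypted.
        problems.append(f"passive port {endpoint.port} is outside the pre-opened range {low}-{high}")
    if public_host is not None and endpoint.host != public_host:
        # A NAT ALG would normally rewrite a private address here; inside TLS it cannot.
        problems.append(f"advertised host {endpoint.host} is not the public address {public_host}")
    return endpoint, problems


# Constructed control-channel lines for the demonstration (not real traffic).
CONSTRUCTED_LINES = [
    "227 Entering Passive Mode (203,0,113,10,195,80).",  # port 50000, inside range
    "227 Entering Passive Mode (203,0,113,10,4,21).",    # port 1045, outside range
    "227 Entering Passive Mode (10,0,0,5,195,81).",      # port 50001, private address leaked
    "PORT 198,51,100,7,200,15",                          # client active mode, port 51215
]


def audit(lines: List[str],
          allowed_range: Tuple[int, int] = (50000, 50100),
          public_host: str = "203.0.113.10") -> Dict[str, List[str]]:
    """Map each control line to the list of firewall problems it would cause."""
    return {line: check_against_firewall(line, allowed_range, public_host)[1] for line in lines}


if __name__ == "__main__":
    for line, problems in audit(CONSTRUCTED_LINES).items():
        print(line, "->", "OK" if not problems else "; ".join(problems))
```

Run against a capture of the server's unencrypted control channel (taken before stunnel is inserted), an empty problem list for every 227 reply means the server is pinned to the range the firewall already permits and advertises its public address; anything else will only get worse once the channel is encrypted, because no device between client and server can correct it.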