You mean with or without ftp-proxy?

On 8/3/07, soulshepard <[EMAIL PROTECTED]> wrote:
> is there any other way of getting ftp+ssl to pass normally on a bsd box?
>
> soul.
>
>
> Die Gestalt wrote:
> >
> > All I can tell you is I had for a while a ftp + ssl server running
> > (and yes ftp + ssl is useful in some scenarios) behind a pf machine and
> > it all worked perfectly well.
> >
> > The problem is that you get first a SSL handshake and then all the
> > rest is ciphered, preventing ftp-proxy from doing its work.
> >
> > You may need to do the following:
> >
> > - restrict the data ports of the ftp server to a certain range (for
> > example 40000 to 45000)
> > - open these ports on the pf machine (bypassing the ftp proxy behaviour)
> > - have the ftp server listen on a port other than 21
> >
> > If you wanted ftp-proxy to work transparently with SSL it would have
> > to proxy the SSL handshake as well which might be a problem in terms
> > of security since the data flow would exist in clear (somewhere in
> > memory) on the proxy.
> >
> > On 7/31/07, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> >> A client of ours (don't ask) has been sold by somebody else on the
> >> idea that FTP over SSL (afaik implemented with some Microsoft system
> >> or other) is the way to go.
> >>
> >> Now FTP over SSL seems to be a variant which isn't obviously well
> >> supported other than a few experimental clients, and with a fairly
> >> straightforward 4.1 pf + ftp-proxy setup (close enough to the one in
> >> the tutorial[1]) near the client end, what I get is that the client
> >> and server happily clear authentication, but do not manage to set up
> >> their SSL connection.
> >>
> >> What I get from ftp-proxy is a sequence of
> >>
> >> Jul 31 10:49:27 delilah ftp-proxy[15797]: #1 client command too long or
> >> not clean
> >>
> >> with incrementing # numbers, until the partners give up.
> >>
> >> The 'techies' at the other end seem to have problems with concepts
> >> such as server tunables, so the question is, is there some obvious
> >> ftp-proxy workaround I've missed (other than the even more obvious
> >> 'use something else')?
> >>
> >> - P
> >>
> >> [1] http://home.nuug.no/~/peter/pf/, specifically
> >>    http://home.nuug.no/~peter/pf/en/newftpproxy.html
> >>
> >> --
> >> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> >> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> >> http://www.nuug.no/
> >> "Remember to set the evil bit on all malicious network traffic"
> >> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> >
> >
> >
>
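A pf.conf sketch of the workaround Die Gestalt outlines above (FTP+SSL control channel on a port other than 21 so the ftp-proxy redirect never sees it, and the server's fixed passive data range passed straight through). This is an added example, not configuration posted by anyone in the thread; the interface name, the 192.0.2.10 server address, port 2121 and the 40000:45000 range are assumptions.

```pf
# Added example pf.conf fragment (OpenBSD 4.x syntax), not from the thread.
# Assumed: the pf box sits in front of an FTP+SSL server that has a routable
# DMZ address, so no rdr is needed for the server itself.
ext_if    = "em0"
ftps_srv  = "192.0.2.10"      # assumed server address (documentation range)
ftps_ctrl = "2121"            # server configured to listen here instead of 21
ftps_data = "40000:45000"     # passive data range configured on the server

# Plain FTP to the usual port 21 still goes through ftp-proxy (reverse mode).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $ext_if proto tcp from any to $ftps_srv port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

block in on $ext_if

# FTP+SSL: after the TLS handshake the control channel is ciphertext, so
# ftp-proxy cannot read PASV/PORT replies and open data ports on demand.
# Pass the control port and the whole data range statically instead.
# Caveat: the entire range is reachable even when no transfer is in progress,
# which is the price of bypassing the proxy; keep the range as small as the
# server's expected concurrency allows.
pass in on $ext_if proto tcp from any to $ftps_srv port $ftps_ctrl flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftps_srv port $ftps_data flags S/SA keep state
```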
