Thank you for that. It does appear that the cert and key files are not required to log in.

Also if I set the PROT to C, both the listAsync and getAsync responses are encrypted. If PROT is set to P, only the getAsync response is encrypted.

P and C are the only two PROT commands supported by this server.

Regards
Graham

On 20/12/2017 10:50, Angus Robertson - Magenta Systems Ltd wrote:
I use the 01cert.pem etc. as example files
SSL client applications don't need certificate or private key files,
unless the server is high security and requires secure identification
of remote users, like access to corporate LANs, money transfer services.
You only need a root CA file bundle, and ICS now bundles one in wsocket
as constants.

when I look at the data being transferred with Wireshark, I see
that everything is encrypted except for the response to the
DirAsync command.
Should be easy to answer, but actually not.  Each data connection uses
a separate TCP connection that requires a new SSL handshake, which is
quite expensive in packets.

So data encryption is optional, defined by the PROT command, C means
clear, P means private which in modern terms means SSL.  Clear might be
acceptable if the files are already encrypted and the overhead of extra
encryption is not required.

Remember this stuff was devised back in 1997 when computing power and
memory were expensive, and no-one envisaged how it might be
implemented in the future.

Assuming you have set protection to P, the ICS client should be opening
an SSL connection for directory related commands, there are several.  I
have a log that shows

04:05:00  > XDMLSD -R
004:05:00  ! SSL Connected OK with TLSv1.2, cipher
ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH,
encryption AESGCM(256), message auth AEAD

So it's working with that particular directory command (only supported
by the ICS FTP server).  But I cannot say it works with all versions,
some of which use the control channel instead (which should be
encrypted anyway).

Assuming you are logging the SSL handshake event and FTP commands, your
application should tell you what is encrypted and how.

This is all down to the client, not the server.

Angus
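The check Angus describes above, walking an ICS-style client log to see whether each data-channel command was followed by an SSL handshake event, as an added example that is not code from the thread or from ICS. The log lines are constructed to match the format quoted above, and the set of data-connection commands is an assumption for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of an ICS-style FTP client log (not a real capture).
SAMPLE_LOG = """\
04:05:00  > PROT P
04:05:00  < 200 Protection level set to P
04:05:00  > XDMLSD -R
04:05:00  ! SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384
04:05:01  > PROT C
04:05:01  < 200 Protection level set to C
04:05:01  > RETR secret.bin
04:05:02  < 226 Transfer complete
"""

# Commands that open a separate data connection (assumed list for this example).
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "XDMLSD", "RETR", "STOR", "APPE"}

@dataclass
class Finding:
    time: str
    command: str
    prot: str       # PROT level in force when the command was sent
    data_tls: bool  # True if an SSL handshake event followed the command

def audit_log(text):
    """Track the PROT level and record, for each data command, whether an
    'SSL Connected OK' event appeared before the next command was sent."""
    prot = "C"  # RFC 4217 default is Clear until the client issues PROT P
    findings, pending = [], None
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+([>!<])\s+(.*)", line)
        if not m:
            continue
        time, direction, body = m.groups()
        if direction == ">":
            if pending:
                findings.append(pending)
                pending = None
            verb, _, arg = body.partition(" ")
            if verb == "PROT":
                prot = arg.strip().upper()
            elif verb in DATA_COMMANDS:
                pending = Finding(time, verb, prot, False)
        elif direction == "!" and "SSL Connected OK" in body and pending:
            pending.data_tls = True
    if pending:
        findings.append(pending)
    return findings

def cleartext_transfers(text):
    """Data commands whose data channel was not protected by TLS."""
    return [f for f in audit_log(text) if not f.data_tls]
```

Running `cleartext_transfers(SAMPLE_LOG)` flags the RETR sent after PROT C, while the XDMLSD under PROT P is shown with its handshake.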


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be