From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Sat, 2 Apr 2005 22:05:41 -0500
From: Russ Cox
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Secure ftp Again
In-Reply-To: <64b70cf896f7dd37633fd9d5e7dfca94@comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
References: <64b70cf896f7dd37633fd9d5e7dfca94@comcast.net>
Topicbox-Message-UUID: 31cc0a4c-ead0-11e9-9d60-3106f5b1d025

> Someone (Russ Cox??? I forget now.) replied saying that I
> probably needed to be looking at tls and pushtls. Well, I have.
> I hate to be a bonehead about this, but I still don't see how
> to make use of these things. The tips pages have nice things
> for ordinary users like mounting cds and using cdfs. Would
> anyone be kind enough to walk me through making secure
> ftp connections in a `tip o' the day' sort of way.

I'm not sure anyone here has ever used FTP over SSL, so we're
not very forthcoming with recipes.

However, it looks like there are two ways people do FTP over SSL.

The first is by connecting to port 990 and SSL-encrypting the
entire connection. If this is what you're supposed to be doing,
then running

	tlsclient tcp!yourserver!990

should give you something like "220 ftp server ready". If so,
you need to change ftpfs/hget to pushtls after connecting:

	/* TLSconn and tlsClient come from <mp.h> and <libsec.h> */
	TLSconn conn;

	fd = dial(etc.);
	memset(&conn, 0, sizeof conn);	/* zeroed conn: no client cert, no session id */
	fd = tlsClient(fd, &conn);	/* returns the encrypted fd; the old fd now belongs to TLS */

instead of just calling dial.

The other way appears to be to send an "AUTH TLS" command during
the session, and if you get a 234 response back, to then push TLS
using the last two lines above. If you do this you will also have
to reinitialize the i/o buffers, if any, with the new file descriptor.

http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-16.txt
has what appears to be up-to-date info about TLS and FTP.

For examples of pushing TLS onto connections, grep for tlsClient in
/sys/src/cmd/hget.c (like the first case) or
/sys/src/cmd/upas/fs/imap4.c (also like the first case) or
/sys/src/cmd/upas/fs/pop3.c (the needssl code is like the first case;
the needtls code is like the second; pop3pushtls illustrates
reinitializing the i/o buffers).

Russ
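As an added example, not part of Russ's message and not code from the Plan 9 sources, here is the plaintext half of the second method (the "AUTH TLS" negotiation) written in portable C against a scripted server. It shows the two decisions the client has to make before any TLS is pushed: parse the FTP reply code, including multi-line replies, and only hand the descriptor to TLS on a 234; refuse to carry on in the clear on any 4xx/5xx. It also models the caveat about stale buffers: anything the server sent in plaintext after the 234 is treated as a protocol error rather than being read as if it were part of the TLS stream. The function and state names, and the server replies, are my own constructions; the actual tlsClient call is left to the Plan 9 code quoted above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Where the client ends up after the plaintext prelude of an explicit-TLS
 * FTP session (constructed names, not from any library). */
enum ftps_state {
	FTPS_PUSH_TLS,       /* 234 received: push TLS, then reinitialize i/o buffers */
	FTPS_REFUSED,        /* server will not do TLS: do not continue in the clear */
	FTPS_PROTOCOL_ERROR  /* unexpected greeting, malformed reply, or cleartext after 234 */
};

/* Parse one FTP reply line. Returns the 3-digit code, or -1 if the line does
 * not start with one. *last is 1 when the code is followed by a space (end of
 * reply) and 0 when followed by '-' (first line of a multi-line reply). */
int ftp_reply_code(const char *line, int *last)
{
	if (strlen(line) < 4)
		return -1;
	for (int i = 0; i < 3; i++)
		if (!isdigit((unsigned char)line[i]))
			return -1;
	if (line[3] != ' ' && line[3] != '-')
		return -1;
	*last = (line[3] == ' ');
	return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Consume one complete reply starting at lines[*i], advancing *i past it.
 * Multi-line replies end at a line carrying the same code followed by a
 * space; intermediate lines may carry no code at all. Returns the code, or
 * -1 if the reply is malformed or truncated. */
int ftp_read_reply(const char *const *lines, int n, int *i)
{
	int last = 0;
	if (*i >= n)
		return -1;
	int code = ftp_reply_code(lines[(*i)++], &last);
	if (code < 0)
		return -1;
	while (!last) {
		if (*i >= n)
			return -1;		/* reply truncated */
		last = 0;
		int c = ftp_reply_code(lines[(*i)++], &last);
		if (c != code)
			last = 0;		/* intermediate line, keep reading */
	}
	return code;
}

/* Drive the plaintext prelude against a scripted server. The single command
 * the client sends is written to cmd. Returns the resulting state. */
enum ftps_state ftps_negotiate(const char *const *server, int n, char *cmd, size_t cmdlen)
{
	int i = 0;
	int code = ftp_read_reply(server, n, &i);
	if (code != 220)			/* expect the usual "220 ... ready" greeting */
		return FTPS_PROTOCOL_ERROR;
	snprintf(cmd, cmdlen, "AUTH TLS\r\n");
	code = ftp_read_reply(server, n, &i);
	if (code >= 400 && code < 600)		/* server declined; never fall back to cleartext */
		return FTPS_REFUSED;
	if (code != 234)
		return FTPS_PROTOCOL_ERROR;
	if (i < n)				/* cleartext after 234: old buffer must be discarded, not reused */
		return FTPS_PROTOCOL_ERROR;
	return FTPS_PUSH_TLS;		/* caller now does tlsClient(fd, &conn) and reinits its buffers */
}

int main(void)
{
	/* constructed server transcript, as the client would read it in the clear */
	const char *server[] = {"220-Welcome", " second greeting line", "220 ready",
	                        "234 Proceed with negotiation"};
	char cmd[32];
	enum ftps_state st = ftps_negotiate(server, 4, cmd, sizeof cmd);
	printf("sent: %s", cmd);
	printf("state: %d (0 = push TLS now)\n", st);
	return st == FTPS_PUSH_TLS ? 0 : 1;
}
```

The first method on the page (port 990) needs no negotiation: tlsClient is called straight after dial, and ftp_read_reply would then be run over the encrypted descriptor to check for the 220 greeting.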