Uploaded image for project: 'Maven Wagon'
  1. Maven Wagon
  2. WAGON-600

FTP-Upload fails if server enforces data encryption



    • Improvement
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • 2.0
    • None
    • wagon-ftp
    • None


      We recently deployed stronger encryption rules to a few of our webservers. Unfortunately this leads to an issue with the FTP-Upload of wagon plugin for FTP. We receive the message "425-Server reqires protected data connection".
      Due to our FTP-Server allows only data transfer with encryption, this error arises.

      RFC4217, 9 defines the behaviour of Data Connection Protection and defines two available modes for FTPS:
      'C' - Clear - neither Integrity nor Privacy
      'P' - Private - Integrity and Privacy

      With 'Clear' protection level, the data connection is made without
      TLS. Thus, the connection is unauthenticated and has no
      confidentiality or integrity. This might be the desired behaviour
      for servers sending file lists, pre-encrypted data, or non-
      sensitive data (e.g., for anonymous FTP servers).

      If the data connection security level is 'Private', then a TLS
      negotiation must take place on the data connection to the
      satisfaction of the Client and Server prior to any data being
      transmitted over the connection. The TLS layers of the Client and
      Server will be responsible for negotiating the exact TLS Cipher
      Suites that will be used (and thus the eventual security of the

      In addition, the PBSZ (protection buffer size) command, as
      detailed in [RFC-2228], is compulsory prior to any PROT command.
      This document also defines a data channel encapsulation mechanism
      for protected data buffers. For FTP-TLS, which appears to the FTP
      application as a streaming protection mechanism, this is not
      required. Thus, the PBSZ command MUST still be issued, but must
      have a parameter of '0' to indicate that no buffering is taking
      place and the data connection should not be encapsulated.
      However, it should be noted that using a value of '0' to mean a
      streaming protocol is a reasonable use of '0' for that parameter
      and is not ambiguous.

      Initial Data Connection Security

      The initial state of the data connection MUST be 'Clear' (this is
      the behaviour as indicated by [RFC-2228]).

      While inspecting the code I noticed that the plugin does not do any switch to "secure data connection" (PBSZ 0 and PROT P). So it looks like the plugin is not compatible to servers that enforce a data connection.

      A good behaviour would be that the plugin tries to switch to protected data connections and continue if the server can't handle the PROT Command. Many clients switch to data encryption too when a TLS encrypted FTP was started.

      I'm pretty sure this is also an issue in the current version.



        1. trace_ftp_original_wagon-ftp.pcapng
          59 kB
          David Obernöder
        2. trace_ftp_modified_wagon-ftp.pcapng
          106 kB
          David Obernöder



            Unassigned Unassigned
            dobernoeder David Obernöder
            0 Vote for this issue
            2 Start watching this issue



              Time Tracking

                Original Estimate - 8h
                Remaining Estimate - 8h
                Time Spent - Not Specified
                Not Specified