Details
-
Improvement
-
Status: Open
-
Trivial
-
Resolution: Unresolved
-
2.0
-
None
-
None
Description
We recently deployed stronger encryption rules to a few of our webservers. Unfortunately this leads to an issue with the FTP-Upload of wagon plugin for FTP. We receive the message "425-Server reqires protected data connection".
Due to our FTP-Server allows only data transfer with encryption, this error arises.
RFC4217, 9 defines the behaviour of Data Connection Protection and defines two available modes for FTPS:
'C' - Clear - neither Integrity nor Privacy
'P' - Private - Integrity and Privacy
With 'Clear' protection level, the data connection is made without
TLS. Thus, the connection is unauthenticated and has no
confidentiality or integrity. This might be the desired behaviour
for servers sending file lists, pre-encrypted data, or non-
sensitive data (e.g., for anonymous FTP servers).
If the data connection security level is 'Private', then a TLS
negotiation must take place on the data connection to the
satisfaction of the Client and Server prior to any data being
transmitted over the connection. The TLS layers of the Client and
Server will be responsible for negotiating the exact TLS Cipher
Suites that will be used (and thus the eventual security of the
connection).
In addition, the PBSZ (protection buffer size) command, as
detailed in [RFC-2228], is compulsory prior to any PROT command.
This document also defines a data channel encapsulation mechanism
for protected data buffers. For FTP-TLS, which appears to the FTP
application as a streaming protection mechanism, this is not
required. Thus, the PBSZ command MUST still be issued, but must
have a parameter of '0' to indicate that no buffering is taking
place and the data connection should not be encapsulated.
[...]
However, it should be noted that using a value of '0' to mean a
streaming protocol is a reasonable use of '0' for that parameter
and is not ambiguous.
Initial Data Connection Security
The initial state of the data connection MUST be 'Clear' (this is
the behaviour as indicated by [RFC-2228]).
While inspecting the code I noticed that the plugin does not do any switch to "secure data connection" (PBSZ 0 and PROT P). So it looks like the plugin is not compatible to servers that enforce a data connection.
A good behaviour would be that the plugin tries to switch to protected data connections and continue if the server can't handle the PROT Command. Many clients switch to data encryption too when a TLS encrypted FTP was started.
I'm pretty sure this is also an issue in the current version.