Q : How to implement FXP (server to server transfer) over SSL/TLS using the SSCN command

A : To enable FTP server-to-server file transfers over SSL/TLS connections, a new extension command called SSCN (Set Secured Client Negotiation) is introduced. We (the RaidenFTPD, SmartFTP, BlackMoon FTP Server, SurgeFTP, FTP Voyager, Titan FTP Server, Orenosv HTTP/FTP Server, GlobalSCAPE Secure FTP Server, CuteFTP Pro, RemotelyAnywhere, FTP Serv-U, FlashFXP and Gene6 FTP Server teams) first introduced it, and we welcome any FTP server or client vendor to use this extension command freely if the following conditions are met.

1. Any implementation must follow all the protocol requirements listed on this page.

2. You cannot change the behavior of the SSCN command (for 100% compatibility between clients and servers).

3. There is no warranty of any kind.

SSCN protocol requirements on the FTP server side

1. FTP server implementations must list SSCN in the FEAT features list, as in the following exchange:

(C> from the client, S> from the server)

C> FEAT
S> 211-Extensions supported:
S> ...
S>  SSCN
S> ...
S> 211 END

2. The FTP server must return the current SSL negotiation method if an SSCN command is sent without any argument; however, the client should only look at the reply code (2xx or 5xx) to determine whether the request was granted by the server.

(C> from the client, S> from the server)

C> SSCN
S> 200 SSCN:SERVER METHOD
C> SSCN ON
S> 200 SSCN:CLIENT METHOD
C> SSCN
S> 200 SSCN:CLIENT METHOD
C> SSCN OFF
S> 200 SSCN:SERVER METHOD
C> SSCN
S> 200 SSCN:SERVER METHOD

3. If the client has sent SSCN ON, the FTP server must call ssl_connect instead of ssl_accept on passive or active data connections for the commands RETR/STOR/APPE/STOU; ssl_connect should be called right after the 150 Opening xxx FTP response message.

4. If the client has sent SSCN OFF, the FTP server must call ssl_accept instead of ssl_connect on passive or active data connections for the commands RETR/STOR/APPE/STOU; ssl_accept should be called right after the 150 Opening xxx FTP response message.

5. The FTP server must return a 421 xxx error message if the SSL/TLS negotiation fails on the server-to-server data connection.

(C> from the client, S1> from server 1, S2> from server 2)

C> STOR mos2-ppt.zip
S1> 150 Opening BINARY data connection for /mp3/mos2-ppt.zip using SSL/TLS
C> RETR mos2-ppt.zip
S2> 150 Sending /upload/mos2-ppt.zip (50068084 bytes) using SSL/TLS. Mode STREAM Type BINARY

S1> 421 Connection closed (SSL/TLS negotiation failed).
S2> 421 Connection closed (SSL/TLS negotiation failed).

6. The FTP server must always call ssl_accept on passive or active data connections for the commands LIST/NLST, regardless of whether the session is currently in the SSCN ON or SSCN OFF state.

7. If neither SSCN ON nor SSCN OFF has been sent to the FTP server, the server always calls ssl_accept on passive or active data connections for the commands LIST/NLST/RETR/STOR/APPE/STOU.


SSCN protocol requirements on the FTP client side

1. The FTP client must not send SSCN ON, SSCN OFF or a bare SSCN command to the server unless it has first sent a FEAT command to query the server's extensions.

2. The FTP client must not use the SSCN ON, SSCN OFF or SSCN commands if SSCN is not listed in the server's features list.

3. The FTP client does not need to implement the ssl_accept (server) method: for the directory listing commands LIST/NLST the FTP client always uses ssl_connect for data connections.

4. The FTP client does not need to send SSCN ON for every server-to-server file transfer; it only needs to send SSCN ON once at the beginning of the server-to-server transfers and SSCN OFF at the end.

5. The FTP client must send SSCN OFF when it wants to do server-to-local or local-to-server file transfers.
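The server-side rules (3 to 7) and the client-side rules (1, 2 and 5) above, as an added example that is not part of the original page and not any vendor's code: a Python model of the per-connection SSCN state, the FEAT check a client must do first, and the check that an FXP pair ends up with one ssl_connect and one ssl_accept so the server-to-server handshake can succeed (rule 5). The class and function names, the constructed FEAT replies and the 504 reply for an unknown argument are my assumptions.

```python
# Added example (not RaidenFTPD's or any vendor's code): a model of the SSCN rules.
# Names are my own; the 504 reply for an unknown argument is an assumption.

SSCN_SWITCHED = {"RETR", "STOR", "APPE", "STOU"}  # server rules 3 and 4
LISTING_CMDS = {"LIST", "NLST"}                    # server rule 6: never switched


class SscnState:
    """SSCN state a server keeps for one control connection."""

    def __init__(self):
        self.client_method = False  # False: SSCN OFF (server method), True: SSCN ON

    def handle_sscn(self, argument=""):
        """Reply to SSCN / SSCN ON / SSCN OFF; 2xx grants, 5xx refuses (server rule 2)."""
        arg = argument.strip().upper()
        if arg == "ON":
            self.client_method = True
        elif arg == "OFF":
            self.client_method = False
        elif arg:
            return "504 SSCN argument not recognized"  # assumed 5xx for an unknown argument
        return "200 SSCN:CLIENT METHOD" if self.client_method else "200 SSCN:SERVER METHOD"

    def data_tls_role(self, command):
        """Handshake role the server takes on the data connection right after its 150
        reply: 'connect' (ssl_connect) or 'accept' (ssl_accept). Server rules 3, 4, 6, 7."""
        cmd = command.upper()
        if cmd in SSCN_SWITCHED and self.client_method:
            return "connect"
        return "accept"  # LIST/NLST always, and every command while SSCN is OFF


def server_advertises_sscn(feat_reply):
    """Client rules 1 and 2: SSCN may only be used if the FEAT reply lists it."""
    return any(line.strip().upper() == "SSCN" for line in feat_reply.splitlines())


def fxp_handshake_ok(src, src_cmd, dst, dst_cmd):
    """Server rule 5 seen from the client: the SSL/TLS handshake between the two servers
    can only succeed when exactly one of them calls ssl_connect and the other ssl_accept,
    so the client sends SSCN ON to one of the two servers only."""
    roles = {src.data_tls_role(src_cmd), dst.data_tls_role(dst_cmd)}
    return roles == {"accept", "connect"}
```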

Last notes : SSCN advantages over *other* FXP-over-SSL implementations

1. Minimal client modifications: to support SSCN a client only needs to (1) recognize the command, (2) enable it and (3) disable it at the right time.

2. IPv6 possibilities: without introducing new PASV or PORT commands, SSCN can be combined with the IPv6 EPRT and EPSV commands.

3. Works with old clients: even if a client does not support SSCN, you can still send SSCN ON and SSCN OFF manually to do FXP over SSL, because no other new command is needed.

That's ALL

Copyright © RaidenFTPD TEAM , ALL RIGHTS RESERVED

REVISION 2.4 , 2004/03/05

The copyrighted works contained in this information service shall not be copied, reproduced, varied, altered, modified, adapted, distributed, performed and displayed in any form without the written permission of the copyright owner. All trademarks belong to their respective owners.