[stunnel-users] some thoughts of add ftp server proxy support to stunnel4. comments required
zhuangyy at netease.com
Fri Jul 29 11:26:24 CEST 2005
Brian Hatch wrote:
>Not that they're nice suggesions:
> 1) don't use Stunnel for something as already broken as
ftp is one of the most widely used protocols, may be it is broken, but people are still using it.
> ftp. If you must use ftp w/ ssl support, get an ssl
> enabled ftp server, such as proftpd.
I know there are many ssl enabled ftp servers, but if I've deployed
stunnel in my networks, established a PKI environment around it, setted
access control to my http, pop3, smtp, imtp servers in stunnel.conf, I'd
be fairely happy if I can add ssl ftp support by just add a few lines to
my stunnel.conf, avoid the annoying process of
downloading/compiling/installing a ssl enabled ftp server, migrating my
previous ftp server settings to the new one, read its configuration
manual, testing and hope everything is OK, and after 1 month, some new
requirements force me to read its manual again because I total forget
how to use it.
I've started to write codes to add ftp support to stunnel based on
version 4.11 today, now my FlashFXP can connect to ftp server through
stunnel, list files (the LIST command works), but still can not download
a file (RECV failed. the log on the client side shows the ssl
negotiation is ok, but stunnel.log complains for "SSL_write returned
WANT_WRITE: retrying" "SSL_read returned WANT_READ: retrying").
Now I have more confident in the approach I described in my last mail.
> 2) ssl-protected ftp is not going to work through firewalls
> nicely because the firewall can't inspect the packets
> to re-write the IP addresses, or allow the ephemeral
> ports, so you're stuck hoping they have a permissive
> outbound firewall, you've got dedicated ports open on
> your firewall that allow anything from anyone without
> restriction and your ftp server is hard coded to use
> only ephemeral ports in that range, and that the client
> uses passive ftp only because active just plain won't work.
Please consider such a situation, a company which has already setted up
their firewall rules to allow access to the ftp server, they're using it
everyday (from both WAN and LAN), but without encryption, the password
is unsafe. adding a stunnel in front of the ftp server is the simplest
Even if the firewall is an unavoidable problem, at least we solved the
security problems in LAN ftp access, which, in my opinion, is more
critical than the possible attacks from the outside Internet.
> 3) ftp icky. icky icky icky icky.
Yes, I agree :-)
To me, adding this functionality to stunnel because I like this software and if FTP protocol had been supported, plus some other improvments (ie. access
control, configuration-on-the-fly, etc.), will make stunnel an ideal choice for a real SSLVPN.
More information about the stunnel-users