Seeking for advice - secure FTP

[s_k]

Hi all,

I will probably have to put some security in our FTP server, which I'm doing.

There are two main ways:

1) SSH, ie. SFTP
2) SSL over FTP

I would like to ask you, which of these do you think will be easier to implement? You know, time is passing fast and I must consider the difficulty of implementation too.

Thank you for all responses.

[usman999_1]

Well, If you have to "add" security, then go with FTP with SSL. This way the underlaying protocol i.e. FTP will stay the same, the only change would be to establish a sceure connection once (server/client auth) and thats not much of trouble using OpenSSL (little difficult to use incase you are using Asyn-Sockets) rest should be the same. If you have to start from beginning, probably using SFTP might be better, as you might find third-party servers easily as its a complete protocol itself.
Hope this helps,
Regards,
Usman.

[s_k]

Well, If you have to "add" security, then go with FTP with SSL. This way the underlaying protocol i.e. FTP will stay the same, the only change would be to establish a sceure connection once (server/client auth) and thats not much of trouble using OpenSSL (little difficult to use incase you are using Asyn-Sockets) rest should be the same. If you have to start from beginning, probably using SFTP might be better, as you might find third-party servers easily as its a complete protocol itself.
Hope this helps,
Regards,
Usman.

Thank you for response usman. What do you mean the difficulties when using async-sockets? I use WSAEventSelect() model.

[usman999_1]

well, If the socket is in blocking mode then to communicate to the other endpoint using SSL (using OpenSSL) is pretty easy. You create a socket, do a connect, give it to OpenSSL and then call ssl_send/recv from the OpenSSL API and the data you want to send will be encrypted before sending and data you recv will be decrypted before given back to you automatically(I am skipping some details like initialising OpenSSL lib and cleanup when you are done). But incase your socket is in non blocking mode, you can't call/use ssl_send and ssl_recv of OpenSSL API. For that purpose OpenSSL provides bio. This way, when you want to send some data, you first push it to the bio (its an in-memory object) and bio encrypts it, and you takeout the encrypted data from and send it by yourself, same for the received data, you recive it from the socket push it to bio to be decrypted and so on. Its not as easy as it seems, reason being sometimes you dont receive enough data to be decrypted, and then you have to wait for the remaining data & also wait for the SSL handshake to be done before you can send/recv data of your own and last but not least, the almost nonexistant documentation of OpenSSL except of the API in-params and return values explanation.
Hope this helps,
Regards,
Usman.

[javazoom]

FTPS (FTP over SSL) is simplier even if you have 3 items to implement :
1 - Explicit FTPS : AUTH TLS
2 - Explicit FTPS : AUTH SSL
3 - Implicit FTPS : Full SSL connection
You also have to deal with protection channel (SSL encrypt command and/or data channel)

The reference document for FTPS is available at :
http://www.ford-hutchinson.com/~fh-1...ftp-ssl-16.txt

We've written a Java client that implements all. Here is the URL below if it can help you to test your server-side code :
http://www.javazoom.net/applets/jcli...entupload.html

Hope it helps.

[Marc G]

[ moved thread ]