tags:

views:

1655

answers:

3

I am being asked to support implicit and explicit FTPS (also known as FTPES). We are currently using the .NET FTPWebRequest. Does the FTPWebRequest support both types of FTPES, and what is the difference.

Thanks

+1  A: 

Hello, as far as I know the current (.NET 2.0 and 3.5) version of FtpWebRequest supports Explicit SSL only.

Actually, .NET 2.0 does not currently support implicit SSL, only explicit. We will consider adding this for a future release.

JonCole - MSFTModerator at MSDN forum post

If you need to use both Implict and Explicit TLS/SSL you have to try one of third-party FTP/SSL components. Following code uses our Rebex FTP/SSL and is taken from the tutorial page.

Explicit TLS/SSL

Client connects to FTP server in a usual non-protected way, usually to port 21 was assigned to FTP protocol. When it is desired to protect the connection using SSL, an SSL negotiation is initialized, control connection is secured and all following communication is being protected.

// Create an instance of the Ftp class. 
Ftp ftp = new Ftp();

// Connect securely using explicit SSL. 
// Use the third argument to specify additional SSL parameters. 
ftp.Connect(hostname, 21, null, FtpSecurity.Explicit);

// Connection is protected now, we can log in safely. 
ftp.Login(username, password);

Explicit protection means that it is possible to secure the connection at any moment. If you don't know whether you will need the protection on not at the connection time, you might want to connect using the ordinary unencrypted FTP protocol and secure the connection later.

Ftp ftp = new Ftp();

// Connect to the server with no protection. 
ftp.Connect(hostname, 21);

// Upgrade connection to SSL. 
// This method also accepts an argument to specify SSL parameters. 
ftp.Secure();

// Connection is protected now, we can log in safely. 
ftp.Login(username, password);

Implicit SSL protection of the FTP session

FTPS protocol was originally assigned a separate port by the IANA. Upon connection to this port, an SSL negotiation starts immediately and the control connection is secured. All data connections are also secured implicitly in the same way. This is similar to the approach used by HTTPS.

This approach is not favored by the IETF and is deprecated. It is supported by Rebex FTP/SSL for interoperability with older servers, but it is strongly recommended to use the explicit protection instead whenever possible.

Ftp ftp = new Ftp();

// Connect securely using implicit SSL. 
// Use the third argument to specify additional SSL parameters. 
ftp.Connect(hostname, 990, null, FtpSecurity.Implicit);

// Connection is protected now, we can log in safely. 
ftp.Login(username, password);

You may download the component at rebex.net/ftp-ssl.net/

Martin Vobr
I appreciate the post, although seems like a conflict of interest...since you represent the component you are pushing.
PortageMonkey
I understand your concern. However it looks like the current consensus here is that mentioning own product is ethically OK as long as full disclosure is provided. I've even changed my nickname to be sure that my bias will not be overlooked ;-). You may find interesting following links at meta.stackoverflow discussing this topic: http://meta.stackoverflow.com/questions/15787/is-it-bad-etiquette-to-mention-your-own-products-in-a-stackoverflow-answer and http://meta.stackoverflow.com/questions/20031/vendors-on-stackoverflow. I think it's ok as long as answer is valid and identity is not hidden.
Martin Vobr
+2  A: 

I have used Alex FTPS Client earlier. May be you should look to http://ftps.codeplex.com/.

noob
+1 for AlexFTPS! LGPL and free (as in $$$) which is what a core library like this should be. Why MS didn't support implicit TLS/SSL in their built-in FTP classes, I'll never know.
mattmc3
A: 

edtFTPnet/PRO is an FTP client library that also supports FTPS implicit and explicit modes. It's simply a matter of specifying the right protocol:

 SecureFTPConnection conn = new SecureFTPConnection();
 conn.Protocol = FileTransferProtocol.FTPSImplicit;

 // set remote host, user, pwd etc ...

 // now connect
 conn.Connect();

The same component supports SFTP also.

And yes, I am one of the developers of this component (and of edtFTPnet, the free, open source .NET FTP client).

Bruce Blackshaw
Just to be clear, the product page seems to indicate that the "free" version doesn't support this functionality. Not that you explicitly said it did necessarily, but it's certainly an assumption I made based on your post.
mattmc3
the free version (LGPL) is FTP only - it does not support FTPS or SFTP
Bruce Blackshaw