FTP servers send the list of supported features to their clients. For example, ProFTPD supports the following features: LANG en, MDTM, UTF8, AUTH TLS, PBSZ, PROT, REST STREAM, SIZE. The default behavior of FTP features can be changed using the features hash attribute, indexed by the name of the feature (e.g., UTF8 or AUTH TLS).
The possible actions are shown in the table below. See Section 2.1, Policies for requests and responses for details.
The built-in FTP proxies permit the use of every feature by default.
| Action | Description |
|---|---|
| FTP_FEATURE_ACCEPT | Forward the availability of the feature from the server to the client. |
| FTP_FEATURE_DROP | Remove the feature from the feature list sent by the server. |
| FTP_FEATURE_INSERT | Add the feature into the list of available features. |
Table 4.5. Policy about enabling FTP features.
For FTPS connections to operate correctly, the FTP server and client applications must comply with the FTP Security Extensions (RFC 2228) and Securing FTP with TLS (RFC 4217) RFCs.
For FTPS connections, the AUTH TLS, PBSZ and PROT features must be accepted. Also, STARTTLS support must be properly configured. See Section 3.2, Handling TLS and SSL connections in Application-level Gateway for details.
If the proxy is configured to disable encryption between PNS and the client, the proxy automatically removes the AUTH TLS, PBSZ and PROT features from the list sent by the server.
If STARTTLS connections are accepted on the client side (self.tls.client_security=TLS_ACCEPT_STARTTLS), but TLS-forwarding is disabled on the server side, the proxy automatically inserts the AUTH TLS, PBSZ and PROT features into the list sent by the server. These features are inserted even if encryption is explicitly disabled on the server side or the server does not support the FEAT command, making one-sided STARTTLS support feasible.
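The following is an added example, not code from PNS or the Zorp project: a small Python model of how a proxy rewrites the server's FEAT reply according to a features policy (the ACCEPT/DROP/INSERT actions from the table above) and the automatic TLS-feature handling described in the last two paragraphs. The FEAT reply format follows RFC 2389; the policy dictionary, the parameter names client_starttls_accepted and server_tls_forwarded, and the assumption that the automatic TLS rules take precedence over the configured policy are this example's own.

```python
"""Constructed model of FTP FEAT-list policy enforcement in a proxy (not PNS/Zorp code)."""
from typing import Dict, List, Optional

# Policy actions, named after the table on the page.
FTP_FEATURE_ACCEPT = "accept"
FTP_FEATURE_DROP = "drop"
FTP_FEATURE_INSERT = "insert"

# Features that carry the STARTTLS negotiation (RFC 4217).
TLS_FEATURES = ("AUTH TLS", "PBSZ", "PROT")


def parse_feat_reply(reply: str) -> Optional[List[str]]:
    """Parse a FEAT reply (RFC 2389). Returns None when the server does not
    support FEAT (any non-211 reply, e.g. '502 Command not implemented.')."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("211"):
        return None
    features: List[str] = []
    for line in lines[1:]:
        if line.startswith("211"):      # '211 End' terminates the list
            break
        features.append(line.strip())   # feature lines start with one space
    return features


def apply_feature_policy(server_features: Optional[List[str]],
                         policy: Dict[str, str],
                         client_starttls_accepted: bool,
                         server_tls_forwarded: bool) -> List[str]:
    """Return the feature list the proxy forwards to the client.

    policy maps a feature name to an action; unlisted features are accepted,
    matching the page's 'every feature permitted by default'.  The automatic
    TLS handling is applied on top of the configured policy (assumption)."""
    effective = dict(policy)
    if not client_starttls_accepted:
        # No encryption between proxy and client: hide the TLS features.
        for feat in TLS_FEATURES:
            effective[feat] = FTP_FEATURE_DROP
    elif not server_tls_forwarded:
        # One-sided STARTTLS: advertise TLS to the client even if the
        # server never listed it (or answered FEAT with an error).
        for feat in TLS_FEATURES:
            effective[feat] = FTP_FEATURE_INSERT

    forwarded: List[str] = []
    for feat in server_features or []:
        if effective.get(feat, FTP_FEATURE_ACCEPT) != FTP_FEATURE_DROP:
            forwarded.append(feat)
    for feat, action in effective.items():
        if action == FTP_FEATURE_INSERT and feat not in forwarded:
            forwarded.append(feat)
    return forwarded


def format_feat_reply(features: List[str]) -> str:
    """Render the rewritten feature list back into an RFC 2389 reply."""
    return "211-Features:\r\n" + "".join(f" {f}\r\n" for f in features) + "211 End\r\n"


# Constructed sample FEAT reply using the ProFTPD feature set quoted on the page.
SAMPLE_FEAT_REPLY = ("211-Features:\r\n LANG en\r\n MDTM\r\n UTF8\r\n AUTH TLS\r\n"
                     " PBSZ\r\n PROT\r\n REST STREAM\r\n SIZE\r\n211 End\r\n")
SAMPLE_POLICY = {"UTF8": FTP_FEATURE_DROP, "MLST": FTP_FEATURE_INSERT}

if __name__ == "__main__":
    feats = parse_feat_reply(SAMPLE_FEAT_REPLY)
    print(format_feat_reply(apply_feature_policy(feats, SAMPLE_POLICY, True, True)))
    print(format_feat_reply(apply_feature_policy(feats, SAMPLE_POLICY, False, True)))
    print(format_feat_reply(apply_feature_policy(None, SAMPLE_POLICY, True, False)))
```

In a real proxy policy the same decisions would be expressed through the features hash of the FTP proxy class (for example an entry keyed "UTF8" carrying the FTP_FEATURE_DROP action); the exact tuple syntax of that hash is not shown on this page and is not reproduced here.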
Warning |
---|
When using inband routing with the FTPS protocol, the server's certificate is compared to its hostname. The subject_alt_name parameter (or the Common Name parameter if the subject_alt_name parameter is empty) of the server's certificate must contain the hostname or the IP address (as resolved from the PNS host) of the server (e.g., Alternatively, the Common Name or the Note that if the Common Name of the certificate contains a generic hostname, do not specify a specific hostname or an IP address in the |
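As an added illustration of the certificate check the warning describes (not PNS code), the function below accepts a server name only when it appears in the certificate's subject_alt_name, falling back to the Common Name solely when the SAN list is empty. The certificate is modelled as a plain dictionary with constructed values; treating a "generic hostname" as a single-label wildcard such as *.example.com is this example's assumption.

```python
"""Constructed model of matching a server name against a certificate (not PNS code)."""
import ipaddress
from typing import Any, Dict


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label (assumption)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def server_name_matches(cert: Dict[str, Any], expected: str) -> bool:
    """True if 'expected' (hostname or IP literal, as resolved for the server)
    is covered by the certificate's SAN entries, or by its CN when SAN is empty."""
    try:
        expected_ip = ipaddress.ip_address(expected)
    except ValueError:
        expected_ip = None

    san = cert.get("subject_alt_name") or []
    if san:
        for entry in san:                     # entries look like 'DNS:host' / 'IP:addr'
            kind, _, value = entry.partition(":")
            if kind == "IP" and expected_ip is not None:
                if ipaddress.ip_address(value) == expected_ip:
                    return True
            elif kind == "DNS" and expected_ip is None:
                if _dns_name_matches(value, expected):
                    return True
        return False                          # SAN present: CN is not consulted

    cn = cert.get("common_name", "")
    if expected_ip is not None:
        return cn == expected                 # CN would have to carry the IP literally
    return _dns_name_matches(cn, expected)


# Constructed certificates for demonstration.
CERT_WITH_SAN = {"subject_alt_name": ["DNS:ftp.example.com", "IP:192.0.2.10"],
                 "common_name": "other.example.com"}
CERT_WILDCARD_CN = {"subject_alt_name": [], "common_name": "*.example.com"}

if __name__ == "__main__":
    print(server_name_matches(CERT_WITH_SAN, "ftp.example.com"))
    print(server_name_matches(CERT_WILDCARD_CN, "ftp.example.com"))
```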
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu