FTP server communication

Questions about Cobian Reflector
cobian
Site Admin
Posts: 4492
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: FTP server communication

Post by cobian »

No, not tested sftp in Filezilla. Will do.
--
Luis Cobian
Cobian Backup's creator
BobbyJ
Posts: 8
Joined: 10 May 2022, 10:43

Re: FTP server communication

Post by BobbyJ »

After looking at the new FileZilla Server 1.41 I do not see an option for SFTP.

I use Cobian to zip a database (15GB) and send the zip to an offsite FileZilla server (homelab). I have gigabit fiber.

For some reason it maxes out at around 12 MB/sec sending to home. Today from the same server I tried sending some of the same files using the FileZilla client, using the same keys, to the same FileZilla home server and got 60MB/sec transfer.

Not sure why the huge speed discrepancy. I tried both new and old Cobians but could not send much more than 12MB/sec. Any clue as to why it's slower?
BobbyJ
Posts: 8
Joined: 10 May 2022, 10:43

Re: FTP server communication

Post by BobbyJ »

One thing that kind of worries me on FTPS is what this fellow mentioned.

"One huge killer that I have noticed in my personal experience with FTPS is that it will “silently” default to plain FTP if the security handshakes fail. I have enough experience to know this and debug/exception handle each FTPS program I write to ensure that the connection is secure. However, someone less experienced may not know this and be happily sending sensitive data over plain FTP thinking that their connection is secure. Contrast this with SFTP, where if the security handshakes fail, you do not connect."

The older FileZilla server supports TLS 1.2 and had two settings to help secure transfers.

- Force PROT P to encrypt file transfers when using FTP over TLS
- Require TLS session resumption on data connection when using PROT P

The old Cobian 11 worked with those two settings but I think was using TLS 1.0, not 1.2.
The new Reflector supports TLS 1.2 (maybe 1.3) but will not work if "Require TLS session resumption on data connection when using PROT P" is enabled.

To me, leaving that OFF would mean a resumption might fall back to plain FTP with no TLS layer. Maybe I'm wrong on this, but that setting seems to enforce TLS on resumption and might drop it back to plain FTP if left off.

I read this on the FileZilla forum:

Q: 450 TLS session of data connection has not resumed or the session does not match the control connection

Reply:
It appears your client does not support TLS session resumption. Please contact your client vendor so that TLS session resumption can be implemented in your client.
Not requiring session resumption allows session stealing attacks. The problem with FTP is that the data connection does not authenticate the client: Imagine you want to upload a new version of your website. To initiate the transfer your client sends the PASV command followed by the STOR command. The server opens a port and waits for the client to connect to it and upload the file. Now an attacker comes along and figures out the port the server listens on. He connects to the port before you can and uploads a piece of malware to your website.

TLS session resumption prevents this, it acts as a form of authentication. If the TLS session of the data connection matches the session of the control connection, both the client and the server have the guarantee that the data connection is genuine. Any mismatch in sessions indicates a potential attack.
Last edited by BobbyJ on 14 May 2022, 17:48, edited 1 time in total.
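
An added example, not part of the original posts and not code from Cobian or FileZilla: a small audit of an FTP control-connection log that flags the two failure modes discussed above, a session that carried on in plain FTP after AUTH TLS failed, and a server rejecting the data connection with the 450 session-resumption reply. The `C:`/`S:` log format, the function name and the transcripts are constructed for illustration.

```python
import re

# Commands that open a data connection.
DATA_CMDS = {"STOR", "RETR", "APPE", "STOU", "LIST", "NLST", "MLSD"}
REPLY = re.compile(r"^(\d{3}) (.*)$")  # final reply line, not "230-" continuations

def audit_ftps_transcript(lines):
    """Return (line_no, finding) tuples for one control-connection transcript.
    Assumed log format: 'C: <command>' from the client, 'S: <reply>' from the server."""
    findings, tls_on, prot_p, pending = [], False, False, ("", "")
    for no, line in enumerate(lines, 1):
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            pending = (verb, arg.strip().upper())
            if verb in ("USER", "PASS") and not tls_on:
                findings.append((no, f"{verb} sent in cleartext"))
            elif verb in DATA_CMDS and not (tls_on and prot_p):
                findings.append((no, f"{verb} without PROT P over TLS"))
        elif side == "S" and (m := REPLY.match(text)):
            code, msg = m.groups()
            verb, arg = pending
            if verb == "AUTH":
                tls_on = code == "234"      # anything else: TLS was not negotiated
            elif verb == "PROT" and code == "200":
                prot_p = arg == "P"         # PROT C switches protection back off
            elif code == "450" and "TLS session" in msg:
                findings.append((no, "data connection refused: TLS session not resumed"))
    return findings

# Constructed transcripts (not captured from a real server).
FALLBACK = ["S: 220 ready", "C: AUTH TLS", "S: 502 TLS not available",
            "C: USER backup", "S: 331 Password required", "C: PASS ****",
            "S: 230 Logged on", "C: PASV", "S: 227 Entering Passive Mode",
            "C: STOR db.zip", "S: 150 Opening data channel", "S: 226 Done"]
NO_RESUME = ["S: 220 ready", "C: AUTH TLS", "S: 234 Using authentication type TLS",
             "C: USER backup", "S: 331 Password required", "C: PASS ****",
             "S: 230 Logged on", "C: PBSZ 0", "S: 200 PBSZ=0", "C: PROT P",
             "S: 200 Protection level set to P", "C: PASV",
             "S: 227 Entering Passive Mode", "C: STOR db.zip",
             "S: 450 TLS session of data connection has not resumed or the session "
             "does not match the control connection"]

if __name__ == "__main__":
    for name, log in (("FALLBACK", FALLBACK), ("NO_RESUME", NO_RESUME)):
        print(name, audit_ftps_transcript(log))
```

The 450 finding means the server refused the transfer rather than accepting an unauthenticated data connection; the cleartext findings are the ones that indicate data or credentials actually left the client unprotected.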
cobian
Site Admin
Posts: 4492
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: FTP server communication

Post by cobian »

Session resumption is checked as default.

I am kind of disappointed with the FTP libraries I am using at this moment. It seems like there are a lot of problems with just SSL and other small things here and there... :(
--
Luis Cobian
Cobian Backup's creator
BobbyJ
Posts: 8
Joined: 10 May 2022, 10:43

Re: FTP server communication

Post by BobbyJ »

Yes, I can imagine it's tough going with the SSL.

I included a photo of the FileZilla server setting. Only if you uncheck the "Require TLS session resumption on data connection using PROT P" will it work.

Image

So even though resumption is checked as default, FileZilla acts like it's not, or maybe there is some mismatch in what command it's expecting; maybe the format is off a bit. No idea.
cobian
Site Admin
Posts: 4492
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: FTP server communication

Post by cobian »

Thank you for the info!
--
Luis Cobian
Cobian Backup's creator
BobbyJ
Posts: 8
Joined: 10 May 2022, 10:43

Re: FTP server communication

Post by BobbyJ »

Glad to help you. You are one of the good old school guys. Not many of us left.

Cobian is one of a kind. Very easy to use and great for linking together batch files. Not seen anything quite like it.
cobian
Site Admin
Posts: 4492
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: FTP server communication

Post by cobian »

:OK
--
Luis Cobian
Cobian Backup's creator