How do I use FTP with SSL?


In Indy 8.0 and Indy 9.0, you cannot do this.  FTP over TLS requires protocol extensions that those Indy versions do not support: the extensions provide encrypted or clear PORT and PASV data channels, plus a command (AUTH) for starting an explicit TLS negotiation on the control connection.  If you need to use SSL with FTP, you need the current Indy 10 source code, which is still in the alpha stage of development.

 

For Indy 9.0

 

A commercial SSL implementation called SecureBlackbox includes an FTP client with TLS.  We do not endorse or support this product.

 

For Indy 10

 

In Indy 10, both the FTP client and the FTP server already support SSL.

 

In Indy 10's TIdFTP, you simply assign a TIdSSLIOHandlerSocketBase descendant to the TIdFTP.IOHandler property and set two TLS-specific properties:

 

DataPortProtection - set to ftpdpsClear for unencrypted data transfers (the client sends PBSZ 0 and PROT C) or to ftpdpsPrivate for TLS-encrypted data transfers (PBSZ 0 and PROT P).  This setting only affects the data channel: with ftpdpsClear the control connection, including the login, is still protected by TLS, but file contents and directory listings cross the network in clear.

 

Set UseTLS to one of the following values:

 

utNoTLSSupport - you do not wish to use TLS at all.
utUseImplicitTLS - you wish to use implicit TLS.  In implicit TLS FTP, you connect to port 990, TLS negotiation starts immediately, and the entire session is encrypted.  The IETF has deprecated implicit TLS FTP, so this setting should only be used with FTP servers that do not yet support explicit TLS.
utUseRequireTLS - you wish your session to use explicit TLS.  In explicit TLS FTP, you connect to port 21 like the unencrypted version of FTP, issue a special command (AUTH TLS, AUTH SSL, AUTH TLS-P, or AUTH TLS-C), start TLS negotiation, and encryption lasts until you disconnect or issue the reinitialize command (REIN).  If UseTLS is utUseRequireTLS, no attempt is made to continue the FTP session if TLS negotiation fails; the connection is aborted before the username and password are sent.  This setting is for situations where security is more important than interoperability.
utUseExplicitTLS - you wish your session to use explicit TLS if the FTP server supports it, and to continue unencrypted otherwise.  Be aware that this fallback also happens when something between you and the server strips the AUTH reply, so your credentials can silently go out in clear; prefer utUseRequireTLS unless you must talk to servers that have no TLS at all.
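As an added example (not code from the Indy project or this FAQ), the following console program puts the properties above together for a hardened client: explicit TLS on port 21 with no cleartext fallback, a protected data channel, and certificate validation against a CA file.  The host name, credentials, file names and the CA bundle path are placeholders; the SSLVersions property and the four-argument OnVerifyPeer signature are those of recent Indy 10.6 releases, and the CN check in VerifyPeer is a deliberately minimal stand-in for proper host name matching.

```delphi
program ExplicitTlsFtpClient;
{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdFTP, IdFTPCommon, IdExplicitTLSClientServerBase, IdSSLOpenSSL;

type
  // OnVerifyPeer is a method event, so the handler needs an object to live on.
  TTlsFtpClient = class
  private
    FExpectedHost: string;
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  public
    procedure Download(const AHost, AUser, APass,
      ARemoteFile, ALocalFile: string);
  end;

function TTlsFtpClient.VerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's chain-validation verdict against RootCertFile.  Deciding
  // here, instead of relying on the IOHandler's default when no handler is
  // assigned, makes the accept/reject policy explicit and loggable.
  Result := AOk;
  if not Result then
    Writeln(Format('certificate rejected at depth %d (OpenSSL error %d): %s',
      [ADepth, AError, Certificate.Subject.OneLine]))
  else if ADepth = 0 then
  begin
    // Indy does not match the leaf certificate against the host you connected
    // to.  Assumption for this demo: the server cert carries the host in CN;
    // subjectAltName is not inspected, so replace this for production use.
    Result := Pos('/CN=' + FExpectedHost, Certificate.Subject.OneLine) > 0;
    if not Result then
      Writeln('certificate subject does not match host: ' +
        Certificate.Subject.OneLine);
  end;
end;

procedure TTlsFtpClient.Download(const AHost, AUser, APass,
  ARemoteFile, ALocalFile: string);
var
  FTP: TIdFTP;
  SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  FExpectedHost := AHost;
  FTP := TIdFTP.Create(nil);
  try
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(FTP); // owned by FTP, freed with it
    SSL.SSLOptions.Mode := sslmClient;
    SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];     // recent Indy 10.6; older builds only have Method
    SSL.SSLOptions.VerifyMode := [sslvrfPeer];       // ask OpenSSL to validate the chain
    SSL.SSLOptions.VerifyDepth := 4;
    SSL.SSLOptions.RootCertFile := 'ca-bundle.pem';  // assumed path to trusted CA certificates
    SSL.OnVerifyPeer := VerifyPeer;

    FTP.IOHandler := SSL;
    FTP.UseTLS := utUseRequireTLS;            // AUTH TLS on port 21; abort if it is refused
    FTP.DataPortProtection := ftpdpsPrivate;  // PBSZ 0 + PROT P: encrypt the data channel too
    FTP.Host := AHost;
    FTP.Port := 21;
    FTP.Username := AUser;
    FTP.Password := APass;
    FTP.Passive := True;                      // PASV: client opens the data connection
    FTP.TransferType := ftBinary;

    FTP.Connect;  // raises on a failed handshake, before USER/PASS are sent
    try
      FTP.Get(ARemoteFile, ALocalFile, True); // True = overwrite the local file
    finally
      FTP.Disconnect;
    end;
  finally
    FTP.Free;
  end;
end;

var
  Client: TTlsFtpClient;
begin
  Client := TTlsFtpClient.Create;
  try
    // Placeholder host, credentials and file names for the demo.
    Client.Download('ftp.example.com', 'demo', 'demo-pass', 'report.pdf', 'report.pdf');
    Writeln('download completed over TLS');
  except
    on E: Exception do
      Writeln('FTP failed: ', E.ClassName, ': ', E.Message);
  end;
  Client.Free;
end.
```

Changing UseTLS to utUseExplicitTLS would make the same program keep going in clear when the server answers AUTH TLS with an error, and changing DataPortProtection to ftpdpsClear would send report.pdf unencrypted while the login stayed protected; both are easy to spot in a packet capture of port 21, which is a worthwhile check the first time a build runs against a new server.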

 

Indy 10's TIdFTPServer supports either implicit TLS FTP or explicit TLS FTP.  Assign the IOHandler property to a TIdServerIOHandlerSSLBase descendant and then set the UseTLS property to one of these values:

 

utNoTLSSupport - you do not want your server to use TLS at all.
utUseImplicitTLS - you want your server to use implicit TLS.  In implicit TLS FTP, the client connects to port 990, TLS negotiation starts immediately, and the entire session is encrypted.  The IETF has deprecated implicit TLS FTP, so this setting should only be used with older FTP clients that do not yet support explicit TLS.
utUseRequireTLS - you want your server to require the client to use explicit TLS by not accepting unencrypted usernames and passwords.  The FTP server will disconnect a client that tries to authenticate without encryption.  This setting is for situations where security is more important than interoperability.
utUseExplicitTLS - you want your server to support explicit TLS and also accept unencrypted logins.  This setting is for situations where interoperability may be more important than security; note that it lets a client that never issues AUTH TLS send its password in clear, and the server cannot tell a deliberately cleartext client from one whose AUTH was stripped on the way.
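The following console program is an added example of the server side (it is not code from the Indy project or this FAQ).  It wires a TIdServerIOHandlerSSLOpenSSL into TIdFTPServer and switches between the interoperable setting, utUseExplicitTLS, and the hardened one, utUseRequireTLS, with a flag, so the two configurations can be compared side by side.  The certificate and key file names and the demo credential are placeholders; the SSLVersions property assumes a recent Indy 10.6 release.  The directory and file events a real server needs (OnListDirectory, OnRetrieveFile, OnStoreFile) are independent of the TLS setting and are not shown.

```delphi
program TlsFtpServerDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdFTPServer, IdExplicitTLSClientServerBase, IdSSLOpenSSL;

type
  TTlsFtpServerDemo = class
  private
    FServer: TIdFTPServer;
    procedure HandleUserLogin(ASender: TIdFTPServerContext;
      const AUsername, APassword: string; var AAuthenticated: Boolean);
  public
    constructor Create(const ACertFile, AKeyFile: string;
      AAllowClearLogin: Boolean);
    destructor Destroy; override;
    procedure Start;
  end;

constructor TTlsFtpServerDemo.Create(const ACertFile, AKeyFile: string;
  AAllowClearLogin: Boolean);
var
  IO: TIdServerIOHandlerSSLOpenSSL;
begin
  inherited Create;
  FServer := TIdFTPServer.Create(nil);

  IO := TIdServerIOHandlerSSLOpenSSL.Create(FServer); // owned by the server
  IO.SSLOptions.Mode := sslmServer;
  IO.SSLOptions.SSLVersions := [sslvTLSv1_2];        // recent Indy 10.6; older builds only have Method
  IO.SSLOptions.CertFile := ACertFile;               // assumed PEM server certificate
  IO.SSLOptions.KeyFile := AKeyFile;                 // assumed PEM private key
  FServer.IOHandler := IO;

  // Explicit TLS shares the cleartext port; AUTH TLS upgrades the connection.
  // For implicit TLS you would use DefaultPort := 990 and utUseImplicitTLS.
  FServer.DefaultPort := 21;
  if AAllowClearLogin then
    FServer.UseTLS := utUseExplicitTLS  // weak: USER/PASS accepted with or without AUTH TLS
  else
    FServer.UseTLS := utUseRequireTLS;  // hardened: login attempts before AUTH TLS are refused
  FServer.OnUserLogin := HandleUserLogin;
end;

destructor TTlsFtpServerDemo.Destroy;
begin
  FServer.Active := False;
  FServer.Free;
  inherited;
end;

procedure TTlsFtpServerDemo.HandleUserLogin(ASender: TIdFTPServerContext;
  const AUsername, APassword: string; var AAuthenticated: Boolean);
begin
  // Constructed demo credential; a real server would check a salted hash.
  // With utUseRequireTLS this event only fires on a TLS-protected control
  // connection, so the password it receives was not observable on the wire.
  AAuthenticated := (AUsername = 'demo') and (APassword = 'demo-pass');
  Writeln(Format('login "%s" from %s: %s',
    [AUsername, ASender.Binding.PeerIP, BoolToStr(AAuthenticated, True)]));
end;

procedure TTlsFtpServerDemo.Start;
begin
  FServer.Active := True;
end;

var
  Demo: TTlsFtpServerDemo;
begin
  // False = require TLS before login; pass True to reproduce the
  // interoperable-but-weak utUseExplicitTLS behaviour for comparison.
  Demo := TTlsFtpServerDemo.Create('server.crt', 'server.key', False);
  try
    Demo.Start;
    Writeln('FTP server listening on port 21 (TLS required); press Enter to stop');
    Readln;
  finally
    Demo.Free;
  end;
end.
```

A quick way to confirm the policy is to connect with a plain telnet-style client, send USER demo, and observe that the hardened configuration refuses the login while the utUseExplicitTLS configuration accepts it and then receives the password in clear.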

 

If you would like more information about TLS FTP, consult the IETF (Internet Engineering Task Force) document titled Securing FTP with TLS.  It was a working draft when this page was written and has since been published as RFC 4217.

 

See also:

 

What is the difference between implicit TLS and explicit TLS?
How do I use FTP with SSL behind a NAT?