From 17d5a724164bdbf22ca3118c38fca39dddaebd9d Mon Sep 17 00:00:00 2001 From: Heiko Bornholdt Date: Sat, 30 May 2020 16:02:35 +0200 Subject: [PATCH] ftp: add explicit tls support Add support for explicit FTP over TLS. Fixes #4100 --- backend/ftp/ftp.go | 27 ++++++++++++++++++++++++--- docs/content/ftp.md | 24 +++++++++++++++++++++--- 2 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/backend/ftp/ftp.go b/backend/ftp/ftp.go
index 8119b19ca..2850229a7 100644
--- a/backend/ftp/ftp.go
+++ b/backend/ftp/ftp.go
@@ -50,8 +50,19 @@ func init() {
 IsPassword: true,
 Required: true,
 }, {
- Name: "tls",
- Help: "Use FTP over TLS (Implicit)",
+ Name: "tls",
+ Help: `Use FTPS over TLS (Implicit)
+When using implicit FTP over TLS the client will connect using TLS
+right from the start, which in turn breaks the compatibility with
+non-TLS-aware servers. This is usually served over port 990 rather
+than port 21. Cannot be used in combination with explicit FTP.`,
+ Default: false,
+ }, {
+ Name: "explicit_tls",
+ Help: `Use FTP over TLS (Explicit)
+When using explicit FTP over TLS the client explicitly request
+security from the server in order to upgrade a plain text connection
+to an encrypted one. Cannot be used in combination with implicit FTP.`,
 Default: false,
 }, {
 Name: "concurrency",
@@ -90,6 +101,7 @@ type Options struct {
 Pass string `config:"pass"`
 Port string `config:"port"`
 TLS bool `config:"tls"`
+ ExplicitTLS bool `config:"explicit_tls"`
 Concurrency int `config:"concurrency"`
 SkipVerifyTLSCert bool `config:"no_check_certificate"`
 DisableEPSV bool `config:"disable_epsv"`
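Review bot: The `explicit_tls` Help text in the init() hunk does not say what happens when the server refuses or does not offer the TLS upgrade, which is what a user picking this mode most needs to know, since the session starts in plain text before credentials are sent. If `ftp.DialWithExplicitTLS` fails the dial in that case (not visible in this patch, worth confirming), state it in the Help, e.g. `The connection fails if the server does not accept the upgrade; there is no fallback to plain text.` The wording also needs a pass: `explicitly request` should read `explicitly requests`, and the implicit option's first line became `Use FTPS over TLS (Implicit)` while the explicit option and the docs hunk say `Use FTP over TLS`. The docs section for `--ftp-explicit-tls` lists `Env Var: RCLONE_FTP_TLS`, the same variable as `--ftp-tls`, which looks like a copy-paste slip (presumably `RCLONE_FTP_EXPLICIT_TLS`).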
@@ -152,12 +164,21 @@ func (f *Fs) Features() *fs.Features {
 func (f *Fs) ftpConnection() (*ftp.ServerConn, error) {
 fs.Debugf(f, "Connecting to FTP server")
 ftpConfig := []ftp.DialOption{ftp.DialWithTimeout(fs.Config.ConnectTimeout)}
- if f.opt.TLS {
+ if f.opt.TLS && f.opt.ExplicitTLS {
+ fs.Errorf(f, "Implicit TLS and explicit TLS are mutually incompatible. Please revise your config")
+ return nil, errors.New("Implicit TLS and explicit TLS are mutually incompatible. Please revise your config")
+ } else if f.opt.TLS {
 tlsConfig := &tls.Config{
 ServerName: f.opt.Host,
 InsecureSkipVerify: f.opt.SkipVerifyTLSCert,
 }
 ftpConfig = append(ftpConfig, ftp.DialWithTLS(tlsConfig))
+ } else if f.opt.ExplicitTLS {
+ tlsConfig := &tls.Config{
+ ServerName: f.opt.Host,
+ InsecureSkipVerify: f.opt.SkipVerifyTLSCert,
+ }
+ ftpConfig = append(ftpConfig, ftp.DialWithExplicitTLS(tlsConfig))
 }
 if f.opt.DisableEPSV {
 ftpConfig = append(ftpConfig, ftp.DialWithDisabledEPSV(true))
diff --git a/docs/content/ftp.md b/docs/content/ftp.md
index 0e5b23a60..0714e2bb2 100644
--- a/docs/content/ftp.md
+++ b/docs/content/ftp.md
@@ -61,6 +61,9 @@ password:
 Use FTP over TLS (Implicit)
 Enter a boolean value (true or false). Press Enter for the default ("false").
 tls>
+Use FTP over TLS (Explicit)
+Enter a boolean value (true or false). Press Enter for the default ("false").
+explicit_tls>
 Remote config
 --------------------
 [remote]
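Review bot: In ftpConnection the implicit and explicit branches each build their own `tls.Config` from the same `ServerName` and `InsecureSkipVerify` values, so a later hardening of one branch (a minimum protocol version, a custom root pool) can silently miss the other; building the config once and choosing only the dial option keeps certificate verification identical in both modes. The conflict check also logs through `fs.Errorf` and then returns the same text, and the message is capitalised and ends in a sentence, which goes against Go's error-string convention; a single lowercase error is enough if callers already report it (not visible in this hunk). Because the check sits in ftpConnection it runs on every new connection rather than once when the options are parsed, so the constructor may be a better home for it. ftpConnection continues past the end of the hunk.

```go
ftpConfig := []ftp.DialOption{ftp.DialWithTimeout(fs.Config.ConnectTimeout)}
if f.opt.TLS && f.opt.ExplicitTLS {
	return nil, errors.New("implicit TLS and explicit TLS are mutually exclusive, set only one of tls or explicit_tls")
}
if f.opt.TLS || f.opt.ExplicitTLS {
	// One config for both modes so verification settings cannot drift apart.
	tlsConfig := &tls.Config{
		ServerName:         f.opt.Host,
		InsecureSkipVerify: f.opt.SkipVerifyTLSCert,
	}
	if f.opt.ExplicitTLS {
		ftpConfig = append(ftpConfig, ftp.DialWithExplicitTLS(tlsConfig))
	} else {
		ftpConfig = append(ftpConfig, ftp.DialWithTLS(tlsConfig))
	}
}
// … unchanged: DisableEPSV option and the rest of ftpConnection …
```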
@@ -181,11 +184,29 @@ FTP password Use FTP over TLS (Implicit) +When using implicit FTP over TLS the client will connect using TLS +right from the start, which in turn breaks the compatibility with +non-TLS-aware servers. This is usually served over port 990 rather +than port 21. Cannot be used in combination with explicit FTP. + - Config: tls - Env Var: RCLONE_FTP_TLS - Type: bool - Default: false +#### --ftp-explicit-tls + +Use FTP over TLS (Explicit) + +When using explicit FTP over TLS the client explicitly request +security from the server in order to upgrade a plain text connection +to an encrypted one. Cannot be used in combination with implicit FTP. + +- Config: explicit_tls +- Env Var: RCLONE_FTP_TLS +- Type: bool +- Default: false + ### Advanced Options Here are the advanced options specific to ftp (FTP Connection). @@ -243,6 +264,3 @@ FTP could support server side move but doesn't yet. Note that the ftp backend does not support the `ftp_proxy` environment variable yet. - -Note that while implicit FTP over TLS is supported, -explicit FTP over TLS is not.