Re: Explicit FTPS on port 989/990?

 
 
Antoine EMERIT
02-28-2010, 11:45 AM
On 26.02.2010 19:31, Cray wrote:
> On Feb 16, 5:05 pm, Tecknode<teckn...@NOSPAM.com> wrote:
>> Cray wrote:
>>> I realize that the default ports for explicit FTPS are 20/21, and
>>> implicit FTPS on ports 989/990 has been deprecated. However, I am
>>> wondering if anyone chooses to run explicit FTPS (w/ Start TLS) on
>>> ports 989/990 for situational awareness or any other reasons? Is this
>>> possible, and if so - are people doing it? I realize this would
>>> require port modifications for FTPS on firewalls (and perhaps
>>> additional mods for application aware firewalls).

>>
>> Looking here...http://en.wikipedia.org/wiki/List_of...28computing%29
>>
>> I note that Ports 989/990 are FTP over *TLS/SSL*
>>
>> So what's the question?

>
> For FTPS, Ports 989/990 were reserved for the deprecated Implicit
> method. My question is, although the Explicit method (current adopted
> method) is meant to run on ports 20/21, does anyone choose to change
> the default ports and run the Explicit method on ports 989/990
> instead? This may be a silly question, but my colleague seems to
> think people are going against IETF and RFC recommendation and running
> Explicit FTPES on ports 989/990. I would like to know if anyone is
> doing this, and if so - why?


Stop! There is a little misunderstanding about FTPS!

There are in fact 2 FTPS: FTPS and FTPES.


FTPS is FTP over SSL/TLS, which uses an encrypted connection BEFORE
dealing with the FTP protocol, and so the connection is made to
different ports (989/990) because standard FTP can't deal with this.

One of the common methods to create such a service is to use the OpenSSL
port redirection on the server: ports 989/990 are encrypted tunnels on
the server to the 20/21 ports on the same server.

You must understand that in this case, the encryption is not part of
the FTP protocol, it's a socket encryption.


Now, there is the official, not deprecated, FTPES (explicit FTPS) that uses
the AUTH command to start an encrypted authentication and stream. It is
requested by the client after the connection to the FTP server.

In this case, the client and the server negotiate the authentication
and encryption method at the start of the communication AFTER the
socket is opened.

The server may answer an error, which means it doesn't support
encryption. The server may also refuse unencrypted communication.

But in this official, not deprecated way, the FTP port can only be the
official one, because the negotiation is part of the FTP protocol.


Regards
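
Added example, not part of the original post: a small classifier that labels a captured FTP control session by the message order the post describes (TLS before any FTP dialogue, or AUTH followed by TLS) and flags sessions where credentials travel in cleartext. The session lists, the `classify_session` name and the stub ClientHello bytes are constructed for illustration; reply code 234 is the AUTH acceptance code from RFC 4217.

```python
# Added illustration. Sessions are constructed samples: ordered (sender, payload)
# pairs from the control connection, sender "C" = client, "S" = server.

def is_tls_handshake(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def classify_session(messages):
    """Return 'implicit-ftps', 'explicit-ftps', 'plaintext-ftp' or 'unknown'."""
    seen_plain = False    # a plaintext FTP line has been seen
    auth_pending = False  # client sent AUTH, server has not replied yet
    auth_ok = False       # server accepted AUTH with reply code 234
    for sender, payload in messages:
        if is_tls_handshake(payload):
            if sender != "C":
                return "unknown"
            if not seen_plain:
                return "implicit-ftps"      # TLS before any FTP dialogue
            return "explicit-ftps" if auth_ok else "unknown"
        seen_plain = True
        line = payload.decode("ascii", "replace").strip()
        verb = line.split(" ", 1)[0].upper()
        if sender == "C":
            if verb == "AUTH":
                auth_pending = True
            elif verb in ("USER", "PASS"):
                return "plaintext-ftp"      # credentials sent without TLS
        elif auth_pending:
            auth_ok = line.startswith("234")
            auth_pending = False
    return "unknown"

CLIENT_HELLO = b"\x16\x03\x01\x00\x04test"  # constructed stub, not a full record
IMPLICIT = [("C", CLIENT_HELLO)]
EXPLICIT = [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
            ("S", b"234 proceed\r\n"), ("C", CLIENT_HELLO)]
REFUSED = [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
           ("S", b"502 not implemented\r\n"), ("C", b"USER alice\r\n")]
PLAIN = [("S", b"220 ready\r\n"), ("C", b"USER alice\r\n")]

if __name__ == "__main__":
    for name, s in [("implicit", IMPLICIT), ("explicit", EXPLICIT),
                    ("refused", REFUSED), ("plain", PLAIN)]:
        print(name, "->", classify_session(s))
```

The `REFUSED` case is the one worth alerting on: the server rejected AUTH and the client carried on with USER in the clear.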