FTPES, but plain data transfers.

karrx10h

Member
Messages
73
Reaction score
8
Points
8
FileZilla v3.53.1, Windows 10 x64. The screenshot says it all.

FTPES.png

Why is this happening? I've never seen this before with any FTP server in the Net. Weird.
This server does not support TLS session resumption on the data connection.

TLS session resumption on the data connection is an important security feature to
protect against data connection stealing attacks.

If you continue, transferred files may be intercepted or their contents replaced by
an attacker.
 

spacresx

Community Advocate
Community Support
Messages
2,199
Reaction score
195
Points
63
i dont use filezilla, i use dreamweaver cs5 but ive never seen that issue.
i do have ssl on my website as well.
is it possible that you do not have ssl on the website, but you have
the ssl selected in filezilla ??

did you just update filezilla?
or maybe its a 1st time warning about the connection hazard.
and clicking accept makes the message go away.
 

karrx10h

Member
Messages
73
Reaction score
8
Points
8
is it possible that you do not have ssl on the website, but you have
the ssl selected in filezilla ??
Yes, I've always have selected SSL in FileZilla. And now, in the website too; that recent Let's Encrypt "magic".
did you just update filezilla?
As I write these lines, the version still is v3.53.1. So, yes; the up-to-date version.
maybe its a 1st time warning about the connection hazard.
and clicking accept makes the message go away.
Exactly.

Right before starting to write this answer, I've tried to capture traffic with Wireshark. If I connect to a "plain FTP", when I transfer a file, Wireshark captures/shows the "ftp-data" (protocol; in the filter bar) traffic. But if I do the same test with this server, Wireshark doesn't show any "ftp-data" traffic. I've done more tests; with other "FTPES" servers; and... with "ftp.xmission.com", the warning never shows up, but it does with "ftp.pureftpd.org". Again, the "ftp-data" traffic doesn't show up with this one in Wireshark.

And it seems not to be a bug in FileZilla: https://forum.filezilla-project.org/viewtopic.php?f=2&t=53710

Not so weird now.
 

spacresx

Community Advocate
Community Support
Messages
2,199
Reaction score
195
Points
63
that post generally states that the host dont support an
option that he new release of filezilla now searches for.
which quite honestly i dont think many hosts do support.

until now i never even heard of FTPES, only FTP.
and i do have a paid hosting account with another host.
so i know this is not just x10 that dont support it.

they may have what filezilla describes but i wouldnt know.
 
Last edited:

karrx10h

Member
Messages
73
Reaction score
8
Points
8
FTPES = FTP with Explicit Security

In this mode, you connect with plain FTP first and then, the FTP client tries a secure session:
Code:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 6 of 50 allowed.
220-Local time is now 16:03. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.


"ftp.cubic.org" doesn't support FTPES:
Code:
220 ProFTPD Server (ftp.cubic.org) [::ffff:193.108.181.132]
AUTH TLS
500 AUTH not understood
AUTH SSL
500 AUTH not understood
Estado: Servidor no seguro, no soporta FTP sobre TLS. (Something like: «Status: Unsecure server, it doesn't support FTP over TLS.»)


And you have also FTP with implicit security (FTPS). The FTP client connects to the port 990 (default) and you have a secure connection as soon as you connect to that port; from the 0 second. Currently, not enabled here.
 
Last edited:

spacresx

Community Advocate
Community Support
Messages
2,199
Reaction score
195
Points
63
just a mention,
i would just check that box off and click "accept" then you wont see the
message anymore which you never saw in earlier versions of filezilla,
i doubt x10hosting would change its standard protocol for free hosting.
because filezilla suggests it. just my opinion though.
 

karrx10h

Member
Messages
73
Reaction score
8
Points
8
Hm... I don't know. Now I'm curious about which servers have that "extended security" and which ones don't. o_O
 

garrettroyce

Community Support
Community Support
Messages
5,609
Reaction score
250
Points
63
I thought FTP on port 21 supported STARTTLS. I'm reading this thread really really quickly because I have to log out, but hopefully that'll add something to the conversation
 

spacresx

Community Advocate
Community Support
Messages
2,199
Reaction score
195
Points
63
@ garrettroyce
i beleive originally karrx10h was referring to FTPES and not just FTP.
its supposed to be a feature in newer releases of filezilla.
generally for extra security over normal FTP.
but i didnt know if x10 would support FTPES.
 

karrx10h

Member
Messages
73
Reaction score
8
Points
8
Resume:

FTP - File Transfer Protocol
SFTP - SSH File Transfer Protocol
FTPS - FTP through implicit TLS/SSL
FTPES - FTP through explicit TLS/SSL

Anyway. I've been doing some research and I found that FileZilla doesn't complaint about these servers not supporting that "TLS session resumption on the data connection" feature: FileZilla Server (installed locally), ftp.xmission.com, ftp.swcp.com, ftp.softlab-nsk.com, ftp.snobol4.com, ftp.sandpile.org, ftp.rubicon.ca, ftp.robelle3000.ai, ftp.robelle.com, ftp.qosient.com, ftp.procergs.com.br... I decided to stop here.

But I've been unable to find no... "special" thing that makes any difference between that servers and the x10Hosting one. The FEAT command didn't help me with the comparissions and I have no idea of how FileZilla "knows" what servers support the "TLS session..." and what ones don't.
 
Top