
address of ftp site

sudo mkdir -p /etc/pki/tls/certs

Set up your own certificate on the server

export cert to curl

Get the cert into your Firefox browser and export it. You now have a .p12 file.

openssl pkcs12 -in pki_cert.pem.p12 -out ca.pem -cacerts -nokeys
openssl pkcs12 -in pki_cert.pem.p12 -out client.pem -clcerts -nokeys
openssl pkcs12 -in pki_cert.pem.p12 -out key.pem -nocerts

Log in to: and change your password.

curl --cacert ca.pem --cert client.pem --key key.pem -k -v -u USER:PASS --ftp-ssl

# apt-get build-dep gftp
# apt-get install libssl-dev openssl
# apt-get source gftp
# cd gftp-2.0.18
(this is the version number; it changes over time)
# vim debian/rules
(or use nano, gedit or some other editor; change the option on the 10th or 15th line from --disable-ssl to --enable-ssl)
# debian/rules binary
(it should now compile and pack all gftp packages)
# cd ..
# dpkg -i gftp*.deb

Explicit SSL: When using explicit SSL, the FTP server will allow SSL connections on the
standard FTP port. This port will be used for both FTP connections and FTP/S connections.
In order to enter into a secure SSL session, the FTP client will need to issue either the
AUTH SSL or AUTH TLS command prior to establishing the secure connection.

Implicit SSL: When using implicit SSL, the FTP server will listen on a specific port that will
only be used for SSL connections. By default this is port 990; however, any port may be

We recommend that you select Protocol Version TLS v.1.0 (SSL v3.1) because it has
security enhancements that are not found in SSL v3.0. We also recommend that you
enable Encrypt data channel by default to force encryption unless the client explicitly
turns it off. The Enable CCC feature allows plaintext communication to occur, so this
feature should be disabled in cases where encryption is always wanted. As a reminder,
you must enable Require all FTP connections from the clients to be secure if you are
using explicit SSL and do not wish to allow unsecured access to your server. Explicit SSL
is the preferred standard, but either method is secure. (Explicit SSL is the recommended
method for HIPAA compliance because implicit SSL is not formally adopted in an RFC.) If
you enable Require Trusted Certificates, please be aware that this feature requires that
all FTPS clients provide a trusted certificate to connect. This is the most secure method
of connecting but it requires that trusted keys be distributed to each user offline, so it
may not be practical.
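
One way to check a client log against the settings above (an added example, not part of the original notes): the Python function below walks a `curl -v` style control-channel transcript and reports logins sent before AUTH was accepted, transfers without PROT P, and an accepted CCC. The transcript is constructed, and `audit_ftps_session`, `DATA_CMDS` and `SAMPLE` are names chosen here.

```python
import re

DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

def audit_ftps_session(transcript, implicit=False):
    """Return findings for a control-channel log ('>' client, '<' server)."""
    tls = implicit    # implicit SSL: TLS is already up before the first command
    prot_p = False    # True once the server accepts PROT P (encrypted data channel)
    pending = None    # last client command still waiting for its final reply
    findings = []
    for line in transcript.splitlines():
        sent = re.match(r">\s*(\w+)\s*(.*)", line.strip())
        reply = re.match(r"<\s*(\d{3})(?:\s|$)", line.strip())  # skips "230-" continuations
        if sent:
            cmd, arg = sent.group(1).upper(), sent.group(2).strip().upper()
            pending = (cmd, arg)
            if cmd in ("USER", "PASS") and not tls:
                findings.append(f"{cmd} sent in cleartext (no accepted AUTH before login)")
            elif cmd in DATA_CMDS and not prot_p:
                findings.append(f"{cmd} uses an unencrypted data channel (no PROT P)")
        elif reply and pending:
            (cmd, arg), code = pending, reply.group(1)
            pending = None
            if cmd == "AUTH" and code == "234":
                tls = True
            elif cmd == "PROT" and code.startswith("2"):
                prot_p = tls and arg == "P"   # PROT only counts inside a TLS session
            elif cmd == "CCC" and code.startswith("2"):
                tls = False                   # data channel keeps its PROT level
                findings.append("CCC accepted: control channel returned to plaintext")
    return findings

# Constructed transcript (not captured from a real server): explicit SSL with CCC.
SAMPLE = "\n".join([
    "< 220 ready", "> AUTH TLS", "< 234 AUTH command accepted",
    "> USER alice", "< 331 Password required", "> PASS x", "< 230 Logged in",
    "> PBSZ 0", "< 200 OK", "> PROT P", "< 200 Private",
    "> CCC", "< 200 CCC accepted", "> LIST", "< 150 Opening data connection",
])

if __name__ == "__main__":
    for finding in audit_ftps_session(SAMPLE):
        print(finding)
```

Pass `implicit=True` for a session on the implicit SSL port, where TLS is negotiated before the first FTP command and no AUTH appears in the log.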

Final Settings

openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

curl -E certkey.pem -k -s -u username:pass --ftp-ssl --list-only

curl -E certkey.pem -k -v -u username:password --ftp-ssl --quote "cwd /#E2" -T filetoupload.txt


curl -E certkey.pem -s -u user:pass --ftp-ssl
--list-only -v
< 220 intftps1 IE-FTP server (v4r3m0.k) ready on system USA.
< 234 AUTH command accepted - proceed with Negotiation.
* successfully set certificate verify locations:
*   CAfile: none
 CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection #0

The name 'SSL23*' makes me suspect that this is once again a problem with the
automatic selection of SSL version 2 or version 3. I think it might help if you
select which SSL version to use on the command line. Try with -2 or -3 and see
if any of those makes it better. 

MyWiki: ftps (last edited 2009-09-06 02:49:34 by localhost)