FileZilla with Let's Encrypt

T3sl4co1l:
Setting up a new FTP today.  I've used FZ before, seems reasonable enough.  Let's go get the current version and see.

I see an option for Let's Encrypt, integrating the ACME interface.  Cool.

I already have an account for that, even.  So I just need to... hmm, no, I can't just link it with my existing account, it looks like it has to make a completely new one?  Weird.

Well, I don't need to administer it that way either, I can just point it to the same files then.

Right?

LE doesn't make a private key file though.  I see the PEM and PFX files.  Do those work?

It doesn't even tell me what extensions it's looking for...

(From what I've seen in searching, it seems to want a *.key and *.pem respectively.  Still not entirely sure.  It seems to do nothing about an incorrect file, and one of them seems to use the *.pem but without the *.key it emits some random bullshit gnuTLS error. Thanks.)

No one is talking about this, any conceivable query I search on returns irrelevant results: sure, configure LE integration, but I don't want that; configure a 3rd-party cert (with all the related files included as a package), no not quite the same thing; it seems like the more insistent I am, trying to query this one narrow subject, the harder it pushes me towards something completely not that.

Am I just a complete idiot?  I know I don't know much about certificates and keys, as actually used by applications.  Is this just a question that is -- and I've somehow managed to miss this -- so immediately, patently obvious, that no one dares ask it?

As near as I can tell -- besides the fact that it says LE integration right there -- it wants an X.509 cert, that LE provides, and so, I should be very reasonably assuming, that it can just, *hands bumping together gesture, "now kiss"* and, that'd be that, right?

Is it hidden by intent, not coincidence?  I notice FileZilla is doing this "Pro" shit and I'm guessing, besides integration of commercial services, they want money for support too.  I get it, but that's no excuse for utterly crippling your supposed-free ware.  I'm not even seeing basic documents like what the fields are on the fucking dialog.  Also, version 1.1.0 is apparently so new, nobody's even screenshotted it; I see hits with the respective dialog for version 0.9.60-something.  Which again, do nothing with the particular text fields I'm trying to figure out.

Is this just a complete fucking waste of time, do I generate a self-signed cert and just leave it?  Will that do anything with respect to my domain?  (So obviously, yes this will be ftp on my domain, and no, it won't be public/anon, don't bother probing it etc...)

Tim

tru:
I have FileZilla Server working with FTP over TLS, using a Let's Encrypt-generated private key and certificate file, both in .pem format.
Note, I'm no expert, I just used the win-acme script to output the key and certificate to .pem format and to a particular folder.
Then in the FZ server admin GUI, under Settings/FTP over TLS settings, I browsed to those two files.
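
An added example (not from the thread or from FileZilla): the posts above turn on which Let's Encrypt output file holds the certificate and which holds the private key, so this Python code reads the PEM armor labels to tell them apart. The function names are hypothetical and the sample blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# PEM armor: -----BEGIN <label>----- / base64 body / -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def classify_pem(text):
    """Count certificate and private-key blocks in PEM text."""
    found = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0}
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys put "Proc-Type: 4,ENCRYPTED" before the base64.
        legacy_encrypted = body.startswith("Proc-Type:") and "ENCRYPTED" in body
        if not legacy_encrypted:
            # Raises binascii.Error if the body was truncated or mangled.
            base64.b64decode("".join(body.split()), validate=True)
        if label == "CERTIFICATE":
            found["certificates"] += 1
        elif label == "ENCRYPTED PRIVATE KEY" or legacy_encrypted:
            found["encrypted_keys"] += 1
        elif label in KEY_LABELS:
            found["private_keys"] += 1
    return found


def suggest_field(text):
    """Return 'certificate', 'private key', 'both' or 'neither' for one file."""
    c = classify_pem(text)
    has_cert = c["certificates"] > 0
    has_key = c["private_keys"] + c["encrypted_keys"] > 0
    if has_cert and has_key:
        return "both"
    if has_cert:
        return "certificate"
    return "private key" if has_key else "neither"


def _armor(label, payload):
    # Builds a constructed PEM block; the payload is placeholder bytes, not DER.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample files (not real certificates or keys).
SAMPLE_CHAIN = _armor("CERTIFICATE", b"leaf") + _armor("CERTIFICATE", b"issuer")
SAMPLE_KEY = _armor("PRIVATE KEY", b"key placeholder")
```

A .pfx file is binary PKCS#12 rather than PEM, so it carries no armor lines for this to find.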

Marco:

--- Quote ---FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).
--- End quote ---

This has to be an elaborate joke. No one could have honestly wanted to extend one of the worst major protocols in history with TLS could they? In two incompatible ways to boot.

T3sl4co1l:
I have literally zero of those options, though. ???

Tim

ejeffrey:

--- Quote from: Marco on March 04, 2022, 04:18:05 pm ---
--- Quote ---FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).
--- End quote ---

This has to be an elaborate joke. No one could have honestly wanted to extend one of the worst major protocols in history with TLS could they? In two incompatible ways to boot.

--- End quote ---

Pretty much every pre-1995 protocol still in use has these options.  IMAP, SMTP, and NNTP all have it as well.  HTTP is really the odd one out with no STARTTLS or equivalent version in use.  The dedicated SSL/TLS port was easy to implement and could be done with a simple shim.  However, it's more annoying to have two ports and harder to convince network administrators to open additional firewall ports for niche versions of what were already niche protocols. STARTTLS allows you to run the same port for encrypted and non-encrypted clients.