[Cyberduck-trac] [Cyberduck] #10468: FTPS explicit TLS no longer works without client certificate

Cyberduck trac at cyberduck.io
Mon Sep 2 20:09:09 UTC 2019 

#10468: FTPS explicit TLS no longer works without client certificate
-------------------------+----------------------
 Reporter:  codeskipper  |         Owner:
     Type:  defect       |        Status:  new
 Priority:  normal       |     Milestone:  7.1
Component:  ftp-tls      |       Version:  6.7.0
 Severity:  major        |    Resolution:
 Keywords:  TLS, FTPS    |  Architecture:  Intel
 Platform:  macOS 10.13  |
-------------------------+----------------------
Description changed by dkocher:

Old description:

> A few years ago I set up an FTP server for a client, and tested with
> multiple FTP client software it works as expected with explicit TLS and
> passive transfers.  Cyberduck has alway been my favourite file transfer
> client and it worked just fine.
>
> Server side is setup with vsftpd and with default settings for
> ssl_request_cert=YES and require_cert=NO.  The latter means (according to
> man page):
>     If set to yes, all SSL client connections are required to present a
> client certificate.
>
> Cyberduck now asks me to point to a local certificate in my login
> keychain and wants to export it.  Without completing this I'm no longer
> able to connect to the FTP server with Cyberduck.  When I test this for
> my client with alternative tools like FileZilla and WinSCP I can still
> connect fine without configuring a client TLS cert.
>
> This appears to be a bug, i think the use of a client cert should not be
> mandatory on the client unless the server requires it.
>
> Best,
> Martinus

New description:

 A few years ago I set up an FTP server for a client, and tested with
 multiple FTP client software it works as expected with explicit TLS and
 passive transfers.  Cyberduck has alway been my favourite file transfer
 client and it worked just fine.

 Server side is setup with vsftpd and with default settings for
 `ssl_request_cert=YES` and `require_cert=NO`.  The latter means (according
 to man page):
     If set to yes, all SSL client connections are required to present a
 client certificate.

 Cyberduck now asks me to point to a local certificate in my login keychain
 and wants to export it.  Without completing this I'm no longer able to
 connect to the FTP server with Cyberduck.  When I test this for my client
 with alternative tools like FileZilla and WinSCP I can still connect fine
 without configuring a client TLS cert.

 This appears to be a bug, i think the use of a client cert should not be
 mandatory on the client unless the server requires it.

 Best,
 Martinus

--

--
Ticket URL: <https://trac.cyberduck.io/ticket/10468#comment:7>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list