[Cyberduck-trac] [Cyberduck] #9257: FTPES (FTP-SSL) SNI support

Cyberduck trac at cyberduck.io
Thu Jul 30 21:53:51 UTC 2020

#9257: FTPES (FTP-SSL) SNI support
 Reporter:  andreas7           |         Owner:  dkocher
     Type:  enhancement        |        Status:  reopened
 Priority:  normal             |     Milestone:
Component:  ftp-tls            |       Version:  7.4.1
 Severity:  normal             |    Resolution:
 Keywords:  SNI FTPES FTP-SSL  |  Architecture:  Intel
 Platform:  macOS 10.13        |
Changes (by rlaager):

 * status:  closed => reopened
 * platform:  Mac OS X 10.10 => macOS 10.13
 * version:  4.7.3 => 7.4.1
 * arch:   => Intel
 * resolution:  worksforme =>


 When using Cyberduck 7.4.1 (33065) on both macOS High Sierra (10.13.6) and
 Windows 10, Cyberduck is not sending SNI.

 ProFTPD as of 1.3.7 (1.3.7rc3) supports SNI. The release notes say,
 "mod_tls now honors client-provided SNI as part of the TLS handshake, for
 implementing name-based virtual hosts via TLS SNI."

 Now that ProFTPD supports SNI and free certificates are trivially
 available via Let's Encrypt, it is feasible to configure name-based
 virtual hosts for FTP. A shared hosting server that supports example1.com,
 customer2.com, and site3.com can serve the three different certificates
 based on what the client sends as SNI. That way, each customer can
 configure their FTP client using their own site's domain. Traditionally,
 they would need to know the server name, which might be
 something.myhostingcompany.com. The SNI name-based configuration is more
 user-friendly. This is the same model used for HTTPS, so it's something
 that administrators are already familiar with.

 Other clients already support SNI. lftp, the command line client on Linux,
 supports SNI. FileZilla supports SNI. (FileZilla doesn't do certificate
 validation at all; users always have to approve the certificate. That is
 less than ideal.) WinSCP is adding SNI right now. (The developer added it
 last night at my suggestion and I have verified it works for explicit
 FTPS; that support should be in the next release.)

 I tested this against my website: coderich.net. Feel free to test against
 that site. If you send SNI, you'll get a coderich.net cert. If you don't
 send SNI, you'll get a bison.wiktel.com cert. You don't need working
 credentials to test the TLS negotiation, so just make up a username and
 password. On that server, both explicit (on port 21) and implicit FTPS (on
 port 990) are supported. Though I don't think Cyberduck supports implicit

Ticket URL: <https://trac.cyberduck.io/ticket/9257#comment:2>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
