On Tue, Mar 1, 2011 at 10:16 PM, Barry Brimer lists@brimer.org wrote:
On 03/01/11 6:38 PM, Barry Brimer wrote:
It is possible to instruct the FTPS client to keep the control channel in the clear so that firewalls that need to adjust to the ports being used can listen in on the conversation. The FTPS server has to agree to allow this to happen.
Aren't username/passwords sent in the clear then too? If so, what's the point of using FTPS?
No, they are not. On the FTPS server you can require TLS encryption of everything, auth, data, control channel, nothing, or combinations of them. In this case you would require auth+data which would mean that your control channel is in the clear, but the username/password exchange and the data would be protected. You could also use an SSL client certificate as authentication and negate the need for the password to be sent altogether.
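The "auth+data protected, control channel in the clear" profile described in that reply can be driven from Python's standard `ftplib.FTP_TLS`: AUTH TLS upgrades the control connection before USER/PASS is sent, PROT P puts the data connection under TLS, and CCC (Clear Command Channel, `FTP_TLS.ccc()`, Python 3.3+) drops the control channel back to plain text after login so a NAT or firewall can read PORT/PASV. The following is an added example, not code from the thread; `command_plan` is a hypothetical helper that spells out the command sequence for a given protection profile, and the host, user, password and client-certificate path in `fetch_listing` are placeholders.

```python
"""Added example (not from the thread): explicit FTPS with ftplib.FTP_TLS,
protecting the credential exchange and the data channel while optionally
returning the control channel to clear text with CCC."""
import ssl
from ftplib import FTP_TLS


def command_plan(protect_auth: bool, protect_data: bool, protect_control: bool) -> list:
    """Return the control-channel commands for a protection profile.

    protect_auth    -> AUTH TLS before USER/PASS (credentials never in clear)
    protect_data    -> PROT P (data connections under TLS), else PROT C
    protect_control -> keep the control channel under TLS after login;
                       when False, CCC drops it back to clear text
    Data or control protection presupposes a TLS session, so both require
    protect_auth.  Hypothetical helper; credentials are placeholders.
    """
    if (protect_data or protect_control) and not protect_auth:
        raise ValueError("PROT P and an encrypted control channel both require AUTH TLS")
    plan = []
    if protect_auth:
        plan.append("AUTH TLS")                 # explicit FTPS: TLS first
    plan += ["USER <user>", "PASS <password>"]  # sent inside TLS if AUTH preceded
    if protect_auth:
        plan.append("PBSZ 0")                   # mandatory before PROT on TLS
        plan.append("PROT P" if protect_data else "PROT C")
        if not protect_control:
            plan.append("CCC")                  # clear command channel after login
    return plan


def fetch_listing(host: str, user: str, password: str, *, protect_data: bool = True,
                  protect_control: bool = False, client_cert: str = None,
                  port: int = 21) -> list:
    """Log in to an FTPS server with the chosen profile and return a name list.

    The server must permit the profile: a server configured to require TLS
    on the control channel rejects CCC and ftplib raises error_perm here.
    """
    ctx = ssl.create_default_context()          # verifies the server certificate
    if client_cert:
        ctx.load_cert_chain(client_cert)        # TLS client certificate as auth
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.login(user, password)                  # sends AUTH TLS, then USER/PASS under TLS
    if protect_data:
        ftps.prot_p()                           # PBSZ 0 + PROT P: data under TLS
    else:
        ftps.prot_c()                           # PBSZ 0 + PROT C: data in clear
    if not protect_control:
        ftps.ccc()                              # CCC: control channel back to clear text
    names = ftps.nlst()
    ftps.quit()
    return names


if __name__ == "__main__":
    # Placeholder target; the "auth+data" profile from the thread.
    print(command_plan(protect_auth=True, protect_data=True, protect_control=False))
    # fetch_listing("ftps.example.invalid", "user", "secret")
```

With CCC in effect the PORT/PASV exchange and file names are visible on the wire while the password and file contents are not, which is exactly the trade-off the reply describes; a server that insists on a fully encrypted control channel will simply refuse the CCC command.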
*ouch*. Sounds like a lot of painful work and firewall negotiations to get right (which I've run into a few times lately with NATs and slightly inconsistent NAT/firewall combinations this last year, though that was for FTP).
Those sorts of issues are why I've gotten fond of WebDAV over HTTPS.