On Tue, Mar 1, 2011 at 10:16 PM, Barry Brimer <lists at brimer.org> wrote:
>> On 03/01/11 6:38 PM, Barry Brimer wrote:
>>> It is possible to instruct the FTPS client to keep the control channel in the
>>> clear so that firewalls that need to adjust to the ports being used can listen
>>> in on the conversation. The FTPS server has to agree to allow this to happen.
>>
>> Aren't username/passwords sent in the clear then too? If so, what's the
>> point of using FTPS?
>
> No, they are not. On the FTPS server you can require TLS encryption of
> everything, auth, data, control channel, nothing, or combinations of them.
> In this case you would require auth+data, which would mean that your
> control channel is in the clear, but the username/password exchange and
> the data would be protected. You could also use an SSL client certificate
> as authentication and negate the need for the password to be sent
> altogether.

*ouch*. Sounds like a lot of painful work and firewall negotiations to get right (which I've run into a few times lately with NATs and slightly inconsistent NAT/firewall combinations this last year, though that was for FTP). Those sorts of issues are why I've gotten fond of WebDAV over HTTPS.
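The client side of the mode Barry describes (TLS for the login and the data connections, control channel returned to cleartext afterwards), as an added example that is not part of the thread. It uses the method names of Python's ftplib.FTP_TLS (auth, login, prot_p, ccc); the RecordingFTPS stub is constructed here so the sequence runs offline and so that the unsafe order, USER/PASS before AUTH TLS, is visibly refused.

```python
from ftplib import FTP_TLS  # a real FTP_TLS(host) object can replace the stub below


def protected_session(ftps, user, password):
    """AUTH TLS -> USER/PASS -> PROT P -> CCC on an FTP_TLS-like object.

    Credentials and data are TLS-protected; after CCC the control channel
    is cleartext again so NAT/firewall FTP helpers can read PORT/PASV.
    Returns the ordered list of steps for inspection.
    """
    ftps.auth()                 # AUTH TLS: control channel encrypted from here on
    ftps.login(user, password)  # USER/PASS travel inside TLS, never in the clear
    ftps.prot_p()               # PROT P: every data connection gets its own TLS
    ftps.ccc()                  # CCC: control back to plaintext; PROT P still applies
    return ["AUTH TLS", "USER/PASS (TLS)", "PROT P", "CCC"]


class RecordingFTPS:
    """Constructed stand-in for ftplib.FTP_TLS: records the command sequence
    and rejects a login attempted on a cleartext control channel."""

    def __init__(self):
        self.commands = []
        self.control_encrypted = False

    def auth(self):
        self.control_encrypted = True
        self.commands.append("AUTH TLS")

    def login(self, user, password):
        if not self.control_encrypted:
            raise RuntimeError("refusing to send USER/PASS on a cleartext control channel")
        self.commands.append("USER %s" % user)
        self.commands.append("PASS ********")  # password never logged

    def prot_p(self):
        self.commands.append("PROT P")

    def ccc(self):
        self.control_encrypted = False
        self.commands.append("CCC")


def login_without_auth_refused():
    """True if the stub refuses USER/PASS before AUTH TLS (the unsafe order)."""
    try:
        RecordingFTPS().login("alice", "hunter2")  # constructed sample credentials
    except RuntimeError:
        return True
    return False
```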