
Explicit FTPS on port 989/990?


Cray
Feb 16, 2010, 10:06:40 AM
I realize that the default ports for explicit FTPS are 20/21, and
implicit FTPS on ports 989/990 has been deprecated. However, I am
wondering if anyone chooses to run explicit FTPS (w/ Start TLS) on
ports 989/990 for situational awareness or any other reasons? Is this
possible, and if so - are people doing it? I realize this would
require port modifications for FTPS on firewalls (and perhaps
additional mods for application-aware firewalls).

Tecknode
Feb 16, 2010, 5:05:03 PM

Looking here...
http://en.wikipedia.org/wiki/List_of_well-known_ports_%28computing%29

I note that Ports 989/990 are FTP over *TLS/SSL*

So what's the question?

Cray
Feb 26, 2010, 1:31:42 PM
On Feb 16, 5:05 pm, Tecknode <teckn...@NOSPAM.com> wrote:
> Cray wrote:
> > I realize that the default ports for explicit FTPS are 20/21, and
> > implicit FTPS on ports 989/990 has been deprecated. However, I am
> > wondering if anyone chooses to run explicit FTPS (w/ Start TLS) on
> > ports 989/990 for situational awareness or any other reasons? Is this
> > possible, and if so - are people doing it? I realize this would
> > require port modifications for FTPS on firewalls (and perhaps
> > additional mods for application-aware firewalls).
>
> Looking here...
> http://en.wikipedia.org/wiki/List_of_well-known_ports_%28computing%29
>
> I note that Ports 989/990 are FTP over *TLS/SSL*
>
> So what's the question?

For FTPS, ports 989/990 were reserved for the deprecated Implicit
method. My question is, although the Explicit method (the currently adopted
method) is meant to run on ports 20/21, does anyone choose to change
the default ports and run the Explicit method on ports 989/990
instead? This may be a silly question, but my colleague seems to
think people are going against IETF and RFC recommendations and running
Explicit FTPES on ports 989/990. I would like to know if anyone is
doing this, and if so - why?

Antoine EMERIT
Feb 28, 2010, 6:45:00 AM

Stop! There is a little misunderstanding about FTPS!

There are in fact 2 FTPS: FTPS and FTPES.


FTPS is FTP over SSL/TLS, which uses an encrypted connection BEFORE
dealing with the FTP protocol, and so the connection is made to
different ports (989/990) because standard FTP can't deal with this.

One of the common methods to create such a service is to use the OpenSSL
port redirection on the server: ports 989/990 are an encrypted tunnel on
the server to the 20/21 ports on the same server.

You must understand that in this case, the encryption is not part of
the FTP protocol; it's a socket encryption.


Now, there is the official, not deprecated, FTPES (explicit FTPS) that uses
the AUTH command to start an encrypted authentication and stream. It is
requested by the client after the connection to the FTP server.

In this case, the client and the server negotiate the authentication
and encryption method at the start of the communication AFTER the
socket is opened.

The server may answer an error which means it doesn't support
encryption. The server may also refuse unencrypted communication.

But in this official, not deprecated way, the FTP port can only be the
official one, because the negotiation is part of the FTP protocol.


Regards
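To make the difference between the two modes concrete, here is an added example that is not part of the thread: a small offline simulation of the control-channel exchange in both modes, covering Antoine's description of the AUTH negotiation and its failure cases, and Cray's question about whether the explicit method depends on the port. No real sockets are used; the TLS handshake is represented by a flag, reply codes follow RFC 2228 / RFC 4217, and the simulation assumes (as the thread states) that 989/990 are the implicit-mode ports where the handshake precedes the FTP banner. The server policies, user name and password are constructed for the demo.

```python
"""Simulated FTPS control-channel negotiation (added example, no network I/O)."""
from dataclasses import dataclass
from enum import Enum

# Ports the thread identifies with implicit FTPS: TLS first, FTP afterwards.
IMPLICIT_PORTS = {989, 990}


class TlsPolicy(Enum):
    UNSUPPORTED = "plain FTP server, no AUTH TLS"
    OPTIONAL = "AUTH TLS offered, plaintext logins allowed"
    REQUIRED = "AUTH TLS offered, plaintext logins refused"


@dataclass
class SimulatedServer:
    """Stand-in for an FTP server's command handler (constructed for the demo).

    `secured` plays the role of a completed TLS handshake; reply codes are
    the ones RFC 2228 / RFC 4217 assign to these situations.
    """
    policy: TlsPolicy
    secured: bool = False
    logged_in: bool = False

    def greet(self, port: int) -> str:
        # Implicit mode: the socket is encrypted before any FTP text is sent,
        # so on the implicit ports the banner already travels over TLS.
        if port in IMPLICIT_PORTS:
            self.secured = True
        return "220 simulated FTP service ready"

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if self.policy is TlsPolicy.UNSUPPORTED:
                return "502 Command not implemented"      # server cannot do TLS
            if arg.upper() != "TLS":
                return "504 Command not implemented for that parameter"
            self.secured = True                              # handshake follows the 234
            return "234 AUTH TLS successful"
        if verb == "PBSZ":
            return "200 PBSZ=0" if self.secured else "503 Bad sequence of commands"
        if verb == "PROT":
            if not self.secured:
                return "503 Bad sequence of commands"
            return "200 Protection level set to P" if arg.upper() == "P" \
                else "536 Requested PROT level not supported"
        if verb == "USER":
            if self.policy is TlsPolicy.REQUIRED and not self.secured:
                return "534 Request denied for policy reasons"  # plaintext refused
            return "331 Please specify the password"
        if verb == "PASS":
            self.logged_in = True
            return "230 Login successful"
        return "500 Unknown command"


def connect(server: SimulatedServer, port: int, want_tls: bool = True):
    """Client side of the exchange. Returns (outcome, transcript).

    outcome is 'tls', 'plaintext' or 'refused'. In explicit mode the same
    AUTH TLS / PBSZ / PROT sequence is sent whatever the control port is;
    only implicit mode ties encryption to the port number.
    """
    secured = port in IMPLICIT_PORTS        # client knows implicit ports are TLS-first
    transcript = [f"S: {server.greet(port)}"]

    def send(cmd: str) -> str:
        reply = server.handle(cmd)
        transcript.append(f"C: {cmd}")
        transcript.append(f"S: {reply}")
        return reply

    if want_tls and not secured:
        secured = send("AUTH TLS").startswith("234")   # explicit upgrade on the open socket
    if secured:
        send("PBSZ 0")      # required by RFC 4217 before PROT
        send("PROT P")      # protect the data channel too
    if send("USER alice").startswith("534"):
        return "refused", transcript
    send("PASS secret")
    return ("tls" if secured else "plaintext"), transcript


if __name__ == "__main__":
    for policy, port, want in [(TlsPolicy.OPTIONAL, 21, True), (TlsPolicy.OPTIONAL, 2121, True),
                               (TlsPolicy.UNSUPPORTED, 21, True), (TlsPolicy.REQUIRED, 21, False),
                               (TlsPolicy.REQUIRED, 990, True)]:
        outcome, lines = connect(SimulatedServer(policy), port, want)
        print(f"--- {policy.name} on port {port}, want_tls={want}: {outcome}")
        print("\n".join(lines))
```

The OPTIONAL-on-port-2121 case is the point relevant to the original question: because the explicit negotiation is carried inside the FTP dialogue, it works identically on any control port, so moving it to 989/990 buys nothing protocol-wise and only confuses firewalls and clients that treat those ports as implicit-mode. The UNSUPPORTED and REQUIRED cases show the two error paths Antoine describes: a server answering AUTH with 502, and a server refusing a plaintext USER with 534.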
