[Info-vax] FTP/SSL from OpenVMS (client) to Unix Filezilla (server) failure

Dirk Munk munk at home.nl
Tue Aug 7 08:37:13 EDT 2012


gopalakrishnan wrote:
> Hi Ken
>
> I submitted a reply to Hoff's message and repeated when I did not find my reply here. And still it is not here (I did not get the usual response "message will be reviewed and posted" in those two instances). Hope this gets loaded.
>
> The server truly is FTP over SSL service (the very first line in the SP's documentation). They use "SFTP" to describe the service as being "secure". The service uses port 22 which is not FTP/SSL standard port but SFTP's. Even the server is named "sftp.xxxx.co.nz"
>
> Moreover I can connect to the service, view folders and download files using a Windows FileZilla client connecting to "FTPES://sftp.xxx.co.nz", port 22 (and user-id / password)
>
> I have tried SFTP and it does not work
>
> My infrastructure team is now investigating if this has anything to do with our firewall/isa configuration
>
> Regards -tk
>
>
> --http://compgroups.net/comp.os.vms/ftp-ssl-from-openvms-client-to-unix-filezilla-ser/1519815
>
>
With the Windows version you are using explicit FTPS, or FTPES, and that 
may point to the problem. From Wikipedia:

Explicit

In explicit mode (also known as FTPES), an FTPS client must "explicitly 
request" security from an FTPS server and then step-up to a mutually 
agreed encryption method. If a client does not request security, the 
FTPS server can either allow the client to continue in unsecure mode or 
refuse/limit the connection.

The mechanism for negotiating authentication and security with FTP was 
added under RFC 2228, which included the new FTP command AUTH. While 
this RFC does not explicitly define any required security mechanisms, 
e.g. SSL or TLS, it does require the FTPS client to challenge the FTPS 
server with a mutually known mechanism. If the FTPS client challenges 
the FTPS server with an unknown security mechanism, the FTPS server will 
respond to the AUTH command with error code 504 (not supported). Clients 
may determine which mechanisms are supported by querying the FTPS server 
with the FEAT command, although servers are not necessarily required to 
be honest in disclosing what levels of security they support. Common 
methods of invoking FTPS security included AUTH TLS and AUTH SSL.

In the later RFC 4217, FTPS compliance required that clients always 
negotiate using the AUTH TLS method. The RFC also recommended FTPS 
servers to accept the draft mechanism AUTH TLS-C.


The use of port 22 is wrong. For FTPS the normal port numbers are 989 and 
990. However some implementations use the standard FTP port 21 for FTP and 
FTPS.

SFTP uses port 22, but as you know SFTP is something very different from 
FTP or FTPS.
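
Added example, not part of the original message: a small Python check that tells an SSH/SFTP service from an explicit-FTPS one by its first line, then asks an FTP server which AUTH mechanisms it lists in FEAT and how it answers AUTH TLS. The function names are hypothetical, and reply code 234 for an accepted AUTH is taken from RFC 4217, not from the thread.

```python
import socket

def classify_banner(first_line):
    """Classify the first bytes the server sends after the TCP connect."""
    if first_line.startswith(b"SSH-"):
        return "ssh"       # SSH identification string: this is SFTP, not FTPS
    if first_line[:3] == b"220":
        return "ftp"       # FTP greeting: explicit FTPS (AUTH) can be tried
    if not first_line:
        return "silent"    # nothing sent: server may expect TLS first (implicit FTPS)
    return "unknown"

def read_reply(f):
    """Read one FTP reply; a multi-line reply ends at a line 'NNN text'."""
    lines = []
    for raw in iter(f.readline, b""):
        line = raw.decode("latin-1")
        lines.append(line.rstrip("\r\n"))
        if line[:3].isdigit() and line[3:4] == " ":
            break
    return "\n".join(lines)

def feat_auth_mechanisms(feat_reply):
    """Collect mechanisms from FEAT lines such as ' AUTH TLS' or ' AUTH TLS;SSL;'."""
    mechs = []
    for line in feat_reply.splitlines():
        words = line.strip().split(None, 1)
        if len(words) == 2 and words[0].upper() == "AUTH":
            mechs += words[1].replace(";", " ").upper().split()
    return mechs

def probe(host, port, timeout=5.0):
    """Connect, classify the service, and ask an FTP server about AUTH TLS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        try:
            first = f.readline()
        except socket.timeout:          # server waits for the client to speak
            first = b""
        kind = classify_banner(first)
        if kind != "ftp":
            return {"kind": kind}
        if first[3:4] == b"-":          # drain the rest of a multi-line greeting
            read_reply(f)
        s.sendall(b"FEAT\r\n")
        mechs = feat_auth_mechanisms(read_reply(f))
        s.sendall(b"AUTH TLS\r\n")
        code = read_reply(f)[:3]        # 234 = accepted, 504 = mechanism not supported
        return {"kind": kind, "feat_auth": mechs, "auth_tls_code": code}
```

Calling `probe(host, 22)` against the provider's server shows whether port 22 answers with an SSH banner or an FTP greeting, which is the distinction the thread turns on.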


