0 votes
by (120 points)

Applies to: Rebex FTP/SSL

1 Answer

0 votes
by (75.8k points)


by (120 points)
Hi Lukas,

Can you please point me to a document that has any idea about how to create an FTP aware proxy?
by (150k points)
Check out the following RFC draft: https://datatracker.ietf.org/doc/html/draft-fordh-ftp-ssl-firewall-01
It's quite old and never made it to a proper RFC, and it discusses firewalls rather than proxies, but the underlying principles apply to proxies as well.

However, please be warned that for an FTP-aware proxy to work with FTP over TLS, you would either have to:
a) Use the CCC command to revert to an unencrypted control channel.
- or -
b) Make the proxy actually decrypt-and-reencrypt all the communication between the client and the server and replace the server's certificate with its own.

I don't know which problem you are trying to solve, but in general both of these solutions are discouraged.

A much better option would be to simply use a SOCKS5 proxy and SOCKS5-capable clients. (You would still have to allow outgoing connections through the proxy to any random ports for FTP to actually work, unless all the FTP servers you intend to use are under your control and you can limit the port range.)
by (75.8k points)
There are many FTP-aware proxies. It is not necessary to write your own. It only depends on which one your FTP client can use. Then set up your selected proxy according to its specification and configure your FTP client appropriately for that proxy.

For example, see the list of possible proxies the Rebex FTP client can use: https://www.rebex.net/ftp-ssl.net/features/proxy.aspx
by (120 points)
Hi Lukas,
thanks for all your inputs. What I am trying here is this: I have a Windows application right now that uses the Windows function InternetConnectA() with plain text FTP (port 21) to connect to a mainframe server. Now, we have a customer where they are moving from plain text FTP to FTPS (FTP over SSL); they want a solution for this, and since they are time bound, we are thinking of creating a proxy tunnel to change FTP to FTPS using Rebex TLS Proxy.
Can you please help me with any application/software that can help me create an FTP-aware proxy?
The link that you provided helps but I am looking for some already existing app that can do this.
by (150k points)
So what you actually need is a proxy that would make it possible for plain FTP clients (with no TLS support) to connect to FTPS (FTP over SSL/TLS) servers? (The communication between the FTP client and the proxy would then be unencrypted, while communication between the proxy and FTP server would be protected by TLS/SSL).

If the FTPS server is under the customer's control, and the following conditions are met:

- The FTP server supports FTP/SSL in implicit mode (on port 990)
- FTP clients can be configured to use passive mode
- The customer can limit the port range used by the server for FTP data to (for example) 50000-50099

Then you might actually be able to use Rebex TLS Proxy for that. But in addition to configuring port 21(unsecure)--->port 990(SSL), you would have to do the same for all those 100 ports (separately). That should work, although we have never actually tried that.

Of course, an FTP-aware proxy that does the mapping automatically would be a better solution, because that would make it possible to use FTP clients in active mode, and remove the need to limit the port range. But unfortunately, I'm not aware of any third-party proxy that can do that, and I was not able to find any.
If you are interested, we could add this feature to Rebex TLS Proxy for a one-time fixed fee. Please see https://www.rebex.net/support/services/ for details.
...
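What "FTP-aware" means in practice, as an added example that is not part of the original thread and is not Rebex code: the proxy reads each 227 passive-mode reply on the decrypted control channel, validates it, and rewrites it so the data connection also goes through the proxy, which it cannot do while the control channel stays TLS-encrypted end to end. The addresses and function names are assumptions; the port range is the 50000-50099 example from the answer above, with a 1:1 port mapping assumed.

```python
import re

# Constructed values for illustration (only the port range comes from the thread).
PROXY_IP = "192.0.2.10"             # hypothetical address plain FTP clients connect to
DATA_PORTS = range(50000, 50100)    # the 50000-50099 example range, forwarded 1:1

_PASV = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _PASV.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    # The port is sent as two bytes: high byte first, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def rewrite_pasv(reply, server_ip):
    """Rewrite the server's 227 reply so the client's data connection hits the proxy.

    Rejects a reply that names a host other than the server, or a port
    outside the range the proxy forwards, instead of passing it on.
    """
    host, port = parse_pasv(reply)
    if host != server_ip:
        raise ValueError(f"227 reply names unexpected host {host}")
    if port not in DATA_PORTS:
        raise ValueError(f"data port {port} is outside the forwarded range")
    h = PROXY_IP.replace(".", ",")
    return f"227 Entering Passive Mode ({h},{port >> 8},{port & 0xFF})\r\n"

if __name__ == "__main__":
    # Constructed sample replies from a hypothetical server at 198.51.100.7
    samples = [
        "227 Entering Passive Mode (198,51,100,7,195,100)\r\n",  # port 50020
        "227 Entering Passive Mode (198,51,100,7,4,1)\r\n",      # port 1025
    ]
    for s in samples:
        try:
            print(rewrite_pasv(s, "198.51.100.7").strip())
        except ValueError as e:
            print("rejected:", e)
```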