Does .NET FtpWebRequest Support Both Implicit (FTPS) and Explicit (FTPES)

Does .NET FtpWebRequest Support both Implicit (FTPS) and explicit (FTPES)?

As far as I know, the current (.NET 2.0 and 3.5) version of FtpWebRequest supports Explicit SSL only.

Actually, .NET 2.0 does not currently support implicit SSL, only explicit. We will consider adding this for a future release.

JonCole - MSFT, Moderator, at MSDN forum post

If you need to use both Implicit and Explicit TLS/SSL, you have to try one of the third-party FTP/SSL components. The following code uses our Rebex FTP/SSL and is taken from the tutorial page.

Explicit TLS/SSL

The client connects to the FTP server in the usual non-protected way, usually to port 21, which was assigned to the FTP protocol. When it is desired to protect the connection using SSL, an SSL negotiation is initiated, the control connection is secured, and all following communication is protected.

// Create an instance of the Ftp class. 
Ftp ftp = new Ftp();

// Connect securely using explicit SSL.
// Use the third argument to specify additional SSL parameters.
ftp.Connect(hostname, 21, null, FtpSecurity.Explicit);

// Connection is protected now, we can log in safely.
ftp.Login(username, password);

Explicit protection means that it is possible to secure the connection at any moment. If you don't know whether you will need the protection or not at the connection time, you might want to connect using the ordinary unencrypted FTP protocol and secure the connection later.

Ftp ftp = new Ftp();

// Connect to the server with no protection.
ftp.Connect(hostname, 21);

// Upgrade connection to SSL.
// This method also accepts an argument to specify SSL parameters.
ftp.Secure();

// Connection is protected now, we can log in safely.
ftp.Login(username, password);

Implicit SSL protection of the FTP session

FTPS protocol was originally assigned a separate port by the IANA. Upon connection to this port, an SSL negotiation starts immediately and the control connection is secured. All data connections are also secured implicitly in the same way. This is similar to the approach used by HTTPS.

This approach is not favored by the IETF and is deprecated. It is supported by Rebex FTP/SSL for interoperability with older servers, but it is strongly recommended to use the explicit protection instead whenever possible.

Ftp ftp = new Ftp();

// Connect securely using implicit SSL.
// Use the third argument to specify additional SSL parameters.
ftp.Connect(hostname, 990, null, FtpSecurity.Implicit);

// Connection is protected now, we can log in safely.
ftp.Login(username, password);

You may download the component at rebex.net/ftp-ssl.net/

C# FTPS FtpWebRequest set passive mode to use port range

The FTP passive port range is a server-side configuration.

You do not set the passive port range on the client side – neither FileZilla nor Total Commander has such a configuration option either. The FTP client uses the port chosen by the server.


Your actual problem is rather that .NET/FtpWebRequest does not support implicit TLS/SSL:

Does .NET FtpWebRequest Support both Implicit (FTPS) and explicit (FTPES)?

Upload file to implicit FTPS server in C# with TLS session reuse

You can use WinSCP .NET assembly.

It supports implicit TLS (port 990). And uses OpenSSL TLS implementation (not .NET Framework), so it should not have the problem that FluentFTP has. It definitely works for me against FileZilla FTP server, even with session resumption requirement turned on.

SessionOptions sessionOptions = new SessionOptions
{
    Protocol = Protocol.Ftp,
    HostName = "ftp.example.com",
    UserName = "username",
    Password = "password",
    FtpSecure = FtpSecure.Implicit,
    TlsHostCertificateFingerprint = "xx:xx:xx:...",
};

using (Session session = new Session())
{
    session.Open(sessionOptions);

    session.PutFiles(localPath, remotePath).Check();
}

(I'm the author of WinSCP)

For more references about the problem, see also Can connect to FTP using FileZilla or WinSCP, but not with FtpWebRequest or FluentFTP.

FtpWebRequest working with Explicit TLS/SSL

There are multiple questions, let's try to address them one by one:

Why delete works but upload, download and list doesn't?

FTP protocol uses two separate connections. First (called control connection) is used for commands with simple response - such as login, delete, make directory etc. Usually it runs on port 21.

When FTP client requests data transfer operation another connection (called data connection) is established. In active mode the FTP server connects to the client, and in passive mode the client connects to the server. If this connection is blocked by a firewall the data transfer operation fails. Data transfer operations are upload, download and also directory listing. This is why delete works while list does not.

The server returned an address in response to the PASV command that is different than the address to which the FTP connection was made

In passive mode FTP conversation goes as follows:

client: PASV
(I would like to transfer files. Tell me which port and IP address I should use.)

server: 227 Entering Passive Mode (172,16,3,4,204,173)
(ok, use port 52397 on IP address 172.16.3.4.)

client: connects to this IP address/port and starts data transfer.

It can cause problems on FTP servers with multiple IP addresses. I've encountered some FTP servers which have a public IP address (let's say 1.2.3.4) and a private one (192.168.2.3).

When the FTP client connected to the public IP address (1.2.3.4) and requested a data transfer operation, the server instructed it to use the private IP address (192.168.2.3). That is impossible because it was NATed.

Solution

Switching to Active mode.

In active mode the FTP server connects to the FTP client for data transfers. It would solve this issue, but is not firewall friendly. It will not work when incoming connections are blocked (very common).

Ignoring the IP address sent as response to the PASV command

If the FTP server IP address is a public one, and the IP address returned as a response to the PASV command is from a private range (such as 10., 192.168.), then the FTP client should use the public IP address.

This is exactly what our Rebex FTP does in such a situation. It works well (this behavior can be switched off). I don't know whether a similar workaround is possible with FtpWebRequest.

You can download trial and check whether it solves your problem.
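
The PASV handling described in the answer above, as an added C# example (not part of the original answers, and not Rebex or .NET Framework code): it parses a 227 reply, computes the data port, and falls back to the control-connection address when a public server advertises a private one. The class and method names are hypothetical, the addresses in Main are constructed samples, and refusing any other mismatched address is this example's own policy for the condition the quoted error message describes.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class PasvEndpoint // hypothetical helper, IPv4 only (PASV carries no IPv6)
{
    // The six comma-separated numbers h1,h2,h3,h4,p1,p2 of a 227 reply.
    static readonly Regex Reply227 = new Regex(
        @"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})");

    // RFC 1918 private ranges plus loopback.
    static bool IsPrivate(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes();
        return b[0] == 10 || b[0] == 127
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168);
    }

    // Decide where the client should open the data connection.
    public static IPEndPoint Resolve(string reply, IPAddress control)
    {
        Match m = Reply227.Match(reply);
        if (!m.Success)
            throw new FormatException("Not a 227 reply: " + reply);

        var n = new byte[6];
        for (int i = 0; i < 6; i++)
            n[i] = byte.Parse(m.Groups[i + 1].Value); // values above 255 throw

        var advertised = new IPAddress(new[] { n[0], n[1], n[2], n[3] });
        int port = n[4] * 256 + n[5]; // e.g. 204,173 -> 52397

        if (advertised.Equals(control))
            return new IPEndPoint(advertised, port);
        // NAT case: private address advertised by a server reached on a public one.
        if (IsPrivate(advertised) && !IsPrivate(control))
            return new IPEndPoint(control, port);
        // Any other mismatch would send the data connection to a third host.
        throw new InvalidOperationException("PASV address differs: " + advertised);
    }

    static void Main()
    {
        var control = IPAddress.Parse("203.0.113.10"); // constructed sample address
        Console.WriteLine(Resolve("227 Entering Passive Mode (172,16,3,4,204,173)", control));
        Console.WriteLine(Resolve("227 Entering Passive Mode (203,0,113,10,204,173)", control));
        try { Resolve("227 Entering Passive Mode (198,51,100,7,204,173)", control); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Substituting the control-connection address keeps the data connection on the same host that presented the TLS certificate, which is why only the private-address case is rewritten and other mismatches are refused.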

C# FTPS freeze/timeout when connecting to port 990

The .NET framework (FtpWebRequest) does not support an implicit TLS/SSL. Only explicit, see:

Does .NET FtpWebRequest Support both Implicit (FTPS) and explicit (FTPES)?

So, you cannot connect to the port 990 (implicit TLS/SSL).


Though as your FTP server most likely supports the explicit TLS/SSL too, just use it. You already set the EnableSsl (which is explicit TLS/SSL). So just connect to the default port 21 and it's done:

var ftpServerIP = "Ftp.company1.company2.nl"; 

(no explicit port needs to be specified, as the 21 is the default)


In the rare situation that your server does not support the explicit TLS/SSL, you need to use a 3rd party FTP client library. Some are mentioned in the question linked above. My WinSCP .NET assembly supports the implicit FTPS too. As you have already made the connection work with WinSCP GUI, using the implicit TLS/SSL, you can have a code template generated.


