Xymon Mailing List Archive

ftps tests

Galen Johnson
Fri, 18 Dec 2015 18:19:43 +0000
Message-Id: <user-d6c042f40fb8@xymon.invalid>

Well, I was able to get it to connect using


openssl s_client -starttls ftp -crlf -connect remote.host:21


This dumps the cert as expected...


It should work the same as ftp/ftpd only using implicit ftps.  That said, I would have thought ftps would have worked but I expect under the covers xymonnet is just doing something different.  I doubt adding the following stanza would help:


[ftpstls]
   send "quit\r\n"
   expect "220"
   options ssl,banner
   port 21


Any thoughts on how we might be able to integrate this?


=G=


From: Xymon <xymon-bounces at xymon.com> on behalf of Galen Johnson <user-87f955643e3d@xymon.invalid>
Sent: Friday, December 18, 2015 1:03 PM
To: Jeremy Laidman; Japheth Cleaver; xymon at xymon.com
Subject: Re: [Xymon] ftps tests


Actually, it may not be as bad as all that.  openssl already supports this.  Not 100% sure but I thought Xymon leveraged that for the ssl connections.  I'm looking at https://www.madboa.com/geek/openssl/.  The syntax is not exactly correct there but I'm currently trying to amend it.  Looking at https://www.openssl.org/docs/manmaster/apps/s_client.html, the openssl s_client supports starttls for ftp (Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", and "irc.")


=G=


From: Jeremy Laidman <user-71895fb2e44c@xymon.invalid>
Sent: Thursday, December 17, 2015 10:16 PM
To: Galen Johnson; Japheth Cleaver; xymon at xymon.com
Subject: Re: [Xymon] ftps tests

On Fri, Dec 18, 2015 at 9:06 AM Galen Johnson <user-87f955643e3d@xymon.invalid> wrote:

oh...well I guess that would explain it :-).  It seems like it would be a useful function since starttls is a common implementation for various services (like ldaps...I would hope it handles that).

I agree that this would be useful.  However it's probably not trivial to implement.  Each protocol (FTP, LDAP, SMTP, etc) has its own dialogue to go through before the STARTTLS command can be issued, as well as negotiations to determine whether STARTTLS is supported, and how to handle in the negative.  These protocols don't even use the same command (POP uses "STLS", for example).
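As an added illustration of the per-protocol dialogue described above (this is example code, not from Xymon or either poster), here is the explicit FTP "AUTH TLS" exchange of RFC 4217 that a flat send/expect stanza cannot express: read the plain-text banner, ask for TLS, handle a refusal, and only then wrap the socket. It assumes only the Python standard library; the function names are invented for this example.

```python
import socket
import ssl

# Added example (not Xymon code): the explicit FTP "AUTH TLS" dialogue of
# RFC 4217 that a flat send/expect stanza cannot express. The plain-text
# banner and the AUTH TLS reply are read before TLS is started.

def read_reply(lines):
    """Parse one FTP reply from an iterator of text lines.

    Handles multi-line replies ("220-first" ... "220 last") and returns
    (code, [text lines]). Raises ValueError on a malformed first line.
    """
    first = next(lines)
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError("malformed FTP reply: %r" % first)
    code = first[:3]
    text = [first[4:].rstrip("\r\n")]
    if first[3:4] == "-":                       # multi-line: read to "NNN "
        for line in lines:
            body = line[4:] if line[:3] == code else line
            text.append(body.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return code, text

def classify_auth_tls(code):
    """Turn the reply code to AUTH TLS into a monitoring verdict."""
    if code == "234":
        return "tls-ok"             # server accepts; client now starts TLS
    if code in ("500", "502", "504", "534"):
        return "tls-unsupported"    # unknown, not implemented, or refused
    return "error"                  # e.g. 421 service not available

def probe_ftp_starttls(host, port=21, timeout=10):
    """Connect, negotiate AUTH TLS, QUIT, and return (verdict, peer cert)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1")
        code, _ = read_reply(rfile)
        if code != "220":
            return "no-banner", None
        sock.sendall(b"AUTH TLS\r\n")
        verdict = classify_auth_tls(read_reply(rfile)[0])
        if verdict != "tls-ok":
            sock.sendall(b"QUIT\r\n")
            return verdict, None
        ctx = ssl.create_default_context()      # verifies chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"QUIT\r\n")            # same QUIT the stanza sends
            return verdict, tls.getpeercert()
```

A failed handshake or certificate verification raises ssl.SSLError, which a wrapper would report as the test failure; a "tls-unsupported" verdict means the server never offered TLS at all.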