Opened 14 years ago

Last modified 14 years ago

#2581 closed Feature request

Implicit FTP PBSZ 0 and PROT P optional requirement

Reported by: sstaden Owned by:
Priority: normal Component: FileZilla Server
Keywords: Cc: sstaden, Tim Kosse
Component version: Operating system type:
Operating system version:


When using implicit FTP (PORT 990) it seems that the FileZilla Server (0.9.20) is requiring PBSZ 0 and PROT P to be passed to it for the data connection.

This is defined in the RFC2228 (, but the RFC does not indicate whether it's for Implicit or Explicit. Many clients do not have this by default for implicit mode.

However, I'm not sure whether this might be a bug instead since I didn't have the "force PROT P to encrypt data channel in SSL/TLS mode" option checked.

Change History (4)

comment:1 by Tim Kosse, 14 years ago

I won't change current behaviour. Both RFC 2228 and RFC 4217 define default protection data level as clear (PROT C). Please refrain from using broken clients.

comment:2 by sstaden, 14 years ago

Thank your for your quick response. I was hoping for some clarification, it seems that Implicit mode is REQUIRING PROT P by default with the option to force NOT checked, would that be expected?

I think it's a little premature to assume I'm using a broken client. I'm able to connect just fine when I add the additional commands PROT P and PBSZ 0 when using implicit mode.

comment:3 by Tim Kosse, 14 years ago

Well the implicit part only convers the control connection. I couldn't find any specifications which could clarify this further. Even worse, it is considered bad style to use implicit SSL/TLS at all. It is recommended to use explicit TLS nowadays.

comment:4 by sstaden, 14 years ago

Interesting, I've seen the same advice about using explicit mode instead. However, the nice part about implicit mode is that it's a bit more firewall friendly as firewalls that inspect FTP choke when the AUTH command is sent. I've also read the argument that implicit mode starts off securely which explicit ftp does not until you issue the AUTH command. But that's outside the scope of all this.

That's a good point about implicit being used just for the control connection. So by default does the server require PROT P for the data connection? It seems like force PROT P option would toggle this on or off.

Note: See TracTickets for help on using tickets.