Re: Extent of SSL support in libcurl?

On Thu, 31 Oct 2002, Dave Halbakken wrote:

> I just noticed this in the 7.10 TODO document:
>
> "* Add FTPS support with SSL for the data connection too.  This should
> be made according to the specs written in
> draft-murray-auth-ftp-ssl-08.txt, "Securing FTP with TLS""
>
> Does this mean libcurl's data connection when using SSL is all in the clear?

It means that when you use 'FTPS' with curl, it only uses SSL for the first,
the control, connection. FTPS is not a name of any standard protocol and the
approach curl currently supports is a rather quick hack to make it work with
a ftps server that offerered exactly this mode of operation.

I know this is rather limited and the TODO item was added there since most
(or at least many) people who want a full and secure FTP server connection
want a full implementation.

> I also noticed that the current version of that ftp-ssl draft is
> draft-murray-auth-ftp-ssl-10.txt. In that draft, the use of AUTH TLS is
> recommended over the now-deprecated implicit SSL.

TLSv1 is basicly SSLv3, they're very similar. In curl terms we often talk
about SSL as a general term and it often means "SSL or TLS". The OpenSSL
library supports SSLv2, SSLv3 and TLSv1 fine.

> Does anyone know whether there is support in libcurl for AUTH TLS?

I know that there is none. I would of course like to see it added.