cschlosser / drone-ftps

Deploy to FTPS server from Drone CI build
https://hub.docker.com/r/cschlosser/drone-ftps/
Apache License 2.0

connect to FTP host without SSL #2

Closed servusoft closed 6 years ago

servusoft commented 6 years ago

I have an issue connecting to an FTP host without SSL.

An additional parameter needs to be set: set ftp:ssl-allow $PLUGIN_SSL_ALLOW;

francoishill and harriswan9a have a solution: https://github.com/francoishill/drone-ftps/blob/master/upload.sh#L41 https://github.com/harriswan9a/drone-ftps/blob/master/upload.sh#L41

Would you extend the plugin like this?

cschlosser commented 6 years ago

May I ask why you want to connect without SSL? SSL is cheap (self or Let's Encrypt).

servusoft commented 6 years ago

Some web hosts do not support SSL for FTP, and there are no options to change the behavior. The SSL connection may exist, but can have the root access of the server. I must use other plugins, because your plugin fails.

It would be nice if your plugin supported transfer without SSL too.

divadsn commented 6 years ago

I can confirm that the plugin works without SSL by using secure: false, see here: https://github.com/LawnchairLauncher/lawnchair.info/blob/master/.drone.yml#L6

cschlosser commented 6 years ago

See https://lftp.yar.ru/lftp-man.html for documentation. I still stand by my point that SSL should be used for transfers on the web. You can use my plugin with common FTP but there's a reason why I set the default value for secure to true.

servusoft commented 6 years ago

For me cschlosser/drone-ftps fails with the error: mirror: Fatal error: Certificate verification: unable to get local issuer certificate (C2:5D:5B:C0:2F:6E:5E:2F:9A:BB:79:1D:19:E4:1E:42:84:C9:20:DE) but hwan9/drone-ftps or francoishill/drone-ftps works fine.

    image: cschlosser/drone-ftps # SSL Error!
    # image: hwan9/drone-ftps
    # image: francoishill/drone-ftps

    hostname: ftp.host.cc:21
    username: user
    secrets: [ ftp_password ]

    secure: false
    ssl_allow: false

divadsn commented 6 years ago

@servusoft you are using it wrong, username is a secret now.

servusoft commented 6 years ago

Same behavior with ftp_username as secret:

    image: cschlosser/drone-ftps # SSL Error!
    hostname: ftp.host.cc:21
    secrets:
     - ftp_username
     - ftp_password

    secure: false

I think the hosting provider does not support SSL (FTPS), and it can only be overridden with SSL_ALLOW=false and set ftp:ssl-allow $PLUGIN_SSL_ALLOW; like https://github.com/harriswan9a/drone-ftps

I agree, SSL should be used wherever possible. But it should also be possible to use the plugin if it does not work.

cschlosser commented 6 years ago

From what I can gather from your info, your host's FTP server configuration is broken. The host accepts secure connections but the certificate provided is invalid (missing intermediate cert, expired, ...). You should contact your host about this problem.

Regardless, I will add your requested option because insecure is insecure anyway.

divadsn commented 6 years ago

I think the hosting provider does not support SSL (FTPS), and it can only be overridden with SSL_ALLOW=false and set ftp:ssl-allow $PLUGIN_SSL_ALLOW; like

I am running the plugin and connecting to a ProFTP server without SSL (have not set up FTPS) and it works for me. What exactly does your hoster use?

servusoft commented 6 years ago

@divadsn: My provider is https://www.netcup.eu/hosting/ I created an FTP test account: Details removed by @christophschlosser: Never post username and password combinations on the internet.

and tested it on image: cschlosser/drone-ftps

With secure: true I get: mirror: Fatal error: Certificate verification: subjectAltName does not match ‘hosting10923.af93d.netcup.net’ (C2:5D:5B:C0:2F:6E:5E:2F:9A:BB:79:1D:19:E4:1E:42:84:C9:20:DE)

With secure: false it works fine. Big thanks to christophschlosser!

@christophschlosser: One more (additional) option would be to use a (wrongly configured) SSL certificate, but the verification error will be suppressed: https://serverfault.com/questions/411970/how-to-avoid-lftp-certificate-verification-error

I think, if SSL is wrongly configured, an FTPS file transfer with a wrong certificate makes more sense than a file transfer without SSL.

divadsn commented 6 years ago

with secure: true I get: mirror: Fatal error: Certificate verification: subjectAltName does not match ‘hosting10923.af93d.netcup.net’ (C2:5D:5B:C0:2F:6E:5E:2F:9A:BB:79:1D:19:E4:1E:42:84:C9:20:DE)

So your hoster accepts and uses secure connections, but it rather fails on checking the certificate.

Ok, now I get it. Unlike on my setup, I have secure connections disabled and my FTP server isn't asking the client to use a secure connection, while on your hoster's that's the case, which is why it failed.

Rather ask your hoster why they are forcing FTP clients to connect via invalid SSL.

cschlosser commented 6 years ago

@servusoft Never post username and password combinations on the internet.

Suppressing invalid certs or connecting without security is essentially the same.

Even though I fixed this, please contact your hoster and demand a reason why his FTP config is broken. If he doesn't provide one, I highly advise switching your hoster.
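
The three transport postures argued over in this thread, written out as lftp settings. This is an added example, not part of any comment here and not the plugin's own upload.sh; the function names and mode names are hypothetical, and the CA bundle path is a caller-supplied placeholder.

```shell
#!/bin/sh
# Added example. The lftp variables below are real lftp settings (see the
# lftp man page); the mode names and function names are hypothetical.

# lftp_tls_settings MODE [CA_FILE]
#   verified   - FTPS required, certificate chain and hostname checked
#   unverified - FTPS required, certificate not checked: traffic is encrypted
#                but the server is unauthenticated
#   plain      - no TLS at all: credentials and files travel in clear text
lftp_tls_settings() {
    mode=$1
    ca_file=${2:-}
    case $mode in
        verified)
            out='set ftp:ssl-force true; set ftp:ssl-protect-data true;'
            out="$out set ssl:verify-certificate true; set ssl:check-hostname true;"
            # Optional: trust a specific CA bundle (for example the hoster's
            # chain) instead of switching verification off.
            if [ -n "$ca_file" ]; then
                out="$out set ssl:ca-file \"$ca_file\";"
            fi
            ;;
        unverified)
            out='set ftp:ssl-force true; set ftp:ssl-protect-data true;'
            out="$out set ssl:verify-certificate false;"
            ;;
        plain)
            out='set ftp:ssl-allow false;'
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
    printf '%s\n' "$out"
}

# mode_from_flags SECURE VERIFY: map two boolean options (hypothetical names)
# to a mode. Only the literal string "false" relaxes anything, so a typo in
# either value fails closed to the verified posture.
mode_from_flags() {
    if [ "$1" = "false" ]; then
        echo plain
    elif [ "$2" = "false" ]; then
        echo unverified
    else
        echo verified
    fi
}
```

The emitted string is meant to be placed in front of the transfer command passed to lftp, so the posture in use is visible in the build log.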

servusoft commented 6 years ago

@christophschlosser: About user and pass, I am aware. The FTP root was not in the /httpdocs folder, there is no security hole. The test account is now deleted.

The invalid certs may be a security issue, but with transfer over SSL there are significantly fewer attack options.

I have a valid LE certificate for my web, but the FTP server on my hoster uses ProFTPD with a wildcard certificate like CN=*.provider.net.

I think most hosters use a separate FTP server and it's not possible to configure the SSL certs from all customers for all hosted domains. With another hoster I possibly have the same issue.

I created a new issue; for me it works fine: https://github.com/christophschlosser/drone-ftps/issues/3