Secure FTP synchronization

Post by Mariovaisman » May 11th, 2018, 4:39 am

Hi,
I am working on a project where, for testing, we are using unencrypted FTP, and it is working fine.
Now, for the same user, we also permit access using FTPS. I tested the access using the FileZilla client and Total Commander, and both connections are working fine.
When I tried to connect using FTPS (the same with FTPES), I received the following message in CSPro on an Android device:

Error connecting to server:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertPathValidatorException: Trust anchor
for certification path not found.

Then the connection cannot be made.

The FTP server for normal FTP is: ftp_server = "xxxxx.ng";
The FTP server for FTPS and for FTPES is: ftp_server = "ftps://xxxxx.ng"; or ftp_server = "ftpes://xxxxx.ng";

if !syncconnect(FTP, ftp_server, ftp_user, ftp_password) then
errmsg("error accessing ftp server");
...

xxxxx.ng is not the real server name (I am not posting it here for security reasons).

Please let me know why I cannot connect to a secure FTP server and/or what I can do to access a secure FTP server.

My equipment is a Samsung with Android version 7.0.

Thanks

Mario


Post by josh » May 11th, 2018, 6:50 am

That error probably means that you are using a self-signed SSL certificate, a certificate issued by an authority that Android does not know about, or that the certificate on the server is not correctly installed. See "Common problems verifying server certificates" on this page for a more detailed explanation: https://developer.android.com/training/ ... curity-ssl

The solution that they propose in Java on that page for creating your own trust store is not supported in CSPro and besides is not a good idea from a security perspective anyway.

For a self-signed certificate, you should be able to add the server's certificate to the trusted certificates on the device. Directions are here: https://cheapsslsecurity.com/blog/insta ... n-android/ I tested this a while back on Android version 4 and it worked, but it could have changed in more recent versions. I had to set up a PIN code on the device in the security settings in order to be able to add certificates.

The best option, from a security perspective, is not to use a self-signed certificate but to get one from a trusted authority and to make sure that the intermediate CAs are correctly configured on the server. Most certificate issuers charge money, although recently the service "Let's Encrypt" has started offering free certificates if you can install their software on your server.
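
The three causes listed in the answer above can be told apart with the OpenSSL command line. The script below is an added example, not part of the original posts or of CSPro: it builds a constructed root, intermediate, leaf and self-signed certificate in a temporary directory and classifies each chain by the `openssl verify` error number. The names `mkcert` and `classify_chain` and the result labels are illustrative.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed test material.

# mkcert NAME [ISSUER] [EXTFILE]: writes NAME.key and NAME.pem (self-signed if ISSUER is empty).
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ -n "${2:-}" ]; then
        openssl x509 -req -in "$1.csr" -days 2 -out "$1.pem" \
            -CA "$2.pem" -CAkey "$2.key" -CAcreateserial ${3:+-extfile "$3"} 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -days 2 -out "$1.pem" \
            -signkey "$1.key" ${3:+-extfile "$3"} 2>/dev/null
    fi
}

# classify_chain TRUST_PEM LEAF_PEM [SENT_INTERMEDIATES_PEM]
# TRUST_PEM plays the device trust store; SENT_INTERMEDIATES_PEM is what the server sends.
classify_chain() {
    out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
    case $out in
        *"error 18 at"*)         echo self-signed ;;      # leaf signed by its own key
        *"error 19 at"*)         echo untrusted-root ;;   # chain ends in an unknown root
        *"error 2 at"*)          echo untrusted-root ;;
        *"error 20 at 0 depth"*) echo incomplete-chain ;; # leaf's issuer neither sent nor trusted
        *"error 20 at"*)         echo untrusted-root ;;   # chain was sent, but its root is unknown
        *": OK"*)                echo ok ;;
        *)                       echo other ;;
    esac
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT && cd "$d" || exit 1
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
mkcert root "" ca.ext        # constructed root CA
mkcert inter root ca.ext     # constructed intermediate CA
mkcert leaf inter            # server certificate issued by the intermediate
mkcert selfsigned            # self-signed server certificate

echo "self-signed server cert:     $(classify_chain root.pem selfsigned.pem)"
echo "CA not in the trust store:   $(classify_chain selfsigned.pem leaf.pem inter.pem)"
echo "intermediate not sent:       $(classify_chain root.pem leaf.pem)"
echo "full chain and trusted root: $(classify_chain root.pem leaf.pem inter.pem)"
```

Against a real server, the chain it sends on explicit FTPS can be captured with `openssl s_client -connect HOST:21 -starttls ftp -showcerts` and checked the same way.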

