Add FTP Support for the TLS/SSL Inspector
reviewed
Roar Support
Currently, the SSL Inspector tied to an FTP site returns an error indicating a failure to load the certificate. For example:
Timed Out. Details: Error: Command failed: openssl s_client -connect recordings.redeo.com:21 -servername recordings.redeo.com 2>/dev/null | openssl x509
unable to load certificate
139920370834304:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:pem/pem_lib.c:694:Expecting: TRUSTED CERTIFICATE
We suspect this is because the inspector does not support the FTP protocol or the STARTTLS mechanism required for retrieving SSL/TLS certificates from FTP servers.
This is important because FTP over TLS/SSL is a common protocol for secure file transfers, and its certificate information is vital for ensuring secure communications. Without support for this protocol, the SSL Inspector is unable to provide critical certificate data for FTP servers, which is a gap in its functionality.
Modify the SSL Inspector to support retrieving certificates from FTP servers using the STARTTLS mechanism.
For reference, the following command executed on a Linux device successfully retrieves the SSL certificate from an FTP server:
openssl s_client -starttls ftp -connect sales.redeo.com:21
By implementing this enhancement, the SSL Inspector would be able to handle FTP servers, broadening its utility and ensuring compatibility with common secure communication protocols.
Merged in a post:
FTPS SSL Certificate Monitoring
Neil Groulx
I really appreciate how Liongard can automatically monitor SSL certificates for our websites—it's been a huge help. However, we also rely on FTPS (FTP over TLS) for secure file transfers, and we'd love to manage those certificates in Liongard too. Being able to see certificate expirations and validity for all our services in one place, rather than juggling separate tools, would make our workflow much smoother and help ensure nothing slips through the cracks.
Ideally, Liongard would detect and handle both Explicit and Implicit FTPS connections. For Explicit FTPS (on port 21), it would upgrade the connection with an AUTH TLS command, and for Implicit FTPS (on port 990), it would connect directly over SSL/TLS. Then, just like with HTTPS monitoring, Liongard would collect the certificate chain details, track expiration dates, and alert us before any issues occur. That unified dashboard for all SSL/TLS certificates—websites and FTPS alike—would be a big win for our team.
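The explicit (AUTH TLS on port 21) and implicit (port 990) FTPS flows described in these requests, as an added Python example; it is not Liongard's code and not part of either post. The function names are hypothetical, and certificate verification is disabled on purpose because an inspector has to read expired or self-signed certificates, not trust them.

```python
import socket
import ssl

IMPLICIT_FTPS_PORT = 990  # implicit FTPS: TLS starts with the first byte

def read_reply(rfile):
    """Read one FTP reply, including multi-line '220-...' banners (RFC 959)."""
    def next_line():
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        return raw.decode("ascii", "replace").rstrip("\r\n")
    first = next_line()
    if len(first) < 3 or not first[:3].isdigit():
        raise ConnectionError(f"malformed FTP reply: {first!r}")
    lines = [first]
    if first[3:4] == "-":
        # A multi-line reply ends at the line '<same code><space>...'.
        while not lines[-1].startswith(first[:3] + " "):
            lines.append(next_line())
    return int(first[:3]), lines

def negotiate_auth_tls(sock):
    """Explicit FTPS: consume the banner, send AUTH TLS, require reply 234."""
    rfile = sock.makefile("rb")
    code, lines = read_reply(rfile)
    if code != 220:
        raise ConnectionError(f"unexpected banner: {lines[-1]}")
    sock.sendall(b"AUTH TLS\r\n")
    code, lines = read_reply(rfile)
    if code != 234:
        raise ConnectionError(f"server refused AUTH TLS: {lines[-1]}")
    return lines

def fetch_ftps_cert_pem(host, port=21, timeout=10):
    """Return the server's leaf certificate as PEM text."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # collected for review, never trusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port != IMPLICIT_FTPS_PORT:
            negotiate_auth_tls(sock)  # plaintext FTP until the 234 reply
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)
```

The PEM text returned by `fetch_ftps_cert_pem` can be passed to `openssl x509` for the expiry and subject fields, which is the step that fails in the error output quoted at the top of this request.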