Support SNI

dhales

Support SNI

Just looking to get confirmation that WinSCP supports SNI. Can't find any reference within the documentation provided.

martin
Site Admin
Location:
Prague, Czechia

Re: Support SNI

WinSCP does not support SNI atm.
It should not be a problem to add it, though.
Do you have a server, where we can test it?

sample_size_one

WinSCP FTP with SNI

An update for an old thread:
WinSCP *does* currently support SNI, as of the creation of this reply. Use the following items (which might need to be tweaked based on the web server you are using, the port, etc.). The following should work with sites created with IIS 10 requiring TLS.

File protocol: FTP
Encryption: Explicit (appropriate for using port 21; might need to be adjusted if using 990)
Host name: ftp.yoursitename.com (replace with the appropriate SNI for your site)
User name: ftp.yoursitename.com|login_username (see note below if you are using the command-line)

***Using WinSCP.com***
If you can log in using the GUI, simply go to Session -> Generate Session URL/code, and choose PowerShell from the dropdown. This will perform the necessary character escaping for you. Some examples of characters that need escaping: the pipe character (from the user name), double quotes (escaped with the "tic" mark (`)), and most "special characters".

rlaager

SNI Not Supported

When using FTP with either explicit or implicit TLS, in the TLS ClientHello, WinSCP 5.7.17 on Windows 10 is not sending SNI (server name indication). I would like it to do so.

ProFTPD as of 1.3.7 (1.3.7rc3) supports SNI. The release notes say, "mod_tls now honors client-provided SNI as part of the TLS handshake, for implementing name-based virtual hosts via TLS SNI." http://www.proftpd.org/docs/RELEASE_NOTES-1.3.7a

Now that ProFTPD supports SNI and free certificates are trivially available via Let's Encrypt, it is feasible to configure name-based virtual hosts for FTP. A shared hosting server that supports example1.com, customer2.com, and site3.com can serve the three different certificates based on what the client sends as SNI. That way, each customer can configure their FTP client using their own site's domain. Traditionally, they would need to know the server name, which might be something.myhostingcompany.com. The SNI name-based configuration is more user-friendly. This is the same model used for HTTPS, so it's something that administrators are already familiar with.

Having SNI support in WinSCP would be really nice. Other clients already support SNI. lftp, the command line client on Linux, supports SNI. FileZilla supports SNI. (FileZilla doesn't do certificate validation at all; users always have to approve the certificate. That is less than ideal.)

The previous comment suggests that WinSCP supports SNI: https://winscp.net/forum/viewtopic.php?t=27515#96729. It suggests adding the hostname to the front of the username with a pipe as the separator. That doesn't seem to change anything regarding SNI. Even if it did, I would like to see the SNI support be automatic. WinSCP should automatically send the configured Site's "Host name" as the SNI.

Hopefully this is easy to implement. In theory, this should be one call from the application layer into the TLS library. I think WinSCP might use OpenSSL. If so, use SSL_set_tlsext_host_name(). The right place to add it might be InitSSLConnection() in source/filezilla/AsyncSslSocketLayer.cpp, in the "if (clientMode)" block around line 683.

If you need a server to test with, please get in touch: rlaager@wiktel.com
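The check this post describes (looking at the TLS ClientHello to see whether a client sends SNI) as an added example; this is not code from WinSCP, ProFTPD or any poster. It generates a ClientHello locally with Python's ssl module, which sends SNI only when a server_hostname is given (the same switch as SSL_set_tlsext_host_name() in OpenSSL), then parses the server_name extension out of it; ftp.example.com is a constructed name and nothing touches the network.

```python
import ssl
import struct


def extract_sni(record: bytes):
    """Return the server_name carried in a TLS ClientHello record, or None."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1), 0x01 = ClientHello, then length(3)
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos >= len(hs):
        return None                                      # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000:                           # server_name (RFC 6066)
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None                                          # client sent no SNI


def build_client_hello(server_hostname):
    """Produce the ClientHello a Python/OpenSSL client would send, offline.
    SNI is emitted only when server_hostname is given, mirroring a client
    that does or does not set the TLS host name before the handshake."""
    ctx = ssl.create_default_context()
    if server_hostname is None:                          # nothing to verify against
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                             # client now awaits ServerHello
    return outgoing.read()                               # the raw ClientHello record
```

Feed extract_sni() the first record of a captured FTP AUTH TLS handshake to see which name (if any) a client announces; a name-based virtual host such as ProFTPD mod_tls picks its certificate from exactly that value.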
