Warning: --ssl is an insecure option, consider --ssl-reqd instead · Issue #669 · git-ftp/git-ftp · GitHub

Warning: --ssl is an insecure option, consider --ssl-reqd instead #669

@bantu

Hello.

I am seeing this in my log output

Warning: --ssl is an insecure option, consider --ssl-reqd instead

It looks like this is caused by the statement at git-ftp/git-ftp, line 944 in db8caeb:

    REMOTE_CMD_OPTIONS+=("--ssl")

and indeed I am using ftpes.

It looks like the curl option --ssl tries to use TLS while the --ssl-reqd option enforces it or fails, so the recommendation to use --ssl-reqd seems sensible.

From the curl man page:

       --ssl  (FTP IMAP POP3 SMTP LDAP) Warning: this is considered an insecure option. Consider using --ssl-reqd instead to be sure curl upgrades to a secure connection.

              Try  to  use SSL/TLS for the connection. Reverts to a non-secure connection if the server does not support SSL/TLS. See also --ftp-ssl-control and --ssl-reqd for different
              levels of encryption required.

              This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and ignored by the generic ldap backend.

              Please note that a server may close the connection if the negotiation does not succeed.

              This option was formerly known as --ftp-ssl. That option name can still be used but will be removed in a future version.

              Providing --ssl multiple times has no extra effect.  Disable it again with --no-ssl.

              Example:
               curl --ssl pop3://example.com/

              See also --ssl-reqd, -k, --insecure and --ciphers.
       --ssl-reqd
              (FTP IMAP POP3 SMTP LDAP) Require SSL/TLS for the connection. Terminates the connection if the transfer cannot be upgraded to use SSL/TLS.

              This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and rejected by the generic ldap backend if explicit TLS is required.

              This option is unnecessary if you use a URL scheme that in itself implies immediate and implicit use of TLS, like for FTPS, IMAPS, POP3S, SMTPS and LDAPS.  Such  transfers
              will always fail if the TLS handshake does not work.

              This option was formerly known as --ftp-ssl-reqd.

              Providing --ssl-reqd multiple times has no extra effect.  Disable it again with --no-ssl-reqd.

              Example:
               curl --ssl-reqd ftp://example.com

              See also --ssl and -k, --insecure.
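
The distinction quoted above (--ssl falls back to a non-secure connection, --ssl-reqd terminates instead) can be checked for mechanically in scripts that build curl command lines. The following is an added example, not part of the original issue or of git-ftp; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag curl's opportunistic TLS option in shell scripts.
# Function names are hypothetical; they are not part of git-ftp or curl.

# Print "LINE:TEXT" for every non-comment line of FILE that passes --ssl
# (or its former name --ftp-ssl) as a whole option. Longer options such as
# --ssl-reqd, --ftp-ssl-reqd, --ftp-ssl-control, --no-ssl and
# --ssl-no-revoke are not reported.
find_opportunistic_tls() {
    local file=$1
    grep -nE -e '(^|[^[:alnum:]-])--(ftp-)?ssl($|[^[:alnum:]-])' -- "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Return 1 when FILE contains a finding, so the check can gate a CI job.
require_enforced_tls() {
    local findings
    findings=$(find_opportunistic_tls "$1")
    if [ -n "$findings" ]; then
        printf 'opportunistic TLS, use --ssl-reqd:\n%s\n' "$findings" >&2
        return 1
    fi
}

# Constructed sample input (only the first line mirrors the statement
# quoted in the issue; the rest are made up to exercise the matcher).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
REMOTE_CMD_OPTIONS+=("--ssl")
REMOTE_CMD_OPTIONS+=("--ssl-reqd")
# --ssl would fall back to a non-secure connection
curl --ftp-ssl -T file ftp://example.com/
curl --no-ssl --ssl-no-revoke ftp://example.com/
curl --ssl
EOF
find_opportunistic_tls "$sample"   # reports lines 1, 4 and 6
```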
