
Add SSL client authentication options configuration for legacy RSA FTPS servers

Open mamuleanu opened this issue 1 month ago • 2 comments

This PR adds a configuration hook that allows users to customize SslClientAuthenticationOptions before the TLS handshake, enabling support on Linux for legacy FTPS servers that only negotiate RSA key-exchange ciphers.

The problem:

On Linux, .NET’s SslStream does not offer RSA key-exchange cipher suites by default. As a result, FluentFTP cannot complete the TLS handshake on these servers unless it exposes SslClientAuthenticationOptions and allows a custom CipherSuitesPolicy.

Microsoft documents this behavior here.

The commits added:

  • Added ConfigureSslClientAuthenticationOptions property to FtpConfig that allows users to customize SslClientAuthenticationOptions before authentication
  • Updated TLS handshake code to use SslClientAuthenticationOptions pattern in both synchronous and async methods
  • Added example file demonstrating how to configure FluentFTP for legacy RSA-only servers

I've created a repository with instructions on how to reproduce the handshake error. The repository, including instructions on how to set up the environment, can be found here.

UPDATE:

As per PR feedback, the PR now adds an event handler that allows users to customize SslClientAuthenticationOptions before the TLS handshake, enabling support for legacy FTPS servers.

Changes:

  • Added FtpSslClientAuthenticationOptions event delegate and event args class - Infrastructure for the event
  • Added ConfigureSslClientAuthenticationOptions event to BaseFtpClient - Event handler that allows customization of SSL options
  • Added OnConfigureSslClientAuthenticationOptions helper method - Internal method to fire the event (following the same pattern as ValidateCertificate)
  • Added example file - ConnectFTPSLegacyRSA.cs demonstrating how to configure FluentFTP for legacy RSA-only servers

mamuleanu, Nov 22 '25 00:11
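
An added example (not code from this PR or from FluentFTP) of what a handler for such a pre-handshake hook could do with the options object, using only .NET's own types: it keeps forward-secret suites first, appends RSA key-exchange suites for the legacy server, and provides a check for whether a session actually fell back to them. How the PR's event args expose the options is not shown on this page, so the wiring is left out; the class and method names and the host name are made up for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Security;

static class LegacyRsaTls
{
    // Forward-secret suites stay first so a server that supports them
    // never falls back to static RSA key exchange.
    static readonly TlsCipherSuite[] Preferred =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    // RSA key-exchange suites (no forward secrecy), added only for the legacy host.
    static readonly TlsCipherSuite[] LegacyRsa =
    {
        TlsCipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA,
        TlsCipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
    };

    // Mutates the options in place, the way a pre-handshake hook would.
    public static void Apply(SslClientAuthenticationOptions options)
    {
        // CipherSuitesPolicy is not supported on Windows; constructing it throws there.
        if (OperatingSystem.IsWindows()) return;
        options.CipherSuitesPolicy = new CipherSuitesPolicy(Preferred.Concat(LegacyRsa));
    }

    // Post-handshake audit: true when the session used RSA key exchange.
    public static bool UsedLegacyRsa(TlsCipherSuite negotiated) => LegacyRsa.Contains(negotiated);

    static void Main()
    {
        // Constructed host name, for illustration only.
        var options = new SslClientAuthenticationOptions { TargetHost = "ftps.legacy.example" };
        Apply(options);
        Console.WriteLine(options.CipherSuitesPolicy is null
            ? "default platform policy kept"
            : string.Join(", ", options.CipherSuitesPolicy.AllowedCipherSuites));
        // In real use, pass SslStream.NegotiatedCipherSuite here after the handshake.
        Console.WriteLine(UsedLegacyRsa(TlsCipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA));
    }
}
```

Applying the policy only to the client instance that talks to the legacy server, and logging when `UsedLegacyRsa` returns true, keeps the weaker key exchange scoped and visible.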

Thanks, good work. Event handlers should be added to the ftp client classes and not the config. Config is only for simple properties.

robinrodricks, Nov 22 '25 11:11

@robinrodricks, thank you for the feedback. I have updated the implementation.

mamuleanu, Nov 22 '25 21:11