daniel:// stenberg://May 29

Circa five years ago the browsers dropped FTP support.

#curl still supports it. In 2024, 23% of curl users said they used FTP within the past two years.

My post from April 2020:

https://daniel.haxx.se/blog/2020/04/15/curl-is-not-removing-ftp/

curl is not removing FTP

FTP is going out of style. The Chrome team has previously announced that they are deprecating and removing support for FTP. Mozilla also announced their plan for the deprecation of FTP in Firefox. Both browsers have paused or conditioned their efforts to not take the final steps during the Covid-19 outbreak, but they will continue … Continue reading curl is not removing FTP →

daniel.haxx.se
Gerald CombsMay 29
Show threaddaniel:// stenberg://

FTP is quite unique in the #curl collection of protocols due to its (weird) mandatory use of a separate TCP connection for the data transfer (and the fact that it can be setup in either direction, client to server or server to client) . It is complicated for users, for sysadmins and it is a complication in source code and internal curl TCP management as well.

So yeah, it also keeps causing us headaches to this day.

May 29 at 9:11pmWeb
Show threadNuxMay 29
@bagder thanks for not removing FTP support!
Show threadTariqMay 29
@bagder I remember linux firewall fun with ftp back in the 2000s ... ipchains ...
Show threadciaraMay 29
@bagder you’re a true soldier 🫡
Show threadRäucherkäseMay 29
@bagder Add TLS session reuse across the two TCP connections to the mix (to reduce the hijacking risk of FTPS data connections) and it gets even more complicated.
Does curl support this? This old mailing list post suggests it doesn't: https://curl.se/mail/lib-2017-05/0048.html
Curl: Re: TLS session re-use for FTPS data connection?

Show threadEl Pamplina 🇺🇦 🇵🇸 May 29
@bagder I remember me using it in the 90s, and it was a mess with firewalled clients, setting up "passive" mode, and so on.
Show threadThibaultMay 29
@bagder So, if I'm reading this right I can send a FTP request, in which case the server might do the TCP setup for me... or not ? Is it a random choice or is there a flowchart for which party starts talking first ?
Show threaddaniel:// stenberg://May 29
@thibault the client decides by sending the correct command, PASV or PORT (or EPSV/EPRT in more modern FTP)
Show threadgabriele renziMay 30
@thibault @bagder
It's client controlled, in the '00s abusing this was a way to get P2P working from inside firewalled/NAT'ed networks (universities, some ISPs).
Show threadChris O'BrienMay 30
@bagder As someone who is implementing ftp support using libcurl *right now*, THANK YOU!
Show threadjjMay 30
@bagder It's also older than TCP/IP, which shows when looking at rules like that.