Add FTPS with SSL/TLS configuration #1522

Closed
YasanPunch wants to merge 37 commits into ballerina-platform:master from YasanPunch:add-ftps
@YasanPunch
Contributor

Purpose


Fixes: ballerina-platform/ballerina-library/#8489

Adds FTPS (FTP over SSL/TLS) support to the FTP module, enabling secure file transfers using SSL/TLS certificates and encrypted data channels.

Changes:

  • Added FTPS protocol option to the Protocol enum.
  • Added SecureSocket configuration record for FTPS SSL/TLS settings.
  • Added FtpsMode enum to support IMPLICIT and EXPLICIT FTPS modes.
  • Added FtpsDataChannelProtection enum to control data channel encryption (PROT P/C/S/E).

API Changes:

public enum Protocol {
    FTP = "ftp",
    FTPS = "ftps",  // New: Secure File Transfer Protocol
    SFTP = "sftp"
}

# FTPS connection mode
public enum FtpsMode {
    IMPLICIT,   // SSL/TLS established immediately (typically port 990)
    EXPLICIT    // Upgrades to SSL/TLS via AUTH TLS (typically port 21)
}

# FTPS data channel protection level
public enum FtpsDataChannelProtection {
    CLEAR,          // PROT C - Clear/Unencrypted data channel
    PRIVATE,        // PROT P - Encrypted data channel (Default/Recommended)
    SAFE,           // PROT S - Integrity protected
    CONFIDENTIAL    // PROT E - Confidentiality protected
}

# Secure socket configuration for FTPS
public type SecureSocket record {|
    crypto:KeyStore key?;       // Client certificate/key
    crypto:TrustStore cert?;    // Server certificate/truststore
    FtpsMode mode = EXPLICIT;
    FtpsDataChannelProtection dataChannelProtection = PRIVATE;
|};

public type AuthConfiguration record {|
    // ... existing fields ...
    SecureSocket secureSocket?;  // New: For FTPS protocol
|};

(Current) Usage Example:

ftp:ClientConfiguration ftpsConfig = {
    protocol: ftp:FTPS,
    host: "ftps.example.com",
    port: 21,
    auth: {
        credentials: {username: "user", password: "pass"},
        secureSocket: {
            key: {path: "client.p12", password: "keypass"},
            cert: {path: "truststore.p12", password: "trustpass"},
            mode: ftp:EXPLICIT
        }
    }
};

Usage Example

ftp:ClientConfiguration ftpsConfig = {
    protocol: ftp:FTPS,
    host: "ftps.example.com",
    port: 21,
    auth: {
        credentials: {username: "user", password: "pass"},
        secureSocket: {
            key: {path: "client.p12", password: "keypass"},
            cert: {path: "truststore.p12", password: "trustpass"},
            mode: ftp:EXPLICIT,
            dataChannelProtection: ftp:PRIVATE
        }
    }
};

Future Enhancements (TODO):

  • Hostname verification toggle for enhanced security (Currently handled by default VFS/JSSE behavior).

Checklist

  • Linked to an issue
  • Updated the changelog
  • Added tests (Client, Listener, and Configuration tests added.)
  • Updated the spec
  • Checked native-image compatibility
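
How the mode, default-port and PROT settings described above combine on the control channel, as an added Python example that is not code from this PR or from the Ballerina FTP module. `FtpsSettings`, `effective_port`, `security_steps` and `audit` are hypothetical names, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# PROT argument for each protection level, as listed in the PR's enum comments.
PROT_ARG = {"CLEAR": "C", "PRIVATE": "P", "SAFE": "S", "CONFIDENTIAL": "E"}

@dataclass
class FtpsSettings:
    """Hypothetical Python mirror of the PR's port and SecureSocket fields."""
    port: int = 21
    mode: str = "EXPLICIT"
    data_channel_protection: str = "PRIVATE"
    cert: Optional[str] = None  # trust store path
    key: Optional[str] = None   # client key store path

def effective_port(s: FtpsSettings) -> int:
    # Commit notes on the page: port 21 is swapped to 990 for IMPLICIT mode.
    return 990 if s.mode == "IMPLICIT" and s.port == 21 else s.port

def security_steps(s: FtpsSettings) -> List[str]:
    """Ordered steps that protect the control and data channels."""
    if s.mode == "IMPLICIT":
        steps = ["TLS handshake immediately after TCP connect"]
    else:
        steps = ["AUTH TLS", "TLS handshake on the control connection"]
    # RFC 4217: PBSZ 0 must be sent before PROT.
    return steps + ["PBSZ 0", "PROT " + PROT_ARG[s.data_channel_protection]]

def audit(s: FtpsSettings) -> List[str]:
    """Return the findings a reviewer would raise for this configuration."""
    findings = []
    level = s.data_channel_protection
    if level == "CLEAR":
        findings.append("PROT C: file contents and directory listings are sent unencrypted")
    elif level in ("SAFE", "CONFIDENTIAL"):
        findings.append(f"PROT {PROT_ARG[level]}: RFC 4217 defines only C and P for TLS; expect a refusal")
    if s.cert is None:
        findings.append("no trust store set: confirm how the server certificate is validated")
    if s.mode == "EXPLICIT" and effective_port(s) == 990:
        findings.append("EXPLICIT on port 990: that port is conventionally IMPLICIT")
    return findings

if __name__ == "__main__":
    sample = FtpsSettings(mode="IMPLICIT", data_channel_protection="CLEAR")  # constructed
    print(effective_port(sample), security_steps(sample), audit(sample))
```
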

Yasan and others added 30 commits December 7, 2025 14:50
… 990 for IMPLICIT FTPS if unspecified. Improved KeyStore loading from Ballerina records and error handling for secure socket configurations.
…improved error handling for KeyStore loading, and added documentation regarding the limitations of hostname verification support.
…r implementations, as it is not supported by the current version of Apache Commons VFS2. Clean up related code and constants.
… configuration

- Introduced tests for FTPS client operations including explicit and implicit modes, file handling, and error scenarios.
- Added tests for FTPS listener functionality, ensuring correct event handling for file changes.
- Improved error handling for secure socket configurations in both client and server implementations.
- Updated mock server utilities to include FTPS server initialization for testing purposes.
… relevant files for consistency,

, remove hardcoded credentials and enhance password handling for improved security.
- Refactored test structure for better isolation and clarity.
- Introduced helper functions for state management and event handling.
- Improved file handling in tests, ensuring robust cleanup and setup.
- Updated mock server utilities to ensure isolated test environments for FTPS operations.
…ments

- Introduced a new configuration for testing the default port logic, ensuring that port 21 is correctly swapped to 990 for implicit mode.
- Added a cleanup function to manage test environment state after execution.
- Enhanced existing test cases to validate the new configuration and ensure robust error handling during FTPS operations.
- Updated the FTPS client test to use a more descriptive variable name for error handling.
- Increased the wait count in listener tests to ensure proper event detection.
- Improved error message clarity for invalid truststore scenarios in tests.
- Adjusted the FtpClient to default to port 990 when port 21 is specified for implicit FTPS mode.
YasanPunch closed this Dec 16, 2025
Development

Successfully merging this pull request may close these issues.

Expose FTPS as separate protocol when connecting to FTP server