Specifically, conn->ssl[FIRSTSOCKET].use is set to true, despite the fact that the destination is an insecure FTP server.
After libcurl authenticates on the control connection, it sends the PBSZ command followed by PROT. This is in violation of RFC 4217, which states:
> Note: In line with [RFC-2228], there is no facility for securing
> the Data connection with an insecure Control connection.
> Specifically, the PROT command MUST be preceded by a PBSZ command,
> and a PBSZ command MUST be preceded by a successful security data
> exchange (the TLS negotiation in this case).
Normally, this would not be an issue, but in one bizarre case, the FTP server was responding with "200" in response to the PROT command, which leads to curl attempting a TLS handshake on the data connection, even though the destination server was not prepared for it.
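
The RFC 4217 ordering rule quoted in the report can be checked mechanically against a control-connection transcript. The following is an added example, not code from the report or from libcurl: `check_transcript`, the `seq_result` values and the sample transcripts are hypothetical, and it assumes a 234 reply to AUTH means the TLS negotiation then succeeded.

```c
#include <stddef.h>
#include <string.h>

enum seq_result { SEQ_OK, SEQ_PBSZ_WITHOUT_TLS, SEQ_PROT_WITHOUT_PBSZ };

/* Walk a control-connection transcript ("C: " = client, "S: " = server) and
   return the first RFC 4217 ordering violation made by the client.
   Assumption: a 234 reply to AUTH means the TLS negotiation then succeeded. */
enum seq_result check_transcript(const char *const *lines, size_t n)
{
  int auth_sent = 0, pbsz_sent = 0; /* which command awaits its reply */
  int tls_active = 0;               /* control connection is secured */
  int pbsz_ok = 0;                  /* PBSZ accepted after TLS */
  size_t i;

  for(i = 0; i < n; i++) {
    const char *arg = lines[i] + 3; /* text after the "C: " / "S: " prefix */
    if(!strncmp(lines[i], "C: ", 3)) {
      auth_sent = !strncmp(arg, "AUTH ", 5);
      pbsz_sent = !strncmp(arg, "PBSZ ", 5);
      if(pbsz_sent && !tls_active)
        return SEQ_PBSZ_WITHOUT_TLS;   /* the sequence reported above */
      if(!strncmp(arg, "PROT ", 5) && !pbsz_ok)
        return SEQ_PROT_WITHOUT_PBSZ;
    }
    else if(!strncmp(lines[i], "S: ", 3)) {
      if(auth_sent && !strncmp(arg, "234", 3))
        tls_active = 1;
      if(pbsz_sent && !strncmp(arg, "200", 3))
        pbsz_ok = 1;                   /* only reachable with tls_active set */
      auth_sent = pbsz_sent = 0;
    }
  }
  return SEQ_OK;
}

/* Constructed sample transcripts, not captured traffic. */
static const char *const plain_session[] = {
  "S: 220 ready", "C: USER demo", "S: 331 need password", "C: PASS demo",
  "S: 230 logged in", "C: PBSZ 0", "S: 200 ok", "C: PROT P", "S: 200 ok" };
static const char *const tls_session[] = {
  "S: 220 ready", "C: AUTH TLS", "S: 234 go ahead", "C: USER demo",
  "S: 331 need password", "C: PASS demo", "S: 230 logged in",
  "C: PBSZ 0", "S: 200 ok", "C: PROT P", "S: 200 ok" };
int main(void)
{
  return check_transcript(plain_session, 9) == SEQ_PBSZ_WITHOUT_TLS &&
         check_transcript(tls_session, 11) == SEQ_OK ? 0 : 1;
}
```

The check fires on the client's PBSZ, before any server reply to PROT, so it does not depend on how the server answers.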