© 2001 − 2023, Dr. Jürgen Rathlev
General settings:
You can find more information about FTP on
Wikipedia.
- Password: Click the button at the right to enter a fixed password
which will be used to establish the FTP server connection automatically.
If you leave the password blank for greater security, you must manually enter
the password each time on starting the backup.
- Destination directory: The destination directory can be specified manually
or, if the connection data (server name, username, etc.) are correct, selected in a dialog
after clicking the button.
It may contain one or more placeholders for date and time which can be
selected from a list by clicking the associated button.
If a password is specified in the dialog, the connection to the FTP server will
be established automatically.
- Secure data connection: Data transfer
is encrypted using TLS/SSL (FTPS):
- None: All data will be transferred unencrypted.
- If available (explicit): On connecting, the server will be interrogated
as to whether it supports TLS/SSL. If so, the data transfer
will be encrypted (explicit method), otherwise unencrypted.
- Require (explicit): It is expected that the server supports
TLS/SSL (explicit method). If not, the connection will be canceled.
- Always (implicit): All data transfers
will be encrypted using the special port 990 (implicit method). If the server
does not support this method, the connection will fail.
For a secure connection the option Require is recommended.
The FTP server must support one of the TLS versions 1, 1.1 or 1.2
(more information).
- Options:
- Use passive mode: In passive mode, the server defines the port
for the data transfer; otherwise the client defines it.
- Force UTF-8 encoding:
Some servers support file transfers using
UTF-8 encoding,
but do not announce this capability after establishing the connection.
This is inconsistent with the specification of
RFC2640 Section 3.2
but in this special case you can force the encoding of the client side to UTF-8
by checking this option.
If, in addition, the server must also be switched to UTF-8, use the option
Send OPTS command for UTF-8 described below.
- Use IPv6: Some servers require a connection using the
IPv6
protocol. Click this option to switch to the IPv6 address mode.
- More options:
The following options (see screenshot above right) are only required if problems
arise from the FTP connection
(see here).
Unfortunately the available servers do not all follow the recommendations (RFCs) for the
FTP protocol
consistently. The following options are a workaround for these shortcomings.
- Send OPTS command for UTF-8:
A server supporting UTF-8 must inform the client about this after establishing
the connection and automatically switch to this mode (see
RFC2640 Section 3.2).
Unfortunately there are servers indicating the support of UTF-8, but nevertheless requiring
an OPTS command to enable it. If this is the case, this option must be selected.
- Force EPRT/EPSV for IPv6:
If the connection to the FTP server was established using the IPv6 protocol (see above),
the data transfer usually requires the EPRT and EPSV commands, instead of
PORT and PASV used for IPv4. By default, the server should inform the client
about this in reply to the feature request (FEAT command). Unfortunately
there are servers that do not follow this recommendation. If this is the case, you must
switch over to this manually by clicking this option.
- Use HOST command: Many Internet providers use the
same FTP server IP for all users. The HOST command is used to assign
the user's server space.
- Time zone:
On time-zone spanning FTP connections it is sometimes necessary to adjust the
time offset manually for reliable timestamp comparisons.
- Write communication log to file:
For debugging purposes, the communication with the FTP server can be logged.
The log is written into the file PbFtp.log located in the same directory
as the other log files (see here).
Use the Action menu to view or delete this file.
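The following Python sketch relates to the Force EPRT/EPSV for IPv6 option above. It is an added example, not code from the program: it shows why PORT/PASV cannot carry an IPv6 address and how forcing the extended commands helps when the FEAT reply omits them. The function names and the FEAT sample are assumptions made for illustration; the addresses come from the documentation ranges.

```python
import ipaddress
import re

# Constructed FEAT reply from a server that omits EPRT/EPSV (sample data).
SAMPLE_FEAT = "211-Features:\r\n UTF8\r\n AUTH TLS\r\n PASV\r\n211 End\r\n"

def parse_feat(reply):
    """Return the feature names from a multi-line 211 FEAT reply."""
    feats = set()
    for line in reply.splitlines():
        # Feature lines start with a space; the 211 status lines do not.
        if line.startswith(" ") and line.strip():
            feats.add(line.split()[0].upper())
    return feats

def active_command(host, port, feats, force_ext=False):
    """Command announcing the client's data port (active mode)."""
    ip = ipaddress.ip_address(host)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if ip.version == 4:
        # PORT h1,h2,h3,h4,p1,p2 has room for a 4-byte address only.
        fields = str(ip).split(".") + [str(port >> 8), str(port & 0xFF)]
        return "PORT " + ",".join(fields)
    if "EPRT" not in feats and not force_ext:
        raise ValueError("IPv6 needs EPRT, which the server did not announce")
    # EPRT |protocol|address|port| with protocol 2 = IPv6 (RFC 2428).
    return f"EPRT |2|{ip}|{port}|"

def passive_command(host, feats, force_ext=False):
    """Command asking the server to open the data port (passive mode)."""
    if ipaddress.ip_address(host).version == 4:
        return "PASV"
    if "EPSV" not in feats and not force_ext:
        raise ValueError("IPv6 needs EPSV, which the server did not announce")
    return "EPSV"

def passive_port(reply):
    """Extract the data port from a 227 (PASV) or 229 (EPSV) reply."""
    if reply.startswith("229"):
        # 229 carries only the port: (<d><d><d>port<d>), usually (|||port|).
        m = re.search(r"\((.)\1\1(\d+)\1\)", reply)
        if m:
            return int(m.group(2))
    elif reply.startswith("227"):
        m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
        if m:
            return int(m.group(5)) * 256 + int(m.group(6))
    raise ValueError("not a valid 227/229 reply: " + reply)
```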
Clicking the Advanced settings button will open the following page.
- Filenames:
- Change to lower/upper case: Unix/Linux systems differentiate
between lower- and upper-case characters in filenames.
You can specify whether you wish to change all file and directory names to lower
or upper case prior to data transfer.
- Allow quoted filenames: Filenames with spaces will cause
errors on an FTP transfer. Some servers allow filenames within quotation marks
(as is common under Windows).
- Character encoding: As there are still FTP servers that do not support UTF-8 encoding,
you can specify that certain characters are to be replaced by a numeric code
as is usual in URL addresses (e.g. a space = %20).
- Use Proxy server: If a proxy gateway is required to
connect to the FTP server, you can specify the desired settings here.
- Establishing the connection:
- Maximum number of attempts: Specify the maximum
number of attempts to connect to the FTP server. If this fails, the
backup will be canceled.
- Maximum waiting time to establish the connection: Specify the maximum time
to wait for a reply from the FTP server after sending the connect command.
If establishing the connection fails, further attempts will be made until
the maximum number is reached (see above).
- Controlling the connection:
- Maximum waiting time for server response: Specify the maximum time
to wait for a response from the FTP server after sending a command.
- Send keep-alive command during data transfer: With some FTP servers or
firewalls it can happen that during lengthy data transfers the control
channel will be closed due to inactivity. When this option is enabled, a small
data packet is sent periodically to prevent this.
Verification of server certificate
If a secure connection is selected (see above), the data
transfer is encrypted using the TLS/SSL method.
Additional security can be achieved by checking the server's encryption certificate.
This can be done either by the user via a visual assessment or automatically by comparing
the digital fingerprints.
Procedure
When a secure connection is established, the server certificate
(X.509) is downloaded.
It contains, among other things, information about the issuer and its validity, as well as a digital
MD5 fingerprint.
Before the backup starts, the user is shown this information so that he can evaluate whether
the certificate is trustworthy. If he knows the digital fingerprint of the server certificate,
it can be stored in the program to allow automatic verification when the connection
is established by comparing it with the downloaded one.
- Verify server certificate: If this box is checked a certificate verification will be
performed on login.
- Interactively by user: On login, a dialog (see Fig. on the right) is opened
in which the most important features of the certificate are displayed. The green dot
indicates that the certificate is still valid. When the validity time has expired,
the color changes to red. Based on this information, the user can decide whether he considers the
certificate to be trustworthy. If not, he should cancel the connection by clicking the No button.
If the certificate is OK, the fingerprint can be copied to the clipboard by clicking
the button at the bottom right to paste it into the FTP settings (see below) for
automatic verification.
- Automatic comparison of fingerprints: When selecting this option, the
digital fingerprint of the server must be known. One way to determine it is described
in the previous section. The format must match the displayed example
(hex values separated by colons). It corresponds to the output of the OpenSSL program
with the command
...\openssl x509 -noout -fingerprint -md5 -inform pem -in <certificate>.crt.
If it has been copied to the clipboard as described above, it can be pasted into
the field very easily by clicking the corresponding button.
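The fingerprint comparison described above can be reproduced outside the program. The following Python sketch is an added example, not the program's own code: it computes the colon-separated MD5 fingerprint of a PEM certificate in the layout OpenSSL prints and compares it with a stored value. The function names are assumptions, and the sample "certificate" is constructed bytes wrapped in PEM armor, not a real X.509 certificate.

```python
import hashlib
import hmac
import re
import ssl

# Constructed sample: arbitrary bytes in PEM armor, NOT a real certificate.
# The fingerprint is a hash over the DER bytes, so this suffices for a demo.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

def md5_fingerprint(pem):
    """MD5 over the DER encoding, as upper-case hex pairs joined by colons."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(pinned):
    """Accept a pasted OpenSSL output line or a bare fingerprint."""
    # OpenSSL prints "<label>=<fingerprint>"; keep only the part after '='.
    value = pinned.strip().split("=")[-1]
    hexchars = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hexchars):
        raise ValueError("an MD5 fingerprint needs exactly 16 hex bytes")
    return ":".join(hexchars[i:i + 2] for i in range(0, 32, 2))

def verify(pem, pinned):
    """True only if the certificate matches the stored fingerprint."""
    return hmac.compare_digest(md5_fingerprint(pem), normalize(pinned))

if __name__ == "__main__":
    fp = md5_fingerprint(SAMPLE_PEM)
    print("fingerprint:", fp)
    print("matches stored value:", verify(SAMPLE_PEM, fp.lower()))
```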
J. Rathlev, D-24222 Schwentinental, November 2023