Windows FTP clients

I’ve recently been setting up a new FTP server, and I wanted it to support FTPS. However, I ran into a few problems when I tested it, which turned out to be partly due to the client software I was using. I’ve been using CuteFTP for several years: I registered for version 1.0 back in 2001, and I’ve been using version 8 since 2007. However, I’m now abandoning that in favour of FileZilla.

I connected to the FTP site using CuteFTP Pro 8.3.3, and it worked fine using plain FTP (no encryption). However, I got an error message when I tried to use explicit FTP over TLS:
CuteFTP 8: Error in negotiating SSL connection.

There was no more detail about the actual error, which wasn’t very helpful. I then installed FileZilla (3.24.1), and tried it there. This gave a much more informative error message:
FileZilla: The server's certificate is unknown.

I’d configured the FTP server to use a certificate from an internal CA, but the FTP clients don’t trust it, presumably because they don’t use the Windows certificate store. That’s good to know, and now that I know the cause I can focus on that (rather than wasting my time looking at firewall settings). I also have the option to continue.

As a basis for comparison, I then installed the trial version of CuteFTP 9. This is definitely an improvement over CuteFTP 8, with similar info to FileZilla:
CuteFTP 9: Accept certificate?

However, it falls down in a few areas. The organisation, unit, and country shouldn’t be blank; I know for a fact that both certificates (FTP server and issuing CA) include that information. Also, the valid from/to dates are in American format (mm/dd/yy). I’m in the UK, and I’ve configured my PC to use the ISO 8601 date format (yyyy-mm-dd). FileZilla picks up my regional settings, rather than hard-coding the USA settings, which I appreciate.

I then updated the FTP server to use a GoDaddy certificate instead. Since this is an established CA, I expected the FTP clients to connect without any errors or warnings (much like a web browser). However, I still got the same response as before:

  • CuteFTP Pro 8 won’t connect at all. (“Error in negotiating SSL connection.”)
  • CuteFTP 9 displays the certificate, asking me to accept or reject it.
  • FileZilla displays the entire certificate chain, asking me whether I want to trust it (either permanently or just for this session).

Within CuteFTP (8 or 9), you can go to:
Tools | Global Options…
In the Global Options window, under Security, select SSL Security.
SSL Security options

If you tick the Accept certificates in Windows Trusted Root Certificate Authority store box, CuteFTP 9 will connect to the site without any prompt. However, CuteFTP Pro 8 still gives the same error message as before! It might be possible to explicitly import the server’s certificate, but that relies on you having a copy of the file, which typically won’t be the case. In practical terms, I would say that CuteFTP Pro 8 is unusable with FTPS.

Looking at FileZilla, I found a discussion from 2011 in the support forum. According to that:
“Note that FileZilla NEVER automatically trust any certificate. So you cannot install root certificates into it, and client certificates are not supported.”
There’s a similar discussion from November 2016, where they said:
“Remember, it does not use the OS certificate store at all.”
Personally, I would like to trust all certificates from a particular CA rather than having to review the fingerprints every time I connect to a new server, so I think that CuteFTP 9 comes out ahead here. However, it’s no worse than checking SSH keys for SFTP sites.

Another issue is IPv6 support (or the lack thereof). For the purposes of this test, I’m specifying a literal IPv6 address, but the same issue applies if I disable IPv4 on my internet connection and then use FQDNs. I’m also connecting to a different server which uses SFTP rather than FTPS.

In FileZilla, I had to put square brackets around the IPv6 address, but then it worked fine:
FileZilla IPv6

However, CuteFTP Pro 8 and CuteFTP 9 just say that they can’t resolve the address:
CuteFTP IPv6

The IPv6 RFCs were published in 1996, so this protocol has now been around for 20 years, and it’s high time that software developers supported it. Looking around GlobalScape’s website, the only mention I’ve found is this (archived) page: Transfer Settings.
“EPRT and EPSV were designed for communicating IP and data port information for IPv6 addresses. Until IPv6 is supported in CuteFTP this feature is primarily used for improving firewall traversal of NAT firewalls for secure (FTPS) connections.”
So, they’re aware of IPv6, but haven’t implemented it.

As a minor point, I also noticed that CuteFTP is only available as 32-bit software, whereas FileZilla has 32-bit and 64-bit options. Realistically, I don’t think an FTP client should ever need to access more than 4 GiB of RAM, but I’d say that it’s worth compiling an extra version anyway.

Finally, the most obvious difference between the two clients is that FileZilla is freeware, whereas you have to pay for CuteFTP. In my case, that’s not actually much of a motivation; I’m willing to pay for software that I use on a regular basis. However, given the difference in functionality, it makes more sense for me to donate some money to the FileZilla project rather than paying to upgrade CuteFTP.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.