ftp: make TLS config default to global TLS config - Fixes #6671

This allows --ca-cert, --client-cert, --no-check-certificate etc to be used. This also allows `override.ca_cert = XXX` to be used in the config file.
2025-12-12 06:24:14 +01:00 · 2025-08-19 17:25:07 +01:00
parent d3a0805a2b
commit e7a2b322ec
2 changed files with 39 additions and 3 deletions
--- a/backend/ftp/ftp.go
+++ b/backend/ftp/ftp.go
@@ -283,6 +283,7 @@ type Fs struct {
 	user     string
 	pass     string
 	dialAddr string
+	tlsConf  *tls.Config // default TLS client config
 	poolMu   sync.Mutex
 	pool     []*ftp.ServerConn
 	drain    *time.Timer // used to drain the pool when we stop using the connections
@@ -408,9 +409,14 @@ func shouldRetry(ctx context.Context, err error) (bool, error) {
 func (f *Fs) tlsConfig() *tls.Config {
 	var tlsConfig *tls.Config
 	if f.opt.TLS || f.opt.ExplicitTLS {
-		tlsConfig = &tls.Config{
-			ServerName:         f.opt.Host,
-			InsecureSkipVerify: f.opt.SkipVerifyTLSCert,
+		if f.tlsConf != nil {
+			tlsConfig = f.tlsConf.Clone()
+		} else {
+			tlsConfig = new(tls.Config)
+		}
+		tlsConfig.ServerName = f.opt.Host
+		if f.opt.SkipVerifyTLSCert {
+			tlsConfig.InsecureSkipVerify = true
 		}
 		if f.opt.TLSCacheSize > 0 {
 			tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(f.opt.TLSCacheSize)
@@ -671,6 +677,7 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (ff fs.Fs
 		dialAddr: dialAddr,
 		tokens:   pacer.NewTokenDispenser(opt.Concurrency),
 		pacer:    fs.NewPacer(ctx, pacer.NewDefault(pacer.MinSleep(minSleep), pacer.MaxSleep(maxSleep), pacer.DecayConstant(decayConstant))),
+		tlsConf:  fshttp.NewTransport(ctx).TLSClientConfig,
 	}
 	f.features = (&fs.Features{
 		CanHaveEmptyDirectories: true,
--- a/docs/content/ftp.md
+++ b/docs/content/ftp.md
@@ -134,6 +134,35 @@ be enabled in the FTP backend config for the remote, or with
 [`--ftp-tls`](#ftp-tls). The default FTPS port is `990`, not `21` and
 can be set with [`--ftp-port`](#ftp-port).

+## TLS Options
+
+TLS options for Implicit and Explicit TLS can be set using the
+following flags which are specific to the FTP backend:
+
+```
+--ftp-no-check-certificate     Do not verify the TLS certificate of the server
+--ftp-disable-tls13            Disable TLS 1.3 (workaround for FTP servers with buggy TLS)
+--ftp-tls-cache-size int       Size of TLS session cache for all control and data connections (default 32)
+```
+
+However any of the global TLS flags can also be used such as:
+
+```
+--ca-cert stringArray          CA certificate used to verify servers
+--client-cert string           Client SSL certificate (PEM) for mutual TLS auth
+--client-key string            Client SSL private key (PEM) for mutual TLS auth
+--no-check-certificate         Do not verify the server SSL certificate (insecure)
+```
+
+If these need to be put in the config file so they apply to just the
+FTP backend then use the `override` syntax, eg
+
+```
+override.ca_cert = XXX
+override.client_cert = XXX
+override.client_key = XXX
+```
+
 ### Restricted filename characters

 In addition to the [default restricted characters set](/overview/#restricted-characters)