Your best friend for file transfer.

Fetch application logoFetch

FTP with TLS/SSL (FTPS) and the new Airport Extreme Base Station by Jim Matthews

At the recent Macworld Expo in January we introduced Fetch 5.2, which adds FTP with TLS/SSL (FTPS) support, and Apple introduced its new Airport Extreme Base Station (AEBS) with 802.11n support. Unfortunately, a bug in the AEBS keeps it from working with Fetch’s new TLS/SSL feature. Our research has determined that it is not possible for Fetch (or any other secure FTP client) to make FTP with TLS/SSL connections through the new AEBS.

We have reported the bug to Apple, and the Airport engineers are aware of it, but they have not given us a date when it will be fixed. In the meantime affected customers may want to use SFTP instead of FTP with TLS/SSL (if the server supports SFTP), turn off the “distribute addresses” feature of their Airport Extreme Base Station (if there is only one computer on the local network, or if there is another device that can distribute addresses), or switch to a different wireless base station. The previous, flying-saucer-shaped Airport Extreme Base Stations did not have this problem.

The bug appears to be in the base station’s FTP inspection code. When the base station is in Network Address Translation (NAT) mode, distributing private IP addresses to computers on the local network, it has to listen in on FTP sessions in order to translate between private and public addresses. When an FTP client tries to use TLS/SSL encryption (also known as FTPS, AUTH TLS, or FTP with Explicit SSL), the AEBS simply drops the connection. This bug affects any FTP client making TLS/SSL connections to a server on port 21 (it does not affect the less common port 990 connections, sometimes called FTP with Implicit SSL, or SSL connect, because the base station does not inspect that traffic).

Update: The bug discussed above was present in firmware versions 7.0 to 7.1.1. On August 29, 2007, Apple released version 7.2.1 of the Airport Extreme Base Station with 802.11n firmware, which fixes this problem.

In other news:


  • Howdy,

    Just curious, has there been any progress on this issue?


    Zoltan Der July 31, 2007
  • We believe that Apple has been working on this issue, but so far they have not released a software update. We will be sure to post a follow up when they do.


    Jim Matthews July 31, 2007
  • Hi, I have the Firmware 7.2.1 and I have a ftp-server that is not able to get ssl working through the AEBS. I run GeneFtp on Windows XP (maybe thats the problem). My client is a MBP.

    Clean transfers work like a charm, but with implicit or explicit ssl I get a time out error on either the exchange of keys or on the MLSD/LIST.

    Hope they will solve this issue soon.

    Per S September 17, 2007
  • Sorry, I double checked and I was using ssl over port 21… So the trouble seems to be there still. I changed to another port and it worked.

    Per S September 17, 2007
  • Hi Per S., it sounds like you might be running into a different bug. Could you email support at fetchsoftworks dot com so we can learn more about the problem? Thanks.

    Jim Matthews September 17, 2007
  • Oh, sorry, I have not been on this page for awhile since I got it to work. I am able to use the SSL implicit och explicit on other ports than 21.

    I don’t think that it is Fetch that is the trouble.

    Maybe Geneftp is using sftp and the AEBS 7.2.1 is only fixed for ftps or the otherway around?

    I have not tried the “distribute addresses” workaround, since I can use another port than 21 I didn’t delve in to it further…

    /Per S

    Per S December 20, 2007
  • hmm, to me it seems this bug still exists (i have posted on the apple forum: Do you have reason to believe it reappeared?

    rblon April 14, 2011
  • Hi rblon,

    I am able to make FTP with TLS/SSL connections from behind an Airport Extreme base station running firmware 7.5.2 (I believe that’s the latest).

    Unfortunately I could not read your post on Apple’s discussion forums, do to work Apple is doing on that site.

    Jim Matthews April 19, 2011
  1. Page 1

Leave a comment

If you haven’t left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won’t appear on the entry. Thanks for waiting.

  • We will never post or share your email address.

Fetch visitor is writing…