From 3a3b202a96c7b828554e5ecd4e654a6f062f83de Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Thu, 26 Mar 2026 12:02:24 +0200
Subject: [PATCH] Add safe explicit TLS fallback for FTP backups for fsdump module https://github.com/webmin/webmin/pull/2646
---
 fsdump/ftp.pl | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/fsdump/ftp.pl b/fsdump/ftp.pl
index a582e4774..969b7e569 100755
--- a/fsdump/ftp.pl
+++ b/fsdump/ftp.pl
@@ -4,6 +4,16 @@
 $no_acl_check++;
 require './fsdump-lib.pl';
+sub start_tls
+{
+my ($fh, $what) = @_;
+eval { require IO::Socket::SSL; IO::Socket::SSL->import(); 1; } ||
+ &error_exit("FTP server requires TLS, but IO::Socket::SSL is not installed");
+IO::Socket::SSL->start_SSL($fh, SSL_verify_mode => 0) ||
+ &error_exit("FTP $what TLS handshake failed : ".
+ IO::Socket::SSL::errstr());
+}
+
 # Parse args, and get password
 select(STDERR); $| = 1; select(STDOUT);
 $host = $ARGV[0];
@@ -36,6 +46,15 @@ while(1) {
 &error_exit("FTP connection failed : $err") if ($err);
 &ftp_command("", 2, \$err) ||
 &error_exit("FTP prompt failed : $err");
+ $ssl_enabled = 0;
+ if (&ftp_command("AUTH TLS", 2, \$err)) {
+ &start_tls(\*SOCK, "control");
+ &ftp_command("PBSZ 0", 2, \$err) ||
+ &error_exit("FTP TLS setup failed : $err");
+ &ftp_command("PROT P", 2, \$err) ||
+ &error_exit("FTP TLS setup failed : $err");
+ $ssl_enabled = 1;
+ }
 # Login to server
 @urv = &ftp_command("USER $user", [ 2, 3 ], \$err);
@@ -174,5 +193,8 @@ elsif ($mode == 2) {
 else {
 $opened = 0;
 }
+if ($opened && $ssl_enabled) {
+ &start_tls(\*CON, "data");
+ }
 }
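Review bot: `SSL_verify_mode => 0` in `start_tls` switches off certificate verification, so the upgraded channel only protects against passive sniffing; an endpoint that is not the intended server can complete the handshake with any certificate and still receive the login and the backup stream. The same helper is called for the data channel in the last hunk, so both connections inherit this. I would verify by default, e.g. `IO::Socket::SSL->start_SSL($fh, SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(), SSL_verifycn_name => $host)`, and make skipping verification an explicit per-backup opt-in for servers with self-signed certificates. A short comment above the sub stating the intended trust model would also help the next reader.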
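Review bot: When `AUTH TLS` is refused, the `if` falls through with `$ssl_enabled = 0` and the login below sends `USER`/`PASS` in clear text, with nothing recording that the downgrade happened. The negotiation is itself unauthenticated plaintext, so a suppressed or altered reply looks the same as a server without TLS; the fallback is opportunistic rather than enforced. I would add a setting that requires TLS and fails closed, for example an `else` branch with `&error_exit("FTP server refused TLS : $err") if ($require_tls);` (`$require_tls` is a placeholder for whatever config key the module would use), and at least log the plaintext fallback. The login code continues outside this hunk.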
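Review bot: The data-channel handshake added here starts a fresh TLS session with no link to the control connection, because `start_tls` passes only the socket and `SSL_verify_mode`. FTPS servers that require session reuse on data connections (a common hardening setting) are likely to reject these transfers, and without reuse the client has no assurance that the data peer is the endpoint it negotiated with on the control channel. Consider resuming the control session for `CON`, for which IO::Socket::SSL's `SSL_reuse_ctx` plus a session cache is the usual route. The enclosing function starts outside the hunk, so it is worth confirming that the handshake is not attempted before the transfer command is sent, since many servers begin TLS on the data socket only after that; a comment saying why the handshake happens at this point would help.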