BW> choose to disable the anti-spoofing (IP) check? E.g. for the scenario
 BW> when a user uses fTelnet (an fTelnet proxy somewhere in the world) and
 BW> then wants to download the file via his/her web browser (another IP)?

fTelnet should be responding to a SENDLOC request which allows Mystic to get the non-proxied IP address of the user.  This is either not working or Mystic is accidentally not using that IP for web downloads which is highly possible.

If we can't get that working then I think the trusted proxy IP option is probably the way to go.  I'll try to take a look at that tonight.

 BW> A configuration option for the download URL (e.g. if you have a web
 BW> server in front of MIS for HTTPS support with a "real" SSL certificate)
 BW> would also be a great addition. :)

The web server does support HTTPS but there was a delay when negotiating connections with CryptLib.  I couldn't figure out why at the time so if memory serves me, I disabled SSL and never came back to it.

It is technically possible to import a CA signed cert for the BBS but Cryptlib doesn't have tools to import standard certificate formats (from what I remember) into their proprietary keystore.

I would like to switch to OpenSSL instead because CryptLib has been annoying to work with for me, and that could simplify much of this stuff.  The problem is that I don't believe OpenSSL supports a SSH server which would be something we need to figure out first.

... User Error: Replace user and hit any key to continue...

--- Mystic BBS v1.12 A48 (Windows/64)