I apologize for replying to myself but I have some more thoughts.
To me, the implied part of implicit SSL means that at the application
level, the user isn't aware that the FTP session is being conducted over
SSL. Having to issue a PROT command to set the data protection level
violates the
There are cases where a client/server just wants a secure channel on
the control connection (encrypt user name and password), but not the
data itself. I don't think it is a good idea to change the default,
but it would be nice to add a new option to the dataConnection to
force SSL.
Sai Pullabhotla
Hello Kevin,
As you already said, we are following the RFC here and, although I admit that
makes little sense these days, Sai is right that it is quite common to
have only the control channel encrypted: I even saw a client (gFtp maybe?)
that didn't support SSL for the data channel. And there
Is that even necessary? The DataConnectionConfig already has an
SslConfiguration property. If that property is set, doesn't that imply that
the data channel should use SSL?
The SSL Configuration for the data connection tells the server that if
a Client wants to use a secure channel, use the
Fair enough.
I could add a new parameter called forceSsl to the DataConnectionConfig.
The IoDataConnectionFactory would then use SSL for the data channel if
forceSsl is true. Does that sound appropriate?
On Wed, Dec 17, 2008 at 4:43 PM, Sai Pullabhotla
sai.pullabho...@jmethods.com wrote:
Is
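
The case discussed in this thread, an encrypted control connection with the data channel left in clear because no PROT P was issued, can be checked for in a command log. The following is an added example, not code from the thread or from the FtpServer code base; the log format, the `audit` function and its `implicit` and `force_ssl` parameters are assumptions, with `force_ssl` modelling the forceSsl option proposed above.

```python
# Commands that open a data connection.
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

# Constructed sample: client commands in an assumed "session-id VERB args" format.
SAMPLE_LOG = """\
s1 AUTH TLS
s1 USER alice
s1 PASS ****
s1 LIST
s1 PBSZ 0
s1 PROT P
s1 RETR report.csv
s1 PROT C
s1 STOR upload.bin
s2 USER bob
s2 PASS ****
s2 RETR notes.txt
"""

def audit(log_text, implicit=False, force_ssl=False):
    """Return (session, command, reason) for each transfer whose data channel is clear.

    implicit  -- control connection is TLS from the first byte (implicit SSL)
    force_ssl -- hypothetical server option: data channel always uses SSL
    Assumes every logged command was accepted by the server.
    """
    findings = []
    state = {}  # session id -> {"tls": control channel encrypted, "prot": "C" or "P"}
    for raw in log_text.splitlines():
        parts = raw.split(None, 2)
        if len(parts) < 2:
            continue
        sid, verb = parts[0], parts[1].upper()
        arg = parts[2].strip() if len(parts) > 2 else ""
        # Data protection starts at Clear, also on an implicit-SSL session.
        st = state.setdefault(sid, {"tls": implicit, "prot": "C"})
        if verb == "AUTH" and arg.upper() == "TLS":
            st["tls"], st["prot"] = True, "C"
        elif verb == "PROT" and st["tls"]:
            st["prot"] = arg.upper()[:1] or "C"
        elif verb in DATA_COMMANDS:
            if force_ssl or (st["tls"] and st["prot"] == "P"):
                continue  # data channel is protected
            reason = "control encrypted, data clear" if st["tls"] else "no TLS at all"
            findings.append((sid, f"{verb} {arg}".strip(), reason))
    return findings
```

Running `audit(SAMPLE_LOG, implicit=True)` shows that an implicit-SSL session without PROT P is still reported, while `force_ssl=True` reports nothing.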