https://bz.apache.org/bugzilla/show_bug.cgi?id=58604
Bug ID: 58604
Summary: Plaintext auth broken in any Implicit FTP/AUTH TLS SSL contexts as of 2.4.13
Product: Apache httpd-2
Version: 2.4.16
Hardware: All
OS: All
Status: NEW
Severity: regression
Priority: P2
Component: mod_ftp
Assignee: [email protected]
Reporter: [email protected]
2.4.13 introduced the following 'regression' in mod_ftp, causing USER/PASS
to always fail for Explicit SSL connections;
http://svn.apache.org/r1662640
Explicit SSL configuration is described in;
https://httpd.apache.org/mod_ftp/ftp/ftp_tls.html
<VirtualHost _default_:21>
FTP On
SSLEngine on
This works because the SSL filter is not added -until- an AUTH TLS command is
given.
Unfortunately I believe that r1662640 is [mostly] correct behavior, and what
should happen here is that we change the recommendation to;
<VirtualHost _default_:21>
FTP On
SSLEngine Optional
but this will not behave 'as expected'. We will need to fake the upgrade
exchange to mod_ssl to cause it to trigger the TLS handshake after the filter
is injected (in effect, causing an SSLEngine On behavior in reaction to FTP's
command).
No dirt simple stupid fix, so I'm opening this as a bug.