[
https://issues.apache.org/jira/browse/FTPSERVER-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16833196#comment-16833196
]
Roy Lu commented on FTPSERVER-491:
----------------------------------
Hi [~johnnyv],
Check NioListener and you will see that the configuration of cipher suites was
set into sslFilter, but no protocol. It seems protocols are missing.

    if (ssl.getEnabledCipherSuites() != null) {
        sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
    }

The SSL configuration actually takes effect in SslFilter sslFilter, and it's
constructed in NioListener. Cipher suites are set into sslFilter at lines
101-103, but no enabledProtocols. Setting this enabledProtocols will solve the
issue.
You can debug it and you will see that in the end the setsslprotocols doesn't
work. You can scan the Apache server with a security tool and you will also
find that the setsslprotocols doesn't work.
> SSLConfigurationFactory.setSslProtocol never actually work
> ----------------------------------------------------------
>
> Key: FTPSERVER-491
> URL: https://issues.apache.org/jira/browse/FTPSERVER-491
> Project: FtpServer
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.1.1
> Reporter: Roy Lu
> Assignee: Jonathan Valliere
> Priority: Critical
> Labels: easyfix
> Fix For: 1.1.2
>
>
> It says in the document: Set the SSL protocol used for this channel.
> Supported values are "SSL" and "TLS". Defaults to "TLS".
> Actually the available value could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is
> mentioned
> [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html]
> at the bottom.
> But the thing is, the +setSslProtocol+ method here actually doesn't work,
> because the SSL protocol set in the +SSLConfiguration+ is never used. Check
> +NioListener+ and you will see this:
> Configuration of cipher suites was set into +sslFilter+ but no protocol. It
> seems protocols are missing.
>
>     if (ssl.getEnabledCipherSuites() != null) {
>         sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
>     }
>
> This leads to a problem:
> In +SSLHandler+, protocols will be set into +sslEngine+. Because the protocol
> was lost when building sslFilter, the protocols setting never works.
>
>     if (this.sslFilter.getEnabledCipherSuites() != null) {
>         this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
>     }
>
>     if (this.sslFilter.getEnabledProtocols() != null) {
>         this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
>     }
>
> I found this because I scanned FTP with Nmap. I set it to critical because
> it's a security issue and hope it can be fixed soon.
>
>
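Added example (not FtpServer or MINA code, and not from the reporter): a JDK-only model of the gap described in this issue, where the cipher suites reach the SSLEngine but the configured protocol list does not, followed by a check that compares the engine against the configuration. The Settings class and all method names are hypothetical, and "TLSv1.2" is a constructed sample value.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
public class EnabledProtocolsDemo {
    // Hypothetical holder for listener TLS settings (not an FtpServer class).
    static final class Settings {
        final String[] cipherSuites;
        final String[] protocols;
        Settings(String[] c, String[] p) { cipherSuites = c; protocols = p; }
    }

    // Models the reported gap: cipher suites are copied, the protocol list is dropped.
    static SSLEngine cipherSuitesOnly(SSLContext ctx, Settings s) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (s.cipherSuites != null) {
            engine.setEnabledCipherSuites(s.cipherSuites);
        }
        return engine;
    }

    // Same wiring plus the missing step: the protocol list is copied as well.
    static SSLEngine cipherSuitesAndProtocols(SSLContext ctx, Settings s) {
        SSLEngine engine = cipherSuitesOnly(ctx, s);
        if (s.protocols != null) {
            engine.setEnabledProtocols(s.protocols);
        }
        return engine;
    }

    // Startup check: does the engine offer exactly the configured protocols?
    static boolean matchesConfig(SSLEngine engine, Settings s) {
        String[] want = s.protocols.clone();
        String[] got = engine.getEnabledProtocols().clone();
        Arrays.sort(want);
        Arrays.sort(got);
        return Arrays.equals(want, got);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed sample settings: JDK default suites, TLSv1.2 only.
        Settings s = new Settings(ctx.getDefaultSSLParameters().getCipherSuites(), new String[] {"TLSv1.2"});
        for (SSLEngine e : new SSLEngine[] {cipherSuitesOnly(ctx, s), cipherSuitesAndProtocols(ctx, s)}) {
            System.out.println(Arrays.toString(e.getEnabledProtocols()) + " matchesConfig=" + matchesConfig(e, s));
        }
    }
}
```

On a JDK whose defaults enable more than TLSv1.2, the first engine keeps the JDK's default protocol list and fails the check, while the second offers only the configured protocol.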