[jira] [Commented] (FTPSERVER-491) SSLConfigurationFactory.setSslProtocol never actually work

Mon, 20 May 2019 09:04:13 -0700 


    [ 
https://issues.apache.org/jira/browse/FTPSERVER-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844071#comment-16844071
 ] 

Jonathan Valliere commented on FTPSERVER-491:
---------------------------------------------

Still waiting for validation that this has been fixed.  I found out today that 
GitHub is not updating from Gitbox so I can't point to the branch diff right 
now.  You can always check out the code directly and use [{{git 
diff}}|https://git-scm.com/docs/git-diff] to view differences.

> SSLConfigurationFactory.setSslProtocol never actually work
> ----------------------------------------------------------
>
>                 Key: FTPSERVER-491
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-491
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.1.1
>            Reporter: Roy Lu
>            Assignee: Jonathan Valliere
>            Priority: Critical
>              Labels: easyfix
>             Fix For: 1.1.2
>
>
> It says in the document: Set the SSL protocol used for this channel. 
> Supported values are "SSL" and "TLS". Defaults to "TLS".
> Actually the available value could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is 
> mentioned 
> [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html]
>  at the bottom.
> But the things is, the +setSslProtocol+ method here actually doesn't work. 
> Because the ssl protocol set in the +SSLConfiguration+ is never used. Check 
> +NioListener+ you will see this:
> Configuration of cipher suites was set into +sslFilter+ but no protocol. It 
> seems protocols are missing.
> |if (ssl.getEnabledCipherSuites() != null) {
>     sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
> }
>  
> |
> This leads to a problem:
> In +SSLHandler+ protocols will be set into +sslEngine+. Because protocol was 
> lost when building sslFilter, so the protocols setting never work.
>  
> |if (this.sslFilter.getEnabledCipherSuites() != null) {
>     
> this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
> }
>  
> if (this.sslFilter.getEnabledProtocols() != null) {
>    this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
> }|
>  
> I found this because I scanned FTP with Nmap. I set it to critical because 
> it's a security issue and hope it can be fixed soon.
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to