[
https://issues.apache.org/jira/browse/FTPSERVER-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468807#comment-17468807
]
Alla Gofman edited comment on FTPSERVER-491 at 1/4/22, 7:53 PM:
----------------------------------------------------------------
The setSslProtocol method accepts String parameter, but should accept String
array.
This eventually causes negotiation with this particular version setted and
doesn't allow negotiate lower version that client may support.
+For example:+
server supports TLSv1.3 and TLSv1.2
client only supports TLSv1.2
I expect the negotiated version will be TLS1.2 then I set the server side with
SSLContext.getInstance("TLSv1.3")
JVM run with -Djdk.tls.server.protocols=TLSv1.3,TLSv1.2
If I try to set server with SSLContext.getInstance("TLSv1.2")
then client which supports TLSv1.3 and lower versions connects only with
TLSv1.2.
*The protocol requirement that client and server negotiate the higher algorithm
they both support doesn't happening.*
SSLContext.getInstance("TLS") - fails on AUTH because of SSLFilter after this
fix!
the previous behavior worked good from negotiation perspective.
Please consider to use other logic for SslFilter checks.
[https://github.com/apache/mina-ftpserver/blob/92fbe586b61c9a75dbf057be4b42e5f255932e83/core/src/main/java/org/apache/ftpserver/ssl/SslConfigurationFactory.java#L171]
/**
* Set the SSL protocol used for this channel. Supported values are "SSL" and
"TLS". Defaults to "TLS".
*
* @param sslProtocol
* The SSL protocol
*/
public void setSslProtocol(String sslProtocol) \{ if (sslProtocol == null ||
sslProtocol.length() == 0) throw new
FtpServerConfigurationException("SslProcotol must not be null or zero length");
this.sslProtocol = sslProtocol; }
was (Author: allag):
The setSslProtocol method accepts String sslProtocol parameter, this eventually
causes negotiation set only with this particular version and doesn't allow
negotiate lower version that client may be supports.
For example:
if server supports TLSv1.3 and TLSv1.2
and client only supports TLSv1.2
I expect the negotiated version will be TLS1.2 then I set the server side with
SSLContext.getInstance("TLSv1.3")
and JVM run with
-Djdk.tls.server.protocols=TLSv1.3,TLSv1.2
SSLContext.getInstance("TLS") - fails on AUTH because of SSLFilter after this
fix!
the previous behavior worked good from negotiation perspective.
Please consider to use other logic for SslFilter checks.
[https://github.com/apache/mina-ftpserver/blob/92fbe586b61c9a75dbf057be4b42e5f255932e83/core/src/main/java/org/apache/ftpserver/ssl/SslConfigurationFactory.java#L171]
/**
* Set the SSL protocol used for this channel. Supported values are "SSL" and
"TLS". Defaults to "TLS".
*
* @param sslProtocol
* The SSL protocol
*/
public void setSslProtocol(String sslProtocol) \{ if (sslProtocol == null ||
sslProtocol.length() == 0) throw new
FtpServerConfigurationException("SslProcotol must not be null or zero length");
this.sslProtocol = sslProtocol; }
> SSLConfigurationFactory.setSslProtocol never actually work
> ----------------------------------------------------------
>
> Key: FTPSERVER-491
> URL: https://issues.apache.org/jira/browse/FTPSERVER-491
> Project: FtpServer
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.1.1
> Reporter: Roy Lu
> Assignee: Jonathan Valliere
> Priority: Critical
> Labels: easyfix
> Fix For: 1.1.2
>
>
> It says in the document: Set the SSL protocol used for this channel.
> Supported values are "SSL" and "TLS". Defaults to "TLS".
> Actually the available value could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is
> mentioned
> [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html]
> at the bottom.
> But the things is, the +setSslProtocol+ method here actually doesn't work.
> Because the ssl protocol set in the +SSLConfiguration+ is never used. Check
> +NioListener+ you will see this:
> Configuration of cipher suites was set into +sslFilter+ but no protocol. It
> seems protocols are missing.
> |if (ssl.getEnabledCipherSuites() != null) {
> sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
> }
>
> |
> This leads to a problem:
> In +SSLHandler+ protocols will be set into +sslEngine+. Because protocol was
> lost when building sslFilter, so the protocols setting never work.
>
> |if (this.sslFilter.getEnabledCipherSuites() != null) {
>
> this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
> }
>
> if (this.sslFilter.getEnabledProtocols() != null) {
> this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
> }|
>
> I found this because I scanned FTP with Nmap. I set it to critical because
> it's a security issue and hope it can be fixed soon.
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
