SSL data connection enables all supported ciphers
-------------------------------------------------

                 Key: FTPSERVER-97
                 URL: https://issues.apache.org/jira/browse/FTPSERVER-97
             Project: FtpServer
          Issue Type: Bug
          Components: Core
    Affects Versions: 1.0-M1
            Reporter: Steve Jones


The SSL implementation that is used by default for FTP data transfers 
(DefaultSsl) enables all SSL cipher suites:

  String cipherSuites[] = serverSocket.getSupportedCipherSuites();
  serverSocket.setEnabledCipherSuites(cipherSuites);

This is likely to enable ciphers such as:

  SSL_RSA_WITH_NULL_MD5
  SSL_RSA_WITH_NULL_SHA

This means that there is no confidentiality for the transport (in other words, 
authentication will occur, but after that communication is in the clear). 

Usually you would not want to allow this, so it is best not to enable all 
ciphers.

Here's a reference to this issue for another Apache project:

  http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/[EMAIL 
PROTECTED]

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
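
As an added example (not FtpServer's code and not part of the original report), one way to avoid enabling every supported suite is to filter the supported list before calling setEnabledCipherSuites. The class name, the deny-list markers and the sample suite names are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteFilter {

    // Assumed deny list: name fragments of suites with no encryption (NULL),
    // no server authentication (anon), export-grade keys, single DES, RC4, MD5.
    private static final String[] REJECTED = {
        "_NULL_", "_anon_", "_EXPORT_", "_DES_", "_RC4_", "_MD5"
    };

    // Returns only the suites whose names contain none of the rejected markers.
    static String[] filter(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            boolean acceptable = true;
            for (String marker : REJECTED) {
                if (suite.contains(marker)) { acceptable = false; break; }
            }
            if (acceptable) kept.add(suite);
        }
        // Fail closed instead of silently falling back to a weak configuration.
        if (kept.isEmpty()) {
            throw new IllegalStateException("no acceptable cipher suites available");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample list; only the AES suite survives the filter.
        String[] sample = {
            "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA",
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println("sample: " + String.join(", ", filter(sample)));

        // Same filter applied to a real server socket from the default factory.
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket serverSocket =
                 (SSLServerSocket) factory.createServerSocket(0)) {
            serverSocket.setEnabledCipherSuites(
                filter(serverSocket.getSupportedCipherSuites()));
            for (String s : serverSocket.getEnabledCipherSuites()) System.out.println(s);
        }
    }
}
```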
