[ https://issues.apache.org/jira/browse/FTPSERVER-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12504201 ]
Niklas Gustavsson commented on FTPSERVER-97: -------------------------------------------- The current setting leaves it up to the client to decide on the security level it wants. We should probably provide a way to enforce this on the server side (like we allow a way to enforce SSL/TLS at all). How about providing a configuration option where you can set the allowed ciphers? If we do, what value should we use default? > SSL data connection enables all supported ciphers > ------------------------------------------------- > > Key: FTPSERVER-97 > URL: https://issues.apache.org/jira/browse/FTPSERVER-97 > Project: FtpServer > Issue Type: Bug > Components: Core > Affects Versions: 1.0-M1 > Reporter: Steve Jones > > The SSL implementation that is used by default for FTP data transfers > (DefaultSsl) enables all SSL cipher suites: > String cipherSuites[] = serverSocket.getSupportedCipherSuites(); > serverSocket.setEnabledCipherSuites(cipherSuites); > This is likely to enable ciphers such as: > SSL_RSA_WITH_NULL_MD5 > SSL_RSA_WITH_NULL_SHA > Which means that there is no confidentiality for the transport (in other > words authentication will occur but after that communication is in the > clear). > Usually you would not want to allow this, so it is best not to enable all > ciphers. > Here's a reference to this issue for another apache project: > http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/[EMAIL > PROTECTED] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.