Steve Jones commented on FTPSERVER-97:

The approach used by Tomcat is to allow users to enable a subset of the default 
cipher suites.

Here's where the set of cipher suites to enable is calculated (see 


Here's the changeset where they switched from allowing selection from all 
available cipher suites to just from those enabled by default:


I don't know of any way to deactivate cipher suites that only support 
authentication, but there's a comprehensive list here (Appendix B) to choose 
from ....


If you use this (blacklist) approach, I would also recommend avoiding any 
anonymous cipher suites (due to the possibility of man-in-the-middle attacks).

> SSL data connection enables all supported ciphers
> -------------------------------------------------
>                 Key: FTPSERVER-97
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-97
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.0-M1
>            Reporter: Steve Jones
> The SSL implementation that is used by default for FTP data transfers 
> (DefaultSsl) enables all SSL cipher suites:
>   String cipherSuites[] = serverSocket.getSupportedCipherSuites();
>   serverSocket.setEnabledCipherSuites(cipherSuites);
> This is likely to enable ciphers such as:
> Which means that there is no confidentiality for the transport (in other 
> words authentication will occur but after that communication is in the 
> clear). 
> Usually you would not want to allow this, so it is best not to enable all 
> ciphers.
> Here's a reference to this issue for another apache project:
>   http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/[EMAIL 

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

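The following is an added example, not code from FtpServer, Tomcat or the commenter. It places the pattern reported in the issue (enabling every suite the provider supports) beside the Tomcat-style fix the comment describes: start from the suites JSSE enables by default and drop the ones that give no confidentiality (NULL bulk cipher) or no server authentication (anonymous key exchange). The substring markers `_WITH_NULL_`, `_anon_` and `_EXPORT_`, the class name `CipherSuiteFilter` and the sample suite names are assumptions based on the JSSE naming convention; the sample list is constructed, not taken from any real provider.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteFilter {

    // Markers for suites that must not be used on a channel that is supposed to be
    // both authenticated and confidential. Assumption: JSSE naming convention, e.g.
    // SSL_RSA_WITH_NULL_SHA (no encryption), TLS_DH_anon_WITH_AES_128_CBC_SHA (no
    // server authentication), SSL_RSA_EXPORT_WITH_RC4_40_MD5 (export-grade keys).
    private static final String[] BLACKLIST = {
        "_WITH_NULL_",   // NULL bulk cipher: authentication only, traffic in the clear
        "_anon_",        // anonymous key exchange: man-in-the-middle is possible
        "_EXPORT_",      // 40/56-bit export-grade key sizes
    };

    // Tomcat-style: take the provider's default-enabled suites (not every supported
    // one) and remove the blacklisted entries. Pure function, so it is easy to test.
    public static String[] filterCipherSuites(String[] defaultSuites) {
        List<String> kept = new ArrayList<>();
        for (String suite : defaultSuites) {
            boolean rejected = false;
            for (String marker : BLACKLIST) {
                if (suite.contains(marker)) {
                    rejected = true;
                    break;
                }
            }
            if (!rejected) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    // The pattern reported in the issue: enable everything the provider can do,
    // including NULL-encryption and anonymous suites. Kept here only for contrast.
    public static void enableAllSupported(SSLServerSocket serverSocket) {
        serverSocket.setEnabledCipherSuites(serverSocket.getSupportedCipherSuites());
    }

    // Hardened form: restrict the server socket to the filtered default set. Sockets
    // returned by accept() inherit the enabled suites of the server socket.
    public static void enableFilteredDefaults(SSLServerSocket serverSocket) {
        serverSocket.setEnabledCipherSuites(
                filterCipherSuites(serverSocket.getEnabledCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for getSupportedCipherSuites() output.
        String[] sample = {
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_NULL_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        };
        System.out.println("kept: " + Arrays.toString(filterCipherSuites(sample)));

        // Apply the filter to a real JSSE server socket on an ephemeral port. Assumption:
        // the JVM's default SSL context is usable; a real deployment would configure a
        // keystore so that the RSA/ECDHE suites actually have a certificate to use.
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket serverSocket =
                     (SSLServerSocket) factory.createServerSocket(0)) {
            int before = serverSocket.getEnabledCipherSuites().length;
            enableFilteredDefaults(serverSocket);
            int after = serverSocket.getEnabledCipherSuites().length;
            System.out.println("default-enabled: " + before + ", after filter: " + after);
        }
    }
}
```

The substring blacklist is the approach the comment calls a "blacklist"; it is easy to retrofit but depends on the provider's naming scheme, so check the result of `getEnabledCipherSuites()` after filtering rather than trusting the markers. An explicit allowlist of suites is the stronger option when the deployment's clients are known.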