[ https://issues.apache.org/jira/browse/FTPSERVER-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12504543 ]
Steve Jones commented on FTPSERVER-97:
--------------------------------------

The approach used by Tomcat is to allow users to enable a subset of the default cipher suites. Here's where the set of cipher suites to enable is calculated (see getEnabledCiphers):

http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?view=markup

Here's the changeset where they switched from allowing selection from all available cipher suites to just from those enabled by default:

http://svn.apache.org/viewvc?view=rev&revision=385160

I don't know of any way to deactivate cipher suites that only support authentication, but there's a comprehensive list here (Appendix B) to choose from ....

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE

If you use this (blacklist) approach, I would recommend avoiding any anonymous cipher suites also (due to the possibility of man-in-the-middle attacks).

> SSL data connection enables all supported ciphers
> -------------------------------------------------
>
> Key: FTPSERVER-97
> URL: https://issues.apache.org/jira/browse/FTPSERVER-97
> Project: FtpServer
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.0-M1
> Reporter: Steve Jones
>
> The SSL implementation that is used by default for FTP data transfers
> (DefaultSsl) enables all SSL cipher suites:
>
> String cipherSuites[] = serverSocket.getSupportedCipherSuites();
> serverSocket.setEnabledCipherSuites(cipherSuites);
>
> This is likely to enable ciphers such as:
> SSL_RSA_WITH_NULL_MD5
> SSL_RSA_WITH_NULL_SHA
> Which means that there is no confidentiality for the transport (in other
> words authentication will occur but after that communication is in the
> clear).
> Usually you would not want to allow this, so it is best not to enable all
> ciphers.
> Here's a reference to this issue for another apache project:
> http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/[EMAIL PROTECTED]
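Added example, not FtpServer's or Tomcat's code: it contrasts the two approaches from the thread on a JSSE `SSLServerSocket`. `selectFromDefaults` is the Tomcat-style allow-list (a requested suite is enabled only if it is among the JSSE defaults); `dropNullAndAnon` is the deny-list the comment describes (remove NULL-cipher and anonymous suites). The class name, method names and the sample suite list are assumptions made for this example.

```java
import javax.net.ssl.SSLServerSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Example code (not part of FtpServer). Shows how to fix the DefaultSsl
// pattern quoted in the issue: start from the default-enabled suites,
// never from getSupportedCipherSuites(), and filter from there.
public final class CipherSuiteSelection {

    private CipherSuiteSelection() {}

    /** Tomcat-style allow-list: keep only requested suites that are also JSSE defaults. */
    static String[] selectFromDefaults(String[] requested, String[] defaults) {
        Set<String> allowed = new HashSet<String>(Arrays.asList(defaults));
        List<String> enabled = new ArrayList<String>();
        for (String suite : requested) {
            if (allowed.contains(suite) && !enabled.contains(suite)) {
                enabled.add(suite);
            }
        }
        return enabled.toArray(new String[0]);
    }

    /** Deny-list: drop suites with no encryption (_WITH_NULL_) or no peer authentication (_anon_). */
    static String[] dropNullAndAnon(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String suite : suites) {
            if (suite.contains("_WITH_NULL_") || suite.contains("_anon_")) {
                continue; // no confidentiality, or MITM-prone anonymous key exchange
            }
            kept.add(suite);
        }
        return kept.toArray(new String[0]);
    }

    /** Hardened replacement for the two lines quoted in the issue. */
    static void harden(SSLServerSocket serverSocket) {
        String[] defaults = serverSocket.getEnabledCipherSuites(); // JSSE defaults, not all supported
        serverSocket.setEnabledCipherSuites(dropNullAndAnon(defaults));
    }

    public static void main(String[] args) {
        // Constructed sample of what getSupportedCipherSuites() could return; not a real socket
        String[] supported = { "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
                               "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA", "SSL_DH_anon_WITH_RC4_128_MD5" };
        System.out.println(Arrays.toString(dropNullAndAnon(supported)));
        String[] requested = { "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_NULL_SHA" };
        System.out.println(Arrays.toString(selectFromDefaults(requested, new String[] { "TLS_RSA_WITH_AES_128_CBC_SHA" })));
    }
}
```

Running `main` prints the sample list with the two NULL suites and the anonymous DH suite removed, and then only the AES suite for the allow-list case, since `SSL_RSA_WITH_NULL_SHA` is not in the defaults handed to `selectFromDefaults`.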