[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

Sat, 03 Mar 2012 07:18:20 -0800 

    [ 
https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221606#comment-13221606
 ] 

Deepak Pant commented on NET-448:
---------------------------------

Thanks for prompt responses. I have tried FTPSClient.setTrustManager(null) and 
there is no difference in behavior.

Just to clarify the sequence of events:
1. My program establishes connection to FTPS server in explicit mode using SSL 
or TLS protocol.
2. Server returns the public certificate installed at the server, which happens 
to be self-signed certificate in my case.
3. The default implementation of TrustManager checks if the public cert 
returned is valid in terms of dates. I think this is 
X509Certificate.checkValidity() method call, which only looks at dates.
4. No additional checks are being made to check if public cert was issued by a 
CA or self signed etc.



                
> Self signed cert or ca not installed on client but FTPS still works
> -------------------------------------------------------------------
>
>                 Key: NET-448
>                 URL: https://issues.apache.org/jira/browse/NET-448
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 2.0, 3.1
>         Environment: client: Windows SP sp4, jdk 1.6.0_24
> server: Linux 2.6.32-220.4.2.el6.i686 running vsFTPd 2.2.2
> apache lib: commons-net-2.0.jar or commons-net-3.1.jar or 
> commons-net-2.0-jdk14.jar (from zehon)
>            Reporter: Deepak Pant
>            Priority: Trivial
>
> I am using vsftpd ftp server on centos with our own self signed root ca 
> certificate.
> I have not installed the self signed root certificate on the client machine. 
> Neither am I setting the Trust Manager on the FTPSClient object, using 
> X509TrustManager instance pointing to my physical cert file.
> But I am still able to use the FTPSClient bundled in any of the following jar 
> file and send/receive the files.
> commons-net-2.0.jar 
> commons-net-3.1.jar 
> commons-net-2.0-jdk14.jar (from zehon)
> I was expecting that I will have to either install the self signed root ca on 
> the client machine Or set Trust Manager etc.
> Can you please explain the behavior? 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to