Roy Lu created FTPSERVER-491:
--------------------------------

Summary: SSLConfigurationFactory.setSslProtocol never actually work
Key: FTPSERVER-491
URL: https://issues.apache.org/jira/browse/FTPSERVER-491
Project: FtpServer
Issue Type: Bug
Components: Core
Affects Versions: 1.1.1
Reporter: Roy Lu

It says in the document:

    Set the SSL protocol used for this channel. Supported values are "SSL" and "TLS". Defaults to "TLS".

Actually, the available values could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is mentioned [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html] at the bottom.

But the thing is, the +setSslProtocol+ method here actually doesn't work, because the SSL protocol set in the +SSLConfiguration+ is never used. Check +NioListener+ and you will see this: the configuration of cipher suites was set into +sslFilter+, but no protocol. It seems protocols are missing.

    if (ssl.getEnabledCipherSuites() != null) {
        sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
    }

This leads to a problem: in +SSLHandler+, protocols will be set into +sslEngine+. Because the protocol was lost when building sslFilter, the protocol setting never works.

    if (this.sslFilter.getEnabledCipherSuites() != null) {
        this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
    }
    if (this.sslFilter.getEnabledProtocols() != null) {
        this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
    }

I found this because I scanned FTP with Nmap. I set it to critical because it's a security issue and hope it can be fixed soon.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
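
The effect described in the report, as an added illustration that is not FtpServer or MINA code: it uses only the JDK's javax.net.ssl API to show that an engine whose protocol list is never passed down keeps the JSSE provider's defaults, while one that receives the list is restricted to it. The class name, the method names and the "TLSv1.2" setting are assumptions made for the example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;

// Added illustration; class and method names are hypothetical, not FtpServer/MINA code.
public class ProtocolPropagationDemo {

    // Mirrors the null-guarded copy quoted in the report: a value is applied
    // to the engine only when the filter-level setting is non-null.
    static void applyFilterSettings(SSLEngine engine, String[] cipherSuites, String[] protocols) {
        if (cipherSuites != null) {
            engine.setEnabledCipherSuites(cipherSuites);
        }
        if (protocols != null) {
            engine.setEnabledProtocols(protocols);
        }
    }

    static SSLEngine newServerEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        String[] wanted = {"TLSv1.2"}; // assumed operator setting

        // Case 1: the protocol setting never reached the filter (null),
        // so the engine keeps whatever the JSSE provider enables by default.
        SSLEngine lost = newServerEngine();
        applyFilterSettings(lost, null, null);
        System.out.println("protocols not propagated: "
                + Arrays.toString(lost.getEnabledProtocols()));

        // Case 2: the protocol setting reaches the engine and restricts it.
        SSLEngine kept = newServerEngine();
        if (!Arrays.asList(kept.getSupportedProtocols()).contains(wanted[0])) {
            throw new IllegalStateException(wanted[0] + " not supported by this JRE");
        }
        applyFilterSettings(kept, null, wanted);
        System.out.println("protocols propagated:     "
                + Arrays.toString(kept.getEnabledProtocols()));
    }
}
```

The first line of output lists every protocol the running JRE enables by default, which is what a scanner would see offered when the configured value is dropped before it reaches the engine.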