Roy Lu created FTPSERVER-491:
--------------------------------

             Summary: SSLConfigurationFactory.setSslProtocol never actually works
                 Key: FTPSERVER-491
                 URL: https://issues.apache.org/jira/browse/FTPSERVER-491
             Project: FtpServer
          Issue Type: Bug
          Components: Core
    Affects Versions: 1.1.1
            Reporter: Roy Lu


The documentation says: "Set the SSL protocol used for this channel. Supported 
values are "SSL" and "TLS". Defaults to "TLS"."

Actually the available values could be TLSv1, TLSv1.1, TLSv1.2 or SSLv3. This is 
mentioned at the bottom of 
[https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html].

But the thing is, the +setSslProtocol+ method here actually doesn't work, 
because the SSL protocol set in the +SSLConfiguration+ is never used. Check 
+NioListener+ and you will see this:

Configuration of cipher suites is set into +sslFilter+, but no protocol. It 
seems the protocols are missing:

    if (ssl.getEnabledCipherSuites() != null) {
        sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
    }

This leads to a problem:

In +SSLHandler+ the protocols are set into +sslEngine+. Because the protocol was 
lost when building +sslFilter+, the protocol setting never works:

    if (this.sslFilter.getEnabledCipherSuites() != null) {
        this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
    }

    if (this.sslFilter.getEnabledProtocols() != null) {
        this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
    }

I found this because I scanned FTP with Nmap. I set it to critical because it's 
a security issue and hope it can be fixed soon.
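The following is an added example, not FtpServer or MINA code. It shows the propagation step the report says is missing (a configured protocol list reaching the javax.net.ssl.SSLEngine that performs the handshake) together with the check that would have caught this bug: what the engine will negotiate must equal what the configuration asked for. CONFIGURED_PROTOCOLS is a constructed stand-in for the value read from the SSL configuration.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (not FtpServer/MINA code): configured protocols must reach the
// SSLEngine, and a test should confirm that they did.
public class ProtocolPropagationCheck {

    /** Constructed stand-in for the protocol list read from the SSL configuration. */
    static final String[] CONFIGURED_PROTOCOLS = { "TLSv1.2" };

    /** Builds a server-side engine and applies the configured protocols,
     *  the step the report shows being skipped when building the filter. */
    static SSLEngine buildEngine(String[] configured)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust material is enough for this check
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (configured != null) {
            // setEnabledProtocols throws IllegalArgumentException for names the
            // provider does not support, so validate first and fail with context.
            Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
            for (String p : configured) {
                if (!supported.contains(p)) {
                    throw new IllegalArgumentException("Unsupported protocol in config: " + p);
                }
            }
            engine.setEnabledProtocols(configured);
        }
        return engine;
    }

    /** The assertion that detects a lost setting: enabled == configured. */
    static boolean protocolsMatchConfig(SSLEngine engine, String[] configured) {
        Set<String> enabled = new HashSet<>(Arrays.asList(engine.getEnabledProtocols()));
        return enabled.equals(new HashSet<>(Arrays.asList(configured)));
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = buildEngine(CONFIGURED_PROTOCOLS);
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("matches config: " + protocolsMatchConfig(engine, CONFIGURED_PROTOCOLS));
    }
}
```

If the configured list never reaches the engine, `protocolsMatchConfig` returns false because the engine keeps the provider's default set (for example TLSv1.3 and TLSv1.2 on a current JDK, older versions on older JDKs).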

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)