Found a missing return in org.apache.ftpserver.command.AUTH.java.
Around line 55 there is the following code:-

        // check SSL configuration
        IFtpConfig fconfig = handler.getConfig();
        Log log = fconfig.getLogFactory().getInstance(getClass());
        if(fconfig.getSocketFactory().getSSL() == null) {
            out.send(431, "AUTH", null);
        }

A return or an else is needed after sending the 431 response,
otherwise it drops into the rest of the code and gets out of sync.

Also, following on from that we have:-

                handler.createSecureSocket("SSL");

And in RequestHandler.createSecureSocket() it gets the SSL from the
DataConnectionConfig.

        ISsl ssl = m_fconfig.getDataConnectionConfig().getSSL();

Should this be the normal socket config because we're dealing with
the Control channel initially?  Otherwise you cannot configure the
system to only secure the control channel (not that you would want
to), but it means that in the config you have to set the
socket-factory.ssl stuff as well as the data-connection.ssl stuff.

- Dave.
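
Added example, not part of the original message or the FtpServer code base: a simplified Java model of the control flow described above, showing the replies the control channel produces for one AUTH command with and without the early return. `AuthFlowDemo`, `Session` and the method names are hypothetical, and the 234 success reply (RFC 4217) and the handshake step stand in for the rest of the handler, which the message does not quote.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: a simplified model of the AUTH handler's control flow.
// AuthFlowDemo, Session and the method names are hypothetical, not FtpServer classes.
public class AuthFlowDemo {

    /** Records what the server does on the control channel for one command. */
    static class Session {
        final List<String> actions = new ArrayList<>();
        void send(int code, String text) { actions.add(code + " " + text); }
        void startTlsHandshake() { actions.add("<TLS handshake started>"); }
    }

    // Shape of the reported code: the 431 is sent, then execution falls through.
    static void authWithoutReturn(Session s, boolean controlSslConfigured) {
        if (!controlSslConfigured) {
            s.send(431, "AUTH");
        }
        s.send(234, "AUTH");          // assumed remainder of the handler (RFC 4217 success reply)
        s.startTlsHandshake();
    }

    // Same handler with the early return the message asks for.
    static void authWithReturn(Session s, boolean controlSslConfigured) {
        if (!controlSslConfigured) {
            s.send(431, "AUTH");
            return;                   // one command, one final reply
        }
        s.send(234, "AUTH");
        s.startTlsHandshake();
    }

    public static void main(String[] args) {
        Session broken = new Session();
        authWithoutReturn(broken, false);
        System.out.println("without return: " + broken.actions);

        Session fixed = new Session();
        authWithReturn(fixed, false);
        System.out.println("with return:    " + fixed.actions);
    }
}
```

Without the return, the client reads the 431 and stays in cleartext while the server has also sent a success reply and begun a handshake, which is the loss of sync the message reports.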
