[
https://issues.apache.org/jira/browse/FTPSERVER-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12504353
]
Steve Jones commented on FTPSERVER-97:
--------------------------------------
I don't think these ciphers should be enabled by default, the expectation when
using "PROT P" is that the communication of data is "private", which (in the
RFC) is later defined to mean integrity and confidentiality protected.
This doesn't really restrict implict FTPS but I think if people use SSL they
expect data protection.
Here's a section from RFC 2228 related to the "PROT P" command that would be
used to specify SSL for a data connection.
RFC 2228 - FTP Security Extensions - DATA CHANNEL PROTECTION LEVEL (PROT)
This command indicates to the server what type of data channel
protection the client and server will be using. The following
codes are assigned:
C - Clear
S - Safe
E - Confidential
P - Private
The default protection level if no other level is specified is
Clear. The Clear protection level indicates that the data channel
will carry the raw data of the file transfer, with no security
applied. The Safe protection level indicates that the data will
be integrity protected. The Confidential protection level
indicates that the data will be confidentiality protected. The
Private protection level indicates that the data will be integrity
and confidentiality protected.
That said, I certainly agree that it would be a good enhancement to allow
configuration of SSL ciphers. I think by default nothing should be configured
by the FTP server, this allows the SSL provider to be configured in some other
way (e.g. programmatically in an embedded environment, or using provider
specific configuration file)
It could also be useful allow SSL to be required, and for implict SSL to
default protection to on, though currently it is possible to do this using the
Ftplet API.
> SSL data connection enables all supported ciphers
> -------------------------------------------------
>
> Key: FTPSERVER-97
> URL: https://issues.apache.org/jira/browse/FTPSERVER-97
> Project: FtpServer
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.0-M1
> Reporter: Steve Jones
>
> The SSL implementation that is used by default for FTP data transfers
> (DefaultSsl) enables all SSL cipher suites:
> String cipherSuites[] = serverSocket.getSupportedCipherSuites();
> serverSocket.setEnabledCipherSuites(cipherSuites);
> This is likely to enable ciphers such as:
> SSL_RSA_WITH_NULL_MD5
> SSL_RSA_WITH_NULL_SHA
> Which means that there is no confidentiality for the transport (in other
> words authentication will occur but after that communication is in the
> clear).
> Usually you would not want to allow this, so it is best not to enable all
> ciphers.
> Here's a reference to this issue for another apache project:
> http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/[EMAIL
> PROTECTED]
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
