[ https://issues.apache.org/jira/browse/FTPSERVER-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12504379 ]
Niklas Gustavsson commented on FTPSERVER-97:
--------------------------------------------

Agreed on the need for encryption (after reading the RFC excerpt). I think that means that we should try to deactivate any ciphers that only give signing. Anyone got a suggestion for how to do that? We could of course disable those above specifically, but that will break as soon as a new hashing algorithm is introduced (something quite likely at the moment, as both MD5 and SHA1 are pretty much broken).

> SSL data connection enables all supported ciphers
> -------------------------------------------------
>
>                 Key: FTPSERVER-97
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-97
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.0-M1
>            Reporter: Steve Jones
>
> The SSL implementation that is used by default for FTP data transfers
> (DefaultSsl) enables all SSL cipher suites:
>
>     String cipherSuites[] = serverSocket.getSupportedCipherSuites();
>     serverSocket.setEnabledCipherSuites(cipherSuites);
>
> This is likely to enable ciphers such as:
>
>     SSL_RSA_WITH_NULL_MD5
>     SSL_RSA_WITH_NULL_SHA
>
> Which means that there is no confidentiality for the transport (in other
> words authentication will occur but after that communication is in the
> clear).
>
> Usually you would not want to allow this, so it is best not to enable all
> ciphers.
>
> Here's a reference to this issue for another apache project:
> http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/[EMAIL PROTECTED]

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
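One way to do the filtering asked about in the comment above, as an added example that is not FtpServer code and not from anyone on this thread: instead of listing the NULL suites by name, reject any suite whose cipher component (the token after WITH_ in JSSE suite names) is NULL. That token is the part of the name that stays the same when a new hash or MAC algorithm is introduced, so SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA and a hypothetical future TLS_RSA_WITH_NULL_SHA256 are all caught by one rule. The class name, method names, the extra anonymous/export rules and the sample suite list are my own assumptions; the two JSSE calls are the ones quoted in the issue description.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example (not FtpServer code): keep only cipher suites that give
 * confidentiality, without enumerating suites by name.
 *
 * JSSE suite names have the shape <protocol>_<key exchange>_WITH_<cipher>_<hash>,
 * e.g. SSL_RSA_WITH_NULL_MD5. "NULL" in the cipher position means the record
 * layer is authenticated but not encrypted, whatever hash follows it.
 */
public final class CipherSuiteFilter {

    /** Hypothetical policy: true if the suite encrypts and authenticates the peer. */
    static boolean providesConfidentiality(String suite) {
        String s = suite.toUpperCase();
        if (s.contains("_WITH_NULL_")) {
            return false;   // integrity only; payload travels in the clear
        }
        if (s.contains("_ANON_")) {
            return false;   // anonymous key exchange: encrypted, but no server authentication
        }
        if (s.contains("_EXPORT")) {
            return false;   // export-grade suites use deliberately weakened keys
        }
        return true;
    }

    /** Returns the subset of 'supported' that passes the policy, preserving order. */
    public static String[] filter(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String suite : supported) {
            if (providesConfidentiality(suite)) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Replacement for the two lines quoted in the issue description. */
    public static void configure(SSLServerSocket serverSocket) {
        String[] cipherSuites = filter(serverSocket.getSupportedCipherSuites());
        serverSocket.setEnabledCipherSuites(cipherSuites);
    }

    public static void main(String[] args) {
        // Constructed sample input in JSSE naming style, not a real socket's list.
        String[] sample = {
            "SSL_RSA_WITH_NULL_MD5",               // rejected: NULL cipher
            "SSL_RSA_WITH_NULL_SHA",               // rejected: NULL cipher
            "TLS_RSA_WITH_NULL_SHA256",            // rejected: newer hash, same rule
            "SSL_DH_anon_WITH_RC4_128_MD5",        // rejected: anonymous
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",      // rejected: export grade
            "TLS_RSA_WITH_AES_128_CBC_SHA",        // kept
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"  // kept
        };
        System.out.println(Arrays.asList(filter(sample)));
    }
}
```

The filter has to be applied wherever a socket is created, including the client side of a data connection, since each SSLSocket and SSLServerSocket starts with the provider's default enabled list. Matching on names assumes the JSSE naming convention above; a provider that names suites differently would need its own rule. On newer JDKs the jdk.tls.disabledAlgorithms security property in java.security can switch such suites off for the whole JVM, which is a useful belt-and-braces complement to per-socket filtering but does not remove the need to fix the code that enables every supported suite.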