Dear, I'm trying to force my FTP users to use SSL/TLS encryption for both command and data connections, but the following happens:
When using implicit-ssl=false, my FTP client (kasablanca with encryption level 3, i.e. command and data encryption) connects to the server fine and both connections are encrypted. Everything is OK.

When using implicit-ssl=true, the same FTP client hangs saying the server is occupied and times out saying "connection failed" without logging me in; the server log contains:

[DEBUG] [/127.0.0.1:41212] doHandshake()
[DEBUG] [/127.0.0.1:41212] initialHandshakeStatus=NEED_UNWRAP
[DEBUG] [/127.0.0.1:41212] unwrapHandshake()
[DEBUG] [/127.0.0.1:41212] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[DEBUG] [/127.0.0.1:41212] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
[DEBUG] [/127.0.0.1:41212] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 0
[INFO] [/127.0.0.1:41212] CREATED
[INFO] [/127.0.0.1:41212] OPENED
[DEBUG] Launching thread for /127.0.0.1:41212
[INFO] Open connection - 127.0.0.1
[INFO] [/127.0.0.1:41212] WRITE: 220 Service ready for new user.
[DEBUG] [/127.0.0.1:41212] Filtered Write: [EMAIL PROTECTED]
[DEBUG] [/127.0.0.1:41212] Handshaking is not complete yet. Buffering write request.
[DEBUG] [/127.0.0.1:41212] Filtered Write: [EMAIL PROTECTED]
[DEBUG] [/127.0.0.1:41212] Handshaking is not complete yet. Buffering write request.
[DEBUG] Exiting since queue is empty for /127.0.0.1:41212
[INFO] Removing idle user null
[INFO] [/127.0.0.1:41212] CLOSE
[DEBUG] [/127.0.0.1:41212] write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[DEBUG] [/127.0.0.1:41212] session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
[DEBUG] [/127.0.0.1:41212] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1263)
        at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
        at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:367)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:268)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:631)
        at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:482)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:268)
        at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:263)
        at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:231)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:196)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44)
        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:478)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:39)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
        at java.lang.Thread.run(Thread.java:595)
[INFO] [/127.0.0.1:41212] CLOSED
[DEBUG] Launching thread for /127.0.0.1:41212
[INFO] Close connection : 127.0.0.1 - <Not logged in>
[DEBUG] Exiting since queue is empty for /127.0.0.1:41212

Here is the ftp.properties SSL section I use:

config.listeners.default.class=org.apache.ftpserver.listener.mina.MinaListener
config.listeners.default.address=127.0.0.1
config.listeners.default.port=20021
config.listeners.default.implicit-ssl=true
config.listeners.default.ssl.class=org.apache.ftpserver.ssl.DefaultSsl
config.listeners.default.ssl.keystore-file=./res/.test.keystore
config.listeners.default.ssl.keystore-password=password
config.listeners.default.ssl.keystore-type=JKS
config.listeners.default.ssl.keystore-algorithm=SunX509
config.listeners.default.ssl.ssl-protocol=TLS
config.listeners.default.ssl.client-authentication=false
config.listeners.default.ssl.key-password=password
config.listeners.default.data-connection.class=org.apache.ftpserver.DefaultDataConnectionConfig
#config.listeners.default.data-connection.idle-time=10
#config.listeners.default.data-connection.active.enable=true
config.listeners.default.data-connection.active.local-address=127.0.0.1
#config.listeners.default.data-connection.active.local-port=20
#config.listeners.default.data-connection.active.ip-check=false
config.listeners.default.data-connection.passive.address=127.0.0.1
config.listeners.default.data-connection.passive.ports=20020-21020
config.listeners.default.data-connection.passive.external-address=127.0.0.1
config.listeners.default.data-connection.ssl.class=org.apache.ftpserver.ssl.DefaultSsl
config.listeners.default.data-connection.ssl.keystore-file=./res/.test.keystore
config.listeners.default.data-connection.ssl.keystore-password=password
config.listeners.default.data-connection.ssl.keystore-type=JKS
config.listeners.default.data-connection.ssl.keystore-algorithm=SunX509
config.listeners.default.data-connection.ssl.ssl-protocol=TLS
config.listeners.default.data-connection.ssl.client-authentication=false
config.listeners.default.data-connection.ssl.key-password=password

Thanks for your help
Marc-Antoine
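An added Python helper, not part of the original message or of Apache FtpServer, that reads the debug log quoted above and decodes the 7-byte record the server wrote on close. It shows that the server, waiting for TLS from the first byte (implicit-ssl=true), never unwrapped a single byte while holding back the 220 greeting, and that the "possible truncation attack?" message is just the unanswered close_notify after the idle timeout. The log lines are a constructed excerpt of the ones above; the "explicit-mode client" reading in the verdict is an assumption, not something the post confirms.

```python
import re

# Constructed excerpt of the MINA/FtpServer debug log quoted in the post, one record per line.
SAMPLE_LOG = """\
[DEBUG] [/127.0.0.1:41212] initialHandshakeStatus=NEED_UNWRAP
[DEBUG] [/127.0.0.1:41212] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 0
[INFO] [/127.0.0.1:41212] WRITE: 220 Service ready for new user.
[DEBUG] [/127.0.0.1:41212] Handshaking is not complete yet. Buffering write request.
[INFO] Removing idle user null
[DEBUG] [/127.0.0.1:41212] session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
"""

ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure", 80: "internal_error"}


def decode_tls_alert(hex_bytes):
    """Decode a raw TLS record if it is an alert (content type 0x15); otherwise return None."""
    b = bytes.fromhex(hex_bytes)
    if len(b) < 7 or b[0] != 0x15:
        return None
    major, minor = b[1], b[2]          # 03 01 = TLS 1.0, 03 03 = TLS 1.2
    version = "TLS 1.%d" % (minor - 1) if (major, minor) >= (3, 1) else "SSL %d.%d" % (major, minor)
    return {"version": version, "length": int.from_bytes(b[3:5], "big"),
            "level": ALERT_LEVEL.get(b[5], str(b[5])), "description": ALERT_DESC.get(b[6], str(b[6]))}


def diagnose(log):
    """Summarise one implicit-SSL session: did any handshake bytes arrive before the server gave up?"""
    facts = {"handshake_started": False, "bytes_consumed": 0, "greeting_buffered": False,
             "idle_timeout": False, "alert": None}
    for line in log.splitlines():
        if "initialHandshakeStatus=NEED_UNWRAP" in line:
            facts["handshake_started"] = True          # server is waiting for a ClientHello
        m = re.search(r"bytesConsumed = (\d+)", line)
        if m:
            facts["bytes_consumed"] += int(m.group(1))   # 0 means nothing readable as TLS came in
        if "Buffering write request" in line:
            facts["greeting_buffered"] = True            # 220 banner is held until TLS is up
        if "Removing idle user" in line:
            facts["idle_timeout"] = True
        m = re.search(r"session write: DirectBuffer\[[^:]*: ([0-9a-f ]+)\]", line)
        if m:
            facts["alert"] = decode_tls_alert(m.group(1).replace(" ", ""))
    if facts["handshake_started"] and facts["bytes_consumed"] == 0 and facts["greeting_buffered"]:
        facts["verdict"] = "no_client_hello"   # assumed cause: client is in explicit (AUTH TLS) mode
        facts["explanation"] = ("implicit-ssl=true makes the server expect TLS before it sends anything; "
                                "a client waiting for a plaintext 220 banner never starts the handshake. "
                                "The close_notify / 'truncation attack' text follows the idle timeout.")
    else:
        facts["verdict"] = "other"
    return facts
```

Run it against a full debug log of one session; a verdict of "other" with bytes_consumed > 0 means the client did start TLS and the problem lies elsewhere (certificate, protocol, or the data-connection side).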