I apologize for replying to myself but I have some more thoughts.

To me, the "implied" part of "implicit SSL" means that at the application
level, the user isn't aware that the FTP session is being conducted over
SSL.  Having to issue a PROT command to set the data protection level
violates the spirit of that assumption.

Perhaps this is just my limited imagination, but I'm having a hard time
envisioning a scenario with implicit SSL where you would always want the
control channel to be encrypted but not the data channel.  Isn't that what
explicit FTPS is for?

I have a patch ready that will force the data channel to "secure" mode if
the Listener is in "implicit" mode but I'm not sure of the implications of
making that switch.  Would it be permissible to at least have this available
as a configuration option?

Thanks

On Tue, Dec 16, 2008 at 4:46 PM, Kevin Conaway <[email protected]> wrote:

> Although the definition of "FTP with implicit SSL" varies depending on who
> you ask, it's my understanding that it means that the entire FTP session is
> conducted over TLS/SSL.
>
> If that's true, shouldn't the data channel default to the "P" or private
> setting?  As of now, it defaults to clear (which is the specified behavior
> in RFC 2228).
>
> I have FTP clients that are connecting over implicit SSL without issuing
> the PROT command.  When they go to transfer a file, FtpServer sets up a
> plain socket for the data channel instead of an SSL one and the transfer
> never completes.
>
> Would it be appropriate for the ServerDataConnectionFactory to have the
> "secure" property set to true by default if the session is using implicit
> SSL?
>
> Thanks
>
> Kevin Conaway
>
