[
https://issues.apache.org/jira/browse/NET-326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13006217#comment-13006217
]
Sebb commented on NET-326:
--------------------------
OK, thanks, that's cleared it up.
Any certificate can provide encryption, but if the private key is known by a
3rd party, then in theory they can intercept the transmission and decrypt it.
This can be avoided by ensuring that the certificates are trusted, i.e. we
trust the issuer to protect it.
So I think we should provide some different levels of validation:
- none (as per your patch)
- certificate must be valid (as per FTPSTrustManager, POP3S, SMTPS)
- full (i.e. use the defaults, don't override).
I'll add a TMFactory utility class that provides these.
This would allow the user to choose the appropriate level for their application.
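The three validation levels proposed above, sketched as a small Java utility. This is an added illustration, not the TMFactory class from Commons Net; the class name TrustLevels, the Level enum and the two inner trust managers are invented here. It assumes only the standard JSSE API and, in the usage comment, FTPSClient.setTrustManager from the Commons Net 2.x API. The example shows what each level actually checks, which is what a caller must understand before picking one: NONE authenticates nothing, VALID only checks the certificate dates, FULL defers to the JVM default trust store and chain validation.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical utility illustrating the three trust levels discussed on NET-326. */
public final class TrustLevels {

    public enum Level {
        NONE,   // accept any certificate: encryption only, peer is not authenticated
        VALID,  // certificate must be within its validity window; issuer not checked
        FULL    // JVM defaults: chain built and validated against the trust store
    }

    private TrustLevels() {}

    /** Returns the trust managers for the requested level. */
    public static TrustManager[] forLevel(Level level) throws Exception {
        switch (level) {
            case NONE:
                return new TrustManager[] { new AcceptAllTrustManager() };
            case VALID:
                return new TrustManager[] { new ValidityOnlyTrustManager() };
            case FULL:
            default:
                TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init((KeyStore) null); // null = the JVM's default trust store (cacerts)
                return tmf.getTrustManagers();
        }
    }

    /** NONE: never rejects. Anyone holding any key pair can sit in the middle. */
    static final class AcceptAllTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** VALID: rejects expired or not-yet-valid certificates, nothing more. */
    static final class ValidityOnlyTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            checkDates(chain);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            checkDates(chain);
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

        private static void checkDates(X509Certificate[] chain) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            for (X509Certificate cert : chain) {
                // throws CertificateExpiredException or CertificateNotYetValidException
                cert.checkValidity();
            }
        }
    }

    // Usage with Commons Net (2.x API assumed):
    //   FTPSClient client = new FTPSClient();
    //   client.setTrustManager(TrustLevels.forLevel(TrustLevels.Level.VALID)[0]);
    //   client.connect(host);
}
```

Note that VALID still does not bind the certificate to the server's identity, so it protects against nothing but an expired certificate; only FULL gives the issuer-based trust the comment describes. As the report below notes, a trust manager is not enough for PROT P in active mode: there the data connection is accepted on an SSLServerSocket, which also needs a KeyManager holding a certificate.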
> A KeyManager is required when the protection level is set to 'P' with
> FTPSClient on active mode
> -----------------------------------------------------------------------------------------------
>
> Key: NET-326
> URL: https://issues.apache.org/jira/browse/NET-326
> Project: Commons Net
> Issue Type: Bug
> Components: FTP
> Affects Versions: 2.0
> Environment: Windows XP Professional Service Pack 2, Java
> 1.6.0_12-b04
> Reporter: Terence Dudouit
> Attachments: SSLContextsFactory.java
>
>
> Using a simple FTPS client that lists a directory, when execPROT("P") is set
> and the active mode is on, the following exception is thrown:
> javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:303)
> at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
> at org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:489)
> at org.apache.commons.net.ftp.FTPSClient._openDataConnection_(FTPSClient.java:494)
> at org.apache.commons.net.ftp.FTPClient.listNames(FTPClient.java:1950)
> at org.apache.commons.net.ftp.FTPClient.listNames(FTPClient.java:1996)
> at fr.enovacom.eai.actions.dynamiques.protocole.ftp.FTPGet.testFTPS(FTPGet.java:379)
> at fr.enovacom.eai.actions.dynamiques.protocole.ftp.FTPGet.main(FTPGet.java:401)
> This doesn't occur on passive mode.
> The only way to make it work is to set a keyManager although there is no need
> for client authentication.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira