[ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221606#comment-13221606 ]
Deepak Pant commented on NET-448: --------------------------------- Thanks for prompt responses. I have tried FTPSClient.setTrustManager(null) and there is no difference in behavior. Just to clarify the sequence of events: 1. My program establishes connection to FTPS server in explicit mode using SSL or TLS protocol. 2. Server returns the public certificate installed at the server, which happens to be self-signed certificate in my case. 3. The default implementation of TrustManager checks if the public cert returned is valid in terms of dates. I think this is X509Certificate.checkValidity() method call, which only looks at dates. 4. No additional checks are being made to check if public cert was issued by a CA or self signed etc. > Self signed cert or ca not installed on client but FTPS still works > ------------------------------------------------------------------- > > Key: NET-448 > URL: https://issues.apache.org/jira/browse/NET-448 > Project: Commons Net > Issue Type: Bug > Components: FTP > Affects Versions: 2.0, 3.1 > Environment: client: Windows SP sp4, jdk 1.6.0_24 > server: Linux 2.6.32-220.4.2.el6.i686 running vsFTPd 2.2.2 > apache lib: commons-net-2.0.jar or commons-net-3.1.jar or > commons-net-2.0-jdk14.jar (from zehon) > Reporter: Deepak Pant > Priority: Trivial > > I am using vsftpd ftp server on centos with our own self signed root ca > certificate. > I have not installed the self signed root certificate on the client machine. > Neither am I setting the Trust Manager on the FTPSClient object, using > X509TrustManager instance pointing to my physical cert file. > But I am still able to use the FTPSClient bundled in any of the following jar > file and send/receive the files. > commons-net-2.0.jar > commons-net-3.1.jar > commons-net-2.0-jdk14.jar (from zehon) > I was expecting that I will have to either install the self signed root ca on > the client machine Or set Trust Manager etc. > Can you please explain the behavior? -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira