commons-issues mailing list archives

From "Erick Lichtas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (NET-408) problem connecting to ProFTPD with FTPES
Date Fri, 09 Jun 2017 17:57:18 GMT

     [ https://issues.apache.org/jira/browse/NET-408?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erick Lichtas updated NET-408:
------------------------------
    Attachment: FTPSClientWithTLSResumption.zip

Hi everyone, 

I have adjusted the implementation of the FTPSClient to support TLS resumption in a way that
is friendly across all JVMs and security providers.  I've essentially implemented some custom
SSL sockets and socket factories that use the SSLEngine and SocketChannels directly for handling
SSL encryption and decryption. These SocketChannels and the encryption/decryption are encapsulated
in Input and Output streams so the changes to existing Commons NET code are minimal. There are
only a couple of updates to the SocketClient and FTPSClient classes in order to swap out the
socket factories. I've also added a flag on the FTPSClient to control whether or not to resume
TLS sessions for data connections.

I have a separate fork of version 3.3 that I've developed this on, but I've applied the changes
to the 3.6 version and run a couple of tests. See the changes attached (FTPSClientWithTLSResumption.zip).

I've tested this against the Apache Mina FTP server project in addition to the FileZilla server.
TLS resumption is working as expected with FileZilla. I've tested the changes for Explicit
and Implicit SSL, Active and Passive data connections, as well as clear command channel which
is working as expected.

I'm hoping that the development team will adopt these changes so that they can be utilized
and tested by the entire community.  If you have any questions, please let me know.

> problem connecting to ProFTPD with FTPES
> ----------------------------------------
>
>                 Key: NET-408
>                 URL: https://issues.apache.org/jira/browse/NET-408
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 2.2, 3.0
>         Environment: ProFTPD 1.3.3d on SUSE Linux Enterprise Server 10.1 32bit, Kernel 2.6.16.46-0.12-default (config file attached)
> ProFTPD 1.3.3d on OpenSUSE 64bit Linux 2.6.34.8-0.2-desktop
> Java 1.5
>            Reporter: Michael Voigt
>         Attachments: BCFTPSClient.java, ftpes.jpg, FTPSClientWithTLSResumption.zip, proftpd.conf, PTFTPSClient.java
>
>
> I have a problem with the FTPClient connecting to a ProFTPD server.
> If the server uses the configuration option "TLSProtocol TLSv1", I
> cannot connect to it at all. I receive the following error message:
> - javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection
> On the server side I see in the log:
> unable to accept TLS connection: protocol error:
> -  (1) error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate unknown
> - TLS/TLS-C negotiation failed on control channel
> If the server uses the configuration option "TLSProtocol SSLv23", I
> can connect to it but I can't transfer any files. In the server log I
> see:
> - starting TLS negotiation on data connection
> - TLSv1/SSLv3 renegotiation accepted, using cipher RC4-MD5 (128 bits)
> - client did not reuse SSL session, rejecting data connection (see
> TLSOption NoSessionReuseRequired)
> - unable to open data connection: TLS negotiation failed
> If I add the NoSessionReuseRequired parameter to the ProFTPD config
> everything works fine.
> Here is my code:
>                // declared as FTPSClient so that execPBSZ/execPROT are available
>                FTPSClient ftpClient = new FTPSClient("TLS");
>                // this throws an exception with TLSProtocol TLSv1
>                ftpClient.connect(host, port);
>                int reply = ftpClient.getReplyCode();
>                if (!FTPReply.isPositiveCompletion(reply)) {
>                        ftpClient.disconnect();
>                        log.error("The FTP Server did not return a positive completion reply!");
>                        throw new FtpTransferException(ECCUtils.ERROR_FTP_CONNECTION);
>                }
>                boolean loginSuccessful = ftpClient.login(userName, password);
>                if (!loginSuccessful) {
>                        log.error("Login to the FTP Server failed! The credentials are not valid.");
>                        throw new FtpTransferException(ECCUtils.ERROR_FTP_LOGIN);
>                }
>                // request a protected (TLS) data channel
>                ftpClient.execPBSZ(0);
>                ftpClient.execPROT("P");
>                boolean success = ftpClient.storeFile(fileName, fis);
>                if (!success) {
>                        // this is false if "NoSessionReuseRequired" is not set
>                }
> Now my question is if it is generally possible to connect to a server
> with "TLSProtocol TLSv1" or "TLSProtocol SSLv23" without the
> "NoSessionReuseRequired" parameter? Could someone provide a piece of
> example code for this?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
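
To check from the client side whether a data connection reused the control connection's TLS session (the condition ProFTPD enforces unless NoSessionReuseRequired is set), here is an added diagnostic sketch; it is not part of the original message, the attached zip, or Commons Net itself. The class name and the lastDataConnectionResumed accessor are hypothetical; it assumes Java 8+, the protected _prepareDataSocket_ hook and _socket_ field of Commons Net 3.x, and TLS 1.2 or earlier, where a resumed session keeps the original session ID.

```java
import java.io.IOException;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import org.apache.commons.net.ftp.FTPSClient;

/** Hypothetical diagnostic subclass: records whether each data connection
 *  resumed the TLS session negotiated on the control connection. */
public class SessionReuseAuditingFTPSClient extends FTPSClient {

    // null until the first data-channel handshake completes; JSSE invokes
    // handshake listeners on a separate thread, hence volatile.
    private volatile Boolean lastDataConnectionResumed;

    public SessionReuseAuditingFTPSClient(String protocol) {
        super(protocol);
    }

    /** Called by FTPSClient on the new data socket before its handshake starts. */
    @Override
    protected void _prepareDataSocket_(Socket dataSocket) throws IOException {
        // After a clear command channel (CCC) the control socket is plaintext,
        // so there is no control session to compare against.
        if (!(dataSocket instanceof SSLSocket) || !(_socket_ instanceof SSLSocket)) {
            return;
        }
        final byte[] controlId = ((SSLSocket) _socket_).getSession().getId();
        ((SSLSocket) dataSocket).addHandshakeCompletedListener(event -> {
            byte[] dataId = event.getSession().getId();
            // An empty ID means the session is not resumable at all.
            boolean resumed = controlId.length > 0 && Arrays.equals(controlId, dataId);
            lastDataConnectionResumed = resumed;
            System.err.printf("data channel: protocol=%s cipher=%s resumed=%b%n",
                    event.getSession().getProtocol(),
                    event.getCipherSuite(),
                    resumed);
        });
    }

    /** TRUE/FALSE for the most recent data handshake, or null if none has completed. */
    public Boolean lastDataConnectionResumed() {
        return lastDataConnectionResumed;
    }
}
```

Used in place of FTPSClient in the reporter's snippet, a resumed=false line alongside the server's "client did not reuse SSL session" log entry confirms the rejection is due to session reuse and not a certificate or protocol mismatch.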
