commons-user mailing list archives

From Mads Lindstrøm <mads.lindstr...@gmail.com>
Subject [net] Hostname verification with FTPSClient
Date Thu, 28 Feb 2013 20:04:56 GMT
Hi

I have implemented an application using
org.apache.commons.net.ftp.FTPSClient. The application connects to the FTPS
server and everything works fine, except that FTPSClient connects to the
FTPS server both when I use the hostname and when I use an IP address. That
is, when I connect with FTPSClient.connect(<hostname>) it connects fine. And
when I connect with FTPSClient.connect(<IP address>) it connects fine. This
is wrong, as it means no hostname verification is going on. That is, the
server certificate common name does not have to be equal to the hostname.

I have spent hours trying to figure out how I am supposed to do hostname
verification with FTPSClient. Anybody that can help me?

Secondly, it seems very dangerous to me that FTPSClient does not do hostname
verification per default, as many people don't know about hostname
verification and probably use FTPSClient without it. So many people may
feel that their application is secure while having a big security hole.


Regards,

Mads Lindstrøm
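
One way to turn on the check the message asks about, as an added example that is not part of the original post or the Commons Net project's own code. It assumes Commons Net 3.4 or later, where FTPSClient has setEndpointCheckingEnabled, and an explicit-mode FTPS server on port 21; the class name and the host ftp.example.org are placeholders.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLException;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

public class FtpsHostnameCheck {

    /** Builds an explicit-mode FTPS client that validates the chain and the server name. */
    static FTPSClient newVerifyingClient() throws GeneralSecurityException {
        FTPSClient client = new FTPSClient(); // explicit mode: AUTH TLS on the control port
        // Validate the chain against the JVM default trust store (null = default keystore).
        // A name check on a certificate whose chain was never validated proves nothing.
        client.setTrustManager(TrustManagerUtils.getDefaultTrustManager(null));
        // Ask JSSE to match the certificate against the name passed to connect(),
        // using the HTTPS endpoint identification rules.
        client.setEndpointCheckingEnabled(true);
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the real server name as the first argument.
        String host = args.length > 0 ? args[0] : "ftp.example.org";
        FTPSClient client = newVerifyingClient();
        try {
            // The TLS handshake happens inside connect() in explicit mode, so a
            // certificate that does not match 'host' fails here.
            client.connect(host, 21);
            if (!FTPReply.isPositiveCompletion(client.getReplyCode())) {
                throw new IOException("Server refused connection: " + client.getReplyString());
            }
            client.execPBSZ(0);   // required before PROT
            client.execPROT("P"); // protect the data channel as well
            System.out.println("TLS established; certificate matches " + host);
        } catch (SSLException e) {
            // Covers untrusted chains and name mismatches alike.
            System.err.println("TLS verification failed for " + host + ": " + e.getMessage());
        } finally {
            if (client.isConnected()) {
                client.disconnect();
            }
        }
    }
}
```

With this configuration, connecting by IP address succeeds only if the certificate lists that address as an IP subject alternative name, so the hostname-versus-IP test described in the message becomes a quick way to confirm the check is active.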
