commons-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: [net] Hostname verification with FTPSClient
Date Mon, 04 Mar 2013 12:37:29 GMT
Mads
 
>keytool -printcert -v -file CertificateIssuedByVerisignToVolvo.cer
Owner: O=Nokia
Issuer=Versign

If FTPSClient certificate hostname verification accepts any hostname other than the owner
while you are attempting SSL transmission to Nokia, then the "certificate hostname verification"
is not working.

If this is the case, please file a JIRA for "certificate hostname verification enhancement":
https://issues.apache.org/jira/browse/NET
 
In the meantime:
1) request VPN access to the client which you can pass credentials with provided certificate
2) ssh with provided certificate
The validation of the provided cert will get you behind the firewall, in which case you will
be able to execute ftp, scp, rcp.
 
Tak,
Martin-

  


> To: user@commons.apache.org
> From: mads.lindstroem@gmail.com
> Subject: Re: [net] Hostname verification with FTPSClient
> Date: Fri, 1 Mar 2013 09:09:48 +0000
> 
> sebb <sebbaz <at> gmail.com> writes:
> 
> > 
> > On 28 February 2013 20:04, Mads Lindstrøm <mads.lindstroem <at> gmail.com> wrote:
> > > Hi
> > >
> > > I have implemented an application using
> > > org.apache.commons.net.ftp.FTPSClient. The application connects to the FTPS
> > > server and everything works fine, except that FTPSClient connects to the
> > > FTPS server both when I use the hostname and when I use an IP address. That
> > > is when I connect with FTPSClient.connect(<hostname>) it connects fine. And
> > > when I connect with FTPSClient.connect(<IP address>) it connects fine. This
> > > is wrong, as it means no hostname verification is going on. That is, the
> > > server certificate common name does not have to be equal to the hostname.
> > 
> > It's not clear to me what you think is wrong.
> > 
> > Are you saying that it should reject connections by IP address?
> 
> I would expect it to. If FTPSClient performs hostname verification (checking
> that a certificate common name = hostname) how can it accept connections by
> IP address?
> 
> I also tried adding:
> 
> foobar <an IP address>
> 
> to my hosts file and then I could also connect using "foobar" as hostname. The
> server certificate does not have "foobar" as common name.
> 
> > 
> > Or are you saying that the server certificate common name is different
> > from the hostname you are using, yet the connection is still accepted?
> 
> I am saying both. Well, now that I mentioned the "foobar" example I am saying 
> both.
> 
> 
> Regards,
> 
> Mads Lindstrøm
> 
> 
> 
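What a working hostname check would decide in the three cases described in the thread (the certificate's own name, an IP address, and the hosts-file alias "foobar"), as an added example that is not part of the original messages or of Commons Net. It applies the RFC 2818 (HTTPS) matching rule; the class and method names, the certificate names and the address are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;

public class HostnameCheckDemo {
    // True if 'host' looks like an IPv4 literal (IPv6 is left out to keep the example short).
    static boolean isIpv4Literal(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Compares one certificate DNS name with the host; '*' may only stand for the whole left-most label.
    static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int dot = h.indexOf('.');
        // The wildcard covers exactly one label: "*.example.test" matches "ftp.example.test" only.
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // dnsSans / ipSans: subjectAltName entries of the server certificate (IPs in textual form).
    // cn: subject common name, consulted only when the certificate has no dNSName entry.
    static boolean verify(String host, List<String> dnsSans, List<String> ipSans, String cn) {
        if (isIpv4Literal(host)) {
            return ipSans.contains(host); // an IP is never compared with a DNS name or the CN
        }
        if (!dnsSans.isEmpty()) {
            return dnsSans.stream().anyMatch(n -> dnsMatches(n, host));
        }
        return cn != null && dnsMatches(cn, host);
    }

    public static void main(String[] args) {
        // Constructed certificate contents and address (placeholders, not taken from the thread).
        List<String> dns = List.of("ftp.example.test");
        List<String> ips = List.of();
        String cn = "ftp.example.test";
        for (String host : new String[] {"ftp.example.test", "192.0.2.10", "foobar"}) {
            System.out.println(host + " -> " + (verify(host, dns, ips, cn) ? "accept" : "reject"));
        }
    }
}
```

In JSSE the built-in form of this check is switched on per socket with `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` before the handshake.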