commons-user mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [net] Hostname verification with FTPSClient
Date Fri, 01 Mar 2013 01:54:40 GMT
On 28 February 2013 20:04, Mads Lindstrøm <mads.lindstroem@gmail.com> wrote:
> Hi
>
> I have implemented an application using
> org.apache.commons.net.ftp.FTPSClient. The application connects to the FTPS
> server and everything works fine, except that FTPSClient connects to the
> FTPS server both when I use the hostname and when I use an IP address. That
> is, when I connect with FTPSClient.connect(<hostname>) it connects fine. And
> when I connect with FTPSClient.connect(<IP address>) it connects fine. This
> is wrong, as it means no hostname verification is going on. That is, the
> server certificate common name does not have to be equal to the hostname.

It's not clear to me what you think is wrong.

Are you saying that it should reject connections by IP address?

Or are you saying that the server certificate common name is different
from the hostname you are using, yet the connection is still accepted?

> I have spent hours trying to figure out how I am supposed to do hostname
> verification with FTPSClient. Anybody that can help me?
>
> Secondly, it seems very dangerous to me that FTPSClient does not do hostname
> verification per default, as many people don't know about hostname
> verification and properly use FTPSClient without it. So many people may
> feel that their application is secure while having a big security hole.
>
>
> Regards,
>
> Mads Lindstrøm

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org
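The check discussed in this thread, as an added example that is not part of either message or of the Commons Net sources: it turns on JSSE endpoint identification for an FTPSClient and compares connecting by hostname with connecting by IP address. It assumes a Commons Net release that provides FTPSClient.setEndpointCheckingEnabled (not necessarily the one the poster used) and a reachable explicit-mode FTPS server; the class name and command-line arguments are hypothetical.

```java
import java.io.IOException;
import javax.net.ssl.SSLException;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;

public class FtpsHostnameCheck {

    /** Opens an explicit-mode FTPS control connection; the TLS handshake runs inside connect(). */
    static FTPSClient connect(String host, int port, boolean verifyHost) throws IOException {
        FTPSClient client = new FTPSClient();
        // Off by default: the names in the certificate are then never compared with 'host'.
        // When on, JSSE applies the HTTPS identification rules during the handshake.
        client.setEndpointCheckingEnabled(verifyHost);
        client.connect(host, port);
        if (!FTPReply.isPositiveCompletion(client.getReplyCode())) {
            String reply = client.getReplyString();
            client.disconnect();
            throw new IOException("Server refused connection: " + reply);
        }
        return client;
    }

    /** True if the handshake succeeds for this name, false if TLS rejects the server. */
    static boolean accepted(String host, int port, boolean verifyHost) throws IOException {
        FTPSClient client = null;
        try {
            client = connect(host, port, verifyHost);
            return true;
        } catch (SSLException e) {
            // Includes a certificate whose subjectAltName/CN does not cover 'host'.
            System.err.println(host + ": " + e.getMessage());
            return false;
        } finally {
            if (client != null && client.isConnected()) {
                client.disconnect();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical usage: FtpsHostnameCheck <hostname> <ip-address> <port>
        int port = Integer.parseInt(args[2]);
        for (String name : new String[] {args[0], args[1]}) {
            System.out.println(name + " unchecked: " + accepted(name, port, false));
            System.out.println(name + " checked:   " + accepted(name, port, true));
        }
    }
}
```

With checking enabled, a connection made by IP address is accepted only if the certificate carries that address as an IP subjectAltName entry, so a certificate issued for the DNS name alone is rejected for the IP address.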