From: Martin Gainty
To: Commons Users List
Subject: RE: [net] Hostname verification with FTPSClient
Date: Mon, 4 Mar 2013 07:37:29 -0500

Mads

>keytool -printcert -v -file CertificateIssuedByVerisignToVolvo.cer
Owner: O=Nokia
Issuer=Versign

If FTPSClient certificate hostname verification accepts any hostname other than the owner while you are attempting SSL transmission to Nokia, then the "certificate hostname verification" is not working.
If this is the case, please file a JIRA for "certificate hostname verification enhancement":
https://issues.apache.org/jira/browse/NET

In the meantime:
1) request VPN access to the client which you can pass credentials with provided certificate
2) ssh with provided certificate
The validation of the provided cert will get you behind the firewall, in which case you will be able to execute ftp, scp, rcp.

Thanks,
Martin

> To: user@commons.apache.org
> From: mads.lindstroem@gmail.com
> Subject: Re: [net] Hostname verification with FTPSClient
> Date: Fri, 1 Mar 2013 09:09:48 +0000
>
> sebb gmail.com> writes:
>
> >
> > On 28 February 2013 20:04, Mads Lindstrøm gmail.com> wrote:
> > > Hi
> > >
> > > I have implemented an application using
> > > org.apache.commons.net.ftp.FTPSClient. The application connects to the FTPS
> > > server and everything works fine, except that FTPSClient connects to the
> > > FTPS server both when I use the hostname and when I use an IP address. That
> > > is when I connect with FTPSClient.connect() it connects fine. And
> > > when I connect with FTPSClient.connect() it connects fine. This
> > > is wrong, as it means no hostname verification is going on. That is, the
> > > server certificate common name does not have to be equal to the hostname.
> >
> > It's not clear to me what you think is wrong.
> >
> > Are you saying that it should reject connections by IP address?
>
> I would expect it to. If FTPSClient performs hostname verification (checking
> that a certificate common name = hostname) how can it accept connections by
> IP address?
>
> I also tried adding:
>
> foobar
>
> to my hosts file and then I could also connect using "foobar" as hostname. The
> server certificate does not have "foobar" as common name.
>
> >
> > Or are you saying that the server certificate common name is different
> > from the hostname you are using, yet the connection is still accepted?
>
> I am saying both. Well, now that I mentioned the "foobar" example I am saying
> both.
>
> Regards,
>
> Mads Lindstrøm
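
An added example, not from the thread and not Commons Net code: the name check the thread is discussing, written against the list format that `X509Certificate.getSubjectAlternativeNames()` returns, and run on the three connect targets mentioned above (hostname, IP address, hosts-file alias). The class name, the certificate names and the address 192.0.2.10 are constructed for illustration.

```java
import java.util.*;

/** Added illustration: the name check a TLS client applies to a server certificate. */
public class HostnameCheck {
    // subjectAltName entry types as returned by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    /** True if the name passed to connect() is covered by the certificate's names. */
    static boolean matches(String target, Collection<List<?>> sans, String commonName) {
        // Simplified literal detection: dotted IPv4, or anything containing ':' (IPv6).
        boolean isIp = target.matches("\\d{1,3}(\\.\\d{1,3}){3}") || target.contains(":");
        boolean sawDnsSan = false;
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1));
                // An IP literal is only ever satisfied by an iPAddress entry.
                if (isIp && type == IP_ADDRESS && value.equals(target)) return true;
                if (type == DNS_NAME) {
                    sawDnsSan = true;
                    if (!isIp && dnsMatch(target, value)) return true;
                }
            }
        }
        // Legacy fallback: the subject CN counts only when the certificate has no
        // dNSName entry, and never for an IP literal.
        return !isIp && !sawDnsSan && commonName != null && dnsMatch(target, commonName);
    }

    /** Case-insensitive match; "*" may stand for the whole left-most label only. */
    static boolean dnsMatch(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    public static void main(String[] args) {
        // Constructed certificate names (not taken from the thread).
        List<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(DNS_NAME, "ftps.example.com"));
        String cn = "ftps.example.com";
        // The three targets from the thread: real hostname, IP address, hosts-file alias.
        for (String target : new String[] {"ftps.example.com", "192.0.2.10", "foobar"}) {
            System.out.println(target + " -> " + (matches(target, sans, cn) ? "accept" : "reject"));
        }
    }
}
```

With JSSE the same decision is obtained without hand-written matching by calling `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket's parameters before the handshake.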