maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Obernöder (Jira) <>
Subject [jira] [Updated] (WAGON-600) FTP-Upload fails if server enforces data encryption
Date Thu, 17 Sep 2020 21:09:00 GMT


David Obernöder updated WAGON-600:
    Attachment: trace_ftp_modified_wagon-ftp.pcapng

> FTP-Upload fails if server enforces data encryption
> ---------------------------------------------------
>                 Key: WAGON-600
>                 URL:
>             Project: Maven Wagon
>          Issue Type: Improvement
>          Components: wagon-ftp
>    Affects Versions: 2.0
>            Reporter: David Obernöder
>            Priority: Trivial
>         Attachments: trace_ftp_modified_wagon-ftp.pcapng, trace_ftp_original_wagon-ftp.pcapng
>   Original Estimate: 8h
>  Remaining Estimate: 8h
> We recently deployed stronger encryption rules to a few of our webservers. Unfortunately
this leads to an issue with the FTP-Upload of wagon plugin for FTP. We receive the message
"425-Server reqires protected data connection".
> Due to our FTP-Server allows only data transfer with encryption, this error arises.
> RFC4217, 9 defines the behaviour of Data Connection Protection and defines two available
modes for FTPS:
> 'C' - Clear - neither Integrity nor Privacy
> 'P' - Private - Integrity and Privacy
> With 'Clear' protection level, the data connection is made without
>  TLS. Thus, the connection is unauthenticated and has no
>  confidentiality or integrity. This might be the desired behaviour
>  for servers sending file lists, pre-encrypted data, or non-
>  sensitive data (e.g., for anonymous FTP servers).
>  If the data connection security level is 'Private', then a TLS
>  negotiation must take place on the data connection to the
>  satisfaction of the Client and Server prior to any data being
>  transmitted over the connection. The TLS layers of the Client and
>  Server will be responsible for negotiating the exact TLS Cipher
>  Suites that will be used (and thus the eventual security of the
>  connection).
> In addition, the PBSZ (protection buffer size) command, as
>  detailed in [RFC-2228], is compulsory prior to any PROT command.
>  This document also defines a data channel encapsulation mechanism
>  for protected data buffers. For FTP-TLS, which appears to the FTP
>  application as a streaming protection mechanism, this is not
>  required. Thus, the PBSZ command MUST still be issued, but must
>  have a parameter of '0' to indicate that no buffering is taking
>  place and the data connection should not be encapsulated.
> [...]
> However, it should be noted that using a value of '0' to mean a
>  streaming protocol is a reasonable use of '0' for that parameter
>  and is not ambiguous.
> Initial Data Connection Security
> The initial state of the data connection MUST be 'Clear' (this is
>  the behaviour as indicated by [RFC-2228]).
> While inspecting the code I noticed that the plugin does not do any switch to "secure
data connection" (PBSZ 0 and PROT P). So it looks like the plugin is not compatible to servers
that enforce a data connection.
> A good behaviour would be that the plugin tries to switch to protected data connections
and continue if the server can't handle the PROT Command. Many clients switch to data encryption
too when a TLS encrypted FTP was started.
> I'm pretty sure this is also an issue in the current version.

This message was sent by Atlassian Jira

View raw message