mina-ftpserver-users mailing list archives

From John Hartnup <john.hart...@gmail.com>
Subject AUTH TLS vs AUTH SSL
Date Mon, 03 Oct 2011 11:21:24 GMT
I've found that ftpserver doesn't handle data connections for old clients
that use the deprecated "AUTH SSL" command.

The reason is that the server treats "AUTH SSL" and "AUTH TLS" exactly the
same.
However clients sending "AUTH SSL" expect data connections to be secured by
default.
"AUTH TLS" does data connections in the clear until the client sends "PROT
P".

This unintuitive nuance isn't mentioned in RFC2417 because the IETF
requested that all mention of AUTH SSL was removed. However it's covered in
previous drafts of the document, e.g.
http://tools.ietf.org/html/draft-murray-auth-ftp-ssl-06

      For backward compatibility and ease of implementation the
      following rules govern the initial expected protection setting of
      the data connection.

         [...]

         Connections accepted on the normal FTP port {FTP-PORT} with
         TLS/SSL negotiated via an 'AUTH SSL' command.
            The initial state of the data connection will be 'Private'
            (Although this does not follow [RFC-2228
            <http://tools.ietf.org/html/rfc2228>], this is how such
            clients tend to work today).


I think the following in AUTH.java / secureSession() would fix it.

if("SSL".equals(type)) {
   session.getDataConnection().setSecure(true);
}

I can work out how to submit this as a patch, if I'm asked to -- but I'd be
grateful if someone who already has the workflow set up were to offer to do
it instead!

I appreciate that AUTH SSL is deprecated, so could be deemed unworthy of our
attention -- but implicit SSL is also deprecated but supported, and AUTH SSL
clients are still used in the wild.

Thanks,
John

-- 
"There is no way to peace; peace is the way"
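
The rule quoted from the draft, as an added example that is not part of the original message and is not FtpServer code: a small model of the data-channel protection state a client expects after each control-channel command. The class `DataProtectionModel`, its methods and the command sequences are hypothetical and constructed for illustration.

```java
import java.util.List;
import java.util.Locale;

/** Hypothetical model (not FtpServer code) of the expected data-channel protection state. */
public class DataProtectionModel {
    private boolean controlSecured = false;
    private boolean dataPrivate = false;

    /** Feed one control-channel command line; returns the data-channel state afterwards. */
    public boolean onCommand(String line) {
        String[] parts = line.trim().toUpperCase(Locale.ROOT).split("\\s+", 2);
        String verb = parts[0];
        String arg = parts.length > 1 ? parts[1] : "";
        if (verb.equals("AUTH") && (arg.equals("TLS") || arg.equals("SSL"))) {
            controlSecured = true;
            // AUTH SSL clients expect 'Private' data connections from the start;
            // AUTH TLS leaves them 'Clear' until the client sends PROT P.
            dataPrivate = arg.equals("SSL");
        } else if (verb.equals("PROT") && controlSecured) {
            if (arg.equals("P")) {
                dataPrivate = true;
            } else if (arg.equals("C")) {
                dataPrivate = false;
            }
        }
        return dataPrivate;
    }

    /** Replays a whole command sequence and reports the final data-channel state. */
    static boolean replay(List<String> commands) {
        DataProtectionModel model = new DataProtectionModel();
        for (String command : commands) {
            model.onCommand(command);
        }
        return model.dataPrivate;
    }

    public static void main(String[] args) {
        // Constructed command sequences, not captured traffic.
        List<List<String>> sessions = List.of(
            List.of("AUTH SSL", "USER demo", "PASV"),
            List.of("AUTH TLS", "USER demo", "PASV"),
            List.of("AUTH TLS", "PBSZ 0", "PROT P", "PASV"),
            List.of("AUTH SSL", "PROT C", "PASV"));
        for (List<String> session : sessions) {
            System.out.println(session + " -> data connection "
                + (replay(session) ? "Private (TLS)" : "Clear"));
        }
    }
}
```

A server that applies the "AUTH TLS" rule to the first sequence opens a cleartext data connection while the client starts a TLS handshake on it, which is the mismatch the message reports.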
