Return-Path: X-Original-To: apmail-mina-ftpserver-users-archive@minotaur.apache.org Delivered-To: apmail-mina-ftpserver-users-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 18EEE915F for ; Mon, 3 Oct 2011 11:21:52 +0000 (UTC) Received: (qmail 29931 invoked by uid 500); 3 Oct 2011 11:21:52 -0000 Delivered-To: apmail-mina-ftpserver-users-archive@mina.apache.org Received: (qmail 29853 invoked by uid 500); 3 Oct 2011 11:21:51 -0000 Mailing-List: contact ftpserver-users-help@mina.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ftpserver-users@mina.apache.org Delivered-To: mailing list ftpserver-users@mina.apache.org Received: (qmail 29838 invoked by uid 99); 3 Oct 2011 11:21:51 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Oct 2011 11:21:51 +0000 X-ASF-Spam-Status: No, hits=1.8 required=5.0 tests=FREEMAIL_FROM,HTML_FONT_FACE_BAD,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of john.hartnup@gmail.com designates 74.125.82.51 as permitted sender) Received: from [74.125.82.51] (HELO mail-ww0-f51.google.com) (74.125.82.51) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Oct 2011 11:21:45 +0000 Received: by wwf10 with SMTP id 10so3900089wwf.32 for ; Mon, 03 Oct 2011 04:21:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=c0W67VxKYlghiv3dRnKDvTdQ8bHi2dvxHQ4I1Dc+uLU=; b=bWoc9+Ukd4sWJOypLqpb5cxzGUp0+3TNjAofWwLSJA09LsilLFVnF8nAgnmk/qUhHp xmvO69Jj97abukw3OZ6OxU8mdMFECjGUmCtixSYp9ZcA+cdD3Y5lGx9dcQ/JFmV2nsuM 2+7ISOwrN1/2MonsRiR4rr1M2R3xDUvnDG5Ww= MIME-Version: 1.0 Received: by 10.216.132.194 with SMTP id o44mr575477wei.101.1317640884280; Mon, 03 Oct 2011 04:21:24 -0700 (PDT) Received: by 10.216.82.207 with HTTP; Mon, 3 Oct 2011 04:21:24 -0700 (PDT) Date: Mon, 3 Oct 2011 12:21:24 +0100 Message-ID: Subject: AUTH TLS vs AUTH SSL From: John Hartnup To: ftpserver-users@mina.apache.org Content-Type: multipart/alternative; boundary=0016e6d64667d95d2804ae632cc1 --0016e6d64667d95d2804ae632cc1 Content-Type: text/plain; charset=ISO-8859-1 I've found that ftpserver doesn't handle data connections for old clients that use the deprecated "AUTH SSL" command. The reason is that the server treats "AUTH SSL" and "AUTH TLS" exactly the same. However clients sending "AUTH SSL" expect data connections to be secured by default. "AUTH TLS" does data connections in the clear until the client sends "PROT P". This unintuitive nuance isn't mentioned in RFC2417 because the IETF requested that all mention of AUTH SSL was removed. However it's covered in previous drafts of the document, e.g. http://tools.ietf.org/html/draft-murray-auth-ftp-ssl-06 For backward compatibility and ease of implementation the following rules govern the initial expected protection setting of the data connection. [...] Connections accepted on the normal FTP port {FTP-PORT} with TLS/SSL negotiated via an 'AUTH SSL' command. The initial state of the data connection will be 'Private' (Although this does not follow [RFC-2228 ], this is how such clients tend to work today). I think the following in AUTH.java / secureSession() would fix it. if("SSL".equals(type)) { session.getDataConnection().setSecure(true); } I can work out how to submit this as a patch, if I'm asked to -- but I'd be grateful if someone who already has the workflow set up were to offer to do it instead! I appreciate that AUTH SSL is deprecated, so could be deemed unworthy of our attention -- but implicit SSL is also deprecated but supported, and AUTH SSL clients are still used in the wild. Thanks, John -- "There is no way to peace; peace is the way" --0016e6d64667d95d2804ae632cc1--