maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Obernöder (Jira) <j...@apache.org>
Subject [jira] [Created] (WAGON-600) FTP-Upload fails if server enforces data encryption
Date Fri, 04 Sep 2020 19:20:00 GMT
David Obernöder created WAGON-600:
-------------------------------------

             Summary: FTP-Upload fails if server enforces data encryption
                 Key: WAGON-600
                 URL: https://issues.apache.org/jira/browse/WAGON-600
             Project: Maven Wagon
          Issue Type: Improvement
          Components: wagon-ftp
    Affects Versions: 2.0
            Reporter: David Obernöder


We recently deployed stronger encryption rules to a few of our webservers. Unfortunately this
leads to an issue with the FTP-Upload of wagon plugin for FTP. We receive the message "425-Server
reqires protected data connection".
Due to our FTP-Server allows only data transfer with encryption, this error arises.

RFC4217, 9 defines the behaviour of Data Connection Protection and defines two available modes
for FTPS:
'C' - Clear - neither Integrity nor Privacy
'P' - Private - Integrity and Privacy

With 'Clear' protection level, the data connection is made without
 TLS. Thus, the connection is unauthenticated and has no
 confidentiality or integrity. This might be the desired behaviour
 for servers sending file lists, pre-encrypted data, or non-
 sensitive data (e.g., for anonymous FTP servers).
 
 If the data connection security level is 'Private', then a TLS
 negotiation must take place on the data connection to the
 satisfaction of the Client and Server prior to any data being
 transmitted over the connection. The TLS layers of the Client and
 Server will be responsible for negotiating the exact TLS Cipher
 Suites that will be used (and thus the eventual security of the
 connection).
 
In addition, the PBSZ (protection buffer size) command, as
 detailed in [RFC-2228], is compulsory prior to any PROT command.
 This document also defines a data channel encapsulation mechanism
 for protected data buffers. For FTP-TLS, which appears to the FTP
 application as a streaming protection mechanism, this is not
 required. Thus, the PBSZ command MUST still be issued, but must
 have a parameter of '0' to indicate that no buffering is taking
 place and the data connection should not be encapsulated.
[...]
However, it should be noted that using a value of '0' to mean a
 streaming protocol is a reasonable use of '0' for that parameter
 and is not ambiguous.

Initial Data Connection Security

The initial state of the data connection MUST be 'Clear' (this is
 the behaviour as indicated by [RFC-2228]).
 
While inspecting the code I noticed that the plugin does not do any switch to "secure data
connection" (PBSZ 0 and PROT P). So it looks like the plugin is not compatible to servers
that enforce a data connection.

A good behaviour would be that the plugin tries to switch to protected data connections and
continue if the server can't handle the PROT Command. Many clients switch to data encryption
too when a TLS encrypted FTP was started.

I'm pretty sure this is also an issue in the current version.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message