mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Latorre (JIRA)" <j...@apache.org>
Subject [jira] Commented: (FTPSERVER-215) Secured data channel in active mode would require the server to have a public certificate for every client.
Date Fri, 07 Nov 2008 10:16:44 GMT

    [ https://issues.apache.org/jira/browse/FTPSERVER-215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645732#action_12645732
] 

David Latorre commented on FTPSERVER-215:
-----------------------------------------

>>>> Secured data channel in active mode would require the server to have a public
certificate for every client. 

>This is not true, it would be verified against the signer, which might very well be a
known CA certificate (like Verisign) 

Sure. But in most common scenarios, people don't buy a Versign certificate just to connect
to a HTTPS/FTPS server.  So that was the worst-case scenario.

Anyway, never mind my post I realized that my problem was with a bug in commons net ftp  I
am going to report(provide a fix for) now. FTPServer correctly creates the socket with useClientMode=false.
So, if clients do not use SSL client mode themselves, that should be their fault.  Do you
agree? So this issue can be closed.

  
Sorry!
 



> Secured data channel in active mode would require the server to have a public certificate
for every client.
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-215
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-215
>             Project: FtpServer
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.0-M1, 1.0-M2, 1.0-M3, 1.0-M4
>            Reporter: David Latorre
>             Fix For: 1.0-M4
>
>
> In "active mode" , the FtpServer itself will try to open a connection to a client-reported
host and port.  
> In this case, if we were using a  SSL connection, the server opens a connection to the
client so it will receive the client's public certificate and will try and check it against
its TrustStore. 
> To my mind, when we are not checking the client certificate we shouldn't check it in
Active data connections either. So we should provide our own TrustManager for this.
>  

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message