mina-dev mailing list archives

From "Jonathan Valliere (Jira)" <j...@apache.org>
Subject [jira] [Commented] (FTPSERVER-491) SSLConfigurationFactory.setSslProtocol never actually work
Date Thu, 07 Nov 2019 01:33:00 GMT

    [ https://issues.apache.org/jira/browse/FTPSERVER-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968844#comment-16968844 ]

Jonathan Valliere commented on FTPSERVER-491:
---------------------------------------------

[~roylu] are you sure that you aren't putting in NULL for setSslProtocol?  The default is
"TLS".  NioListener line 153 uses the default Cipher Suites if none are provided.  AUTH
line 134 and IODataConnectionFactory line 258 are the same.  I updated that branch with some
NULL checks.

> SSLConfigurationFactory.setSslProtocol never actually work
> ----------------------------------------------------------
>
>                 Key: FTPSERVER-491
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-491
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.1.1
>            Reporter: Roy Lu
>            Assignee: Jonathan Valliere
>            Priority: Critical
>              Labels: easyfix
>             Fix For: 1.1.2
>
>
> It says in the document: Set the SSL protocol used for this channel. Supported values are "SSL" and "TLS". Defaults to "TLS".
> Actually the available value could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is mentioned [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html] at the bottom.
> But the thing is, the +setSslProtocol+ method here actually doesn't work, because the SSL protocol set in the +SSLConfiguration+ is never used. Check +NioListener+ and you will see this:
> Configuration of cipher suites was set into +sslFilter+ but no protocol. It seems protocols are missing.
>     if (ssl.getEnabledCipherSuites() != null) {
>         sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
>     }
>
> This leads to a problem:
> In +SSLHandler+ protocols will be set into +sslEngine+. Because the protocol was lost when building sslFilter, the protocol setting never works.
>
>     if (this.sslFilter.getEnabledCipherSuites() != null) {
>         this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
>     }
>
>     if (this.sslFilter.getEnabledProtocols() != null) {
>         this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
>     }
>
> I found this because I scanned FTP with Nmap. I set it to critical because it's a security issue and hope it can be fixed soon.
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org
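
The effect described in the report, reproduced with the JDK's own javax.net.ssl classes as an added example (not code from FtpServer or MINA): a null-guarded hand-off leaves the engine on the JSSE defaults when the configured protocol never arrives. The class name, the `apply` helper and the configured value TLSv1.2 are assumptions for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

// Added illustration: uses only the JDK, not FtpServer or MINA classes.
public class EnabledProtocolsCheck {

    // Hypothetical helper mirroring the null-guarded hand-off quoted in the report:
    // a null value leaves the engine on the JSSE defaults.
    static void apply(SSLEngine engine, String[] configured) {
        if (configured == null) {
            return;
        }
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        for (String p : configured) {
            if (!supported.contains(p)) {
                throw new IllegalArgumentException("Protocol not supported by this JRE: " + p);
            }
        }
        engine.setEnabledProtocols(configured);
    }

    static SSLEngine newServerEngine() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers; enough to inspect protocols
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        String[] configured = {"TLSv1.2"}; // assumed administrator setting

        // Case 1: the configured value never reaches the engine (the reported behaviour).
        SSLEngine lost = newServerEngine();
        apply(lost, null);
        System.out.println("value dropped : " + Arrays.toString(lost.getEnabledProtocols()));

        // Case 2: the value is handed through, so the engine is restricted to it.
        SSLEngine passed = newServerEngine();
        apply(passed, configured);
        System.out.println("value applied : " + Arrays.toString(passed.getEnabledProtocols()));

        if (!Arrays.equals(configured, passed.getEnabledProtocols())) {
            throw new IllegalStateException("engine does not match configured protocols");
        }
    }
}
```

Comparing the two printed lists on the deployment JRE shows which protocol versions remain enabled when the setting is dropped.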

