Posted to ftpserver-users@mina.apache.org by Sai Pullabhotla <sa...@jmethods.com> on 2008/12/12 13:11:40 UTC

SSL Configuration

It appears that the SSL Configuration needs to be done separately on
the control connection (listener) and the data connections. Is this
true? If so, why can't we automatically use the SSL Configuration that
is set up on the Listener with the Data Connection as well? Just
looking for the thoughts that went through in designing this way.

Thanks.

Sai Pullabhotla
Phone: (402) 408-5753
Fax: (402) 408-6861
www.jMethods.com

Re: SSL Configuration

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Dec 12, 2008 at 3:58 PM, Sai Pullabhotla
<sa...@jmethods.com> wrote:
> The client, FileZilla, ignored the error on PROT P and continued on.
> Things go a little too fast to be noticed.

That's pretty bad as it "silently" puts the user in danger.

> I think it is not a bad
> idea to automatically use the same SSL configuration. I can't think of
> anything where an API caller wants different SSL configurations for
> control and data connections. Can you?

Well, you can always think of cases if you try hard enough :-) But, I
certainly think it makes sense to default to using the same
configuration but allow for overriding. I've added a JIRA issue for
this.

/niklas

Re: SSL Configuration

Posted by Sai Pullabhotla <sa...@jmethods.com>.
The client, FileZilla, ignored the error on PROT P and continued on.
Things go a little too fast to be noticed. I think it is not a bad
idea to automatically use the same SSL configuration. I can't think of
anything where an API caller wants different SSL configurations for
control and data connections. Can you?

Sai Pullabhotla
Phone: (402) 408-5753
Fax: (402) 408-6861
www.jMethods.com




On Fri, Dec 12, 2008 at 8:11 AM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> On Fri, Dec 12, 2008 at 2:58 PM, Sai Pullabhotla
> <sa...@jmethods.com> wrote:
>> Yes, I was programmatically setting up the FtpServer using the factory
>> classes. I thought I got SSL connections working, but when I watched
>> it closely, data was being sent in clear as I did not set
>> SSLConfiguration on the data connection. Once I set this up,
>> everything worked as expected.
>
> Hmm, did the client swallow the error reply that PROT returned, or do
> we have a bug where we don't send an error if SSL is not configured
> for the data connection?
>
>> So, just to confirm, if I set up the server using the XML
>> configuration, then I do not need to have a nested <ssl> element in
>> the <data-connection>, right?
>
> Right. Maybe we should enable the same thing for the API?
>
> /niklas
>

Re: SSL Configuration

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Dec 12, 2008 at 2:58 PM, Sai Pullabhotla
<sa...@jmethods.com> wrote:
> Yes, I was programmatically setting up the FtpServer using the factory
> classes. I thought I got SSL connections working, but when I watched
> it closely, data was being sent in clear as I did not set
> SSLConfiguration on the data connection. Once I set this up,
> everything worked as expected.

Hmm, did the client swallow the error reply that PROT returned, or do
we have a bug where we don't send an error if SSL is not configured
for the data connection?

> So, just to confirm, if I set up the server using the XML
> configuration, then I do not need to have a nested <ssl> element in
> the <data-connection>, right?

Right. Maybe we should enable the same thing for the API?

/niklas

Re: SSL Configuration

Posted by Sai Pullabhotla <sa...@jmethods.com>.
Yes, I was programmatically setting up the FtpServer using the factory
classes. I thought I got SSL connections working, but when I watched
it closely, data was being sent in clear as I did not set
SSLConfiguration on the data connection. Once I set this up,
everything worked as expected.

So, just to confirm, if I set up the server using the XML
configuration, then I do not need to have a nested <ssl> element in
the <data-connection>, right?

Thanks.

Sai Pullabhotla
Phone: (402) 408-5753
Fax: (402) 408-6861
www.jMethods.com




On Fri, Dec 12, 2008 at 7:33 AM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> On Fri, Dec 12, 2008 at 1:11 PM, Sai Pullabhotla
> <sa...@jmethods.com> wrote:
>> It appears that the SSL Configuration needs to be done separately on
>> the control connection (listener) and the data connections. Is this
>> true? If so, why can't we automatically use the SSL Configuration that
>> is set up on the Listener with the Data Connection as well? Just
>> looking for the thoughts that went through in designing this way.
>
> That is no longer the case when using the XML config; the data
> connection now inherits the control connection SSL settings. Or,
> are you talking about using the API directly?
>
> /niklas
>
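
The programmatic setup discussed in this message, as an added example that is not part of the original thread or the project's own code: one SslConfiguration is built once and set on both the listener (control connection) and the data connection configuration. It assumes the Apache FtpServer 1.0.x factory API; the class name FtpsServerExample, the keystore path, the password and the port are placeholders.

```java
import java.io.File;

import org.apache.ftpserver.DataConnectionConfigurationFactory;
import org.apache.ftpserver.FtpServer;
import org.apache.ftpserver.FtpServerFactory;
import org.apache.ftpserver.listener.ListenerFactory;
import org.apache.ftpserver.ssl.SslConfiguration;
import org.apache.ftpserver.ssl.SslConfigurationFactory;

public class FtpsServerExample {

    public static void main(String[] args) throws Exception {
        // Placeholder keystore location and password (assumptions, not from the thread).
        SslConfigurationFactory sslFactory = new SslConfigurationFactory();
        sslFactory.setKeystoreFile(new File("/path/to/keystore.jks"));
        sslFactory.setKeystorePassword("keystore-password-placeholder");

        // Build the SSL configuration once so both channels share the same settings.
        SslConfiguration ssl = sslFactory.createSslConfiguration();

        // Data connections: in the thread, leaving this step out meant file data
        // travelled in the clear even though the control connection used SSL.
        DataConnectionConfigurationFactory dataFactory =
                new DataConnectionConfigurationFactory();
        dataFactory.setSslConfiguration(ssl);

        // Control connection (listener): explicit FTPS, the client sends AUTH TLS.
        ListenerFactory listenerFactory = new ListenerFactory();
        listenerFactory.setPort(2221); // placeholder port
        listenerFactory.setSslConfiguration(ssl);
        listenerFactory.setImplicitSsl(false);
        listenerFactory.setDataConnectionConfiguration(
                dataFactory.createDataConnectionConfiguration());

        // User manager setup is omitted; the factory's default is used here.
        FtpServerFactory serverFactory = new FtpServerFactory();
        serverFactory.addListener("default", listenerFactory.createListener());

        FtpServer server = serverFactory.createServer();
        server.start();
    }
}
```

To confirm the data channel is protected, watch the control connection for a 200 reply to PROT P rather than relying on the client reporting a failure.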

Re: SSL Configuration

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Dec 12, 2008 at 1:11 PM, Sai Pullabhotla
<sa...@jmethods.com> wrote:
> It appears that the SSL Configuration needs to be done separately on
> the control connection (listener) and the data connections. Is this
> true? If so, why can't we automatically use the SSL Configuration that
> is set up on the Listener with the Data Connection as well? Just
> looking for the thoughts that went through in designing this way.

That is no longer the case when using the XML config; the data
connection now inherits the control connection SSL settings. Or,
are you talking about using the API directly?

/niklas