Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/11/12 02:13:16 UTC
[Bug 58604] New: Plaintext auth broken in any Implicit FTP/AUTH TLS
SSL contexts as of 2.4.13
https://bz.apache.org/bugzilla/show_bug.cgi?id=58604
Bug ID: 58604
Summary: Plaintext auth broken in any Implicit FTP/AUTH TLS SSL
contexts as of 2.4.13
Product: Apache httpd-2
Version: 2.4.16
Hardware: All
OS: All
Status: NEW
Severity: regression
Priority: P2
Component: mod_ftp
Assignee: bugs@httpd.apache.org
Reporter: wrowe@apache.org
2.4.13 introduced the following 'regression' in mod_ftp, causing USER/PASS
to always fail for Explicit SSL connections;

http://svn.apache.org/r1662640

Explicit SSL configuration is described in;

https://httpd.apache.org/mod_ftp/ftp/ftp_tls.html

    <VirtualHost _default_:21>
    FTP On
    SSLEngine on

This works because the SSL filter is not added -until- an AUTH TLS command is
given.

Unfortunately I believe that r1662640 is [mostly] correct behavior, and what
should happen here is that we change the recommendation to;

    <VirtualHost _default_:21>
    FTP On
    SSLEngine Optional

but this will not behave 'as expected'. We will need to fake the upgrade
exchange to mod_ssl to cause it to trigger the TLS handshake after the filter
is injected (in effect, causing an SSLEngine On behavior in reaction to FTP's
command).

No dirt simple stupid fix, so I'm opening this as a bug.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58604] Plaintext auth broken in any Explicit FTP/AUTH TLS SSL
contexts as of 2.4.13
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58604
juniorolalde55@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|mod_ftp                     |All
[Bug 58604] Plaintext auth broken in any Explicit FTP/AUTH TLS SSL
contexts as of 2.4.13
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58604
William A. Rowe Jr. <wr...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Plaintext auth broken in    |Plaintext auth broken in
                   |any Implicit FTP/AUTH TLS   |any Explicit FTP/AUTH TLS
                   |SSL contexts as of 2.4.13   |SSL contexts as of 2.4.13
[Bug 58604] Plaintext auth broken in any Explicit FTP/AUTH TLS SSL
contexts as of 2.4.13
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58604
Felix Schumacher <fe...@internetallee.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|All                         |mod_ftp