Posted to dev@mina.apache.org by "Roy Lu (Jira)" <ji...@apache.org> on 2019/10/09 06:45:00 UTC

[jira] [Commented] (FTPSERVER-491) SSLConfigurationFactory.setSslProtocol never actually work

    [ https://issues.apache.org/jira/browse/FTPSERVER-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16947397#comment-16947397 ] 

Roy Lu commented on FTPSERVER-491:
----------------------------------

Hi [~johnnyv],
Any update? Is it fixed?

> SSLConfigurationFactory.setSslProtocol never actually work
> ----------------------------------------------------------
>
>                 Key: FTPSERVER-491
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-491
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.1.1
>            Reporter: Roy Lu
>            Assignee: Jonathan Valliere
>            Priority: Critical
>              Labels: easyfix
>             Fix For: 1.1.2
>
>
> It says in the document: Set the SSL protocol used for this channel. Supported values are "SSL" and "TLS". Defaults to "TLS".
> Actually the available value could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is mentioned [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html] at the bottom.
> But the thing is, the +setSslProtocol+ method here actually doesn't work, because the SSL protocol set in the +SSLConfiguration+ is never used. Check +NioListener+ and you will see this:
> Configuration of cipher suites was set into +sslFilter+ but no protocol. It seems protocols are missing.
>     if (ssl.getEnabledCipherSuites() != null) {
>         sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
>     }
>
> This leads to a problem:
> In +SSLHandler+, protocols will be set into +sslEngine+. Because the protocol was lost when building sslFilter, the protocol setting never works.
>  
>     if (this.sslFilter.getEnabledCipherSuites() != null) {
>         this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
>     }
>
>     if (this.sslFilter.getEnabledProtocols() != null) {
>         this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
>     }
>  
> I found this because I scanned FTP with Nmap. I set it to critical because it's a security issue and hope it can be fixed soon.
>  
>  



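The failure mode reported above, reproduced with plain JSSE as an added example (not code from the FtpServer or MINA projects). `FilterSettings` is a hypothetical stand-in for the filter-level settings and the `TLSv1.2` allow-list is a constructed sample; the program shows that an engine built without propagated protocols keeps the JVM's default enabled protocols, and adds a startup check that flags the mismatch.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;

public class ProtocolPropagationDemo {

    // Hypothetical stand-in for the filter-level settings that sit between
    // the configuration object and the SSLEngine (not a MINA class).
    static final class FilterSettings {
        String[] enabledCipherSuites;
        String[] enabledProtocols;
    }

    // Same null-guarded copy as the SSLHandler snippet quoted in the issue.
    static SSLEngine buildEngine(SSLContext ctx, FilterSettings f) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (f.enabledCipherSuites != null) {
            engine.setEnabledCipherSuites(f.enabledCipherSuites);
        }
        if (f.enabledProtocols != null) {
            engine.setEnabledProtocols(f.enabledProtocols);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // no key material needed to inspect engine settings

        String[] wanted = {"TLSv1.2"}; // constructed sample: the operator's intended restriction

        // Case 1: protocols never copied to the filter, as the report describes.
        SSLEngine e1 = buildEngine(ctx, new FilterSettings());

        // Case 2: protocols carried through to the filter.
        FilterSettings kept = new FilterSettings();
        kept.enabledProtocols = wanted;
        SSLEngine e2 = buildEngine(ctx, kept);

        System.out.println("not propagated: " + Arrays.toString(e1.getEnabledProtocols()));
        System.out.println("propagated:     " + Arrays.toString(e2.getEnabledProtocols()));

        // Startup check: flag any engine with protocols outside the allow-list.
        for (SSLEngine e : new SSLEngine[] {e1, e2}) {
            boolean ok = Arrays.asList(wanted).containsAll(Arrays.asList(e.getEnabledProtocols()));
            System.out.println(ok ? "OK: matches configured protocols" : "MISMATCH: JVM defaults in effect");
        }
    }
}
```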