Posted to user@commons.apache.org by Elric V <el...@melnib.one> on 2023/04/27 10:59:35 UTC

Net FTPS client seems to accept invalid certificates?

Hi there,

I'm a bit stumped by strange observed behaviour, which I will try to 
describe, and hopefully someone else can help make sense of this.

Server: proftpd with TLS enabled (TLSRequired on).
Certificate: self signed garbage.
Client: FTPSClient in Explicit mode.

Oddly enough, when I connect with commons-net FTPSClient, it connects 
without complaining about the obviously self signed certificate. The 
server logs tell me that this is happening over TLS.

The certificate is not in my keystore/truststore. And to make completely 
sure of that, I retested with a freshly generated one and was still able 
to connect.

Other clients, such as Filezilla, alert me of the certificate and ask me 
whether or not I want to continue connecting.

I've been trying to debug the mess that is Java's 
TrustManager/SSLContext for half a day now, and I still can't figure out 
why this is happening.

My best guess is that the certificate is *not* being validated, because 
the connection is upgraded (explicit mode) from clear to encrypted using 
the FTPS AUTH command. But that's only a guess, and I'm unsure whether 
that's a commons-net issue or a JDK issue or whatever.

Could someone be so kind as to point me in the right direction?

Many thanks,

Elric

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org

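The behaviour described above matches how commons-net 3.x configures FTPSClient by default: the trust manager it installs is TrustManagerUtils.getValidateServerCertificateTrustManager(), which only calls checkValidity() on each certificate in the presented chain (i.e. it checks the validity period), rather than building a path to a root in a truststore, and host name checking is off unless enabled. A freshly generated self-signed certificate therefore passes. The following is an added example, not code from the thread or from the commons-net project, showing how to make an explicit-mode FTPSClient perform real PKIX validation against the JVM truststore plus RFC 6125-style host name checking, so that a self-signed server certificate causes the TLS handshake to fail. The host name ftp.example.test and port 21 are assumptions for illustration; confirm the default trust manager for your own version with client.getTrustManager().

```java
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

/**
 * Explicit-mode FTPS client that refuses certificates not chained to a trusted root.
 * Added example; not part of commons-net.
 */
public class StrictFtpsExample {

    /** Builds an FTPSClient whose TLS upgrade (AUTH TLS) validates the server certificate. */
    public static FTPSClient strictClient() throws Exception {
        // false = explicit mode: plain connect on port 21, then AUTH TLS before any credentials.
        FTPSClient client = new FTPSClient(false);

        // Replace the library default (validity-period check only) with the JVM's PKIX trust
        // manager. A null KeyStore means "use the default truststore" (cacerts or
        // -Djavax.net.ssl.trustStore), so the chain must end at a root installed there.
        X509TrustManager pkix = TrustManagerUtils.getDefaultTrustManager((KeyStore) null);
        client.setTrustManager(pkix);

        // Bind the certificate to the host name via SSLParameters endpoint identification
        // ("HTTPS" algorithm). Without this, a valid certificate for any name is accepted.
        client.setEndpointCheckingEnabled(true);

        return client;
    }

    /** Reports whether the configured trust manager is the library's lenient default. */
    public static boolean usesLenientDefault(FTPSClient client) {
        TrustManager tm = client.getTrustManager();
        return tm == TrustManagerUtils.getValidateServerCertificateTrustManager()
            || tm == TrustManagerUtils.getAcceptAllTrustManager();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ftp.example.test"; // assumed host
        int port = 21;                                                // assumed port

        FTPSClient client = strictClient();
        System.out.println("Lenient default trust manager in use: " + usesLenientDefault(client));

        try {
            // In explicit mode connect() itself sends AUTH TLS and performs the handshake,
            // so a chain that does not validate surfaces here, before USER/PASS is sent.
            client.connect(host, port);
            client.execPBSZ(0);   // required before PROT
            client.execPROT("P"); // protect the data channel too
            System.out.println("TLS established, certificate chained to a trusted root: "
                + client.getReplyString().trim());
            client.logout();
        } catch (SSLHandshakeException e) {
            // Expected outcome against a self-signed or wrong-name certificate.
            System.out.println("Connection rejected: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("FTP/TLS error: " + e.getMessage());
        } finally {
            if (client.isConnected()) {
                client.disconnect();
            }
        }
    }
}
```

Run it against the proftpd instance with the self-signed certificate and the handshake should fail with a PKIX path-building error instead of silently proceeding; run it against a server whose certificate is issued by a CA in the JVM truststore and it logs in. If the self-signed certificate is the intended one, pin it by loading it into a dedicated KeyStore and passing that to TrustManagerUtils.getDefaultTrustManager() rather than falling back to the accept-all trust manager.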

Re: Net FTPS client seems to accept invalid certificates?

Posted by Gary Gregory <ga...@gmail.com>.
It would be easier from here if you could provide a failing test case for
the behavior you expect as a patch in Jira or a PR on GitHub.

Gary

On Thu, Apr 27, 2023, 06:59 Elric V <el...@melnib.one> wrote: