Posted to ftpserver-dev@incubator.apache.org by Marc-Antoine Bourgeot <ma...@babelgom.com> on 2007/10/09 09:52:27 UTC
SSL/TLS configuration
Dear,
I'm trying to force my ftp users to use SSL/TLS encryption for both
command and data connections but the following happens:
When using implicit-ssl=false, my ftp client (kasablanca with encryption
level 3, i.e. command and data encryption) connects to the server fine and
both connections are encrypted. Everything is OK.
When using implicit-ssl=true, the same ftp client hangs saying the
server is occupied and times out saying "connection failed" without
logging me in; the server log contains:
[DEBUG] [/127.0.0.1:41212] doHandshake()
[DEBUG] [/127.0.0.1:41212] initialHandshakeStatus=NEED_UNWRAP
[DEBUG] [/127.0.0.1:41212] unwrapHandshake()
[DEBUG] [/127.0.0.1:41212] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[DEBUG] [/127.0.0.1:41212] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
[DEBUG] [/127.0.0.1:41212] Unwrap res:Status = BUFFER_UNDERFLOW
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[INFO] [/127.0.0.1:41212] CREATED
[INFO] [/127.0.0.1:41212] OPENED
[DEBUG] Launching thread for /127.0.0.1:41212
[INFO] Open connection - 127.0.0.1
[INFO] [/127.0.0.1:41212] WRITE: 220 Service ready for new user.
[DEBUG] [/127.0.0.1:41212] Filtered Write: org.apache.mina.filter.support.SSLHandler@1f93ace
[DEBUG] [/127.0.0.1:41212] Handshaking is not complete yet. Buffering write request.
[DEBUG] [/127.0.0.1:41212] Filtered Write: org.apache.mina.filter.support.SSLHandler@1f93ace
[DEBUG] [/127.0.0.1:41212] Handshaking is not complete yet. Buffering write request.
[DEBUG] Exiting since queue is empty for /127.0.0.1:41212
[INFO] Removing idle user null
[INFO] [/127.0.0.1:41212] CLOSE
[DEBUG] [/127.0.0.1:41212] write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[DEBUG] [/127.0.0.1:41212] session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
[DEBUG] [/127.0.0.1:41212] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1263)
at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:367)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:268)
at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:631)
at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:482)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:268)
at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:263)
at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:231)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:196)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:478)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:39)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Thread.java:595)
[INFO] [/127.0.0.1:41212] CLOSED
[DEBUG] Launching thread for /127.0.0.1:41212
[INFO] Close connection : 127.0.0.1 - <Not logged in>
[DEBUG] Exiting since queue is empty for /127.0.0.1:41212
Here is the ftp.properties SSL section I use:
config.listeners.default.class=org.apache.ftpserver.listener.mina.MinaListener
config.listeners.default.address=127.0.0.1
config.listeners.default.port=20021
config.listeners.default.implicit-ssl=true
config.listeners.default.ssl.class=org.apache.ftpserver.ssl.DefaultSsl
config.listeners.default.ssl.keystore-file=./res/.test.keystore
config.listeners.default.ssl.keystore-password=password
config.listeners.default.ssl.keystore-type=JKS
config.listeners.default.ssl.keystore-algorithm=SunX509
config.listeners.default.ssl.ssl-protocol=TLS
config.listeners.default.ssl.client-authentication=false
config.listeners.default.ssl.key-password=password
config.listeners.default.data-connection.class=org.apache.ftpserver.DefaultDataConnectionConfig
#config.listeners.default.data-connection.idle-time=10
#config.listeners.default.data-connection.active.enable=true
config.listeners.default.data-connection.active.local-address=127.0.0.1
#config.listeners.default.data-connection.active.local-port=20
#config.listeners.default.data-connection.active.ip-check=false
config.listeners.default.data-connection.passive.address=127.0.0.1
config.listeners.default.data-connection.passive.ports=20020-21020
config.listeners.default.data-connection.passive.external-address=127.0.0.1
config.listeners.default.data-connection.ssl.class=org.apache.ftpserver.ssl.DefaultSsl
config.listeners.default.data-connection.ssl.keystore-file=./res/.test.keystore
config.listeners.default.data-connection.ssl.keystore-password=password
config.listeners.default.data-connection.ssl.keystore-type=JKS
config.listeners.default.data-connection.ssl.keystore-algorithm=SunX509
config.listeners.default.data-connection.ssl.ssl-protocol=TLS
config.listeners.default.data-connection.ssl.client-authentication=false
config.listeners.default.data-connection.ssl.key-password=password
Thanks for your help
Marc-Antoine
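Added example, not code from the mail above or from Apache FtpServer or MINA: a small decoder for the first bytes seen on a connection, so the raw TLS record quoted in the log (15 03 01 00 02 01 00) can be read, and a plaintext FTP greeting can be told apart from a TLS ClientHello when diagnosing an implicit-versus-explicit FTPS mismatch. The sample inputs are constructed here.

```python
# Added example (not part of the original mail). Decodes the first bytes of a
# connection: either a TLS record (type, version, alert/handshake details) or
# a plaintext FTP line. In implicit FTPS the server expects a TLS ClientHello
# as the very first bytes; the log above shows the server waiting for exactly
# that (BUFFER_UNDERFLOW / NEED_UNWRAP), buffering its "220" greeting until
# the handshake completes, then closing with the alert record decoded below.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 46: "certificate_unknown",
                      70: "protocol_version"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}

def classify_first_bytes(data: bytes) -> dict:
    """Tell a TLS record apart from a plaintext FTP line and decode it."""
    if len(data) < 5 or data[0] not in CONTENT_TYPES:
        # Not a TLS record header: treat as plaintext ("220 ...", "AUTH TLS").
        return {"kind": "plaintext", "text": data.decode("ascii", "replace").strip()}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {"kind": "tls", "content_type": CONTENT_TYPES[ctype],
           "version": f"{major}.{minor}",  # 3.1 is TLS 1.0
           "length": length, "complete": len(body) == length}
    if ctype == 21 and len(body) >= 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
    elif ctype == 22 and body:
        rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], f"unknown({body[0]})")
    return rec

# Constructed sample inputs: the alert bytes quoted in the log, the start of
# a TLS 1.0 ClientHello (truncated on purpose), and the plaintext greeting.
SERVER_ALERT = bytes.fromhex("15030100020100")
CLIENT_HELLO_PREFIX = bytes.fromhex("160301002b0100002703010000")
PLAIN_GREETING = b"220 Service ready for new user.\r\n"

if __name__ == "__main__":
    for sample in (SERVER_ALERT, CLIENT_HELLO_PREFIX, PLAIN_GREETING):
        print(classify_first_bytes(sample))
```

The alert bytes from the log decode to a TLS 1.0 warning-level close_notify, i.e. the server's own orderly shutdown after the idle timeout, not a handshake failure.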