Posted to ftpserver-dev@incubator.apache.org by Marc-Antoine Bourgeot <ma...@babelgom.com> on 2007/10/09 09:52:27 UTC

SSL/TLS configuration

Dear,

I'm trying to force my ftp users to use SSL/TLS encryption for both
command and data connections, but the following happens:

When using implicit-ssl=false, my ftp client (kasablanca with encryption
level 3, i.e. command and data encryption) connects to the server fine and
both connections are encrypted. Everything is OK.
When using implicit-ssl=true, the same ftp client hangs, saying the
server is occupied, and times out saying "connection failed" without
logging me in; the server logs contain:

[DEBUG] [/127.0.0.1:41212]  doHandshake()
[DEBUG] [/127.0.0.1:41212]   initialHandshakeStatus=NEED_UNWRAP
[DEBUG] [/127.0.0.1:41212]  unwrapHandshake()
[DEBUG] [/127.0.0.1:41212]    inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[DEBUG] [/127.0.0.1:41212]    appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
[DEBUG] [/127.0.0.1:41212]  Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[INFO] [/127.0.0.1:41212] CREATED
[INFO] [/127.0.0.1:41212] OPENED
[DEBUG] Launching thread for /127.0.0.1:41212
[INFO] Open connection - 127.0.0.1
[INFO] [/127.0.0.1:41212] WRITE: 220 Service ready for new user.

[DEBUG] [/127.0.0.1:41212]  Filtered Write: org.apache.mina.filter.support.SSLHandler@1f93ace
[DEBUG] [/127.0.0.1:41212]  Handshaking is not complete yet. Buffering write request.
[DEBUG] [/127.0.0.1:41212]  Filtered Write: org.apache.mina.filter.support.SSLHandler@1f93ace
[DEBUG] [/127.0.0.1:41212]  Handshaking is not complete yet. Buffering write request.
[DEBUG] Exiting since queue is empty for /127.0.0.1:41212
[INFO] Removing idle user null
[INFO] [/127.0.0.1:41212] CLOSE
[DEBUG] [/127.0.0.1:41212]  write outNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[DEBUG] [/127.0.0.1:41212]  session write: DirectBuffer[pos=0 lim=7 cap=8: 15 03 01 00 02 01 00]
[DEBUG] [/127.0.0.1:41212] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1263)
    at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
    at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:367)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:268)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:631)
    at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.sessionClosed(AbstractIoFilterChain.java:482)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:268)
    at org.apache.mina.common.support.AbstractIoFilterChain.fireSessionClosed(AbstractIoFilterChain.java:263)
    at org.apache.mina.common.support.IoServiceListenerSupport.fireSessionDestroyed(IoServiceListenerSupport.java:231)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.doRemove(SocketIoProcessor.java:196)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$700(SocketIoProcessor.java:44)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:478)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:39)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
    at java.lang.Thread.run(Thread.java:595)
[INFO] [/127.0.0.1:41212] CLOSED
[DEBUG] Launching thread for /127.0.0.1:41212
[INFO] Close connection : 127.0.0.1 - <Not logged in>
[DEBUG] Exiting since queue is empty for /127.0.0.1:41212

Here is the ftp.properties SSL section I use:

config.listeners.default.class=org.apache.ftpserver.listener.mina.MinaListener
config.listeners.default.address=127.0.0.1
config.listeners.default.port=20021
config.listeners.default.implicit-ssl=true
config.listeners.default.ssl.class=org.apache.ftpserver.ssl.DefaultSsl
config.listeners.default.ssl.keystore-file=./res/.test.keystore
config.listeners.default.ssl.keystore-password=password
config.listeners.default.ssl.keystore-type=JKS
config.listeners.default.ssl.keystore-algorithm=SunX509
config.listeners.default.ssl.ssl-protocol=TLS
config.listeners.default.ssl.client-authentication=false
config.listeners.default.ssl.key-password=password
config.listeners.default.data-connection.class=org.apache.ftpserver.DefaultDataConnectionConfig
#config.listeners.default.data-connection.idle-time=10
#config.listeners.default.data-connection.active.enable=true
config.listeners.default.data-connection.active.local-address=127.0.0.1
#config.listeners.default.data-connection.active.local-port=20
#config.listeners.default.data-connection.active.ip-check=false
config.listeners.default.data-connection.passive.address=127.0.0.1
config.listeners.default.data-connection.passive.ports=20020-21020
config.listeners.default.data-connection.passive.external-address=127.0.0.1
config.listeners.default.data-connection.ssl.class=org.apache.ftpserver.ssl.DefaultSsl
config.listeners.default.data-connection.ssl.keystore-file=./res/.test.keystore
config.listeners.default.data-connection.ssl.keystore-password=password
config.listeners.default.data-connection.ssl.keystore-type=JKS
config.listeners.default.data-connection.ssl.keystore-algorithm=SunX509
config.listeners.default.data-connection.ssl.ssl-protocol=TLS
config.listeners.default.data-connection.ssl.client-authentication=false
config.listeners.default.data-connection.ssl.key-password=password


Thanks for your help

Marc-Antoine
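An added diagnostic, not part of the original post and not Apache FtpServer or MINA code: it decodes the 7-byte record the server wrote at close (the `session write: ... 15 03 01 00 02 01 00` line, a TLS 1.0 warning-level close_notify alert) and probes a listener to tell implicit mode (client must start TLS before any banner) from explicit/plain mode (server sends `220` first). The host and port are the post's values; certificate verification is switched off only because the post uses a self-signed test keystore.

```python
"""Decode a TLS record from a MINA debug log and probe an FTP listener's TLS mode."""
import socket
import ssl
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      46: "certificate_unknown", 70: "protocol_version"}


def parse_tls_record(data: bytes) -> dict:
    """Parse one TLS record header; if it is a 2-byte alert, decode level and description."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    rec = {"type": CONTENT_TYPES.get(ctype, ctype), "version": f"{major}.{minor}", "length": length}
    body = data[5:5 + length]
    if ctype == 21 and len(body) == 2:
        rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]), ALERT_DESCRIPTIONS.get(body[1], body[1]))
    return rec


# Constructed from the "session write" line in the post's log.
LOGGED_RECORD = bytes.fromhex("15 03 01 00 02 01 00")


def probe_ftps_mode(host="127.0.0.1", port=20021, timeout=3.0) -> str:
    """Connect in the clear and wait for a banner. Explicit/plain FTP sends '220 ...'
    at once; an implicit-TLS listener buffers its banner until the client opens the
    handshake, so a client waiting for the banner stalls exactly as in the post."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(64)
        except socket.timeout:
            banner = b""
        if banner.startswith(b"220"):
            return "explicit-or-plain"
        # No banner: assume implicit mode and start TLS on a fresh connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: the post's keystore is self-signed
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return "implicit" if tls.recv(64).startswith(b"220") else "unknown"
```

Run `probe_ftps_mode()` against the listener from the post to confirm which side is waiting for the other; `parse_tls_record(LOGGED_RECORD)` works offline on the logged bytes.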