Posted to dev@mina.apache.org by "Roy Lu (Jira)" <ji...@apache.org> on 2020/02/06 02:20:00 UTC

[jira] [Commented] (FTPSERVER-491) SSLConfigurationFactory.setSslProtocol never actually work

    [ https://issues.apache.org/jira/browse/FTPSERVER-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17031203#comment-17031203 ] 

Roy Lu commented on FTPSERVER-491:
----------------------------------

[~johnnyv] No, I didn't set NULL for it. I just didn't call the setSslProtocol function. Well, this is not a big problem. If you mean to make it behave like this, I'm OK, as long as the security issue can be fixed. I hope this fix can be released as soon as possible.

> SSLConfigurationFactory.setSslProtocol never actually work
> ----------------------------------------------------------
>
>                 Key: FTPSERVER-491
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-491
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.1.1
>            Reporter: Roy Lu
>            Assignee: Jonathan Valliere
>            Priority: Critical
>              Labels: easyfix
>             Fix For: 1.1.2
>
>
> It says in the document: Set the SSL protocol used for this channel. Supported values are "SSL" and "TLS". Defaults to "TLS".
> Actually, the available values could be TLSv1, TLSv1.1, TLSv1.2, SSLv3. This is mentioned at the bottom of [https://mina.apache.org/mina-project/userguide/ch11-ssl-filter/ch11-ssl-filter.html].
> But the thing is, the +setSslProtocol+ method here actually doesn't work, because the SSL protocol set in the +SSLConfiguration+ is never used. Check +NioListener+ and you will see this:
> Configuration of cipher suites was set into +sslFilter+ but no protocol. It seems protocols are missing.
>
>     if (ssl.getEnabledCipherSuites() != null) {
>         sslFilter.setEnabledCipherSuites(ssl.getEnabledCipherSuites());
>     }
>
> This leads to a problem:
> In +SSLHandler+, protocols will be set into +sslEngine+. Because the protocol was lost when building sslFilter, the protocols setting never works.
>  
>     if (this.sslFilter.getEnabledCipherSuites() != null) {
>         this.sslEngine.setEnabledCipherSuites(this.sslFilter.getEnabledCipherSuites());
>     }
>
>     if (this.sslFilter.getEnabledProtocols() != null) {
>         this.sslEngine.setEnabledProtocols(this.sslFilter.getEnabledProtocols());
>     }
>  
> I found this because I scanned FTP with Nmap. I set it to critical because it's a security issue and hope it can be fixed soon.
>  
>  
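
The effect described in the report, reproduced with the JDK alone (an added example, not part of the original message and not FtpServer or MINA code). The class name, the helper newServerEngine and the sample value "TLSv1.2" are assumptions made for illustration; the helper applies the same null-guarded copy to protocols that the quoted code applies to cipher suites.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class EnabledProtocolsDemo {

    // Hypothetical helper: copies each setting onto the engine only when it
    // is non-null, like the null-guarded blocks quoted in the report.
    static SSLEngine newServerEngine(SSLContext ctx, String[] protocols,
                                     String[] cipherSuites) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (cipherSuites != null) {
            engine.setEnabledCipherSuites(cipherSuites);
        }
        if (protocols != null) {
            engine.setEnabledProtocols(protocols);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Default key and trust material is enough to inspect engine settings.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);

        String[] wanted = {"TLSv1.2"}; // constructed sample allow-list

        // Case 1: the protocol setting is lost before it reaches the engine
        // (null arrives here), so the engine keeps the JDK provider defaults.
        SSLEngine lost = newServerEngine(ctx, null, null);
        System.out.println("setting lost   : "
                + Arrays.toString(lost.getEnabledProtocols()));

        // Case 2: the setting is propagated, so only the allow-list is enabled.
        SSLEngine applied = newServerEngine(ctx, wanted, null);
        System.out.println("setting applied: "
                + Arrays.toString(applied.getEnabledProtocols()));

        // Check a deployment can automate: fail if the engine offers
        // anything other than the configured protocols.
        if (!Arrays.equals(applied.getEnabledProtocols(), wanted)) {
            throw new IllegalStateException("enabled protocols differ from configuration");
        }
    }
}
```

The first line of output depends on the JDK in use, which is why a configuration that silently falls back to it goes unnoticed until the listener is scanned from outside.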


