[jira] Commented: (FTPSERVER-97) SSL data connection enables all supported ciphers

["Niklas Gustavsson (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/FTPSERVER-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12504201 ] 

Niklas Gustavsson commented on FTPSERVER-97:
--------------------------------------------

The current setting leaves it up to the client to decide on the security level it wants. We should probably provide a way to enforce this on the server side (like we allow a way to enforce SSL/TLS at all). How about providing a configuration option where you can set the allowed ciphers? If we do, what value should we use default?

> SSL data connection enables all supported ciphers
> -------------------------------------------------
>
>                 Key: FTPSERVER-97
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-97
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.0-M1
>            Reporter: Steve Jones
>
> The SSL implementation that is used by default for FTP data transfers (DefaultSsl) enables all SSL cipher suites:
>   String cipherSuites[] = serverSocket.getSupportedCipherSuites();
>   serverSocket.setEnabledCipherSuites(cipherSuites);
> This is likely to enable ciphers such as:
>   SSL_RSA_WITH_NULL_MD5
>   SSL_RSA_WITH_NULL_SHA
> Which means that there is no confidentiality for the transport (in other words authentication will occur but after that communication is in the clear). 
> Usually you would not want to allow this, so it is best not to enable all ciphers.
> Here's a reference to this issue for another apache project:
>   http://mail-archives.apache.org/mod_mbox/avalon-apps-dev/200209.mbox/%3C86u1kpsiqh.fsf_-_@home.nest.cx%3E

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.