Posted to issues@commons.apache.org by "Gary D. Gregory (Jira)" <ji...@apache.org> on 2020/10/02 23:21:00 UTC

[jira] [Commented] (NET-689) Hostname is not set on the SSLSocket causing isEndpointCheckingEnabled to fail

    [ https://issues.apache.org/jira/browse/NET-689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17206554#comment-17206554 ] 

Gary D. Gregory commented on NET-689:
-------------------------------------

Hi [~ck1962]

Thank you for your report. Could you please create a PR on [GitHub|https://github.com/apache/commons-net/] with your proposed change along with a unit test?

Gary

> Hostname is not set on the SSLSocket causing isEndpointCheckingEnabled to fail
> ------------------------------------------------------------------------------
>
>                 Key: NET-689
>                 URL: https://issues.apache.org/jira/browse/NET-689
>             Project: Commons Net
>          Issue Type: Bug
>    Affects Versions: 3.7
>            Reporter: Charlie
>            Priority: Major
>
> When connecting with SSL to an FTPS server, the hostname used to connect to the server is not copied to the SSLSocket; instead, the socket's IP address is used. This applies to both `AUTH TLS` and implicit SSL.
>  
> The problem seems to be line 912 in FTPSClient.java:
> {code:java}
> return f.createSocket(socket, socket.getInetAddress().getHostAddress(), socket.getPort(), false);{code}
>  
> which forces the new SSLSocket to have the IP address as peer hostname, which makes it impossible to use `isEndpointCheckingEnabled` as the hostname is the IP address, not the hostname that appears in the certificate.
> LFTP ([https://lftp.yar.ru/]) correctly connects to the hostname if the name matches, and disconnects if the name doesn't match the hostname, as does OpenSSL.
> The fix would be very easy. Just change the line into
> {code:java}
> return f.createSocket(socket, _hostname_, socket.getPort(), false);
> {code}
> and it works. I tested this by simply debugging the code 
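
The difference between the two `createSocket` calls quoted above, shown with plain JSSE as an added example (not code from Commons Net or from the reporter). The class name `LayeredTlsPeerHost`, the helper names and the host `ftps.example.test` are assumptions made for illustration; no TLS handshake is run, the program only prints the parameters each layered socket would handshake with.

```java
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LayeredTlsPeerHost {

    // Layers TLS over an already connected plain socket, as an FTPS client
    // does after AUTH TLS. peerHost is the name JSSE checks against the
    // server certificate once endpoint identification is enabled.
    static SSLSocket layer(Socket plain, String peerHost) throws Exception {
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        SSLSocket ssl = (SSLSocket) f.createSocket(plain, peerHost, plain.getPort(), false);
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // name check during handshake
        ssl.setSSLParameters(p);
        return ssl;
    }

    // Prints the settings the socket will use when the handshake starts.
    static void describe(String label, SSLSocket ssl) {
        SSLParameters p = ssl.getSSLParameters();
        System.out.println(label + ": endpointId=" + p.getEndpointIdentificationAlgorithm()
                + " serverNames=" + p.getServerNames());
    }

    public static void main(String[] args) throws Exception {
        String configuredHost = "ftps.example.test"; // constructed name, never resolved
        InetAddress loopback = InetAddress.getLoopbackAddress();
        // Local listener only so the plain sockets are connected; no handshake is run.
        try (ServerSocket listener = new ServerSocket(0, 2, loopback);
             Socket a = new Socket(loopback, listener.getLocalPort());
             Socket b = new Socket(loopback, listener.getLocalPort())) {
            // Reported behaviour: peer host is the socket's IP address.
            describe("ip-as-peer-host", layer(a, a.getInetAddress().getHostAddress()));
            // Proposed behaviour: peer host is the name the caller connected to.
            describe("name-as-peer-host", layer(b, configuredHost));
        }
    }
}
```

With endpoint identification enabled, the first socket can only validate a certificate that lists the IP address, while the second is checked against the name the caller asked for.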


