[jira] [Created] (NET-448) Self signed cert or ca not installed on client but FTPS still works


ASF GitHub Bot (Jira)
Self signed cert or ca not installed on client but FTPS still works
-------------------------------------------------------------------

                 Key: NET-448
                 URL: https://issues.apache.org/jira/browse/NET-448
             Project: Commons Net
          Issue Type: Bug
          Components: FTP
    Affects Versions: 3.1, 2.0
         Environment: client: Windows SP sp4, jdk 1.6.0_24
server: Linux 2.6.32-220.4.2.el6.i686 running vsFTPd 2.2.2
apache lib: commons-net-2.0.jar or commons-net-3.1.jar or commons-net-2.0-jdk14.jar (from zehon)
            Reporter: Deepak Pant
            Priority: Trivial


I am using vsftpd ftp server on centos with our own self signed root ca certificate.

I have not installed the self signed root certificate on the client machine. Neither am I setting the Trust Manager on the FTPSClient object using an X509TrustManager instance pointing to my physical cert file.

But I am still able to use the FTPSClient bundled in any of the following jar files and send/receive the files.
commons-net-2.0.jar
commons-net-3.1.jar
commons-net-2.0-jdk14.jar (from zehon)

I was expecting that I would have to either install the self signed root ca on the client machine or set a Trust Manager etc.

Can you please explain the behavior?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221557#comment-13221557 ]

Bogdan Drozdowski commented on NET-448:
---------------------------------------

The current default TrustManager of the FTPSClient only checks if the certificate's dates are valid (if the current date is not earlier than the certificate's "valid from" date and not later than the certificate's "valid till" date). It doesn't check the certificate's chain, domains or issuers. Currently, you need to install your own TrustManager (perhaps use a default provided by the JRE, if any) to do that.
               


[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221581#comment-13221581 ]

Sebb commented on NET-448:
--------------------------

Try using

FTPSClient.setTrustManager(null)

This will cause the default JVM implementation to be used.

[Should probably update the Javadoc to make this clearer]
               


[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221606#comment-13221606 ]

Deepak Pant commented on NET-448:
---------------------------------

Thanks for the prompt responses. I have tried FTPSClient.setTrustManager(null) and there is no difference in behavior.

Just to clarify the sequence of events:
1. My program establishes a connection to the FTPS server in explicit mode using the SSL or TLS protocol.
2. The server returns the public certificate installed at the server, which happens to be a self-signed certificate in my case.
3. The default implementation of TrustManager checks if the public cert returned is valid in terms of dates. I think this is the X509Certificate.checkValidity() method call, which only looks at dates.
4. No additional checks are being made to check whether the public cert was issued by a CA or is self signed, etc.



               


[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13221612#comment-13221612 ]

Sebb commented on NET-448:
--------------------------

Are you sure you set the trust manager to null before opening the connection?
               


[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13222360#comment-13222360 ]

Deepak Pant commented on NET-448:
---------------------------------

Thanks. If I do FTPSClient.setTrustManager(null) then I get the following exception. So if I really want, I can provide my own implementation of the X509TrustManager class, which will have some additional code in the checkServerTrusted() method. Besides calling X509Certificate.checkValidity(), it can also do checks for the self signed cert authority etc.

===
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available

        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
===
               

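The thread's conclusion is that FTPSClient's default trust manager only checks the certificate's validity dates, so chain validation has to be supplied by the caller. The following is an added example, not Commons Net's own code and not from any participant in this thread: it hands FTPSClient an X509TrustManager built by the JDK's own TrustManagerFactory from a keystore that contains just the private root CA the reporter describes, so the JSSE PKIX validator rejects any server chain that does not terminate at that CA (including a self-signed server certificate that happens to be within its validity dates). The class name PinnedCaFtpsClient and the helper trustManagerFor are my own; host, port 21, credentials and the CA file path are placeholders supplied on the command line. The Commons Net calls used (FTPSClient(String, boolean), setTrustManager, execPBSZ, execPROT, enterLocalPassiveMode, listNames) exist in the 3.x API; the code avoids Java 7 syntax so it compiles on the JDK 1.6 mentioned in the issue.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;

/**
 * Added example, not Commons Net's own code: an explicit-mode FTPS client whose
 * trust manager is the JSSE PKIX validator anchored at one private root CA, in
 * place of FTPSClient's default date-only check described in NET-448.
 *
 * Assumptions (placeholders, not taken from the issue): the root CA certificate
 * is a PEM or DER file at caPath; host, user and password come from the caller.
 */
public class PinnedCaFtpsClient {

    /** Build an X509TrustManager whose only trust anchor is the CA certificate in caPath. */
    static X509TrustManager trustManagerFor(String caPath)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(caPath);
        X509Certificate ca;
        try {
            ca = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // An in-memory keystore holding only our root CA: the PKIX validator will
        // reject any server chain that does not end at this anchor, including a
        // self-signed server certificate that is merely within its validity dates.
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);
        anchors.setCertificateEntry("private-root-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];      // placeholder: FTPS server host name
        String user = args[1];      // placeholder: FTP user
        String password = args[2];  // placeholder: FTP password
        String caPath = args[3];    // placeholder: path to the private root CA certificate

        FTPSClient ftps = new FTPSClient("TLS", false); // explicit FTPS: AUTH TLS on port 21
        // Must be set before connect(): the TLS handshake runs inside connect().
        ftps.setTrustManager(trustManagerFor(caPath));

        ftps.connect(host, 21);
        try {
            if (!FTPReply.isPositiveCompletion(ftps.getReplyCode())) {
                throw new IOException("server refused connection: " + ftps.getReplyString());
            }
            if (!ftps.login(user, password)) {
                throw new IOException("login failed: " + ftps.getReplyString());
            }
            // Protect the data channel as well; without PROT P only the control
            // connection is encrypted and file contents travel in clear text.
            ftps.execPBSZ(0);
            ftps.execPROT("P");
            ftps.enterLocalPassiveMode();

            String[] names = ftps.listNames();
            if (names != null) {
                for (String name : names) {
                    System.out.println(name);
                }
            }
            ftps.logout();
        } finally {
            ftps.disconnect();
        }
    }
}
```

Two caveats for anyone adopting this pattern. First, pointing the server at a certificate not issued by the pinned CA now fails inside connect() with the same "PKIX path building failed" SSLHandshakeException that Sebb's run with the JVM default shows later in this thread, which is the behaviour the reporter originally expected. Second, an X509TrustManager validates the chain but not the host name: any certificate the private CA has issued is accepted for any host. Later Commons Net releases (3.4 and up) add FTPSClient.setHostnameVerifier for that check; on the 3.1 discussed here it has to be done separately.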

       

[jira] [Commented] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13222437#comment-13222437 ]

Sebb commented on NET-448:
--------------------------

I get the response shown below when using the FTP client example to connect to Apache FTP server with a local certificate and using TrustManager = none.

Perhaps the different result is because of the certificate I'm using.

Without the "-T none", the command logs in OK.

{noformat}
set CLASSPATH=commons-net-examples-3.1.jar;commons-net-3.1.jar
java examples/ftp/FTPClientExample -l -p true -T none localhost:990 anonymous password
{noformat}

{noformat}
Could not connect to server.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
        at org.apache.commons.net.ftp.FTPSClient.sslNegotiation(FTPSClient.java:265)
        at org.apache.commons.net.ftp.FTPSClient._connectAction_(FTPSClient.java:201)
        at org.apache.commons.net.SocketClient.connect(SocketClient.java:172)
        at org.apache.commons.net.SocketClient.connect(SocketClient.java:192)
        at examples.ftp.FTPClientExample.main(FTPClientExample.java:249)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
        ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
        ... 18 more
{noformat}
               


[jira] [Resolved] (NET-448) Self signed cert or ca not installed on client but FTPS still works

ASF GitHub Bot (Jira)

     [ https://issues.apache.org/jira/browse/NET-448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb resolved NET-448.
----------------------

    Resolution: Not A Problem

The current behaviour is by design.
               
