[
https://issues.apache.org/jira/browse/WAGON-600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Obernöder updated WAGON-600:
----------------------------------
Attachment: trace_ftp_modified_wagon-ftp.pcapng
> FTP-Upload fails if server enforces data encryption
> ---------------------------------------------------
>
> Key: WAGON-600
> URL: https://issues.apache.org/jira/browse/WAGON-600
> Project: Maven Wagon
> Issue Type: Improvement
> Components: wagon-ftp
> Affects Versions: 2.0
> Reporter: David Obernöder
> Priority: Trivial
> Attachments: trace_ftp_modified_wagon-ftp.pcapng,
> trace_ftp_original_wagon-ftp.pcapng
>
> Original Estimate: 8h
> Remaining Estimate: 8h
>
> We recently deployed stronger encryption rules to a few of our webservers.
> Unfortunately this leads to an issue with the FTP-Upload of wagon plugin for
> FTP. We receive the message "425-Server reqires protected data connection".
> Due to our FTP-Server allows only data transfer with encryption, this error
> arises.
> RFC4217, 9 defines the behaviour of Data Connection Protection and defines
> two available modes for FTPS:
> 'C' - Clear - neither Integrity nor Privacy
> 'P' - Private - Integrity and Privacy
> With 'Clear' protection level, the data connection is made without
> TLS. Thus, the connection is unauthenticated and has no
> confidentiality or integrity. This might be the desired behaviour
> for servers sending file lists, pre-encrypted data, or non-
> sensitive data (e.g., for anonymous FTP servers).
>
> If the data connection security level is 'Private', then a TLS
> negotiation must take place on the data connection to the
> satisfaction of the Client and Server prior to any data being
> transmitted over the connection. The TLS layers of the Client and
> Server will be responsible for negotiating the exact TLS Cipher
> Suites that will be used (and thus the eventual security of the
> connection).
>
> In addition, the PBSZ (protection buffer size) command, as
> detailed in [RFC-2228], is compulsory prior to any PROT command.
> This document also defines a data channel encapsulation mechanism
> for protected data buffers. For FTP-TLS, which appears to the FTP
> application as a streaming protection mechanism, this is not
> required. Thus, the PBSZ command MUST still be issued, but must
> have a parameter of '0' to indicate that no buffering is taking
> place and the data connection should not be encapsulated.
> [...]
> However, it should be noted that using a value of '0' to mean a
> streaming protocol is a reasonable use of '0' for that parameter
> and is not ambiguous.
> Initial Data Connection Security
> The initial state of the data connection MUST be 'Clear' (this is
> the behaviour as indicated by [RFC-2228]).
>
> While inspecting the code I noticed that the plugin does not do any switch to
> "secure data connection" (PBSZ 0 and PROT P). So it looks like the plugin is
> not compatible to servers that enforce a data connection.
> A good behaviour would be that the plugin tries to switch to protected data
> connections and continue if the server can't handle the PROT Command. Many
> clients switch to data encryption too when a TLS encrypted FTP was started.
> I'm pretty sure this is also an issue in the current version.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
