Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.7
- None
- None
Description
When connecting with SSL to an FTPS server, the hostname used to connect to the server is not copied to the SSLSocket; instead the socket's IP address is used. This applies to both `AUTH TLS` and implicit SSL.
The problem seems to be line 912 in FTPSClient.java:
```java
return f.createSocket(socket, socket.getInetAddress().getHostAddress(), socket.getPort(), false);
```
which forces the new SSLSocket to have the IP address as peer hostname, which makes it impossible to use `isEndpointCheckingEnabled`, as the hostname is the IP address, not the hostname that appears in the certificate.
LFTP (https://lftp.yar.ru/) correctly connects to the hostname if the name matches, and disconnects if the name doesn't match the hostname, as does OpenSSL.
The fix would be very easy. Just change the line to
```java
return f.createSocket(socket, _hostname_, socket.getPort(), false);
```
and it works. I tested this by simply debugging the code.
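Why the socket's IP address cannot satisfy endpoint checking, as an added illustration (not Commons Net or JDK code): a simplified model of hostname verification in which an IP literal is compared only with iPAddress subjectAltName entries and a name only with dNSName entries. The class and method names are hypothetical, and the hostname, address and certificate entries are constructed samples.

```java
import java.util.List;
import java.util.Locale;

// Added illustration: simplified model of "HTTPS"-style endpoint identification.
// SAN type codes follow X509Certificate.getSubjectAlternativeNames():
// 2 = dNSName, 7 = iPAddress. Requires Java 16+ (records).
public class EndpointNameCheck {
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    record San(int type, String value) {}

    // IPv4 dotted quad, or anything containing ':' (IPv6), counts as an IP literal.
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // An IP literal is compared only with iPAddress entries, a name only with dNSName entries.
    static boolean matches(String peerHost, List<San> sans) {
        boolean ip = isIpLiteral(peerHost);
        for (San san : sans) {
            if (ip && san.type() == IP_ADDRESS && san.value().equals(peerHost)) return true;
            if (!ip && san.type() == DNS_NAME && dnsMatch(peerHost, san.value())) return true;
        }
        return false;
    }

    // Case-insensitive match; "*." may stand in only for the whole left-most label.
    static boolean dnsMatch(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }

    public static void main(String[] args) {
        // Constructed sample: certificate issued for a DNS name only.
        List<San> cert = List.of(new San(DNS_NAME, "ftp.example.com"));
        String typedHostname = "ftp.example.com"; // what the caller passed to connect()
        String socketAddress = "192.0.2.10";      // socket.getInetAddress().getHostAddress()

        System.out.println("peer host = IP address: " + matches(socketAddress, cert));
        System.out.println("peer host = hostname:   " + matches(typedHostname, cert));
        // A certificate for a different name is told apart only when the name is the peer host.
        List<San> other = List.of(new San(DNS_NAME, "other.example.net"));
        System.out.println("other certificate:      " + matches(typedHostname, other));
    }
}
```

With the IP address as peer host, the valid certificate and the certificate for a different name both fail the check, so enabling endpoint checking can only break every connection rather than distinguish the right server.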