View Single Post
Old 12-01-2003, 05:36 PM  
superbonbon
Junior Member
 
Join Date: May 2002
Posts: 5
Default rfc 2228 compliance

Hi

There is a small problem with ssl/tls data connection on flashfxp version 2.1 build 924 and up.

The implementation does not seems to be rfc compliant.

It seems that for implicit connections the is no PROT command issued to determine if the data connection need to be encrypted or not.

Unfortunatly Flash fxp tries to establish an crypted data connection even if the rfc 2288 states that clear connection is the default mode for data channel when no PROT command is sent by the client.

rfc 2228 page 9 :

The default protection level if no other level is specified is
Clear. The Clear protection level indicates that the data channel
will carry the raw data of the file transfer, with no security
applied.

Here is a log of client output during an implicit ssl session
you can notice that no PROT is issued :

Connecting to localhost
Connected to localhost -> IP=127.0.0.1 PORT=21
Negotiating SSL/TLS session...
SSL/TLS negotiation successful...
SSL/TLS connection using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
220-Hello new client the
test
220 system time is : Mon 1 Dec 2003 22:08:24 +0100
USER administrator
331 User administrator accepted send password ( case sensitive ) otp-md5 217 186524
PASS (s/key)
230-User administrator is authenticated
230 The timeout for this account is set to 60 second(s)
SYST
215 Operating System : Windows 2000, Endian : little, File encoding : Cp1252
REST 100
350 REST set to offset 100, use RETR or STOR command
REST 0
350 REST set to offset 0, use RETR or STOR command
PWD
257 "/" is current working directory
TYPE A
200 TYPE command set to ASCII
PASV
227 Entering Passive Mode (127,0,0,1,184,241)
LIST
Negotiating SSL/TLS session...
Connection lost: localhost
125 Data connection already open, transfer starting

Here is a log of an explicit ssl session. PROT command is issued correctly and set to P to encrypt the data connection, everything is allright :

Connecting to localhost
Connected to localhost -> IP=127.0.0.1 PORT=21
220-Hello new client the
test
220 system time is : Mon 1 Dec 2003 22:31:30 +0100
AUTH SSL
234 Starting AUTH
Negotiating SSL/TLS session...
SSL/TLS negotiation successful...
SSL/TLS connection using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
PBSZ 0
200 PROT buffer size set to 0
USER administrator
331 User administrator accepted send password ( case sensitive ) otp-md5 330 1a3a98
PASS (s/key)
230-User administrator is authenticated
230 The timeout for this account is set to 60 second(s)
SYST
215 Operating System : Windows 2000, Endian : little, File encoding : Cp1252
REST 100
350 REST set to offset 100, use RETR or STOR command
REST 0
350 REST set to offset 0, use RETR or STOR command
PWD
257 "/" is current working directory
TYPE A
200 TYPE command set to ASCII
PROT P
200 PROT set to P
PASV
227 Entering Passive Mode (127,0,0,1,184,241)
LIST
Negotiating SSL/TLS session...
SSL/TLS negotiation successful...
SSL/TLS connection using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
125 Data connection already open, transfer starting
226 Transfert ok
List Complete: 919 bytes in 0.09 (0.90 KBps)

Finally during SSl sessions i think that there is no need to send
an otp password even if the challenge is sent by the server since
the connection is allready encrypted.

Regards
superbonbon is offline