Class SSLFTPClient
- All Implemented Interfaces:
FTPClientInterface,ProFTPClientInterface
SSLFTPClient supports standard FTP and the two
types of FTPS, explicit and implicit.
Explicit FTPS is specified by the Internet Draft, "Securing FTP with TLS",
Ford-Hutchinson, et al. As directed by the draft, the FTP client connects
in plain (non-SSL) mode and operates in this mode until the "AUTH" command is
issued by means of the auth(String) method. This will cause
the client and server to negotiate an SSL connection. Once complete
commands sent from the client to the server, and their corresponding replies
will be secure. Below is an example of a simple explicit FTPS session:
// create an explicit FTPS client
SSLFTPClient ftp = new SSLFTPClient("123.123.123.123", 0);
// Turn off server validation (ONLY do this when testing)
ftp.setValidateServer(false);
// connect to the server
ftp.connect();
// switch to secure command channel
ftp.auth(SSLFTPClient.AUTH_SSL);
// log in
ftp.login("test", "test");
// get a file
ftp.get("file.txt", "file.txt");
// close the connection
ftp.quit();
This example uses no client authentication and does not attempt to verify
server certificates (which should be done only when testing).
Implicit FTPS is an older form of FTPS which uses pure SSL connection, i.e. SSL sessions are established immediately upon socket connection for all FTP channels. The following is an example of a simple implicit FTPS session:
// create an implicit FTPS client
SSLFTPClient ftp = new SSLFTPClient("123.123.123.123", SSLFTPClient.ConfigFlags.IMPLICIT_FTPS);
// Turn off server validation (ONLY do this when testing)
ftp.setValidateServer(false);
// connect to the server
ftp.connect();
// log in
ftp.login("test", "test");
// get a file
ftp.get("file.txt", "file.txt");
// close the connection
ftp.quit();
Like the previous example, this example uses no client authentication
and does not attempt to verify server certificates (which should be
done only when testing).
SSL Certificates:
Both the examples above used no server validation. This is only normally
acceptable only when testing. To be secure applications should always
validate the server that they're communicating with. If setValidateServer()
is not called then
SSLFTPClient will attempt to validate the server's certificate. In
explicit FTPS this occurs when the auth(String) method is invoked, whereas
in implicit FTPS, it occurs upon connection.
The server's certificate is matched against the root certificates
in the root certificate-store (accessible via getRootCertificateStore().
Some server certificates are
issued by Certificate Authorities (CAs). In such cases, it is sufficient for the
CA's certificate to be in the root certicate file. If a non-CA certificate is used then
the server certificate itself must be in root certificate file.
If client authentication is required
then a user's private key and certificate must be set using the
loadClientCertificate(String,String),
loadClientCertificate(InputStream,String) or
setClientCertificate(Certificate,PrivateKey) methods.
Configuration flags:There are variations in the
interpretation of the FTPS standard as
implemented in various servers. For this reason non-standard compatibility
options may activated by passing ConfigFlags to the
SSLFTPClient constructor. For example, to communicate
with a GlobalSCAPE (tm) server, the following code would be used:
SSLFTPClient ftp = new SSLFTPClient("123.123.123.123",
SSLFTPClient.ConfigFlags.DISABLE_SSL_CLOSURE
| SSLFTPClient.ConfigFlags.DISABLE_WAIT_ON_CLOSURE);
Cipher-Suites: A cipher-suite is a set of algorithms that is used for various aspects of SSL security. For a client and a server to be able to communicate, they must be able to agree on a particular cipher-suite. Different types of servers recognize different cipher-suites, so it is usually up to the client make sure that it shares at least one cipher-suite with the server that it is trying to communicate securely with. By itself, this fact would imply that the client should simply enable all possible suites in order to increase the chances of overlap. However, this is not necessarily wise since some cipher-suites (esp. those which adhered to the (now defunct) US export restrictions are relatively easy to break, whereas some others are trusted as currently being virtually unbreakable.
This library supports many cipher-suites (see SSLFTPCipherSuite)
so it should be possible to find a suitable cipher-suite in most cases. Cipher-suites
are configured on the client using the disableAllCipherSuites(),
enableCipherSuite(SSLFTPCipherSuite), and getEnabledCipherSuites()
methods.
(Note: GlobalSCAPE is a registered trademark of GlobalSCAPE)
- Version:
- $Revision$
- Author:
- Hans Andersen
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classConfigFlagscontains various static integers which are used to configure clients.static class -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final StringDeprecated - use AUTH_TLS.static final StringMay be passed to theauth(java.lang.String)method to request a TLS connection.static final StringSynonym forAUTH_TLSthat may be used by some older servers.static final charMay be passed to theprot(char)method to specify that data-transfers should be done WITHOUT security.static final charMay be passed to theprot(char)method to specify that data-transfers should be done WITH security.Fields inherited from class com.enterprisedt.net.ftp.pro.ProFTPClient
cvsId, proxySettingsFields inherited from class com.enterprisedt.net.ftp.FTPClient
CARRIAGE_RETURN, control, controlEncoding, controlPort, data, dataChannelCallback, dataReceiveBufferSize, dataSendBufferSize, DEFAULT_BUFFER_SIZE, DEFAULT_ENCODING, DEFAULT_LISTING_LOCALES, DEFAULT_MONITOR_INTERVAL, DEFAULT_RETRY_COUNT, DEFAULT_RETRY_DELAY, DEFAULT_TCP_BUFFER_SIZE, DEFAULT_TIMEOUT, dirEmptyStrings, fileLockingEnabled, fileNotFoundStrings, FTP_LINE_SEPARATOR, id, lastReply, lastValidReply, LINE_FEED, LINE_SEPARATOR, messageListener, monitor, monitorEx, monitorInterval, password, remoteAddr, remoteHost, serverWakeupInterval, throttler, timeout, transferBufferSize, transferCompleteStrings, transferType, useNOOP, userFields inherited from interface com.enterprisedt.net.ftp.pro.ProFTPClientInterface
cvsId -
Constructor Summary
ConstructorsConstructorDescriptionConstructs an FTPS client for the given remote host.SSLFTPClient(String remoteHost, int configFlags) Deprecated.use setter methods to set propertiesSSLFTPClient(String remoteHost, int controlPort, int configFlags) Deprecated.use setter methods to set propertiesSSLFTPClient(String remoteHost, int controlPort, int timeout, int configFlags) Deprecated.use setter methods to set propertiesSSLFTPClient(InetAddress remoteAddr, int configFlags) Deprecated.use setter methods to set propertiesSSLFTPClient(InetAddress remoteAddr, int controlPort, int configFlags) Deprecated.use setter methods to set propertiesSSLFTPClient(InetAddress remoteAddr, int controlPort, int timeout, int configFlags) Deprecated.use setter methods to set properties -
Method Summary
Modifier and TypeMethodDescriptionbooleanIndicates whether custom diffie-helman groups are permittedvoidauth(char command) Required for certain implementations of implicit SSL.voidSwitches the control-channel (the connection which carries commands) to secure mode.voidccc()Clears the control channel, setting it back to plain text.voidconnect()Connects to the server at the address and port number defined in the constructor.voidDisables all cipher-suites.voiddisableSSL3(boolean disable) Deprecated.use @see setMinSSLVersionvoidenableCipherSuite(SSLFTPCipherSuite cipherSuite) Enables the given cipher-suite.voidenableCipherSuites(SSLFTPCipherSuite[] cipherSuites) Enables the given cipher-suites.Returns a vector containing the certificates (SSLFTPCertificate) presented by the server with the Certificate Authority's certificate first and the server's certificate last.intGet the set configuration flags.Returns an array of all currently enabled cipher-suites.intGet the max SSL version that is permittedintGet the minimum SSL version that is permittedReturns a reference to theSSLFTPCertificateStorewhich contains the root certificates that will be used to validate the server certificate.static SSLFTPCertificategetServerCertificate(String hostName) Connects to the given explicit FTPS server and retrieves its certificate.static SSLFTPCertificategetServerCertificate(String hostName, int remotePort) Connects to the given explicit FTPS server and retrieves its certificate.static SSLFTPCertificategetServerCertificate(String hostName, int remotePort, boolean isImplicit) Connects to the given implicit or explicit FTPS server and retrieves its certificate.static StringgetServerSecurityMechanism(String remoteHost) Returns the safest explicit FTPS security mechanism supported by the server.static StringgetServerSecurityMechanism(String remoteHost, int remotePort) Returns the safest explicit FTPS security mechanism supported by the server.booleanReturns a flag indicating whether or not this client will attempt to validate server certificates.booleanAre we in secure mode on the control socket?booleanIs implicit FTPS being used?booleanDeprecated.use @see getMinSSLVersionvoidloadClientCertificate(InputStream inputStream, String password) Loads the client's private key and certificate in PEM format from the given input-stream.voidloadClientCertificate(String path, String password) Loads the client's private key and certificate in PEM format from the given file.voidloadClientKeyFile(InputStream inputStream, String password) Deprecated.UseloadClientCertificate(inputStream, password).voidloadClientKeyFile(String path, String password) Deprecated.UseloadClientCertificate(path, password).voidloadRootCertificates(InputStream inputStream) voidloadRootCertificates(String path) voidpbsz(int bufferSize) Defines the buffer-size to be used on data-connections.voidprot(char command) Defines the security-level of subsequent data-transfers.protected intAttempts to read a single character from the givenInputStream.intreadChunk(BufferedInputStream in, byte[] chunk, int chunksize) Attempts to read a specified number of bytes from the givenInputStreamand place it in the given byte-array.protected StringAttempts to read a single line from the givenInputStream.protected voidReconnect to the servervoidsetAllowCustomDHGroups(boolean allowCustomDHGroups) Allows custom diffie-helman groups to be permittedvoidsetClientCertificate(Certificate[] certificateChain, PrivateKey privateKey) Sets the client's certificate chain and private key given standard JavaCertificateandPrivateKeyobjects.voidsetClientCertificate(Certificate certificate, PrivateKey privateKey) Sets the client's certificate and private key given standard JavaCertificateandPrivateKeyobjects.voidsetConfigFlags(int configFlags) Set the configuration flags which control various compatibility features.voidsetCustomValidator(SSLFTPValidator newValidator) Sets the validator.voidsetImplicitFTPS(boolean implicitFTPS) Set implicit FTPS on or off.voidsetMaxSSLVersion(int maxVersion) Set the max SSL version that is permittedvoidsetMinSSLVersion(int minVersion) Set the minimum SSL version that is permittedvoidSets theSSLFTPCertificateStorewhich contains the root certificates that will be used to validate the server certificate.voidsetValidateServer(boolean validate) Determines whether or not this client will attempt to validate server certificates.toString()String representationMethods inherited from class com.enterprisedt.net.ftp.pro.ProFTPClient
enableModeZCompression, getCountBeforeSleep, getInputStream, getLocalCRC, getLocalCRC, getMaxTransferRate, getOutputStream, getProxySettings, getRemoteCRC, getSleepTime, integrityCheckTransferCRC, integrityCheckTransferCRC, integrityCheckTransferSize, isModeZCompressionEnabled, isSleepEnabled, isTransferIntegrityCheck, mdelete, mdelete, mdelete, mdelete, mget, mget, mget, mget, mput, mput, mput, mput, postTransferChecks, postTransferChecks, rmdir, setCountBeforeSleep, setMaxTransferRate, setSleepEnabled, setSleepTime, setTransferIntegrityCheckMethods inherited from class com.enterprisedt.net.ftp.FTPClient
abort, account, cancelResume, cancelTransfer, cdup, chdir, checkConnection, chooseTransferMode, clearSOCKS, closeDataSocket, closeDataSocket, configureDataSocket, connected, createDataSocket, debugResponses, delete, dir, dir, dir, dirDetails, dirDetails, dirDetailsM, executeCommand, exists, existsDirectory, existsFile, features, fileDetails, forceResumeOff, get, get, get, getActiveHighPort, getActiveIPAddress, getActiveLowPort, getBuildTimestamp, getConnectMode, getControlEncoding, getControlPort, getDataReceiveBufferSize, getDataSendBufferSize, getDeleteCount, getDetectTransferMode, getDirectoryEmptyMessages, getDownloadCount, getFileLockingEnabled, getFileNotFoundMessages, getId, getLastReply, getLastValidReply, getListenOnAllInterfaces, getMessageListener, getMonitorInterval, getNetworkBufferSize, getProgressMonitor, getProgressMonitorEx, getRemoteAddr, getRemoteHost, getRemotePort, getRetryCount, getRetryDelay, getServerWakeupInterval, getTimeout, getTransferBufferSize, getTransferCompleteMessages, getType, getUploadCount, getVersion, help, initGet, initialize, initPut, initSOCKS, initSOCKSAuthentication, isAutoPassiveIPSubstitution, isDeleteOnFailure, isStrictReturnCodes, isTransferCancelled, keepAlive, list, list, login, login, mkdir, modtime, noOp, noOperation, password, put, put, put, put, put, put, pwd, quit, quitImmediately, quote, quote, readChunk, rename, resetDeleteCount, resetDownloadCount, resetTransferMode, resetUploadCount, restart, resume, resumeNextDownload, rmdir, sendCommand, sendServerWakeup, setActiveIPAddress, setActivePortRange, setAutoPassiveIPSubstitution, setConnectMode, setControlEncoding, setControlPort, setDataChannelCallback, setDataReceiveBufferSize, setDataSendBufferSize, setDeleteOnFailure, setDetectTransferMode, setDirectoryEmptyMessages, setFileLockingEnabled, setFileNotFoundMessages, setForceUniqueNames, setFTPFileFactory, setId, setListenOnAllInterfaces, setMessageListener, setModTime, setMonitorInterval, setNetworkBufferSize, setParserLocale, setParserLocales, setPORTIP, setProgressMonitor, setProgressMonitor, setProgressMonitorEx, setRemoteAddr, setRemoteHost, setRemotePort, setRetryCount, setRetryDelay, setServerWakeupInterval, setStrictReturnCodes, setTimeout, setTransferBufferSize, setTransferCompleteMessages, setType, site, size, stat, system, user, validateReply, validateReply, validateTransfer, validateTransferOnErrorMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, waitMethods inherited from interface com.enterprisedt.net.ftp.FTPClientInterface
cancelResume, cancelTransfer, cdup, chdir, connected, delete, dir, dir, dir, dirDetails, dirDetails, executeCommand, exists, get, get, get, getDeleteCount, getDetectTransferMode, getDownloadCount, getFileLockingEnabled, getId, getMonitorInterval, getNetworkBufferSize, getRemoteHost, getRemotePort, getTimeout, getType, getUploadCount, keepAlive, mkdir, modtime, put, put, put, put, put, put, pwd, quit, quitImmediately, rename, resetDeleteCount, resetDownloadCount, resetUploadCount, resume, resumeNextDownload, rmdir, setControlEncoding, setDetectTransferMode, setFileLockingEnabled, setId, setModTime, setNetworkBufferSize, setProgressMonitor, setProgressMonitor, setRemoteHost, setRemotePort, setTimeout, setType, size, systemMethods inherited from interface com.enterprisedt.net.ftp.pro.ProFTPClientInterface
getCountBeforeSleep, getMaxTransferRate, getProgressMonitorEx, getProxySettings, getSleepTime, isSleepEnabled, mdelete, mdelete, mdelete, mdelete, mget, mget, mget, mget, mput, mput, mput, mput, rmdir, setCountBeforeSleep, setMaxTransferRate, setMonitorInterval, setProgressMonitorEx, setSleepEnabled, setSleepTime
-
Field Details
-
AUTH_TLS
May be passed to theauth(java.lang.String)method to request a TLS connection.- See Also:
-
AUTH_TLS_C
Synonym forAUTH_TLSthat may be used by some older servers.- See Also:
-
AUTH_SSL
Deprecated - use AUTH_TLS. May be passed to theauth(java.lang.String)method to request an SSL connection.- See Also:
-
PROT_CLEAR
public static final char PROT_CLEARMay be passed to theprot(char)method to specify that data-transfers should be done WITHOUT security.- See Also:
-
PROT_PRIVATE
public static final char PROT_PRIVATEMay be passed to theprot(char)method to specify that data-transfers should be done WITH security.- See Also:
-
-
Constructor Details
-
SSLFTPClient
Constructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.All other constructors are deprecated. This constructor should be used, and then setter methods used (most inherited from FTPClient) to set the control port, remote host etc
- Throws:
FTPException
-
SSLFTPClient
Deprecated.use setter methods to set propertiesConstructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.- Parameters:
remoteHost- Remote FTP server to connect to.configFlags- Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (seeSSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.- Throws:
UnknownHostException- Thrown if the remoteHost argument does not resolved to a known host.
-
SSLFTPClient
public SSLFTPClient(String remoteHost, int controlPort, int configFlags) throws UnknownHostException Deprecated.use setter methods to set propertiesConstructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.- Parameters:
remoteHost- Remote FTP server to connect to.controlPort- Port on remote FTP server to connect to.configFlags- Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (seeSSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.- Throws:
UnknownHostException- Thrown if the remoteHost argument does not resolved to a known host.
-
SSLFTPClient
public SSLFTPClient(String remoteHost, int controlPort, int timeout, int configFlags) throws UnknownHostException Deprecated.use setter methods to set propertiesConstructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.- Parameters:
remoteHost- Remote FTP server to connect to.controlPort- Port on remote FTP server to connect to.timeout- Time-out of connections (0 means no time-out).configFlags- Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (seeSSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.- Throws:
UnknownHostException- Thrown if the remoteHost argument does not resolved to a known host.
-
SSLFTPClient
Deprecated.use setter methods to set propertiesConstructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.- Parameters:
remoteAddr- Address of remote FTP server to connect to.configFlags- Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (seeSSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.
-
SSLFTPClient
Deprecated.use setter methods to set propertiesConstructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.- Parameters:
remoteAddr- Address of remote FTP server to connect to.controlPort- Port on remote FTP server to connect to.configFlags- Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (seeSSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.
-
SSLFTPClient
Deprecated.use setter methods to set propertiesConstructs an FTPS client for the given remote host.IMPORTANT NOTE: This constructor does NOT connect to the server. The
connect()method must be called to do this.- Parameters:
remoteAddr- Address of remote FTP server to connect to.controlPort- Port on remote FTP server to connect to.timeout- Time-out of connections (0 means no time-out).configFlags- Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (seeSSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.
-
-
Method Details
-
setConfigFlags
Set the configuration flags which control various compatibility features. The configuration flag constants are inSSLFTPClient.ConfigFlags. They are integers so they should be OR'd together if more than one is required. For example,ftpClient.setConfigFlags(SSLFTPClient.ConfigFlags.DISABLE_SESSION_RESUMPTION | SSLFTPClient.ConfigFlags.DISABLE_SSL_CLOSURE);Note that implicit FTPS should not longer be set via, which is now deprecated. Instead, useinvalid reference
ConfigFlags.IMPLICIT_FTPSsetImplicitFTPS(boolean). Ifis supplied, implicit FTPS will be enabled for backward compatibility. However if it is not supplied, the implicit FTPS mode will be unaltered, i.e. if implicit FTPS is currently enabled, it will not be disabled by not supplyinginvalid reference
ConfigFlags.IMPLICIT_FTPS.invalid reference
ConfigFlags.IMPLICIT_FTPS- Parameters:
configFlags- Configuration flags to set (seeSSLFTPClient.ConfigFlags)- Throws:
FTPException- Thrown if the client is already connected to the server.
-
getConfigFlags
public int getConfigFlags()Get the set configuration flags.- Returns:
- configuration flags
-
isControlSecure
public boolean isControlSecure()Are we in secure mode on the control socket?- Returns:
- true if secure mode
-
connect
Connects to the server at the address and port number defined in the constructor. Must be performed before login() or user() is called. If connecting in implicit FTPS mode (i.e. seeSSLFTPClient.ConfigFlags.IMPLICIT_FTPS) then the client and server will negotiate a secure connection upon connection.- Specified by:
connectin interfaceFTPClientInterface- Overrides:
connectin classProFTPClient- Throws:
IOException- Thrown if there is a TCP/IP-related error.FTPException- Thrown if there is an error related to the FTP protocol.SSLFTPCertificateException- If connecting in implicit FTPS mode (i.e. seeSSLFTPClient.ConfigFlags.IMPLICIT_FTPS) then theSSLFTPCertificateExceptionmay be thrown if there's a certificate validation error. In this case,SSLFTPCertificateException.getCertificates()returns the server's certificate(s).
-
reconnect
Reconnect to the server- Overrides:
reconnectin classFTPClient- Parameters:
cwd- current working dir- Throws:
IOExceptionFTPException
-
readChar
Description copied from class:FTPClientAttempts to read a single character from the givenInputStream. The purpose of this method is to permit subclasses to execute any additional code necessary when performing this operation.- Overrides:
readCharin classFTPClient- Parameters:
in- TheLineNumberReaderto read from.- Returns:
- The character read.
- Throws:
IOException- Thrown if there was an error while reading.
-
readLine
Description copied from class:FTPClientAttempts to read a single line from the givenInputStream. The purpose of this method is to permit subclasses to execute any additional code necessary when performing this operation.- Overrides:
readLinein classFTPClient- Parameters:
in- TheLineNumberReaderto read from.- Returns:
- The string read.
- Throws:
IOException- Thrown if there was an error while reading.
-
readChunk
Description copied from class:FTPClientAttempts to read a specified number of bytes from the givenInputStreamand place it in the given byte-array. The purpose of this method is to permit subclasses to execute any additional code necessary when performing this operation.- Overrides:
readChunkin classFTPClient- Parameters:
in- TheInputStreamto read from.chunk- The byte-array to place read bytes in.chunksize- Number of bytes to read.- Returns:
- Number of bytes actually read.
- Throws:
IOException- Thrown if there was an error while reading.
-
getCertificateChain
Returns a vector containing the certificates (SSLFTPCertificate) presented by the server with the Certificate Authority's certificate first and the server's certificate last. It allows you to inspect the certificates that the server presented to the client during the establishment of a secure connection. There should be one or more certificates in this chain. The last one in the chain is the server's certificate. Any preceding certificates are certificates of issuers. For example, if there are three: A, B, and C. Then C is the server certificate. C was issued by B, and B was issued by A. At least one of these three certificates must be in the root certificate store for the server to be validated.- Returns:
- Vector containing
SSLFTPCertificateobjects.
-
getValidateServer
public boolean getValidateServer()Returns a flag indicating whether or not this client will attempt to validate server certificates. For a certificate to be valid, the certificate of the Certificate Authority (CA) which issued it must be in the set of root certificates. The root certificates managed by means of the root certificate-store (accessible throughgetRootCertificateStore()). Setting this method to false makes it trivial for an attacker to impersonate a server, so it should be done only for testing purposes.- Returns:
- True if servers are to be validated.
-
setValidateServer
Determines whether or not this client will attempt to validate server certificates. For a certificate to be valid, the certificate of the Certificate Authority (CA) which issued it must be in the set of root certificates. The root certificates are loaded using theloadRootCertificates(String)method. Setting this method to false makes it trivial for an attacker to impersonate a server, so it should be done only for testing purposes.- Parameters:
validate- True if servers are to be validated.- Throws:
FTPException
-
setCustomValidator
Sets the validator. Validators are used for validating server certificates. If this method is not called then the standard validatorSSLFTPStandardValidatorwill be used.Custom validators may be used to provide user interaction, such as allowing the user view a server's certificate before accepting the connection. See SSLFTPValidator and SSLFTPStandardValidator.
Note that this method must be called before
authis called, otherwise the standard validator will be used.- Parameters:
newValidator- Custom validator to use.- Throws:
FTPException
-
getEnabledCipherSuites
Returns an array of all currently enabled cipher-suites.- Returns:
- Array of all currently enabled cipher-suites.
-
disableAllCipherSuites
Disables all cipher-suites.- Throws:
FTPException
-
enableCipherSuite
Enables the given cipher-suite.- Parameters:
cipherSuite- Cipher-suite to enable.- Throws:
SSLFTPException- Thrown if the given cipher-suite is not valid.FTPException
-
enableCipherSuites
Enables the given cipher-suites.- Parameters:
cipherSuites- Cipher-suites to enable.- Throws:
SSLFTPException- Thrown if a cipher-suite is not valid.FTPException
-
disableSSL3
public void disableSSL3(boolean disable) Deprecated.use @see setMinSSLVersionSet whether to disable SSL3. The default is true/yes.- Parameters:
disable- true to disable SSL3
-
isSSL3Disabled
public boolean isSSL3Disabled()Deprecated.use @see getMinSSLVersionreturn if SSL3 is disabled- Returns:
- true if SSL3 is disabled (the default)
-
setMaxSSLVersion
Set the max SSL version that is permitted- Parameters:
maxVersion- one of SSLVersion values- Throws:
SSLFTPException
-
getMaxSSLVersion
public int getMaxSSLVersion()Get the max SSL version that is permitted- Returns:
- SSLVersion
-
setMinSSLVersion
Set the minimum SSL version that is permitted- Parameters:
minVersion- one of SSLVersion values- Throws:
SSLFTPException
-
getMinSSLVersion
public int getMinSSLVersion()Get the minimum SSL version that is permitted- Returns:
- SSLVersion
-
allowCustomDHGroups
public boolean allowCustomDHGroups()Indicates whether custom diffie-helman groups are permitted- Returns:
- true if custom diffie-helman groups are permitted, otherwise false
-
setAllowCustomDHGroups
public void setAllowCustomDHGroups(boolean allowCustomDHGroups) Allows custom diffie-helman groups to be permitted- Parameters:
allowCustomDHGroups- if true, custom diffie-helman groups are permitted
-
loadClientKeyFile
public void loadClientKeyFile(InputStream inputStream, String password) throws FileNotFoundException, IOException, FTPException Deprecated.UseloadClientCertificate(inputStream, password).Loads the client's private key and certificate from the given input-stream. -
loadClientKeyFile
public void loadClientKeyFile(String path, String password) throws FileNotFoundException, IOException, FTPException Deprecated.UseloadClientCertificate(path, password).Loads the client's private key and certificate from the given file. -
loadClientCertificate
public void loadClientCertificate(InputStream inputStream, String password) throws FileNotFoundException, IOException, FTPException Loads the client's private key and certificate in PEM format from the given input-stream. The stream must be formatted as follows:-----BEGIN xxx PRIVATE KEY----- ... client's private key ... -----END xxx PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... client's certificate ... -----END CERTIFICATE-----
wherexxxdefines the keytype which must be either RSA or DSA.A chain of keys (ordered from client's certificate to the root) may be placed in the file. Each certificate must be bracketed as shown above.
- Parameters:
inputStream- InputStream to read from.password- Pass-phrase for accessing the key.- Throws:
FileNotFoundException- Thrown if the file could not be found.IOException- Thrown if there was an error reading the key.FTPException
-
loadClientCertificate
public void loadClientCertificate(String path, String password) throws FileNotFoundException, IOException, FTPException Loads the client's private key and certificate in PEM format from the given file. The file must be formatted as follows:-----BEGIN xxx PRIVATE KEY----- ... client's private key ... -----END xxx PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... client's certificate ... -----END CERTIFICATE-----
wherexxxdefines the keytype which must be either RSA or DSA.A chain of keys (ordered from client's certificate to the root) may be placed in the file. Each certificate must be bracketed as shown above.
- Parameters:
path- Path of the filepassword- Pass-phrase for accessing the key.- Throws:
FileNotFoundException- Thrown if the file could not be found.IOException- Thrown if there was an error reading the key.FTPException
-
setClientCertificate
public void setClientCertificate(Certificate certificate, PrivateKey privateKey) throws SSLFTPCertificateException Sets the client's certificate and private key given standard JavaCertificateandPrivateKeyobjects. To load a certificate and a private key from a Java keystore, code similar to the following should be used:KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(new FileInputStream(keyStoreFileName), keyStorePassword.toCharArray()); Certificate certificate = keyStore.getCertificate(alias); PrivateKey privateKey = (PrivateKey)keyStore.getKey(alias, privateKeyPassword.toCharArray()); ftp.setClientCertificate(certificate, privateKey);- Parameters:
certificate- The client's certificate.privateKey- The client's private key.- Throws:
SSLFTPCertificateException- Thrown if there was a problem accessing the key or the private key.
-
setClientCertificate
public void setClientCertificate(Certificate[] certificateChain, PrivateKey privateKey) throws SSLFTPCertificateException Sets the client's certificate chain and private key given standard JavaCertificateandPrivateKeyobjects.- Parameters:
certificateChain- The client's certificate.chainprivateKey- The client's private key.- Throws:
SSLFTPCertificateException- Thrown if there was a problem accessing the key or the private key.
-
loadRootCertificates
public void loadRootCertificates(InputStream inputStream) throws FileNotFoundException, IOException, FTPException Loads a set of acceptable root certificates from an input-stream. These are used to verify the server's certificate. The certificates in the file must be of the OpenSSL PEM format and be bracketed as follows:-----BEGIN CERTIFICATE----- ... first certificate ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... second certificate ... -----END CERTIFICATE----- etc
The ca-root package of FreeBSD has a file, ca-roots.crt, which contains a list of root certificates. It may be downloaded from the FreeBSD website (search for "ca-root") It is important to be aware that the root certificates file is a potential point of attack since an errant entry in this file may allow attackers obtain access to secured resources.
- Parameters:
inputStream- InputStream to read from.- Throws:
FileNotFoundException- Thrown if the file could not be found.IOException- Thrown if there was an error reading the certificates.FTPException
-
loadRootCertificates
Loads a set of acceptable root certificates from a file. These are used to verify the server's certificate. The certificates in the file must be of the OpenSSL PEM format and be bracketed as follows:-----BEGIN CERTIFICATE----- ... first certificate ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... second certificate ... -----END CERTIFICATE----- etc
The ca-root package of FreeBSD has a file, ca-roots.crt, which contains a list of root certificates. It may be downloaded from the FreeBSD website (search for "ca-root") It is important to be aware that the root certificates file is a potential point of attack since an errant entry in this file may allow attackers obtain access to secured resources.
- Parameters:
path- Path of the file.- Throws:
FileNotFoundException- Thrown if the file could not be found.IOException- Thrown if there was an error reading the certificates.FTPException
-
getRootCertificateStore
Returns a reference to theSSLFTPCertificateStorewhich contains the root certificates that will be used to validate the server certificate.- Returns:
- The root certificate-store.
-
setRootCertificateStore
Sets theSSLFTPCertificateStorewhich contains the root certificates that will be used to validate the server certificate.- Parameters:
store- The root certificate-store to use
-
auth
Switches the control-channel (the connection which carries commands) to secure mode. If this command succeeds, then all subsequent commands and their corresponding replies will be secure. Unless theConfigFlags.START_WITH_CLEAR_DATA_CHANNELSflag was passed in during construction, the client will switch to private (i.e. secure) data channels immediately after a connection is made. It does this by invokingpbsz(0)andprot('P').This library supports three arguments to this methods,
SSLFTPClient.AUTH_TLS,SSLFTPClient.AUTH_TLS_C, andSSLFTPClient.SSL, though the last two should only be used if required when communicating with an older server.- Parameters:
securityMechanism- Security mechanism to use (see above)- Throws:
IOException- Thrown if a communication error occurred.FTPException- Thrown if an FTP-protocol related error occurred.SSLFTPCertificateException- thrown if there's a certificate validation error. UseSSLFTPCertificateException.getCertificates()to obtain the server's certificate(s).
-
ccc
Clears the control channel, setting it back to plain text. After this command is issued, the server will continue the control connection in plaintext, expecting the next command from the client to be in plaintext. This command is often used in conjunction with firewalls, which need to be able to inspect the control channel to open data channel ports in the firewall. This can only be done if the control channel is not encrypted.The server will not accept any more PBSZ or PROT commands. All subsequent data transfers must be protected with the current PROT settings.
- Throws:
FTPExceptionIOException
-
auth
Required for certain implementations of implicit SSL. Some servers supporting implicit SSL do not require this method to be called, others do.- Parameters:
command- Seurity level to be used (must be eitherSSLFTPClient.PROT_PRIVATEorSSLFTPClient.PROT_CLEAR.- Throws:
IOException- Thrown if a communication error occurred.FTPException- Thrown if an FTP-protocol related error occurred.
-
prot
Defines the security-level of subsequent data-transfers. There are two security levels,'C'(Clear) and'P'(Private). The former dictates that data-transfers should be insecure and the latter that they should be secure. There are two public member-variables,SSLFTPClient.PROT_PRIVATEandSSLFTPClient.PROT_CLEARdefined for use with this method.- Parameters:
command- Seurity level to be used (must be eitherSSLFTPClient.PROT_PRIVATEorSSLFTPClient.PROT_CLEAR.- Throws:
IOException- Thrown if a communication error occurred.FTPException- Thrown if an FTP-protocol related error occurred.
-
pbsz
Defines the buffer-size to be used on data-connections. In conformity with the standard, this method must be0(zero). Note that this method is required only to conform with the standard.- Parameters:
bufferSize- Buffer-size to use (must be zero).- Throws:
IOException- Thrown if a communication error occurred.FTPException- Thrown if an FTP-protocol related error occurred.
-
getServerCertificate
public static SSLFTPCertificate getServerCertificate(String hostName) throws FTPException, IOException Connects to the given explicit FTPS server and retrieves its certificate. This method simply connects to the given host and tries to establish a secure connection. This always fails since the server certificate can't be validated, but in the process the server presents its certificate. This certificate is returned. It should be verified by some means (e.g. a dialog pop-up) to ensure that it is the correct certificate. It should not be added as a root certificate without independent verification since this defeats the purpose of server validation and means that the client essentially could be connected to any (potentially attacking) server.- Parameters:
hostName- Host-name of server.- Returns:
- The server's certificate.
- Throws:
FTPException- Thrown if an FTP-related error occurred.IOException- Thrown if a TCP/IP-related error occurred.
-
getServerCertificate
public static SSLFTPCertificate getServerCertificate(String hostName, int remotePort) throws FTPException, IOException Connects to the given explicit FTPS server and retrieves its certificate. This method simply connects to the given host and tries to establish a secure connection. This always fails since the server certificate can't be validated, but in the process the server presents its certificate. This certificate is returned. It should be verified by some means (e.g. a dialog pop-up) to ensure that it is the correct certificate. It should not be added as a root certificate without independent verification since this defeats the purpose of server validation and means that the client essentially could be connected to any (potentially attacking) server.- Parameters:
hostName- Host-name of server.remotePort- Port to connect to.- Returns:
- The server's certificate.
- Throws:
FTPException- Thrown if an FTP-related error occurred.IOException- Thrown if a TCP/IP-related error occurred.
-
getServerCertificate
public static SSLFTPCertificate getServerCertificate(String hostName, int remotePort, boolean isImplicit) throws FTPException, IOException Connects to the given implicit or explicit FTPS server and retrieves its certificate. This method simply connects to the given host and tries to establish a secure connection. This always fails since the server certificate can't be validated, but in the process the server presents its certificate. This certificate is returned. It should be verified by some means (e.g. a dialog pop-up) to ensure that it is the correct certificate. It should not be added as a root certificate without independent verification since this defeats the purpose of server validation and means that the client essentially could be connected to any (potentially attacking) server.- Parameters:
hostName- Host-name of server.remotePort- Port to connect to.isImplicit- Should be true for implicit FTPS and false for explicit FTPS.- Returns:
- The server's certificate.
- Throws:
FTPException- Thrown if an FTP-related error occurred.IOException- Thrown if a TCP/IP-related error occurred.
-
getServerSecurityMechanism
Returns the safest explicit FTPS security mechanism supported by the server. If the server supports explicit FTPS using TLS thenAUTH_TLSis returned. If the server supports explicit FTPS using SLL but not TLS thenAUTH_SSLis returned. If explicit FTPS is not supported then the method returnsnull.- Parameters:
remoteHost- Host from which to retrieve a security mechanism.- Returns:
AUTH_TLS,AUTH_SSLornull(see above).- Throws:
FTPException- Thrown if an FTP-related error occurred.IOException- Thrown if a TCP/IP-related error occurred.
-
getServerSecurityMechanism
public static String getServerSecurityMechanism(String remoteHost, int remotePort) throws FTPException, IOException Returns the safest explicit FTPS security mechanism supported by the server. If the server supports explicit FTPS using TLS thenAUTH_TLSis returned. If the server supports explicit FTPS using SLL but not TLS thenAUTH_SSLis returned. If explicit FTPS is not supported then the method returnsnull.- Parameters:
remoteHost- Host from which to retrieve a security mechanism.remotePort- Port on which to connect to the server.- Returns:
AUTH_TLS,AUTH_SSLornull(see above).- Throws:
FTPException- Thrown if an FTP-related error occurred.IOException- Thrown if a TCP/IP-related error occurred.
-
isImplicitFTPS
public boolean isImplicitFTPS()Is implicit FTPS being used?- Returns:
- true if implicit, false if not implicit
-
setImplicitFTPS
public void setImplicitFTPS(boolean implicitFTPS) Set implicit FTPS on or off. By default explicit FTPS is used. Implicit FTPS is an older form of FTPS which connects on a different port (usually 990) from standard FTP. It is not recommended for deployment in new systems and is included in this library mainly for compatibility with legacy systems.Implicit FTPS is not recommended because it is not compatible with FTP standards and not supported by as many systems. It is however, no less secure than explicit FTPS.
- Parameters:
implicitFTPS- true if switching on, false if switching off
-
toString
String representation
-