public class SSLFTPClient extends ProFTPClient implements ProFTPClientInterface
SSLFTPClient supports standard FTP and the two types of FTPS, explicit and implicit.
Explicit FTPS is specified by the Internet Draft, "Securing FTP with TLS", Ford-Hutchinson, et al. As directed by the draft, the FTP client connects in plain (non-SSL) mode and operates in this mode until the "AUTH" command is issued by means of the auth(String) method. This causes the client and server to negotiate an SSL connection. Once the negotiation is complete, commands sent from the client to the server, and their corresponding replies, are secure. Below is an example of a simple explicit FTPS session:
```java
// create an explicit FTPS client
SSLFTPClient ftp = new SSLFTPClient("123.123.123.123", 0);
// Turn off server validation (ONLY do this when testing)
ftp.setValidateServer(false);
// connect to the server
ftp.connect();
// switch to secure command channel
ftp.auth(SSLFTPClient.AUTH_SSL);
// log in
ftp.login("test", "test");
// get a file
ftp.get("file.txt", "file.txt");
// close the connection
ftp.quit();
```
This example uses no client authentication and does not attempt to verify server certificates (which should be done only when testing).
Implicit FTPS is an older form of FTPS which uses a pure SSL connection, i.e. SSL sessions are established immediately upon socket connection for all FTP channels. The following is an example of a simple implicit FTPS session:
```java
// create an implicit FTPS client
SSLFTPClient ftp = new SSLFTPClient("123.123.123.123", SSLFTPClient.ConfigFlags.IMPLICIT_FTPS);
// Turn off server validation (ONLY do this when testing)
ftp.setValidateServer(false);
// connect to the server
ftp.connect();
// log in
ftp.login("test", "test");
// get a file
ftp.get("file.txt", "file.txt");
// close the connection
ftp.quit();
```
Like the previous example, this example uses no client authentication and does not attempt to verify server certificates (which should be done only when testing).
SSL Certificates:
Both the examples above used no server validation. This is normally acceptable only when testing. To be secure, applications should always validate the server that they are communicating with. If setValidateServer() is not called then SSLFTPClient will attempt to validate the server's certificate. In explicit FTPS this occurs when the auth(String) method is invoked, whereas in implicit FTPS it occurs upon connection.
The server's certificate is matched against the root certificates in the root certificate-store (accessible via getRootCertificateStore()). Some server certificates are issued by Certificate Authorities (CAs). In such cases, it is sufficient for the CA's certificate to be in the root certificate file. If a non-CA certificate is used then the server certificate itself must be in the root certificate file.
If client authentication is required then a user's private key and certificate must be set using the loadClientCertificate(String,String), loadClientCertificate(InputStream,String) or setClientCertificate(Certificate,PrivateKey) methods.
Configuration flags:
There are variations in the interpretation of the FTPS standard as implemented in various servers. For this reason, non-standard compatibility options may be activated by passing ConfigFlags to the SSLFTPClient constructor. For example, to communicate with a GlobalSCAPE (tm) server, the following code would be used:
```java
SSLFTPClient ftp = new SSLFTPClient("123.123.123.123",
    SSLFTPClient.ConfigFlags.DISABLE_SSL_CLOSURE | SSLFTPClient.ConfigFlags.DISABLE_WAIT_ON_CLOSURE);
```
Cipher-Suites:
A cipher-suite is a set of algorithms that is used for various aspects of SSL security. For a client and a server to be able to communicate, they must be able to agree on a particular cipher-suite. Different types of servers recognize different cipher-suites, so it is usually up to the client to make sure that it shares at least one cipher-suite with the server that it is trying to communicate securely with. By itself, this fact would imply that the client should simply enable all possible suites in order to increase the chances of overlap. However, this is not necessarily wise, since some cipher-suites (especially those which adhered to the now-defunct US export restrictions) are relatively easy to break, whereas some others are trusted as currently being virtually unbreakable.
This library supports many cipher-suites (see SSLFTPCipherSuite), so it should be possible to find a suitable cipher-suite in most cases. Cipher-suites are configured on the client using the disableAllCipherSuites(), enableCipherSuite(SSLFTPCipherSuite), and getEnabledCipherSuites() methods.
(Note: GlobalSCAPE is a registered trademark of GlobalSCAPE)
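The two sessions above disable validation for testing. The following is an added example, not code from this library's documentation or source, showing the configuration a production client would use instead: the non-deprecated no-argument constructor with setters, server validation left on with the trust anchors loaded explicitly, SSL3 refused, a client certificate presented, PROT P data channels and the presented chain inspected before credentials are sent. The package names in the imports, the host, the file paths, the timeout unit and the `get(localPath, remoteFile)` argument order are assumptions; only the method names appear on this page.

```java
import java.io.IOException;
import java.util.Vector;

// Assumed package names; the page does not show them.
import com.enterprisedt.net.ftp.FTPException;
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificate;
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificateException;
import com.enterprisedt.net.ftp.ssl.SSLFTPClient;

/**
 * Hardened explicit FTPS download (added example, not library code):
 * validation on, trust anchors from a known file, SSL3 refused, client
 * certificate presented, PROT P data channel, chain inspected before login.
 */
public class HardenedExplicitFtps {

    public static void download(String host, int port,
                                String user, String password,
                                String rootCertsPath,   // PEM bundle of trusted root certificates
                                String clientPemPath,   // client private key + certificate (PEM)
                                String pemPassphrase,
                                String remoteFile, String localFile)
            throws IOException, FTPException {

        // The only non-deprecated constructor; properties are set through setters.
        SSLFTPClient ftp = new SSLFTPClient();
        ftp.setRemoteHost(host);
        ftp.setControlPort(port);
        ftp.setTimeout(30000);          // assumption: milliseconds
        ftp.setImplicitFTPS(false);     // explicit FTPS: plain connect, then AUTH

        // Validation is the default; stating it makes any later
        // setValidateServer(false) stand out in review.
        ftp.setValidateServer(true);
        ftp.loadRootCertificates(rootCertsPath);

        // Refuse the legacy protocol version this class lets you turn off.
        ftp.disableSSL3(true);

        // Client authentication from a PEM file (key first, then certificate chain).
        ftp.loadClientCertificate(clientPemPath, pemPassphrase);

        ftp.connect();                  // plain TCP; nothing sensitive has been sent yet
        try {
            try {
                // AUTH_TLS is preferred; AUTH_TLS_C / AUTH_SSL only for older servers.
                // For explicit FTPS, server certificate validation happens here.
                ftp.auth(SSLFTPClient.AUTH_TLS);
            } catch (SSLFTPCertificateException e) {
                // Never fall back to an unvalidated session; surface the failure.
                // e.getCertificates() holds what the server presented, for the operator.
                throw new IOException("server certificate validation failed for "
                        + host + ": " + e.getMessage(), e);
            }

            // auth() already issues PBSZ 0 / PROT P unless START_WITH_CLEAR_DATA_CHANNELS
            // was set; repeating PROT P states the intent and is harmless here.
            ftp.prot(SSLFTPClient.PROT_PRIVATE);

            // Last element is the server certificate; any preceding ones are issuers.
            Vector chain = ftp.getCertificateChain();
            if (chain == null || chain.isEmpty()) {
                throw new IOException("no certificate chain presented by " + host);
            }
            SSLFTPCertificate serverCert = (SSLFTPCertificate) chain.lastElement();
            System.out.println("Server certificate: " + serverCert);

            if (!ftp.isControlSecure()) {
                throw new IOException("control channel is not secure; refusing to log in");
            }
            ftp.login(user, password);      // credentials only over the secured channel
            ftp.get(localFile, remoteFile); // assumed order: local path, then remote file
        } finally {
            if (ftp.connected()) {
                ftp.quit();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with a real host, credentials and file paths.
        download("ftps.example.invalid", 21, "user", "secret",
                 "/etc/ssl/certs/ca-roots.crt", "/path/to/client.pem", "pem-passphrase",
                 "report.csv", "report.csv");
    }
}
```

The order matters: the trust store, SSL3 setting and client certificate are all configured before `connect()`, `auth()` is the point at which the chain is checked, and `login()` is only reached once `isControlSecure()` confirms the control channel is encrypted.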
Modifier and Type | Class and Description |
---|---|
static class | SSLFTPClient.ConfigFlags: ConfigFlags contains various static integers which are used to configure clients. |
static class | SSLFTPClient.SSLVersion |
Modifier and Type | Field and Description |
---|---|
static java.lang.String | AUTH_SSL: Deprecated - use AUTH_TLS. |
static java.lang.String | AUTH_TLS: May be passed to the auth(String) method to request a TLS connection. |
static java.lang.String | AUTH_TLS_C: Synonym for AUTH_TLS that may be used by some older servers. |
static char | PROT_CLEAR: May be passed to the prot(char) method to specify that data-transfers should be done WITHOUT security. |
static char | PROT_PRIVATE: May be passed to the prot(char) method to specify that data-transfers should be done WITH security. |
cvsId, proxySettings
CARRIAGE_RETURN, control, controlEncoding, controlPort, data, dataChannelCallback, dataReceiveBufferSize, dataSendBufferSize, DEFAULT_BUFFER_SIZE, DEFAULT_ENCODING, DEFAULT_LISTING_LOCALES, DEFAULT_MONITOR_INTERVAL, DEFAULT_RETRY_COUNT, DEFAULT_RETRY_DELAY, DEFAULT_TCP_BUFFER_SIZE, DEFAULT_TIMEOUT, dirEmptyStrings, fileLockingEnabled, fileNotFoundStrings, FTP_LINE_SEPARATOR, id, lastReply, lastValidReply, LINE_FEED, LINE_SEPARATOR, messageListener, monitor, monitorEx, monitorInterval, password, remoteAddr, remoteHost, serverWakeupInterval, throttler, timeout, transferBufferSize, transferCompleteStrings, transferType, useNOOP, user
cvsId
Constructor and Description |
---|
SSLFTPClient(): Constructs an FTPS client for the given remote host. |
SSLFTPClient(java.net.InetAddress remoteAddr, int configFlags): Deprecated. Use setter methods to set properties. |
SSLFTPClient(java.net.InetAddress remoteAddr, int controlPort, int configFlags): Deprecated. Use setter methods to set properties. |
SSLFTPClient(java.net.InetAddress remoteAddr, int controlPort, int timeout, int configFlags): Deprecated. Use setter methods to set properties. |
SSLFTPClient(java.lang.String remoteHost, int configFlags): Deprecated. Use setter methods to set properties. |
SSLFTPClient(java.lang.String remoteHost, int controlPort, int configFlags): Deprecated. Use setter methods to set properties. |
SSLFTPClient(java.lang.String remoteHost, int controlPort, int timeout, int configFlags): Deprecated. Use setter methods to set properties. |
Modifier and Type | Method and Description |
---|---|
void | auth(char command): Required for certain implementations of implicit SSL. |
void | auth(java.lang.String securityMechanism): Switches the control-channel (the connection which carries commands) to secure mode. |
void | ccc(): Clears the control channel, setting it back to plain text. |
void | connect(): Connects to the server at the address and port number defined in the constructor. |
void | disableAllCipherSuites(): Disables all cipher-suites. |
void | disableSSL3(boolean disable): Set whether to disable SSL3. |
void | enableCipherSuite(SSLFTPCipherSuite cipherSuite): Enables the given cipher-suite. |
void | enableCipherSuites(SSLFTPCipherSuite[] cipherSuites): Enables the given cipher-suites. |
java.util.Vector | getCertificateChain(): Returns a vector containing the certificates (SSLFTPCertificate) presented by the server, with the Certificate Authority's certificate first and the server's certificate last. |
int | getConfigFlags(): Get the set configuration flags. |
SSLFTPCipherSuite[] | getEnabledCipherSuites(): Returns an array of all currently enabled cipher-suites. |
int | getMaxSSLVersion(): Get the maximum SSL version that is permitted. |
int | getMinSSLVersion(): Get the minimum SSL version that is permitted. |
SSLFTPCertificateStore | getRootCertificateStore(): Returns a reference to the SSLFTPCertificateStore which contains the root certificates that will be used to validate the server certificate. |
static SSLFTPCertificate | getServerCertificate(java.lang.String hostName): Connects to the given explicit FTPS server and retrieves its certificate. |
static SSLFTPCertificate | getServerCertificate(java.lang.String hostName, int remotePort): Connects to the given explicit FTPS server and retrieves its certificate. |
static SSLFTPCertificate | getServerCertificate(java.lang.String hostName, int remotePort, boolean isImplicit): Connects to the given implicit or explicit FTPS server and retrieves its certificate. |
static java.lang.String | getServerSecurityMechanism(java.lang.String remoteHost): Returns the safest explicit FTPS security mechanism supported by the server. |
static java.lang.String | getServerSecurityMechanism(java.lang.String remoteHost, int remotePort): Returns the safest explicit FTPS security mechanism supported by the server. |
boolean | getValidateServer(): Returns a flag indicating whether or not this client will attempt to validate server certificates. |
boolean | isControlSecure(): Are we in secure mode on the control socket? |
boolean | isImplicitFTPS(): Is implicit FTPS being used? |
boolean | isSSL3Disabled(): Returns whether SSL3 is disabled. |
void | loadClientCertificate(java.io.InputStream inputStream, java.lang.String password): Loads the client's private key and certificate in PEM format from the given input-stream. |
void | loadClientCertificate(java.lang.String path, java.lang.String password): Loads the client's private key and certificate in PEM format from the given file. |
void | loadClientKeyFile(java.io.InputStream inputStream, java.lang.String password): Deprecated. Use setClientCertificate(inputStream, password). |
void | loadClientKeyFile(java.lang.String path, java.lang.String password): Deprecated. Use loadClientCertificate(path, password). |
void | loadRootCertificates(java.io.InputStream inputStream) |
void | loadRootCertificates(java.lang.String path) |
void | pbsz(int bufferSize): Defines the buffer-size to be used on data-connections. |
void | prot(char command): Defines the security-level of subsequent data-transfers. |
protected int | readChar(java.io.LineNumberReader in): Attempts to read a single character from the given InputStream. |
int | readChunk(java.io.BufferedInputStream in, byte[] chunk, int chunksize): Attempts to read a specified number of bytes from the given InputStream and place it in the given byte-array. |
protected java.lang.String | readLine(java.io.LineNumberReader in): Attempts to read a single line from the given InputStream. |
protected void | reconnect(java.lang.String cwd): Reconnect to the server. |
void | setClientCertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey): Sets the client's certificate chain and private key given standard Java Certificate and PrivateKey objects. |
void | setClientCertificate(java.security.cert.Certificate certificate, java.security.PrivateKey privateKey): Sets the client's certificate and private key given standard Java Certificate and PrivateKey objects. |
void | setConfigFlags(int configFlags): Set the configuration flags which control various compatibility features. |
void | setCustomValidator(SSLFTPValidator newValidator): Sets the validator. |
void | setImplicitFTPS(boolean implicitFTPS): Set implicit FTPS on or off. |
void | setMaxSSLVersion(int maxVersion): Set the maximum SSL version that is permitted. |
void | setMinSSLVersion(int minVersion): Set the minimum SSL version that is permitted. |
void | setRootCertificateStore(SSLFTPCertificateStore store): Sets the SSLFTPCertificateStore which contains the root certificates that will be used to validate the server certificate. |
void | setValidateServer(boolean validate): Determines whether or not this client will attempt to validate server certificates. |
java.lang.String | toString(): String representation. |
enableModeZCompression, getCountBeforeSleep, getInputStream, getLocalCRC, getLocalCRC, getMaxTransferRate, getOutputStream, getProxySettings, getRemoteCRC, getSleepTime, integrityCheckTransferCRC, integrityCheckTransferCRC, integrityCheckTransferSize, isModeZCompressionEnabled, isSleepEnabled, isTransferIntegrityCheck, mdelete, mdelete, mdelete, mdelete, mget, mget, mget, mget, mput, mput, mput, mput, postTransferChecks, postTransferChecks, rmdir, setCountBeforeSleep, setMaxTransferRate, setSleepEnabled, setSleepTime, setTransferIntegrityCheck
abort, account, cancelResume, cancelTransfer, cdup, chdir, checkConnection, chooseTransferMode, clearSOCKS, closeDataSocket, closeDataSocket, configureDataSocket, connected, createDataSocket, debugResponses, delete, dir, dir, dir, dirDetails, dirDetails, dirDetailsM, executeCommand, exists, existsDirectory, existsFile, features, fileDetails, forceResumeOff, get, get, get, getActiveHighPort, getActiveIPAddress, getActiveLowPort, getBuildTimestamp, getConnectMode, getControlEncoding, getControlPort, getDataReceiveBufferSize, getDataSendBufferSize, getDeleteCount, getDetectTransferMode, getDirectoryEmptyMessages, getDownloadCount, getFileLockingEnabled, getFileNotFoundMessages, getId, getLastReply, getLastValidReply, getListenOnAllInterfaces, getMessageListener, getMonitorInterval, getNetworkBufferSize, getProgressMonitor, getProgressMonitorEx, getRemoteAddr, getRemoteHost, getRemotePort, getRetryCount, getRetryDelay, getServerWakeupInterval, getTimeout, getTransferBufferSize, getTransferCompleteMessages, getType, getUploadCount, getVersion, help, initGet, initialize, initPut, initSOCKS, initSOCKSAuthentication, isAutoPassiveIPSubstitution, isDeleteOnFailure, isStrictReturnCodes, isTransferCancelled, keepAlive, list, list, login, login, mkdir, modtime, noOp, noOperation, password, put, put, put, put, put, put, pwd, quit, quitImmediately, quote, quote, readChunk, rename, resetDeleteCount, resetDownloadCount, resetTransferMode, resetUploadCount, restart, resume, resumeNextDownload, rmdir, sendCommand, sendServerWakeup, setActiveIPAddress, setActivePortRange, setAutoPassiveIPSubstitution, setConnectMode, setControlEncoding, setControlPort, setDataChannelCallback, setDataReceiveBufferSize, setDataSendBufferSize, setDeleteOnFailure, setDetectTransferMode, setDirectoryEmptyMessages, setFileLockingEnabled, setFileNotFoundMessages, setForceUniqueNames, setFTPFileFactory, setId, setListenOnAllInterfaces, setMessageListener, setModTime, setMonitorInterval, setNetworkBufferSize, 
setParserLocale, setParserLocales, setPORTIP, setProgressMonitor, setProgressMonitor, setProgressMonitorEx, setRemoteAddr, setRemoteHost, setRemotePort, setRetryCount, setRetryDelay, setServerWakeupInterval, setStrictReturnCodes, setTimeout, setTransferBufferSize, setTransferCompleteMessages, setType, site, size, stat, system, user, validateReply, validateReply, validateTransfer, validateTransferOnError
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
getCountBeforeSleep, getMaxTransferRate, getProgressMonitorEx, getProxySettings, getSleepTime, isSleepEnabled, mdelete, mdelete, mdelete, mdelete, mget, mget, mget, mget, mput, mput, mput, mput, rmdir, setCountBeforeSleep, setMaxTransferRate, setMonitorInterval, setProgressMonitorEx, setSleepEnabled, setSleepTime
cancelResume, cancelTransfer, cdup, chdir, connected, delete, dir, dir, dir, dirDetails, dirDetails, executeCommand, exists, get, get, get, getDeleteCount, getDetectTransferMode, getDownloadCount, getFileLockingEnabled, getId, getMonitorInterval, getNetworkBufferSize, getRemoteHost, getRemotePort, getTimeout, getType, getUploadCount, keepAlive, mkdir, modtime, put, put, put, put, put, put, pwd, quit, quitImmediately, rename, resetDeleteCount, resetDownloadCount, resetUploadCount, resume, resumeNextDownload, rmdir, setControlEncoding, setDetectTransferMode, setFileLockingEnabled, setId, setModTime, setNetworkBufferSize, setProgressMonitor, setProgressMonitor, setRemoteHost, setRemotePort, setTimeout, setType, size, system
public static final java.lang.String AUTH_TLS
May be passed to the auth(String) method to request a TLS connection.

public static final java.lang.String AUTH_TLS_C
Synonym for AUTH_TLS that may be used by some older servers.

public static final java.lang.String AUTH_SSL
Deprecated - use AUTH_TLS. May be passed to the auth(String) method to request an SSL connection.

public static final char PROT_CLEAR
May be passed to the prot(char) method to specify that data-transfers should be done WITHOUT security.

public static final char PROT_PRIVATE
May be passed to the prot(char) method to specify that data-transfers should be done WITH security.

public SSLFTPClient() throws FTPException
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
All other constructors are deprecated. This constructor should be used, and then setter methods (most inherited from FTPClient) used to set the control port, remote host, etc.
Throws:
FTPException
public SSLFTPClient(java.lang.String remoteHost, int configFlags) throws java.net.UnknownHostException
Deprecated. Use setter methods to set properties.
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
Parameters:
remoteHost - Remote FTP server to connect to.
configFlags - Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (see SSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.
Throws:
java.net.UnknownHostException - Thrown if the remoteHost argument does not resolve to a known host.

public SSLFTPClient(java.lang.String remoteHost, int controlPort, int configFlags) throws java.net.UnknownHostException
Deprecated. Use setter methods to set properties.
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
Parameters:
remoteHost - Remote FTP server to connect to.
controlPort - Port on remote FTP server to connect to.
configFlags - Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (see SSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.
Throws:
java.net.UnknownHostException - Thrown if the remoteHost argument does not resolve to a known host.

public SSLFTPClient(java.lang.String remoteHost, int controlPort, int timeout, int configFlags) throws java.net.UnknownHostException
Deprecated. Use setter methods to set properties.
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
Parameters:
remoteHost - Remote FTP server to connect to.
controlPort - Port on remote FTP server to connect to.
timeout - Time-out of connections (0 means no time-out).
configFlags - Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (see SSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.
Throws:
java.net.UnknownHostException - Thrown if the remoteHost argument does not resolve to a known host.

public SSLFTPClient(java.net.InetAddress remoteAddr, int configFlags)
Deprecated. Use setter methods to set properties.
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
Parameters:
remoteAddr - Address of remote FTP server to connect to.
configFlags - Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (see SSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.

public SSLFTPClient(java.net.InetAddress remoteAddr, int controlPort, int configFlags)
Deprecated. Use setter methods to set properties.
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
Parameters:
remoteAddr - Address of remote FTP server to connect to.
controlPort - Port on remote FTP server to connect to.
configFlags - Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (see SSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.

public SSLFTPClient(java.net.InetAddress remoteAddr, int controlPort, int timeout, int configFlags)
Deprecated. Use setter methods to set properties.
IMPORTANT NOTE: This constructor does NOT connect to the server. The connect() method must be called to do this.
Parameters:
remoteAddr - Address of remote FTP server to connect to.
controlPort - Port on remote FTP server to connect to.
timeout - Time-out of connections (0 means no time-out).
configFlags - Combination of flags used to configure the client for implicit FTPS or compatibility with servers that don't fully comply with standards (see SSLFTPClient.ConfigFlags). For servers that comply with standards this value may be set to 0.

public void setConfigFlags(int configFlags) throws FTPException
Set the configuration flags which control various compatibility features. The flags are defined in SSLFTPClient.ConfigFlags. They are integers, so they should be OR'd together if more than one is required. For example:
```java
ftpClient.setConfigFlags(SSLFTPClient.ConfigFlags.DISABLE_SESSION_RESUMPTION | SSLFTPClient.ConfigFlags.DISABLE_SSL_CLOSURE);
```
Note that implicit FTPS should no longer be set via ConfigFlags.IMPLICIT_FTPS, which is now deprecated. Instead, use setImplicitFTPS(boolean). If ConfigFlags.IMPLICIT_FTPS is supplied, implicit FTPS will be enabled for backward compatibility. However, if it is not supplied, the implicit FTPS mode will be unaltered, i.e. if implicit FTPS is currently enabled, it will not be disabled by not supplying ConfigFlags.IMPLICIT_FTPS.
Parameters:
configFlags - Configuration flags to set (see SSLFTPClient.ConfigFlags).
Throws:
FTPException - Thrown if the client is already connected to the server.

public int getConfigFlags()
Get the set configuration flags.
public boolean isControlSecure()
Are we in secure mode on the control socket?

public void connect() throws java.io.IOException, FTPException, SSLFTPCertificateException
Connects to the server at the address and port number defined in the constructor. If the client is configured for implicit FTPS (i.e. SSLFTPClient.ConfigFlags.IMPLICIT_FTPS) then the client and server will negotiate a secure connection upon connection.
Specified by:
connect in interface FTPClientInterface
Overrides:
connect in class ProFTPClient
Throws:
java.io.IOException - Thrown if there is a TCP/IP-related error.
FTPException - Thrown if there is an error related to the FTP protocol.
SSLFTPCertificateException - If connecting in implicit FTPS mode (i.e. see SSLFTPClient.ConfigFlags.IMPLICIT_FTPS) then SSLFTPCertificateException may be thrown if there's a certificate validation error. In this case, SSLFTPCertificateException.getCertificates() returns the server's certificate(s).

protected void reconnect(java.lang.String cwd) throws java.io.IOException, FTPException
Reconnect to the server.
Overrides:
reconnect in class FTPClient
Parameters:
cwd - current working dir
Throws:
java.io.IOException
FTPException

protected int readChar(java.io.LineNumberReader in) throws java.io.IOException
Attempts to read a single character from the given InputStream. The purpose of this method is to permit subclasses to execute any additional code necessary when performing this operation.
Overrides:
readChar in class FTPClient

protected java.lang.String readLine(java.io.LineNumberReader in) throws java.io.IOException
Attempts to read a single line from the given InputStream. The purpose of this method is to permit subclasses to execute any additional code necessary when performing this operation.
Overrides:
readLine in class FTPClient

public int readChunk(java.io.BufferedInputStream in, byte[] chunk, int chunksize) throws java.io.IOException
Attempts to read a specified number of bytes from the given InputStream and place it in the given byte-array. The purpose of this method is to permit subclasses to execute any additional code necessary when performing this operation.
Overrides:
readChunk in class FTPClient

public java.util.Vector getCertificateChain()
Returns a vector containing the certificates (SSLFTPCertificate) presented by the server, with the Certificate Authority's certificate first and the server's certificate last.
It allows you to inspect the certificates that the server presented to the client during the establishment of a secure connection. There should be one or more certificates in this chain. The last one in the chain is the server's certificate. Any preceding certificates are certificates of issuers. For example, if there are three: A, B, and C, then C is the server certificate. C was issued by B, and B was issued by A. At least one of these three certificates must be in the root certificate store for the server to be validated.
Returns:
Vector of SSLFTPCertificate objects.

public boolean getValidateServer()
Returns a flag indicating whether or not this client will attempt to validate server certificates against the root certificate store (see getRootCertificateStore()).
Setting this to false makes it trivial for an attacker to impersonate a server, so it should be done only for testing purposes.

public void setValidateServer(boolean validate) throws FTPException
Determines whether or not this client will attempt to validate server certificates. The root certificates used for validation are loaded with the loadRootCertificates(String) method.
Setting this to false makes it trivial for an attacker to impersonate a server, so it should be done only for testing purposes.
Parameters:
validate - True if servers are to be validated.
Throws:
FTPException

public void setCustomValidator(SSLFTPValidator newValidator) throws FTPException
Sets the validator. If no custom validator is set, SSLFTPStandardValidator will be used.
Custom validators may be used to provide user interaction, such as allowing the user to view a server's certificate before accepting the connection. See SSLFTPValidator and SSLFTPStandardValidator.
Note that this method must be called before auth is called, otherwise the standard validator will be used.
Parameters:
newValidator - Custom validator to use.
Throws:
FTPException
public SSLFTPCipherSuite[] getEnabledCipherSuites()
Returns an array of all currently enabled cipher-suites.

public void disableAllCipherSuites() throws FTPException
Disables all cipher-suites.
Throws:
FTPException

public void enableCipherSuite(SSLFTPCipherSuite cipherSuite) throws FTPException
Enables the given cipher-suite.
Parameters:
cipherSuite - Cipher-suite to enable.
Throws:
SSLFTPException - Thrown if the given cipher-suite is not valid.
FTPException

public void enableCipherSuites(SSLFTPCipherSuite[] cipherSuites) throws FTPException
Enables the given cipher-suites.
Parameters:
cipherSuites - Cipher-suites to enable.
Throws:
SSLFTPException - Thrown if a cipher-suite is not valid.
FTPException

public void disableSSL3(boolean disable)
Set whether to disable SSL3.
Parameters:
disable - true to disable SSL3

public boolean isSSL3Disabled()
Returns whether SSL3 is disabled.

public void setMaxSSLVersion(int maxVersion) throws SSLFTPException
Set the maximum SSL version that is permitted.
Parameters:
maxVersion - one of the SSLVersion values
Throws:
SSLFTPException

public int getMaxSSLVersion()
Get the maximum SSL version that is permitted.

public void setMinSSLVersion(int minVersion) throws SSLFTPException
Set the minimum SSL version that is permitted.
Parameters:
minVersion - one of the SSLVersion values
Throws:
SSLFTPException

public int getMinSSLVersion()
Get the minimum SSL version that is permitted.
public void loadClientKeyFile(java.io.InputStream inputStream, java.lang.String password) throws java.io.FileNotFoundException, java.io.IOException, FTPException
Deprecated. Use setClientCertificate(inputStream, password).
Throws:
java.io.FileNotFoundException
java.io.IOException
FTPException

public void loadClientKeyFile(java.lang.String path, java.lang.String password) throws java.io.FileNotFoundException, java.io.IOException, FTPException
Deprecated. Use loadClientCertificate(path, password).
Throws:
java.io.FileNotFoundException
java.io.IOException
FTPException
public void loadClientCertificate(java.io.InputStream inputStream, java.lang.String password) throws java.io.FileNotFoundException, java.io.IOException, FTPException
Loads the client's private key and certificate in PEM format from the given input-stream. The data must have the following form:
```text
-----BEGIN xxx PRIVATE KEY-----
... client's private key ...
-----END xxx PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... client's certificate ...
-----END CERTIFICATE-----
```
where xxx defines the key type, which must be either RSA or DSA. A chain of certificates (ordered from the client's certificate to the root) may be placed in the file. Each certificate must be bracketed as shown above.
Parameters:
inputStream - InputStream to read from.
password - Pass-phrase for accessing the key.
Throws:
java.io.FileNotFoundException - Thrown if the file could not be found.
java.io.IOException - Thrown if there was an error reading the key.
FTPException

public void loadClientCertificate(java.lang.String path, java.lang.String password) throws java.io.FileNotFoundException, java.io.IOException, FTPException
Loads the client's private key and certificate in PEM format from the given file. The file must have the following form:
```text
-----BEGIN xxx PRIVATE KEY-----
... client's private key ...
-----END xxx PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... client's certificate ...
-----END CERTIFICATE-----
```
where xxx defines the key type, which must be either RSA or DSA. A chain of certificates (ordered from the client's certificate to the root) may be placed in the file. Each certificate must be bracketed as shown above.
Parameters:
path - Path of the file.
password - Pass-phrase for accessing the key.
Throws:
java.io.FileNotFoundException - Thrown if the file could not be found.
java.io.IOException - Thrown if there was an error reading the key.
FTPException
public void setClientCertificate(java.security.cert.Certificate certificate, java.security.PrivateKey privateKey) throws SSLFTPCertificateException
Sets the client's certificate and private key given standard Java Certificate and PrivateKey objects.
To load a certificate and a private key from a Java keystore, code similar to the following should be used:
```java
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(keyStoreFileName), keyStorePassword.toCharArray());
Certificate certificate = keyStore.getCertificate(alias);
PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, privateKeyPassword.toCharArray());
ftp.setClientCertificate(certificate, privateKey);
```
Parameters:
certificate - The client's certificate.
privateKey - The client's private key.
Throws:
SSLFTPCertificateException - Thrown if there was a problem accessing the key or the private key.

public void setClientCertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) throws SSLFTPCertificateException
Sets the client's certificate chain and private key given standard Java Certificate and PrivateKey objects.
Parameters:
certificateChain - The client's certificate chain.
privateKey - The client's private key.
Throws:
SSLFTPCertificateException - Thrown if there was a problem accessing the key or the private key.

public void loadRootCertificates(java.io.InputStream inputStream) throws java.io.FileNotFoundException, java.io.IOException, FTPException
Loads root certificates in PEM format from the given input-stream. The data must have the following form:
```text
-----BEGIN CERTIFICATE-----
... first certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... second certificate ...
-----END CERTIFICATE-----
etc.
```
The ca-root package of FreeBSD has a file, ca-roots.crt, which contains a list of root certificates. It may be downloaded from the FreeBSD website (search for "ca-root"). It is important to be aware that the root certificates file is a potential point of attack, since an errant entry in this file may allow attackers to obtain access to secured resources.
Parameters:
inputStream - InputStream to read from.
Throws:
java.io.FileNotFoundException - Thrown if the file could not be found.
java.io.IOException - Thrown if there was an error reading the certificates.
FTPException

public void loadRootCertificates(java.lang.String path) throws java.io.IOException, FTPException
Loads root certificates in PEM format from the given file. The file must have the following form:
```text
-----BEGIN CERTIFICATE-----
... first certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... second certificate ...
-----END CERTIFICATE-----
etc.
```
The ca-root package of FreeBSD has a file, ca-roots.crt, which contains a list of root certificates. It may be downloaded from the FreeBSD website (search for "ca-root"). It is important to be aware that the root certificates file is a potential point of attack, since an errant entry in this file may allow attackers to obtain access to secured resources.
Parameters:
path - Path of the file.
Throws:
java.io.FileNotFoundException - Thrown if the file could not be found.
java.io.IOException - Thrown if there was an error reading the certificates.
FTPException
public SSLFTPCertificateStore getRootCertificateStore()
Returns a reference to the SSLFTPCertificateStore which contains the root certificates that will be used to validate the server certificate.

public void setRootCertificateStore(SSLFTPCertificateStore store)
Sets the SSLFTPCertificateStore which contains the root certificates that will be used to validate the server certificate.
Parameters:
store - The root certificate-store to use.

public void auth(java.lang.String securityMechanism) throws java.io.IOException, FTPException
Issues the AUTH command with the given security mechanism, after which the client and server negotiate an SSL/TLS connection for the command channel. Unless the ConfigFlags.START_WITH_CLEAR_DATA_CHANNELS flag was passed in during construction, the client will switch to private (i.e. secure) data channels immediately after the secure connection is made. It does this by invoking pbsz(0) and prot('P').
This library supports three arguments to this method, SSLFTPClient.AUTH_TLS, SSLFTPClient.AUTH_TLS_C and SSLFTPClient.AUTH_SSL, though the last two should only be used if required when communicating with an older server; AUTH_TLS is the mechanism to use by default. Call this method before login(), otherwise the user name and password are sent over the unprotected command channel.
Parameters:
    securityMechanism - Security mechanism to use (see above)
Throws:
    java.io.IOException - Thrown if a communication error occurred.
    FTPException - Thrown if an FTP-protocol related error occurred.
    SSLFTPCertificateException - Thrown if there is a certificate validation error. Use SSLFTPCertificateException.getCertificates() to obtain the server's certificate(s). Do not proceed to login() when this is thrown: the peer has not been identified.

public void ccc() throws FTPException, java.io.IOException
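The examples at the top of this page turn server validation off and take the command channel secure only for a fetch; the added example below is what a production explicit FTPS session should look like, with validation on, an audited root store loaded, AUTH TLS negotiated before any credentials are sent, the data channel made private, and a certificate failure treated as a reason to stop rather than to retry. This is example code written for this page, not from edtFTPj/PRO; the package names (com.enterprisedt.net.ftp and com.enterprisedt.net.ftp.ssl), the host "ftp.example.org", the file names and the credentials are assumptions, while every SSLFTPClient method used is one documented on this page or in the examples above. The exact type returned by getCertificates() is not shown on the page, so it is only printed.

```java
// Added example, not from the edtFTPj/PRO documentation or code base.
// Package names, host, credentials and file names below are assumptions.
import java.io.IOException;
import com.enterprisedt.net.ftp.FTPException;
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificateException;
import com.enterprisedt.net.ftp.ssl.SSLFTPClient;

public final class ValidatedExplicitFtps {

    public static void main(String[] args) throws IOException, FTPException {
        String host = args.length > 0 ? args[0] : "ftp.example.org";   // assumed
        String rootsPath = args.length > 1 ? args[1] : "ca-roots.crt";  // assumed, audited beforehand
        String user = args.length > 2 ? args[2] : "test";
        String pass = args.length > 3 ? args[3] : "test";

        // Explicit FTPS: no ConfigFlags, as in the page's first example.
        SSLFTPClient ftp = new SSLFTPClient(host, 0);

        // Validation stays ON. The root store is the trust boundary: an untrusted entry
        // in it is equivalent to setValidateServer(false) for whoever holds its key.
        ftp.setValidateServer(true);
        ftp.loadRootCertificates(rootsPath);

        ftp.connect();
        try {
            // Secure the command channel before anything sensitive is sent.
            // AUTH_SSL / AUTH_TLS_C are for legacy servers only.
            ftp.auth(SSLFTPClient.AUTH_TLS);
        } catch (SSLFTPCertificateException e) {
            // The chain did not validate against the root store: we do not know who answered,
            // so no credentials go out. getCertificates() gives the presented chain for diagnosis.
            System.err.println("Refusing " + host + ": server certificate failed validation");
            System.err.println("Presented chain: " + e.getCertificates());
            return;
        }

        // Make the data channel private as well; with 'C' file contents travel in clear
        // even though the command channel is encrypted. The client already does this
        // unless START_WITH_CLEAR_DATA_CHANNELS was set; being explicit costs nothing.
        ftp.pbsz(0);
        ftp.prot(SSLFTPClient.PROT_PRIVATE);

        ftp.login(user, pass);
        ftp.get("file.txt", "file.txt");
        ftp.quit();
    }
}
```

Note the ordering: connect, auth, pbsz, prot, and only then login. Reordering login before auth sends the password over plain FTP even though the rest of the session is encrypted.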
Issues the CCC (Clear Command Channel) command, which returns the command channel to cleartext. The server will not accept any more PBSZ or PROT commands; all subsequent data transfers must be protected with the current PROT settings. Be aware that after CCC every command and reply, including file names and paths, crosses the network unencrypted and can be read or altered in transit, so set prot('P') before calling this method if transfers must stay private, and use CCC only where a NAT or firewall device genuinely needs to see the command channel.
Throws:
    FTPException
    java.io.IOException
public void auth(char command) throws java.io.IOException, FTPException
Parameters:
    command - Security level to be used (must be either SSLFTPClient.PROT_PRIVATE or SSLFTPClient.PROT_CLEAR).
Throws:
    java.io.IOException - Thrown if a communication error occurred.
    FTPException - Thrown if an FTP-protocol related error occurred.

public void prot(char command) throws java.io.IOException, FTPException
Issues the PROT command, which sets the protection level of the data channels. The two supported levels are 'C' (Clear) and 'P' (Private). The former dictates that data-transfers should be insecure and the latter that they should be secure. There are two public member-variables, SSLFTPClient.PROT_PRIVATE and SSLFTPClient.PROT_CLEAR, defined for use with this method. PBSZ must have been issued (pbsz(0)) before PROT is accepted. With 'C', file contents and directory listings cross the network unencrypted even though the command channel is secure, so 'P' should be the default and 'C' a deliberate choice.
Parameters:
    command - Security level to be used (must be either SSLFTPClient.PROT_PRIVATE or SSLFTPClient.PROT_CLEAR).
Throws:
    java.io.IOException - Thrown if a communication error occurred.
    FTPException - Thrown if an FTP-protocol related error occurred.

public void pbsz(int bufferSize) throws java.io.IOException, FTPException
Issues the PBSZ (protection buffer size) command. The only supported buffer size is 0 (zero), which is the value the standard requires for TLS, since the TLS layer does its own buffering. Note that this method is required only to conform with the standard: PBSZ must precede PROT.
Parameters:
    bufferSize - Buffer-size to use (must be zero).
Throws:
    java.io.IOException - Thrown if a communication error occurred.
    FTPException - Thrown if an FTP-protocol related error occurred.

public static SSLFTPCertificate getServerCertificate(java.lang.String hostName) throws FTPException, java.io.IOException
Retrieves the certificate presented by the server at hostName, using the default port. Nothing validates the certificate obtained this way: it is whatever the host that answered chose to present, so before its issuer is added to the root store its fingerprint must be compared with one obtained through a channel an attacker on the path cannot influence.
Parameters:
    hostName - Host-name of server.
Throws:
    FTPException - Thrown if an FTP-related error occurred.
    java.io.IOException - Thrown if a TCP/IP-related error occurred.

public static SSLFTPCertificate getServerCertificate(java.lang.String hostName, int remotePort) throws FTPException, java.io.IOException
Retrieves the certificate presented by the server at hostName on the given port. The same caveat applies: the certificate is unverified until its fingerprint has been checked out-of-band.
Parameters:
    hostName - Host-name of server.
    remotePort - Port to connect to.
Throws:
    FTPException - Thrown if an FTP-related error occurred.
    java.io.IOException - Thrown if a TCP/IP-related error occurred.

public static SSLFTPCertificate getServerCertificate(java.lang.String hostName, int remotePort, boolean isImplicit) throws FTPException, java.io.IOException
Retrieves the certificate presented by the server at hostName on the given port, using implicit or explicit FTPS as selected by isImplicit. The same caveat applies: the certificate is unverified until its fingerprint has been checked out-of-band.
Parameters:
    hostName - Host-name of server.
    remotePort - Port to connect to.
    isImplicit - Should be true for implicit FTPS and false for explicit FTPS.
Throws:
    FTPException - Thrown if an FTP-related error occurred.
    java.io.IOException - Thrown if a TCP/IP-related error occurred.

public static java.lang.String getServerSecurityMechanism(java.lang.String remoteHost) throws FTPException, java.io.IOException
Queries the server at remoteHost to find out which explicit FTPS mechanism it supports. If the server supports explicit FTPS using TLS then AUTH_TLS is returned. If the server supports explicit FTPS using SSL but not TLS then AUTH_SSL is returned. If explicit FTPS is not supported then the method returns null. This query necessarily takes place over the unprotected command channel, before any AUTH, so an attacker on the path can make a TLS-capable server appear to offer only SSL or nothing at all. Treat the result as an upper bound on what to try, never as permission to fall back to a weaker mechanism or to plain FTP.
Parameters:
    remoteHost - Host from which to retrieve a security mechanism.
Returns:
    AUTH_TLS, AUTH_SSL or null (see above).
Throws:
    FTPException - Thrown if an FTP-related error occurred.
    java.io.IOException - Thrown if a TCP/IP-related error occurred.

public static java.lang.String getServerSecurityMechanism(java.lang.String remoteHost, int remotePort) throws FTPException, java.io.IOException
Queries the server at remoteHost on the given port to find out which explicit FTPS mechanism it supports. If the server supports explicit FTPS using TLS then AUTH_TLS is returned. If the server supports explicit FTPS using SSL but not TLS then AUTH_SSL is returned. If explicit FTPS is not supported then the method returns null. The same caveat applies: the answer arrives in the clear and can be downgraded by an on-path attacker.
Parameters:
    remoteHost - Host from which to retrieve a security mechanism.
    remotePort - Port on which to connect to the server.
Returns:
    AUTH_TLS, AUTH_SSL or null (see above).
Throws:
    FTPException - Thrown if an FTP-related error occurred.
    java.io.IOException - Thrown if a TCP/IP-related error occurred.

public boolean isImplicitFTPS()
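Since the mechanism reported by getServerSecurityMechanism() arrives over a cleartext connection, the useful pattern is to let the probe confirm that TLS is available and to refuse anything less unless a human has explicitly opted into legacy SSL for a specific server. The added example below, written for this page and not part of edtFTPj/PRO, encodes that policy; the package names and the host "ftp.example.org" are assumptions, while getServerSecurityMechanism() and the AUTH_TLS / AUTH_SSL constants are the ones documented above.

```java
// Added example, not from the edtFTPj/PRO documentation or code base.
// Package name and host are assumptions.
import java.io.IOException;
import com.enterprisedt.net.ftp.FTPException;
import com.enterprisedt.net.ftp.ssl.SSLFTPClient;

public final class FtpsPreflight {

    /**
     * Chooses the AUTH argument for an explicit FTPS session. The probe runs over an
     * unprotected control connection, so its answer may have been tampered with:
     * it can confirm that TLS is available but must never justify a downgrade.
     */
    public static String chooseMechanism(String host, int port, boolean allowLegacySsl)
            throws IOException, FTPException {
        String advertised = SSLFTPClient.getServerSecurityMechanism(host, port);

        if (advertised == null) {
            // Either the server really offers no explicit FTPS, or AUTH support was
            // stripped in transit. Both cases are refused; plain FTP is not a fallback.
            throw new IllegalStateException(host + ":" + port
                    + " offers no explicit FTPS (or it was stripped in transit); refusing plain FTP");
        }
        if (SSLFTPClient.AUTH_TLS.equals(advertised)) {
            return SSLFTPClient.AUTH_TLS;
        }
        if (SSLFTPClient.AUTH_SSL.equals(advertised) && allowLegacySsl) {
            // Legacy SSL only when an operator has explicitly allowed it for this host.
            return SSLFTPClient.AUTH_SSL;
        }
        throw new IllegalStateException(host + ":" + port + " advertises only " + advertised
                + "; refusing downgrade from TLS");
    }

    public static void main(String[] args) throws IOException, FTPException {
        String host = args.length > 0 ? args[0] : "ftp.example.org"; // assumed
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 21;
        String mechanism = chooseMechanism(host, port, false);
        System.out.println("Selected mechanism for " + host + ":" + port + ": " + mechanism);
    }
}
```

The mechanism returned here is the argument to pass to auth(String); the allowLegacySsl flag should come from per-host configuration, not from the probe result.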
public void setImplicitFTPS(boolean implicitFTPS)
Switches implicit FTPS on or off. Implicit FTPS is not recommended because it is not compatible with FTP standards and is not supported by as many systems. It is, however, no less secure than explicit FTPS.
Parameters:
    implicitFTPS - true if switching on, false if switching off

Copyright © 2001-2014 Enterprise Distributed Technologies Ltd. All Rights Reserved.