0 votes
17.2k views
in Java FTP by (1.3k points)
Hello,

On some occasions I am getting the exception:
com.enterprisedt.net.puretls.cert.CertificateVerifyException

However this exception is not documented in the API on http://www.enterprisedt.com/products/ed ... index.html

In an older version (3.0.1), where SSLFTPCertificateException is thrown, I could obtain the certificates by accessing its methods. Could you provide some information about the classes inside puretls.*, especially the classes connected to the CertificateVerifyException?

Thank you

18 Answers

0 votes
by (1.3k points)
The hostname I posted unfortunately has a local IP and thus cannot be accessed from outside. As I mentioned, the connection to this host/port is good, since I can connect with openssl and also with Firefox over https and verify the self-signed certificate.
0 votes
by (51.2k points)
What do you mean when you say that you can connect with OpenSSL? Which command did you execute?

Are you able to connect with FileZilla?
0 votes
by (1.3k points)
I can connect with openssl using the command: openssl s_client -connect demo.intra.net:7135 -showcerts
The certificate is then shown and I get FTP status OK. And I can connect with FileZilla as well.

$ openssl s_client -connect demo.intra.net:7135 -showcerts
CONNECTED(00000003)
[certificate stuff snipped]
---
220 Welcome to FTP server
0 votes
by (51.2k points)
Ah, I see what's going on. FTPS is used to refer to two different protocols. They are described as "explicit FTPS" and "implicit FTPS". Explicit FTPS connects in plain FTP mode and then switches to TLS after the AUTH command is issued by the client. Implicit FTPS connects as a TLS socket; in other words, the TLS handshake occurs immediately. SSLFTPClient.getServerCertificate() only works with explicit FTPS. This never actually occurred to me before, which is why I didn't mention it earlier.

Sorry to lead you up the garden path.
0 votes
by (1.3k points)
Ah OK. I didn't mention either that the server is an implicit one. But anyway, isn't it a nice feature to support certificate access on both implicit and explicit FTPS? Foremost, accessing the certificate on implicit FTPS should be easier than on explicit.
0 votes
by (51.2k points)
Yes you're right. We will add it in the next version. In the meantime, you may as well roll your own. Here's the code:
import java.io.IOException;
import java.util.Vector;

import com.enterprisedt.net.ftp.FTPException;
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificate;
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificateException;
import com.enterprisedt.net.ftp.ssl.SSLFTPClient;

public final class ServerCertificateFetcher {

   /**
    * Fetches the certificate the server presents, for either implicit or explicit FTPS,
    * by connecting with validation switched on and catching the resulting
    * SSLFTPCertificateException. Returns null when the server was trusted outright
    * (no exception, so nothing to report) or when no chain was attached to the exception.
    */
   public static SSLFTPCertificate getServerCertificate(String hostName, int remotePort,
         boolean isImplicit)
      throws FTPException, IOException {

      SSLFTPClient ftpClient = new SSLFTPClient();
      try {
         ftpClient.setRemoteHost(hostName);
         ftpClient.setRemotePort(remotePort);
         ftpClient.setValidateServer(true);       // validation must be on, or no exception is thrown
         ftpClient.setImplicitFTPS(isImplicit);
         ftpClient.connect();                     // implicit FTPS: TLS handshake (and the exception) happens here
         if (!isImplicit) {
            ftpClient.auth(SSLFTPClient.AUTH_TLS); // explicit FTPS: handshake happens after AUTH TLS
         }
         ftpClient.quit();
         return null;                             // validation passed, nothing to report
      } catch (SSLFTPCertificateException e) {
         Vector certChain = e.getCertificates();  // chain the server presented
         if (certChain == null || certChain.isEmpty()) {
            return null;
         }
         return (SSLFTPCertificate) certChain.lastElement();
      } finally {
         try {
            ftpClient.quitImmediately();          // drop the socket whether or not a certificate was obtained
         } catch (Throwable t) {
            // ignore: the connection may already be closed
         }
      }
   }
}
0 votes
by (1.3k points)
Thanks for the code.
Could you give me some feedback on my other question, whether it is possible to extend the FTP client so that the server certificate is trusted if the end certificate is imported, like Firefox does, without having to load the whole chain of CA certificates.
At the moment we have to load the CA certificates. And this is a restriction for users who want to force trust in a server whose CA is not known and loaded.
0 votes
by (51.2k points)
You can create your own certificate validator by extending SSLFTPValidator and tell SSLFTPClient to use it by calling setCustomValidator().

You can find the documentation for SSLFTPValidator here.
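As an added example (not code from the thread or from EnterpriseDT), here is what a custom validator of the kind described in the answer above could look like when it implements the "trust the imported end certificate" model from the question: the server's end-entity certificate is pinned by the SHA-256 fingerprint of its DER encoding, and no CA chain needs to be loaded. Two pieces are assumptions, marked ASSUMED in the code: the override `validateCertificates(SSLFTPCertificate[])` (name and parameter type inferred from the answer, not checked against a particular edtFTPj/PRO release) and the accessor `getDEREncoded()` on SSLFTPCertificate (a hypothetical name for whatever getter your version provides for the raw certificate bytes). `setCustomValidator()`, `setValidateServer()` and `setImplicitFTPS()` are the methods named in this thread; everything else is standard JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;

import com.enterprisedt.net.ftp.FTPException;
import com.enterprisedt.net.ftp.ssl.SSLFTPCertificate;
import com.enterprisedt.net.ftp.ssl.SSLFTPClient;
import com.enterprisedt.net.ftp.ssl.SSLFTPValidator;

/**
 * Trusts exactly one server certificate, identified by the SHA-256 fingerprint of its
 * DER encoding, instead of requiring the issuing CA chain to be loaded.
 */
public class PinnedLeafValidator extends SSLFTPValidator {

    private final byte[] expectedFingerprint;   // lowercase hex without separators, as ASCII bytes

    public PinnedLeafValidator(String sha256Fingerprint) {
        this.expectedFingerprint = normalize(sha256Fingerprint).getBytes(StandardCharsets.US_ASCII);
    }

    // ASSUMED hook: method name and parameter type follow the forum answer
    // ("extend SSLFTPValidator"); check the SSLFTPValidator javadoc of your release
    // and adjust. chain[0] is taken to be the end-entity certificate.
    public boolean validateCertificates(SSLFTPCertificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false;                        // no certificate, no trust
        }
        try {
            return acceptLeaf(derOf(chain[0]));
        } catch (CertificateException e) {
            return false;                        // unparsable, expired or not-yet-valid certificate
        }
    }

    // ASSUMED accessor: hypothetical getter name for the DER bytes of the wrapped
    // certificate; substitute the one your SSLFTPCertificate version exposes.
    private static byte[] derOf(SSLFTPCertificate cert) {
        return cert.getDEREncoded();
    }

    /** Pure JDK decision: the certificate must be inside its validity period and match the pin. */
    boolean acceptLeaf(byte[] der) throws CertificateException {
        X509Certificate leaf = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        leaf.checkValidity();                    // throws CertificateExpiredException / CertificateNotYetValidException
        byte[] actual = sha256Hex(leaf.getEncoded()).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expectedFingerprint);   // constant-time comparison
    }

    /** Accepts the "AB:CD:..." form printed by openssl as well as bare hex. */
    static String normalize(String fingerprint) {
        return fingerprint.replace(":", "").replace(" ", "").trim().toLowerCase(Locale.ROOT);
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Wiring into the client with the setters named in this thread. */
    public static SSLFTPClient newPinnedClient(String host, int port, boolean implicit,
                                               String sha256Fingerprint)
            throws FTPException, IOException {
        SSLFTPClient client = new SSLFTPClient();
        client.setRemoteHost(host);
        client.setRemotePort(port);
        client.setImplicitFTPS(implicit);        // true for the implicit server discussed above
        client.setValidateServer(true);          // validation stays on; the validator decides, it is not a bypass
        client.setCustomValidator(new PinnedLeafValidator(sha256Fingerprint));
        return client;
    }
}
```

The pin is obtained once, out of band, from the same openssl session used earlier in the thread: `openssl s_client -connect demo.intra.net:7135 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256` prints the leaf fingerprint in the colon-separated form `normalize()` accepts; for an explicit FTPS server add `-starttls ftp` to the s_client command so the handshake happens after AUTH TLS. Because the pin binds to one specific certificate, it must be updated whenever the server's certificate is renewed, and a validator that simply returned true would disable TLS authentication entirely, which is why the fingerprint and validity checks are the whole point of the class.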
