in Java FTP by (51.2k points)
A user asked how to obtain the server certificate for use in FTPS server validation.

My response:
Technically, the correct way to get the server certificate is to ask the administrators of the FTPS server to send it to you through a secure channel. Most people would use e-mail, even though it's not usually very secure. The theoretical threat you're trying to avoid is that the attacker intercepts the e-mail and substitutes the certificate that is sent to you with a false one.

The other way is to try to connect to the FTPS server and then save the certificate that is sent to your FTPS client. You can do this by using the static SSLFTPCertificate getServerCertificate(String hostName) method of the class, com.enterprisedt.net.ftp.ssl.SSLFTPClient. The SSLFTPCertificate class has methods for exporting the certificate to a file.

Again, the theoretical risk of doing this is that an attacker may have already rerouted your connection to a masquerading server and you'll therefore be grabbing the certificate of the attacking server, which doesn't help you. If you're sure you're connecting to the right server then you can safely use the getServerCertificate method to obtain the certificate.

Once you have the file then you can use it for validating the server in subsequent connections.


- Hans (EnterpriseDT)
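
One way to reduce the risk described above when the certificate is saved from a live connection is to compare the SHA-256 fingerprint of the saved file with a fingerprint the server administrators supply over a separate channel. This is an added example, not part of the original answer or of edtFTPj; it uses only the Java standard library, assumes the exported file is PEM or DER, and the class name CertFingerprintCheck and the demo bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Base64;

public class CertFingerprintCheck {   // hypothetical class name, not part of edtFTPj
    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    // Accepts a PEM or raw DER certificate file and returns the DER bytes.
    static byte[] toDer(byte[] file) {
        String text = new String(file, StandardCharsets.ISO_8859_1);
        int b = text.indexOf(BEGIN), e = text.indexOf(END);
        if (b < 0 || e < b) return file;                 // no PEM armour: treat as DER
        return Base64.getMimeDecoder().decode(text.substring(b + BEGIN.length(), e));
    }

    // SHA-256 over the DER encoding, as colon-separated upper-case hex.
    static String fingerprint(byte[] file) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(toDer(file));
        StringBuilder sb = new StringBuilder();
        for (byte x : d) sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", x));
        return sb.toString();
    }

    // Compares the file with the fingerprint received from the administrators.
    static boolean matches(byte[] file, String fromAdmin) throws Exception {
        String want = fromAdmin.replaceAll("[:\\s]", "").toUpperCase();
        if (!want.matches("[0-9A-F]{64}")) throw new IllegalArgumentException("not a SHA-256 fingerprint");
        String got = fingerprint(file).replace(":", "");
        return MessageDigest.isEqual(got.getBytes(StandardCharsets.US_ASCII),
                                     want.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {                          // usage: <saved-cert-file> <fingerprint>
            boolean ok = matches(Files.readAllBytes(Paths.get(args[0])), args[1]);
            System.out.println(ok ? "MATCH: certificate can be used for validation" : "MISMATCH: do not trust this file");
            System.exit(ok ? 0 : 1);
        }
        // Constructed demo input: placeholder bytes standing in for a DER certificate.
        byte[] der = "constructed placeholder, not a real certificate".getBytes(StandardCharsets.US_ASCII);
        String pem = BEGIN + "\n" + Base64.getMimeEncoder().encodeToString(der) + "\n" + END + "\n";
        String fp = fingerprint(der);
        System.out.println(matches(pem.getBytes(StandardCharsets.US_ASCII), fp)); // PEM and DER forms agree
        der[0] ^= 1;                                     // simulate a substituted certificate
        System.out.println(matches(der, fp));
    }
}
```

Run it with the saved certificate file and the administrators' fingerprint as arguments; with no arguments it runs the constructed demo.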
