Please can someone tell me if Apache VFS 2.6.0 will support FTPS at TLSv1 ?
The reason I ask is because we have written an application using VFS and developed it against VsFTPD 3.0.2
Now we have moved into testing we are seeing a lot of old machines using VsFTPD 2.2.2 with only TLSv1 support.
Exceptions (don't give much away)
org.apache.commons.vfs2.FileSystemException: Could not connect to FTP server on "100.200.150.25".
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory$ConnectionFactory.createConnection(FtpClientFactory.java:220)
at org.apache.commons.vfs2.provider.ftps.FtpsClientFactory.createConnection(FtpsClientFactory.java:57)
at org.apache.commons.vfs2.provider.ftps.FtpsClientWrapper.createClient(FtpsClientWrapper.java:47)
at org.apache.commons.vfs2.provider.ftp.FTPClientWrapper.createClient(FTPClientWrapper.java:97)
at org.apache.commons.vfs2.provider.ftp.FTPClientWrapper.getFtpClient(FTPClientWrapper.java:146)
at org.apache.commons.vfs2.provider.ftp.FTPClientWrapper.<init>(FTPClientWrapper.java:52)
at org.apache.commons.vfs2.provider.ftps.FtpsClientWrapper.<init>(FtpsClientWrapper.java:41)
at org.apache.commons.vfs2.provider.ftps.FtpsFileProvider.doCreateFileSystem(FtpsFileProvider.java:49)
at org.apache.commons.vfs2.provider.AbstractOriginatingFileProvider.getFileSystem(AbstractOriginatingFileProvider.java:93)
at org.apache.commons.vfs2.provider.AbstractOriginatingFileProvider.findFile(AbstractOriginatingFileProvider.java:72)
at org.apache.commons.vfs2.provider.AbstractOriginatingFileProvider.findFile(AbstractOriginatingFileProvider.java:56)
at org.apache.commons.vfs2.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:717)
at org.apache.commons.vfs2.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:654)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:750)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)
at org.springframework.cloud.sleuth.instrument.async.TraceAsyncAspect.traceBackgroundThread(TraceAsyncAspect.java:67)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:644)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:633)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115)
at org.springframework.cloud.sleuth.instrument.async.TraceCallable.call(TraceCallable.java:70)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at org.apache.commons.net.ftp.FTPSClient.sslNegotiation(FTPSClient.java:289)
at org.apache.commons.net.ftp.FTPSClient._connectAction_(FTPSClient.java:226)
at org.apache.commons.net.SocketClient._connect(SocketClient.java:244)
at org.apache.commons.net.SocketClient.connect(SocketClient.java:202)
at org.apache.commons.vfs2.provider.ftp.FtpClientFactory$ConnectionFactory.createConnection(FtpClientFactory.java:163)
Apache VFS does support TLSv1
The issue here was in the commonly seen and equally vague Exception
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Java 11 has a set of disabled Ciphers which are used to encrypt for TLS
The one I found was being used by VSFTPD 2.2.2 is DES-CBC3-SHA
The one I found disabled by Java 11 in conf/java.security was 3DES_EDE_CBC
I removed it from the disabled list and now the connection works fine.
PLEASE NOTE
I will be advising services to upgrade their VSFTPD servers. I don't like downgrading security but money talks and I suspect this smaller/cheaper change will be implemented.