/* C K C F T P -- FTP Client for C-Kermit */
-char *ckftpv = "FTP Client, 9.0.260, 14 Jul 2011";
+char *ckftpv = "FTP Client, 9.0.263, 5 Feb 2015";
/*
Authors:
Frank da Cruz <fdc@columbia.edu>,
The Kermit Project, Columbia University.
- Copyright (C) 2000, 2011,
+ Copyright (C) 2000, 2014,
Trustees of Columbia University in the City of New York.
All rights reserved. See the C-Kermit COPYING.TXT file or the
copyright text in the ckcmai.c module for disclaimer and permissions.
#ifdef CK_SSL
static int ftp_bug_use_ssl_v2 = 0; /* use SSLv2 for AUTH SSL */
+static int ftp_bug_use_ssl_v3 = 0; /* use SSLv3 for AUTH SSL */
#endif /* CK_SSL */
static int
/* FTP BUGS */
#define FTB_SV2 1 /* use SSLv2 */
+#define FTB_SV3 2 /* use SSLv3 */
static struct keytab ftpbugtab[] = {
- { "use-ssl-v2", FTB_SV2, 0 }
+ { "use-ssl-v2", FTB_SV2, 0 },
+ { "use-ssl-v3", FTB_SV3, 0 }
+
};
static int nftpbug = (sizeof(ftpbugtab) / sizeof(struct keytab));
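Review bot: The lone `+` line between the new `use-ssl-v3` entry and `};` adds a blank line inside the `ftpbugtab` initializer, which is out of step with the surrounding one-entry-per-line table style; drop it so the table reads `{ "use-ssl-v3", FTB_SV3, 0 }` immediately followed by `};`. The trailing comma added to the `use-ssl-v2` entry is correct and keeps `nftpbug` computed from `sizeof` accurate. The `static int` context line at the top of this hunk belongs to a declaration that is cut off outside the hunk.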
#ifdef CK_SSL
case FTB_SV2:
return seton(&ftp_bug_use_ssl_v2);
+ case FTB_SV3:
+ return seton(&ftp_bug_use_ssl_v3);
#endif /* CK_SSL */
default:
return(-2);
ssl_auth() {
int i;
char* p;
+ CONST SSL_METHOD *client_method;
if (ssl_debug_flag) {
fprintf(stderr,"SSL DEBUG ACTIVE\n");
#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
#endif
+/*
+ Pick allowed SSL/TLS versions according to enabled bugs.
+ Modified 5 Feb 2015 to default to TLS 1.0 if no bugs are enabled,
+ instead of to SSL 3.0, which has the POODLE vulnerability.
+*/
+ if (ftp_bug_use_ssl_v2) {
+ /* allow SSL 2.0 or later */
+ client_method = SSLv23_client_method();
+ } else if (ftp_bug_use_ssl_v3) {
+ /* allow SSL 3.0 ONLY - previous default */
+ client_method = SSLv3_client_method();
+ } else {
+ /* default - allow TLS 1.0 or later */
+ client_method = TLSv1_client_method();
+ }
if (auth_type && !strcmp(auth_type,"TLS")) {
- ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
+ ssl_ftp_ctx=SSL_CTX_new(client_method);
if (!ssl_ftp_ctx)
return(0);
SSL_CTX_set_options(ssl_ftp_ctx,
SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
);
} else {
- ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() :
- SSLv3_client_method());
+ ssl_ftp_ctx = SSL_CTX_new(client_method);
if (!ssl_ftp_ctx)
return(0);
SSL_CTX_set_options(ssl_ftp_ctx,
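Review bot: The comment on the default branch says "allow TLS 1.0 or later", but `TLSv1_client_method()` in OpenSSL negotiates exactly TLS 1.0 and nothing newer, so the new default pins the FTP control connection to TLS 1.0 while the `use-ssl-v2` branch, via `SSLv23_client_method()`, can still negotiate up to the highest TLS version the library supports. The version-flexible method is the right base for the default; the POODLE fix then becomes disabling SSL 2.0 and 3.0 on the context with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` rather than selecting a single-version method. Either way the comment should match what the call actually does, e.g. `/* default - TLS 1.0 ONLY (TLSv1_client_method pins the version) */` if the current call is kept. `ssl_auth()` continues past this hunk, and the `SSL_CTX_set_options` call on the last line is cut off, so the options flags may need to be merged into the existing calls rather than added as a separate statement.

```c
    } else {
        /* default - TLS 1.0 or later: use the version-flexible method
           and disable SSL 2.0 / 3.0 on the context below */
        client_method = SSLv23_client_method();
    }
    /* … unchanged: auth_type test, SSL_CTX_new(client_method), NULL check … */
    if (!ftp_bug_use_ssl_v2 && !ftp_bug_use_ssl_v3)
        SSL_CTX_set_options(ssl_ftp_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
```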
} else {
ssl_ftp_active_flag = 1;
- if (!ssl_certsok_flag && !tls_is_krb5(1)) {
+ if (!ssl_certsok_flag &&
+ (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
+ !tls_is_krb5(1)) {
char *subject = ssl_get_subject_name(ssl_ftp_con);
if (!subject) {
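Review bot: The added `(ssl_verify_flag & SSL_VERIFY_PEER)` condition silently skips the certificate subject-name check whenever peer verification is not requested, which is a behaviour change from the old code that ran the check regardless of `ssl_verify_flag`; the `/* JEA 2013-12-10 */` tag records who and when but not why. Whether this is safe depends on the default value of `ssl_verify_flag`, which is not visible here, so please replace the tag with a comment stating the rationale, e.g. `/* subject check is only meaningful when the peer certificate itself is verified */`, and note in the SET FTP documentation that turning off peer verification now also disables the host-name comparison. The same change appears in the data-connection hunk below (`tls_is_krb5(2)` / `ssl_ftp_data_con`) and needs the same comment. The enclosing function starts outside this hunk.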
inet_ntoa(hisctladdr.sin_addr)
);
errno = oerrno;
- perror((char *)0);
+ perror("ftphookup");
hp->h_addr_list++;
memcpy((char *)&hisctladdr.sin_addr,
hp->h_addr_list[0],
} else {
ssl_ftp_data_active_flag=1;
- if (!ssl_certsok_flag && !tls_is_krb5(2)) {
+ if (!ssl_certsok_flag &&
+ (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
+ !tls_is_krb5(2)) {
char *subject = ssl_get_subject_name(ssl_ftp_data_con);
if (!subject) {