Wednesday, November 2, 2011

Using FTPS with the Jakarta Commons Net library

Using FTPS via the Jakarta Commons Net library (FTPSClient) is not that complicated.

But there are a few things to know.

The correct sequence is this:

FTPSClient ftps = new FTPSClient();       // explicit mode: connect() sends AUTH TLS
ftps.connect("YourServer");
ftps.execPBSZ(0);                         // PBSZ 0 is the only valid buffer size for TLS
ftps.execPROT("P");                       // encrypt the data connections as well
ftps.login("YourUserName", "YourPassword");

If you skip the execPBSZ or execPROT calls, the session stays at the default PROT C: the control channel is encrypted, but every data connection (directory listings, uploads, downloads) is sent in the clear. A server configured to require encrypted data connections will then refuse your transfers or deny you access outright. RFC 4217 requires PBSZ 0 before PROT P, and Commons Net throws an SSLException from either call if the server answers with anything but 200, so do not swallow that exception and carry on.
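A complete session following that sequence, added here as an example (it is not code from the original post or from Commons Net itself). It assumes Commons Net 3.x on the classpath, the server host name as the first argument, and the user name and password in the environment variables FTPS_USER and FTPS_PASSWORD; all of these are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.net.ssl.SSLException;
import org.apache.commons.net.PrintCommandListener;
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

public class FtpsListing {
    public static void main(String[] args) throws IOException {
        // Assumed inputs: host from argv, credentials from the environment so the
        // password never ends up on the command line or in the source.
        String host = args.length > 0 ? args[0] : "ftps.example.com"; // assumed host
        String user = System.getenv("FTPS_USER");
        String pass = System.getenv("FTPS_PASSWORD");
        if (user == null || pass == null) {
            throw new IllegalStateException("set FTPS_USER and FTPS_PASSWORD");
        }

        FTPSClient ftps = new FTPSClient(); // explicit FTPS: connect() issues AUTH TLS
        // Validate the server certificate against the JVM trust store instead of
        // relying on whatever the library's default trust manager happens to be.
        ftps.setTrustManager(TrustManagerUtils.getValidateServerCertificateTrustManager());
        // Echo the control-channel exchange; "true" masks the PASS argument.
        ftps.addProtocolCommandListener(new PrintCommandListener(new PrintWriter(System.out), true));

        try {
            ftps.connect(host, 21);
            if (!FTPReply.isPositiveCompletion(ftps.getReplyCode())) {
                throw new IOException("server refused connection: " + ftps.getReplyString());
            }
            try {
                ftps.execPBSZ(0);   // must precede PROT (RFC 4217)
                ftps.execPROT("P"); // private (TLS) data connections
            } catch (SSLException e) {
                // Without PROT P the data channel would stay cleartext (PROT C); stop here.
                throw new IOException("PBSZ/PROT rejected: " + ftps.getReplyString(), e);
            }
            if (!ftps.login(user, pass)) {
                throw new IOException("login failed: " + ftps.getReplyString());
            }
            ftps.enterLocalPassiveMode(); // data connection opened by the client, over TLS
            String[] names = ftps.listNames();
            if (names == null) {
                throw new IOException("listing failed: " + ftps.getReplyString());
            }
            for (String name : names) {
                System.out.println(name);
            }
            ftps.logout();
        } finally {
            if (ftps.isConnected()) {
                ftps.disconnect();
            }
        }
    }
}
```

The PrintCommandListener prints the whole exchange (AUTH TLS, PBSZ 0, PROT P, USER, PASS with the password masked) to stdout, which is the quickest way to see exactly where a server or a middlebox breaks the sequence. The explicit trust manager keeps server certificate validation on; an accept-all trust manager would make the client indifferent to who is on the other end of the TLS session.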

If you receive strange errors like:

java.io.IOException: DerValue.getOctetString, not an Octet String: 10

or

Caused by: java.security.cert.CertificateParsingException: java.io.IOException: DerValue.getOctetString, not an Octet String: 10
        at sun.security.x509.X509CertInfo.<init>(Unknown Source)
        at sun.security.x509.X509CertImpl.parse(Unknown Source)
        at sun.security.x509.X509CertImpl.<init>(Unknown Source)
        at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
        at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
        ... 16 more
Caused by: java.io.IOException: DerValue.getOctetString, not an Octet String: 10
        at sun.security.util.DerValue.getOctetString(Unknown Source)
        at sun.security.x509.Extension.<init>(Unknown Source)
        at sun.security.x509.CertificateExtensions.init(Unknown Source)
        at sun.security.x509.CertificateExtensions.<init>(Unknown Source)
        at sun.security.x509.X509CertInfo.parse(Unknown Source)

Then you (or your FTPS server) are probably behind a Check Point firewall. Its FTP protocol inspection (the check logged below as a Bounce Attack with Telnet Options) rewrites control-channel packets that contain bytes resembling Telnet option negotiation. With explicit FTPS the control channel carries the TLS handshake right after AUTH TLS, so the bytes it modifies belong to the server's certificate, and the Java DER parser rejects the mangled certificate. Switching to an accept-all trust manager does not help: parsing fails before any trust manager is consulted, and it would silently turn off server authentication anyway.
There is nothing you can do on the client side; talk with the firewall admin and ask them to exempt the FTPS connection from the "FTP Bounce" check.
They will see this in the logs:

Attack Information: The packet was modified due to a potential Bounce Attack (Telnet Options)

Here is the option to disable this on a Check Point firewall: