Make PBSZ optional #279
Comments
Thanks for the pull request! I may change the
You are most welcome, I've fixed the things you've pointed out in the pull request, please take a look at it again. I've chosen "RequirePBSZ", because it's specifically about that command, and the error message also mentions this command in reply to PROT, when forgotten. There are a rather large number of relevant RFCs, and even RFC2228 has multiple requirements, that's one of the reasons why I chosen a name for the option with "RFC" in it. Personally I think that might be misleading and confusing in the long run.
In the case of FTP over SSL/TLS, there's only one particularly relevant RFC: RFC 4127. However, your point is taken. Another approach might be to not provide such a
Honestly, I don't really see any reason why couldn't be optional by default, except if some sysadmin is feeling to start a holy crusade against broken clients, and wants to teach the world a lesson. Apart from that, I don't think it would hurt anyone. Would you like me to change the pull request to make this the default behaviour?
Yes, please. It's easy enough to add such an option in, later, if/when we find a use case.
Done, please review. Instead of removing the error return, I've just disabled the codepath with a macro, if that's fine. Might come in handy if there's a use case.
PR merged to master; thanks!
We've found a broken client, which doesn't do PBSZ before PROT, and by RFC2228 proftpd is refusing the client because of this. I would like to ask to make PBSZ optional, because even in the source it's forced to 0, and to the best of my knowledge, it doesn't raise any security issues as well.
As per email discussion with castaglia, I've created a patch, and will create a pull request for it.
The patch introduces a new TLSOptions option named "RequirePBSZ", and PBSZ will only be required if that flag is present. If the flag is not specified, then PBSZ is optional.
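
The command ordering discussed in this issue, as an added example (not ProFTPD's code and not part of the thread): a minimal control-channel model that replays a client session with and without a PBSZ requirement. The class, the `require_pbsz` parameter, the reply texts and the sample sessions are constructed for illustration; only the reply codes follow RFC 2228.

```python
# Added illustration; not ProFTPD source. Reply texts are constructed.
class ControlChannel:
    def __init__(self, require_pbsz=False):
        self.require_pbsz = require_pbsz  # models the proposed RequirePBSZ flag
        self.tls = False                  # AUTH TLS completed?
        self.pbsz_seen = False
        self.prot = "C"                   # data channel starts Clear

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd, arg = cmd.upper(), arg.strip().upper()
        if cmd == "AUTH":
            if arg in ("TLS", "SSL"):
                self.tls = True
                return "234 AUTH accepted"
            return "504 Unsupported security mechanism"
        if cmd in ("PBSZ", "PROT") and not self.tls:
            return "503 Security exchange not completed"
        if cmd == "PBSZ":
            self.pbsz_seen = True
            return "200 PBSZ=0"           # buffer size is forced to 0 under TLS
        if cmd == "PROT":
            # Strict ordering: refuse PROT unless PBSZ came first.
            if self.require_pbsz and not self.pbsz_seen:
                return "503 PBSZ must precede PROT"
            if arg in ("C", "P"):
                self.prot = arg
                return "200 Protection level set to " + arg
            if arg in ("S", "E"):
                return "536 Protection level not supported"
            return "504 Unknown protection level"
        return "502 Command not implemented"


def run_session(commands, require_pbsz):
    """Replay commands; return (replies, final data-channel protection)."""
    chan = ControlChannel(require_pbsz)
    return [chan.handle(c) for c in commands], chan.prot


# Constructed sessions: a compliant client and one that skips PBSZ.
COMPLIANT = ["AUTH TLS", "PBSZ 0", "PROT P"]
SKIPS_PBSZ = ["AUTH TLS", "PROT P"]

if __name__ == "__main__":
    for name, session in (("compliant", COMPLIANT), ("skips PBSZ", SKIPS_PBSZ)):
        for strict in (True, False):
            print(name, "require_pbsz=%s" % strict, run_session(session, strict))
```

With the requirement on, the session that skips PBSZ is left at protection level `C` after the 503, so its data connection would not be encrypted unless the client aborts; with the requirement off it reaches `P` like the compliant client.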