[vlc-devel] [PATCH] access: ftp: add TLS support (fix #137)

Rémi Denis-Courmont remi at remlab.net
Tue Jul 16 18:57:32 CEST 2013


	Hello,

On Tuesday 16 July 2013 18:15:52 Francois Cartegnie wrote:
> @@ -99,12 +100,27 @@ static int Seek( access_t *, uint64_t );
>  static int OutSeek( sout_access_out_t *, off_t );
>  static int Control( access_t *, int, va_list );
> 
> +static void FeaturesCheck( void *, const char * );
> +
> +typedef struct ftp_features_t
> +{
> +    bool b_unicode;
> +    bool b_authtls;

Why would you check for the AUTH TLS feature? If the user requested TLS, then 
TLS has to be used in any case. Checking server features over the unencrypted 
channel would trivially pave the way for a MITM downgrade attack.

(Conversely, if the user did not request TLS, I think we are better off not 
even trying. There does not seem to be an error code for the server to 
explicitly request TLS.)

> +} ftp_features_t;
> +
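
Review bot: FeaturesCheck( void *, const char * ) takes an opaque void * and carries no comment saying what it points to or who calls it. If it only ever receives an ftp_features_t, move the typedef above the prototype and take ftp_features_t * so the compiler checks the argument; if the void * is needed to match a callback signature, say so in a comment next to the declaration.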

> +        /* FIXME: Do Reuse TLS Session */
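
Review bot: The FIXME "Do Reuse TLS Session" does not say which session should be reused, for which connection, or why the code does not do it yet, so a later reader cannot tell what is missing. Spell out the intended behaviour and name the specification text that allows it, or drop the comment.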

I doubt that reusing the TLS session is legal in this context. At least, I 
could not find anything to support it in RFC4217.


-- 
Rémi Denis-Courmont
http://www.remlab.net/
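
The downgrade concern raised in the review above, as an added example (not code from the patch or from VLC): it compares a policy that lets the cleartext FEAT reply decide whether TLS is attempted with one that sends AUTH TLS whenever the user asked for TLS and fails closed otherwise. The function names, the outcome enum and both FEAT replies are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { USE_CLEARTEXT, USE_TLS, ABORT_CONNECT } tls_outcome_t;

#define FTP_AUTH_OK 234 /* reply to "AUTH TLS": go ahead with the handshake */

/* Constructed FEAT replies: as sent by the server, and as it could be
 * rewritten in transit on the unencrypted control channel. */
static const char FEAT_HONEST[] = "211-Features:\r\n AUTH TLS\r\n UTF8\r\n211 End\r\n";
static const char FEAT_STRIPPED[] = "211-Features:\r\n UTF8\r\n211 End\r\n";

/* True if the FEAT reply lists "AUTH TLS" (exact match, for brevity). */
static bool feat_has_auth_tls(const char *feat_reply)
{
    return strstr(feat_reply, "\r\n AUTH TLS\r\n") != NULL;
}

/* Weak: the unauthenticated FEAT reply decides whether TLS is attempted. */
static tls_outcome_t decide_feat_gated(bool tls_requested,
                                       const char *feat_reply, int auth_code)
{
    if (!tls_requested || !feat_has_auth_tls(feat_reply))
        return USE_CLEARTEXT; /* silent fallback even though TLS was asked for */
    return auth_code == FTP_AUTH_OK ? USE_TLS : USE_CLEARTEXT;
}

/* Strict: the user's request alone decides; FEAT is never consulted and a
 * refused AUTH TLS aborts the connection instead of continuing in cleartext. */
static tls_outcome_t decide_strict(bool tls_requested, int auth_code)
{
    if (!tls_requested)
        return USE_CLEARTEXT; /* TLS not requested: do not even try */
    return auth_code == FTP_AUTH_OK ? USE_TLS : ABORT_CONNECT;
}

int main(void)
{
    /* Outcome codes: 0 = cleartext, 1 = TLS, 2 = abort. */
    printf("gated,  honest FEAT:   %d\n", decide_feat_gated(true, FEAT_HONEST, FTP_AUTH_OK));
    printf("gated,  stripped FEAT: %d\n", decide_feat_gated(true, FEAT_STRIPPED, FTP_AUTH_OK));
    printf("strict, AUTH accepted: %d\n", decide_strict(true, FTP_AUTH_OK));
    printf("strict, AUTH refused:  %d\n", decide_strict(true, 500));
    return 0;
}
```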



