botg... I have to agree with you as a developer myself. In my case, 3.2 isn't working anymore. The FTP server is owned and maintained by Oracle.. believe it or not... I told my administrator, who told me that Oracle told us to use 3.0.1 and not to upgrade. I SO laughed at the fact that a company so large, and a company that hosts clients' very valuable data, would actually not care to solve this problem!
But- I truly believe your stern replies about not changing the code are valid. But (hear me out), if a hosting server is out of a user's ability to get them to upgrade.. Does the user downgrade just to use the unpatched client version to connect to an unpatched server? Or should the user keep using a more secure client version for the rest of the world's 'patched' servers AND be spammed with a msg that reads along the lines of 'by the way, this server you are connecting to isn't secure, want to continue' as an option, so these users in this situation don't sacrifice every other FTP connection? See my point? I'm with you, to put it in other words... As developers, we identify a bug/flaw, we fix that flaw, we don't let 'users' tell us not to patch... it's in our blood not to allow the users to do stupid things.. that's why there are databases hooked up with validation forms, and not notepads where clients used to write down stuff lol. We always want to fix human error... So I really think you should reconsider. Adding this code (however you like, a msg, what have you) is the best solution. Here's why - I'm sure if Oracle gets a ton of complaints from their clients about this, they will upgrade.. and see, this will/could be a 'pro-active' choice/solution on your behalf. You are forcing clients that ended up upgrading and running into this issue to be aware of the security vulnerabilities, and getting them to be pro-active and tell/demand their hosts to upgrade.
Without a notification or what have you, clients just like my 'admin' would believe their host's replies about 'oh just stick with 3.0.1 - plz don't upgrade, it's not compatible'. Instead your msg would tell the users of the client DIRECTLY, no bs'n from the host!
Hope my point isn't retarded but... just trying to not have to downgrade and listen to the bs Oracle is feeding.. in my gut I believe you and this forum.. and well, it's easier to back this proof up with a msg that constantly pops up when you're demoing this issue to your host.