
"TLS Session resumption" not supported by ftplibpp?

Open 14Merlin opened this issue 3 years ago • 2 comments

Hello, I'm using ftplibpp with OpenSSL and I'm trying to connect to a FileZilla Server with FTP over TLS (FTPS).

I just found that ftplibpp can't transfer data (even if already securely connected) to a FileZilla Server that requires TLS session resumption, since I get this error: "450 TLS session of data connection has not resumed or the session does not match the control connection"

If I untick "Require TLS session resumption on data connection when using PROT P" in FileZilla Server settings, then I'm able to do the transfers.

So, is there a way to add "TLS session resumption" ability to ftplibpp?

14Merlin avatar Mar 30 '21 13:03 14Merlin

After a lot of reading and searching I found this link: https://www.linuxjournal.com/article/5487

It seems that the SSL session id is taken with: `SSL_SESSION* sess = SSL_get1_session(ssl);`

then you can close the connection with `SSL_shutdown(ssl);`

Whenever you want to reopen the connection, you have to assign the old session id to it just before opening (resuming) the connection:

```cpp
SSL_set_session(ssl, sess);
if (SSL_connect(ssl) <= 0)
    berr_exit("SSL connect error (second connect)");
```

So with a bit of guessing it seems I managed to have TLS resumption supported in ftplibpp by simply modifying two functions (changes marked with `<----` comments):

```cpp
int ftplib::FtpClose(ftphandle *nData)
{
    [...]
#ifndef NOSSL
    SSL_shutdown(nData->ssl); // <---- close data connection, this is mandatory; if you don't call this only the first connect will work
    SSL_free(nData->ssl);
#endif
    free(nData);
    if (ctrl) return readresp('2', ctrl);
    return 1;
}
```

```cpp
int ftplib::FtpAccess(const char *path, accesstype type, transfermode mode, ftphandle *nControl, ftphandle **nData)
{
    [...]
#ifndef NOSSL
    if (nControl->tlsdata)
    {
        (*nData)->ssl = SSL_new(nControl->ctx);
        (*nData)->sbio = BIO_new_socket((*nData)->handle, BIO_NOCLOSE);
        SSL_set_bio((*nData)->ssl, (*nData)->sbio, (*nData)->sbio);
        SSL_SESSION *sess = SSL_get1_session(nControl->ssl);
        SSL_set_session((*nData)->ssl, sess); // <---- set the same session as the control connection (to support TLS session resumption)
        SSL_SESSION_free(sess); // SSL_get1_session() added a reference and SSL_set_session() took its own, so drop ours
        int ret = SSL_connect((*nData)->ssl);
        if (ret != 1) return 0;
        (*nData)->tlsdata = 1;
    }
#endif
    return 1;
}
```

14Merlin avatar Mar 31 '21 14:03 14Merlin

OK, I don't know how to insert multiline code... hope it is clear enough.

14Merlin avatar Mar 31 '21 15:03 14Merlin