FluentFTP
Issue with server supporting TLS 1.3 and forcing "TLS session resumption"
FTP OS: Windows
FTP Server: FileZilla Server
Computer OS: Windows 11
FluentFTP Version: 35.0.5
I am getting an exception "Unable to build data connection: TLS session of data connection not resumed." when connecting with a FileZilla Server and trying to retrieve the root folders on it. The folders are retrieved by a call to GetListing(). I included the FluentFTP code from GitHub and with debugging I see there that in GetListingInternal() a call to OpenDataStream() is done and from there a call to OpenPassiveDataStream(). The latter creates a new stream, which I think is not correct in case of TLS 1.3 and session reuse. Could it be that "TLS session resumption" is not handled? FileZilla Server apparently forces session reuse when TLS 1.3 is negotiated. When setting up the connection with TLS 1.2 everything works fine. See logs.
Logs :
2021.11.01 16:45:33.884 Handle FTPConnectReq
2021.11.01 16:45:33.892 FTPStorageDevice.Initialize - Host: saturnus, port: 21, account: ***, connectionMode: 0, tlsProtocol: None
2021.11.01 16:45:33.900 FTPStorageDevice.Initialize - Extract trusted certificates list
2021.11.01 16:45:33.909 FTPStorageDevice.Initialize - File contains 4 entries
2021.11.01 16:45:33.920 --FluentFTP-- > Connect()
2021.11.01 16:45:33.938 --FluentFTP-- Status: Connecting to 192.168.2.13:21
2021.11.01 16:45:33.944 --FluentFTP-- Response: 220-FileZilla Server 1.0.1
2021.11.01 16:45:33.945 --FluentFTP-- Response: 220 Please visit https://filezilla-project.org/
2021.11.01 16:45:33.949 --FluentFTP-- Status: Detected FTP server: FileZilla
2021.11.01 16:45:33.951 --FluentFTP-- Command: AUTH TLS
2021.11.01 16:45:33.954 --FluentFTP-- Response: 234 Using authentication type TLS.
2021.11.01 16:45:34.117 FTPStorageDevice.ValidateCertificate - Checking certificate for $saturnus:21, fingerprint: ***************************
2021.11.01 16:45:34.118 FTPStorageDevice.ValidateCertificate - Certificate found in TrustedCerts
2021.11.01 16:45:34.118 FTPStorageDevice.ValidateCertificate - Certificate found and accepted
2021.11.01 16:45:34.119 --FluentFTP-- Status: FTPS Authentication Successful
2021.11.01 16:45:34.119 --FluentFTP-- Status: Time to activate encryption: 0h 0m 0s. Total Seconds: 0,1615696.
2021.11.01 16:45:34.120 --FluentFTP-- Command: USER ***
2021.11.01 16:45:34.122 --FluentFTP-- Response: 331 Please, specify the password.
2021.11.01 16:45:34.123 --FluentFTP-- Command: PASS ***
2021.11.01 16:45:34.197 --FluentFTP-- Response: 230 Login successful.
2021.11.01 16:45:34.198 --FluentFTP-- Command: PBSZ 0
2021.11.01 16:45:34.199 --FluentFTP-- Response: 200 PBSZ=0
2021.11.01 16:45:34.200 --FluentFTP-- Command: PROT P
2021.11.01 16:45:34.201 --FluentFTP-- Response: 200 Protection level set to P
2021.11.01 16:45:34.202 --FluentFTP-- Command: FEAT
2021.11.01 16:45:34.203 --FluentFTP-- Response: 211-Features:
Response: MDTM
Response: REST STREAM
Response: SIZE
Response: MLST type*;size*;modify*;perm*;
Response: MLSD
Response: AUTH SSL
Response: AUTH TLS
Response: PROT
Response: PBSZ
Response: UTF8
Response: TVFS
Response: EPSV
Response: EPRT
Response: MFMT
2021.11.01 16:45:34.204 --FluentFTP-- Response: 211 End
2021.11.01 16:45:34.209 --FluentFTP-- Status: Text encoding: System.Text.UTF8Encoding
2021.11.01 16:45:34.209 --FluentFTP-- Command: OPTS UTF8 ON
2021.11.01 16:45:34.211 --FluentFTP-- Response: 202 UTF8 mode is always enabled. No need to send this command
2021.11.01 16:45:34.211 --FluentFTP-- Command: SYST
2021.11.01 16:45:34.212 --FluentFTP-- Response: 215 UNIX emulated by FileZilla.
2021.11.01 16:45:34.215 --FluentFTP-- Command: PWD
2021.11.01 16:45:34.216 --FluentFTP-- Response: 257 "/" is current directory.
2021.11.01 16:45:34.217 FTPStorageDevice.Initialize - SUCCESS
... Update the UI and then request root folder
2021.11.01 16:45:34.415 Handle FTPFoldersReq
2021.11.01 16:45:34.420 --FluentFTP-- > SetWorkingDirectory("/")
2021.11.01 16:45:34.421 --FluentFTP-- Command: CWD /
2021.11.01 16:45:34.423 --FluentFTP-- Response: 250 CWD command successful
2021.11.01 16:45:34.424 --FluentFTP-- > GetListing("/", NoPath)
2021.11.01 16:45:34.428 --FluentFTP-- Command: TYPE I
2021.11.01 16:45:34.429 --FluentFTP-- Response: 200 Type set to I
2021.11.01 16:45:34.431 --FluentFTP-- > OpenPassiveDataStream(PASV, "MLSD", 0)
2021.11.01 16:45:34.431 --FluentFTP-- Command: PASV
2021.11.01 16:45:34.434 --FluentFTP-- Response: 227 Entering Passive Mode (192,168,2,13,217,184)
2021.11.01 16:45:34.440 --FluentFTP-- Status: Connecting to 192.168.2.13:55736
2021.11.01 16:45:34.442 --FluentFTP-- Command: MLSD
2021.11.01 16:45:34.445 --FluentFTP-- Response: 150 Starting data transfer.
2021.11.01 16:45:34.453 --FluentFTP-- Status: FTPS Authentication Successful
2021.11.01 16:45:34.454 --FluentFTP-- Status: Time to activate encryption: 0h 0m 0s. Total Seconds: 0,0069809.
2021.11.01 16:45:34.454 --FluentFTP-- +---------------------------------------+
2021.11.01 16:45:34.457 --FluentFTP-- -----------------------------------------
2021.11.01 16:45:34.458 --FluentFTP-- Status: Disposing FtpSocketStream...
2021.11.01 16:45:34.465 --FluentFTP-- > CloseDataStream()
2021.11.01 16:45:34.466 --FluentFTP-- Response: 425 Unable to build data connection: TLS session of data connection not resumed.
2021.11.01 16:45:34.467 --FluentFTP-- Status: Disposing FtpSocketStream...
> Could it be that "TLS session resumption" is not handled?
I think this could definitely be right, but I am not sure. See issue #236
I wanted to chime in on this as I have encountered it before in other contexts (not FluentFTP).
IIRC, although everyone seems to think that TLS session resume makes the server or the session more secure, it in fact is to a certain degree the opposite as well. The only real reason for this to be used is to halve the number of negotiation roundtrips to make the repeated setup of the secure channel(s) less of a performance issue. Using it opens a number of cans of worms that are vulnerable to attacks, as either session tickets or session data needs to be stored "to remember" the first round-trip of the previously opened secure channel.
I know that what I wrote is controversial, but there is newly found information "out there", for example: this and some other stuff as well. Google is your friend.
AFAIK, you can actually disable this behaviour in the FileZilla server. The thing to look for is the setting "Require TLS session resumption" in FileZilla Server.
So that might be a workaround, but probably not, I realize that.
Thanks @FanDjango for chiming in. OP, just use TLS 1.2 or disable session resumption on FileZilla server. We don't support TLS session resumption on Unix, but I think it is supported on Windows using .NET so not sure why it's failing for you.
Getting same error on TLS 1.2 in Linux and Windows.
Any news? I have the same problem on Windows 10 and .NET 6, and the remote server, which I don't have control on the server, requires TLS 1.3 with session re-using. For now I've fixed with writing a program in Python 3.10, but I would like to put everything in one place using C#.
> Any news? I have the same problem on Windows 10 and .NET 6, and the remote server, which I don't have control on the server, requires TLS 1.3 with session re-using. For now I've fixed with writing a program in Python 3.10, but I would like to put everything in one place using C#.
I have this problem currently, using .NET 6 with FluentFTP library to connect FTP server which has TLS session resumption enabled. After hours of digging I've found that there is a problem with the library (and the underlying .NET platform?)
Have you solved this problem or can you elaborate more on your Python solution?
Thank you
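How a client can satisfy a server that requires data-connection resumption, as an added illustration using Python's standard `ftplib` (not part of the thread, and not the commenter's program): each data channel is wrapped with the control channel's TLS session, and the client fails closed if the session was not actually resumed. `list_root`, its host and credential parameters, and the use of the system trust store are assumptions.

```python
import ftplib
import ssl


class DataSessionNotResumed(ftplib.Error):
    """The data channel did a full TLS handshake instead of resuming."""


class SessionReuseFTP_TLS(ftplib.FTP_TLS):
    """FTP_TLS whose data channels resume the control channel's TLS session."""

    # When True, fail closed if the data channel came up without resumption.
    require_resumption = True

    def ntransfercmd(self, cmd, rest=None):
        # Open the plain TCP data connection (PASV/EPSV, then the command) via
        # the base class; FTP_TLS.ntransfercmd would wrap it with a new session.
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if not self._prot_p:  # PROT C: data channel stays cleartext
            return conn, size
        tls = self.context.wrap_socket(
            conn,
            server_hostname=self.host,
            # Session of the AUTH TLS control channel, looked up at transfer
            # time rather than cached at login.
            session=self.sock.session,
        )
        if self.require_resumption and not tls.session_reused:
            tls.close()
            raise DataSessionNotResumed("data channel TLS session was not resumed")
        return tls, size


def list_root(host, user, password):
    """Same command sequence as the log above: AUTH TLS, login, PROT P, MLSD."""
    # Assumption: the server certificate chains to the system trust store.
    ctx = ssl.create_default_context()
    with SessionReuseFTP_TLS(host, context=ctx) as ftp:
        ftp.login(user, password)  # login() sends AUTH TLS before USER/PASS
        ftp.prot_p()               # PBSZ 0 followed by PROT P
        return [name for name, _facts in ftp.mlsd("/")]
```

The control and data sockets must be wrapped by the same `SSLContext`, which `ftplib` already does through `self.context`.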
@m2rt
> Getting same error on TLS 1.2 in Linux and Windows.
Can you please add some info in a separate issue with info on server, server version? Filezilla? A log maybe? I am in the process of collecting information on this.
@zurabt-inst
> I have this problem currently
Can you please add some info in a separate issue with info on server, server version? Filezilla? A log maybe? I am in the process of collecting information on this.
@LuciferSam86
> requires TLS 1.3 with session re-using...
Yes, it seems SSL Session Resume under TLS 1.3 is currently not functional in .NET
Please also see #948
@FanDjango I no longer have any information you are asking for, I am using a different FTP library that works with server that has TLS session resumption enabled.
> @FanDjango I no longer have any information you are asking for, I am using a different FTP library that works with server that has TLS session resumption enabled.
Hi zurabt-inst, Would you like to share what FTP library do you use to solve the issue? Thanks.
@Adwa0428 Hi, it's WinSCP https://winscp.net/eng/download.php You can check it on NuGet, it's not a modern library, but it does its job. Here is the documentation https://winscp.net/eng/docs/library
@zurabt-inst Thanks for your share. But I can not use WinSCP in my case. I run my C# program on Linux OS with dotnet core.
Marking this as 'cantfix' and closing as we are unable to change this behavior in .NET. Anyways OP has moved on to another library and is no longer interested in debugging further.
Hi, just make sure, can FluentFTP.GnuTLS solve this issue? Or FluentFTP.GnuTLS can connect to the latest FileZilla Server (1.7.2) ? Thanks.
Yes. Use FluentFTP.GnuTLS.