0 votes
by (2.0k points)

Hello.
An error occurred when using FileZiller Server 1.1.0.
"TLS session of data connection not resumed"

Settings.SslReuseSessions = true;
Settings.ReuseControlConnectionSession = true;
Settings.ForceListHiddenFiles = ShowHiddenFiles;
Settings.ConnectPassiveLater = false;
Settings.KeepAliveDuringTransfer = true;
Settings.KeepAliveDuringTransferInterval = 30;
Settings.UseLargeBuffers = true;
Settings.SslAcceptAllCertificates = true;
Settings.SslAllowedVersions = TlsVersion.Any | TlsVersion.SSL30 | TlsVersion.TLS13;
Settings.SslAllowedSuites = TlsCipherSuite.All;
Settings.SslAllowedCurves = TlsEllipticCurve.All;
Connect(FtpAddress, FtpPort, sslMode);

After setting up and connecting like this, I get an error when I get folder lists.

Please let me know what further action I should take.
The log file is long, so I'll attach it by e-mail.

Thank you.

Applies to: Rebex FTP/SSL
by (5.3k points)
Hi,
thanks for the report. We are investigating the issue.

1 Answer

0 votes
by (5.3k points)
selected by
 
Best answer

The behavior lanopk reported we have classified as a bug in FileZilla behavior. We most likely add a workaround in one of our next releases.

Details:
1) FTP control connection - Rebex client sends ClientHello with pskkeyexchangemodes extension and advertises that supports both pskke, pskdheke.
From our point of view, this behavior strictly conforms to TLS 1.3 specification.

" The semantics of this extension are that the client only supports the use of PSKs with these modes, which restricts both the use of PSKs offered in this ClientHello and those which the server might supply via NewSessionTicket.“

See details here.
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.9

2) The handshake is completed, but the FileZilla server does not send NewSessionTicket.

3) FTP data connection requires that the client uses (New)SessionTicket from the FTP control connection. But we don't have any session tickets. TLS handshake for data connection is completed, but communication fails with ". "TLS session of data connection not resumed" exception.

The workaround is simple - we are sending psk_dhe_ke mode only in the psk_key_exchange_modes extension and then FileZilla provides NewSessionTicket that we can use when securing FTP data connection.

by (2.0k points)
I understand the situation very well.
However, I am confused.
Should I ask FileZilla again with the above?
Or do I need to configure something in Rebex R6.0?
by (5.3k points)
This workaround didn't make it to R6, sorry. We are still testing the workaround.
In the meantime, you may want to contact the FileZilla developer again. I think that the behavior of the FileZilla server is (at least) surprising and users of the FileZilla server will benefit from the fix.
by (2.0k points)
by (5.3k points)
Hi lanopk,
thanks for letting us  know.
by (148k points)
R6.1 has a workaround for this issue, which is enabled if FileZilla is detected. To enable it for other servers, call this before the Connect method:
    Rebex.Security.Cryptography.CryptoHelper.SetOption(ftp, "UseOnlyPskDhKeMode", true); // 'ftp' is an instance of Ftp object
...