FTPS : TLS session of data connection not resumed

0 votes
asked Nov 29, 2021 by lanopk (1,620 points)

Hello.
An error occurred when using FileZilla Server 1.1.0.
"TLS session of data connection not resumed"

// 'Settings' is presumably the Settings property of a Rebex.Net.Ftp instance (ftp.Settings).
Settings.SslReuseSessions = true;
Settings.ReuseControlConnectionSession = true;   // data connections resume the control connection's TLS session
Settings.ForceListHiddenFiles = ShowHiddenFiles;
Settings.ConnectPassiveLater = false;
Settings.KeepAliveDuringTransfer = true;
Settings.KeepAliveDuringTransferInterval = 30;
Settings.UseLargeBuffers = true;
Settings.SslAcceptAllCertificates = true;        // note: this disables server certificate validation
Settings.SslAllowedVersions = TlsVersion.Any | TlsVersion.SSL30 | TlsVersion.TLS13;   // note: also permits SSL 3.0
Settings.SslAllowedSuites = TlsCipherSuite.All;
Settings.SslAllowedCurves = TlsEllipticCurve.All;
Connect(FtpAddress, FtpPort, sslMode);           // Ftp.Connect(host, port, SslMode)

After setting up and connecting like this, I get an error when I get folder lists.

Please let me know what further action I should take.
The log file is long, so I'll attach it by e-mail.

Thank you.

Applies to: Rebex FTP/SSL
commented Nov 29, 2021 by renestein (4,470 points)
Hi,
thanks for the report. We are investigating the issue.

1 Answer

0 votes
answered Nov 30, 2021 by renestein (4,470 points)
selected Dec 2, 2021 by lanopk
 
Best answer

We have classified the behavior lanopk reported as a bug in FileZilla. We will most likely add a workaround in one of our next releases.

Details:
1) FTP control connection - the Rebex client sends a ClientHello with the psk_key_exchange_modes extension and advertises that it supports both psk_ke and psk_dhe_ke.
From our point of view, this behavior strictly conforms to TLS 1.3 specification.

"The semantics of this extension are that the client only supports the use of PSKs with these modes, which restricts both the use of PSKs offered in this ClientHello and those which the server might supply via NewSessionTicket."

See details here.
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.9

2) The handshake is completed, but the FileZilla server does not send NewSessionTicket.

3) The FTP data connection requires that the client uses a (New)SessionTicket from the FTP control connection, but we don't have any session tickets. The TLS handshake for the data connection is completed, but communication fails with a "TLS session of data connection not resumed" exception.

The workaround is simple: we send only the psk_dhe_ke mode in the psk_key_exchange_modes extension, and then FileZilla provides a NewSessionTicket that we can use when securing the FTP data connection.

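As an added illustration (not part of the answer above and not Rebex or FileZilla code), the following Python models the two pieces the answer describes: the wire encoding of the psk_key_exchange_modes extension (RFC 8446 section 4.2.9, extension type 45, mode values psk_ke = 0 and psk_dhe_ke = 1), so the "both modes" and "psk_dhe_ke only" ClientHello variants can be compared byte for byte, and a simplified client-side guard that refuses to open the data connection when the control connection received no NewSessionTicket. The ControlConnection class, offered_modes() and secure_data_connection() are hypothetical models written for this example, not library APIs.

```python
"""Added example: encode/parse the TLS 1.3 psk_key_exchange_modes extension
(RFC 8446 section 4.2.9) and model the client-side rule behind the
"TLS session of data connection not resumed" failure.
Not Rebex or FileZilla code; the connection classes are simplified models."""
import struct

EXT_PSK_KEY_EXCHANGE_MODES = 45   # extension type, RFC 8446 section 4.2.9
PSK_KE = 0                        # PSK-only key establishment
PSK_DHE_KE = 1                    # PSK with (EC)DHE key establishment
_MODE_NAMES = {PSK_KE: "psk_ke", PSK_DHE_KE: "psk_dhe_ke"}


def build_psk_kex_modes_extension(modes):
    """Wire encoding: uint16 type, uint16 length, then ke_modes<1..255>
    (a one-byte length prefix followed by one byte per mode)."""
    if not modes or len(modes) > 255:
        raise ValueError("ke_modes must contain 1..255 entries")
    if any(m not in _MODE_NAMES for m in modes):
        raise ValueError("unknown PskKeyExchangeMode")
    body = bytes([len(modes)]) + bytes(modes)
    return struct.pack("!HH", EXT_PSK_KEY_EXCHANGE_MODES, len(body)) + body


def parse_psk_kex_modes_extension(data):
    """Parse one extension record and return the advertised mode values."""
    if len(data) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != EXT_PSK_KEY_EXCHANGE_MODES:
        raise ValueError("not a psk_key_exchange_modes extension")
    body = data[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("truncated extension body")
    count, modes = body[0], list(body[1:])
    if count != len(modes):
        raise ValueError("ke_modes length prefix does not match contents")
    return modes


def describe_modes(modes):
    return [_MODE_NAMES.get(m, "unknown(%d)" % m) for m in modes]


def offered_modes(use_only_psk_dhe_ke):
    """Hypothetical model of the option described in the thread: advertise
    both modes (the spec-conforming default) or psk_dhe_ke only (the workaround)."""
    return [PSK_DHE_KE] if use_only_psk_dhe_ke else [PSK_KE, PSK_DHE_KE]


class ControlConnection:
    """Minimal model of the control-connection TLS state that matters here:
    the session tickets received after the handshake completed."""

    def __init__(self):
        self.tickets = []

    def on_new_session_ticket(self, ticket):
        self.tickets.append(ticket)


def secure_data_connection(control):
    """Model of the client rule from the answer: the data connection must
    resume the control connection's session, so a missing ticket is fatal."""
    if not control.tickets:
        raise RuntimeError("TLS session of data connection not resumed")
    # In a real client this ticket becomes the PSK identity in the
    # data-connection ClientHello's pre_shared_key extension.
    return control.tickets[-1]


if __name__ == "__main__":
    for workaround in (False, True):
        ext = build_psk_kex_modes_extension(offered_modes(workaround))
        print(workaround, ext.hex(), describe_modes(parse_psk_kex_modes_extension(ext)))
    ctl = ControlConnection()   # constructed state: no NewSessionTicket arrived
    try:
        secure_data_connection(ctl)
    except RuntimeError as err:
        print("data connection refused:", err)
```

Run stand-alone, the script prints the two encodings: with both modes the extension is `002d 0003 02 00 01`, with the workaround it is `002d 0002 01 01`, and the constructed control connection without a ticket triggers the same error text as in the report.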
commented Dec 14, 2021 by lanopk (1,620 points)
I understand the situation very well.
However, I am confused.
Should I ask FileZilla again with the above?
Or do I need to configure something in Rebex R6.0?
commented Dec 14, 2021 by renestein (4,470 points)
This workaround didn't make it to R6, sorry. We are still testing the workaround.
In the meantime, you may want to contact the FileZilla developer again. I think that the behavior of the FileZilla server is (at least) surprising and users of the FileZilla server will benefit from the fix.
commented Dec 16, 2021 by lanopk (1,620 points)
It seems to be a GnuTLS bug.
https://gitlab.com/gnutls/gnutls/-/issues/1303
commented Dec 16, 2021 by renestein (4,470 points)
Hi lanopk,
thanks for letting us know.
commented 6 days ago by Lukas Pokorny (128,250 points)
R6.1 has a workaround for this issue, which is enabled if FileZilla is detected. To enable it for other servers, call this before the Connect method:
Rebex.Security.Cryptography.CryptoHelper.SetOption(ftp, "UseOnlyPskDhKeMode", true); // 'ftp' is an instance of the Ftp object
...