Resolving TLS Session Reuse Issue for FTPS Data Connection
When establishing an FTPS connection, it is crucial for the data connection to reuse the TLS session established for the control connection. This ensures that the server verifies the identity of the client for both connections. However, some FTP(S) servers, including FileZilla, enforce this requirement.
The Apache Commons Net library, utilized by many Java FTPS clients, lacks this session reuse feature. To overcome this limitation, it is recommended to inspect the implementation of the Cyberduck FTP(S) client, which supports TLS/SSL session reuse.
In particular, focus on the prepareDataSocket method in FTPClient.java. This method allows for the reuse of the TLS/SSL session from the control connection for the data connection.
Here's a sample prepareDataSocket method:
@Override
protected void _prepareDataSocket_(final Socket socket) {
if (preferences.getBoolean("ftp.tls.session.requirereuse")) {
if (socket instanceof SSLSocket) {
// Control socket is SSL
final SSLSession session = ((SSLSocket) _socket_).getSession();
if (session.isValid()) {
final SSLSessionContext context = session.getSessionContext();
context.setSessionCacheSize(preferences.getInteger("ftp.ssl.session.cache.size"));
try {
final Field sessionHostPortCache = context.getClass().getDeclaredField("sessionHostPortCache");
sessionHostPortCache.setAccessible(true);
final Object cache = sessionHostPortCache.get(context);
final Method putMethod = cache.getClass().getDeclaredMethod("put", Object.class, Object.class);
putMethod.setAccessible(true);
Method getHostMethod;
try {
getHostMethod = socket.getClass().getMethod("getPeerHost");
} catch (NoSuchMethodException e) {
// Running in IKVM
getHostMethod = socket.getClass().getDeclaredMethod("getHost");
}
getHostMethod.setAccessible(true);
Object peerHost = getHostMethod.invoke(socket);
putMethod.invoke(cache, String.format("%s:%s", peerHost, socket.getPort()).toLowerCase(Locale.ROOT), session);
} catch (NoSuchFieldException e) {
// Not running in expected JRE
log.warn("No field sessionHostPortCache in SSLSessionContext", e);
} catch (Exception e) {
// Not running in expected JRE
log.warn(e.getMessage());
}
} else {
log.warn(String.format("SSL session %s for socket %s is not rejoinable", session, socket));
}
}
}
}This method ensures that the TLS/SSL session from the control connection is reused for the data connection.
Additional Considerations:
In Java 8u161 and later, you may encounter conflicts with the extended master secret extension support. To alleviate this, disable this extension by setting the jdk.tls.useExtendedMasterSecret system property to false.
If you continue to experience issues, refer to the Jira ticket NET-408 for an alternative implementation and other pertinent information.
By implementing these steps and leveraging the Cyberduck FTP(S) client implementation, you can establish FTPS connections with TLS session reuse, meeting the requirements of your client's FTPS server.
The above is the detailed content of How to Resolve TLS Session Reuse Issues in Java FTPS Clients?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
