You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Bogdan Drozdowski (JIRA)" <ji...@apache.org> on 2011/06/25 19:33:47 UTC

[jira] [Commented] (NET-408) problem connecting to ProFTPD with FTPES

    [ https://issues.apache.org/jira/browse/NET-408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13054937#comment-13054937 ] 

Bogdan Drozdowski commented on NET-408:
---------------------------------------

I finally got some time to look at this. I confirm the problem exists when connecting by IP in both active and passive mode to ProFTPd 1.3.3e. I confirm the sessions are different for the control and data connections (as per .toString()) despite using one SSLContext everywhere. Disabling session creating in server sockets or disabling client mode in them doesn't help.

I looked more closely at the JSSE Reference and yes, you can reuse sessions, but the only way you can do it is by passing the same host and port to the SSLEngine creation methods. These don't need to be the actual host and port you're connecting to (luckily) - they're just a marker or connection identifier. The first bad news is that these are just a "hint", so the implementation might just as well ignore these and always create new SSL sessions. The second bad news is that you can't use an SSLEngine anywhere. You can't create contexts or sockets with it. The only thing you can do is creating your own subset of TLS implementation for your needs, just like in the example in the JSSE Reference Guide - you check message types, wrap and unwrap them etc. Just creating an SSLEngine from an SSLContext doesn't work, you have to use it.

Now better news that I've found: the PureTLS library (http://www.rtfm.com/puretls/) seems to do it in an easier way - you specify the host and port in the constructors and they're used to find sessions, so re-using sessions looks possible. The drawback is that the whole FTPSClient would have to be re-written to use this library and a new project dependency would have to be introduced, not to mention that PureTLS may not be as secure as the "original" SSL code in the JRE. There also is ftp4j, but it doesn't semm to do more that the Commons-Net FTP Client in terms of SSL.

The whole SSL stuff is so wrapped in Java that you can't access the details and you don't have full control over what's being done unless you write your own implementation.

> problem connecting to ProFTPD with FTPES
> ----------------------------------------
>
>                 Key: NET-408
>                 URL: https://issues.apache.org/jira/browse/NET-408
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 2.2, 3.0
>         Environment: ProFTPD 1.3.3d on SUSE Linux Enterprise Server 10.1 32bit, Kernel 2.6.16.46-0.12-default (config file attached)
> ProFTPD 1.3.3d on OpenSUSE 64bit Linux 2.6.34.8-0.2-desktop
> Java 1.5
>            Reporter: Michael Voigt
>         Attachments: ftpes.jpg, proftpd.conf
>
>
> I have a problem with the FTPClient connecting to a ProFTPD server.
> If the server uses the configuration option "TLSProtocol TLSv1", I
> cannot connect to it at all. I recieve the following error message:
> - javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection
> On the server side I see in the log:
> unable to accept TLS connection: protocol error:
> -  (1) error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate unknown
> - TLS/TLS-C negotiation failed on control channel
> If the server uses the configuration option "TLSProtocol SSLv23", I
> can connect to it but I cant transfer any files. In the server log I
> see:
> - starting TLS negotiation on data connection
> - TLSv1/SSLv3 renegotiation accepted, using cipher RC4-MD5 (128 bits)
> - client did not reuse SSL session, rejecting data connection (see
> TLSOption NoSessionReuseRequired)
> - unable to open data connection: TLS negotiation failed
> If I add the NoSessionReuseRequired parameter to the ProFTPD config
> everything works fine.
> Here is my code:
>                FTPClient ftpClient = new FTPClient();
>                ftpClient = new FTPSClient("TLS");
>                // this throws an exception with TLSProtocol TLSv1
>                ftpClient.connect(host, port);
>                int reply = ftpClient.getReplyCode();
>                if (!FTPReply.isPositiveCompletion(reply)) {
>                        ftpClient.disconnect();
>                        log.error("The FTP Server did not return a positive completion reply!");
>                        throw new FtpTransferException(ECCUtils.ERROR_FTP_CONNECTION);
>                }
>                boolean loginSuccessful = ftpClient.login(userName, password);
>                if (!loginSuccessful) {
>                        log.error("Login to the FTP Server failed! The credentials are not valid.");
>                        throw new FtpTransferException(ECCUtils.ERROR_FTP_LOGIN);
>                }
>                ftpClient.execPBSZ(0);
>                ftpClient.execPROT("P");
>                boolean success = ftpClient.storeFile(fileName, fis);
>                if (!success) {
>                        // this is false if "NoSessionReuseRequired" is not set
>                }
> Now my question is if it is generally possible to connect to a server
> with "TLSProtocol TLSv1" or "TLSProtocol SSLv23" without the
> "NoSessionReuseRequired" parameter? Could someone provide a piece of
> example code for this?

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira