TLS session cache access (for FTP clients with data connection session reuse)
Xuelei Fan
xuelei.fan at oracle.com
Tue Dec 6 17:56:15 UTC 2016
Hi Bernd,
Thanks for the enhancement request.
I filed a new Request For Enhancement (RFE) so that we can track the issue:
https://bugs.openjdk.java.net/browse/JDK-8170813
Regards,
Xuelei
On 12/5/2016 11:58 AM, Bernd Eckenfels wrote:
> With FTP/TLS there is a risk that data connections are guessed by
> attackers and there is no binding of the login credentials on the
> control connection and the data connection.
>
> Some FTP servers implement protection about this by requiring the data
> connection to resume the cached TLS session from the control connection.
>
> For example vsftpd 2.1.0 introduced the `require_ssl_reuse` option for
> this:
> http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
>
> There is now a problem for Java implementations:
>
> if you implement a FTP client (like Apache Commons Net is doing) with
> SSLSocket (JSSE) you have no control over session re-use.
>
> In fact the JSSE internal session context cache is keyed by the
> destination address and port. The initial control connection is stored
> under ftp.vendor.com:20 but the additional data connections to random
> ports like ftp.vendor.com:12345 (or ip:port) will not re-use this cache
> entry.
>
> There have been some discussions in 2010 and Apache Commons Net
> implemented a hook method which can be used by application code to do
> some nasty setup. Cyberduck the FTP client for example uses
> reflection to poke into JSSE internals to provide the same
> session cache key:
>
> https://trac.cyberduck.io/ticket/5087
> https://trac.cyberduck.io/changeset/10760
>
> And there is no good solution in Commons Net either:
>
> https://issues.apache.org/jira/browse/NET-408
> https://issues.apache.org/jira/browse/NET-426
>
> (and a lot of discussions around vsftpd, filezilla, proftpd with Java
> all over stack exchange)
>
> Here I found a good writeup describing the reflection workaround (and
> the different versions needed):
>
> http://eng.wealthfront.com/2016/06/10/connecting-to-an-ftps-server-with-ssl-session-reuse-in-java-7-and-8/
>
> I do wonder is it planned to offer a standard interface to get some
> more control? Has this been discussed here?
>
> The SSLContext provides
> getClientSessionContext() which talks about "Returns the client session
> context, which represents the set of SSL sessions available for use
> during the handshake phase of client-side SSL sockets." but does not
> make it clear that it uses some strict destination-port filtering. Also
> SSLSessionContext does not allow to add or modify a session or the
> cache key.
>
> Gruss
> Bernd
>
More information about the security-dev
mailing list