[PR] FTPES with TLS Session Reuse for FileZilla Server (need also BouncyCastle and a subclass). [commons-net]

Wed, 15 Jan 2025 03:35:53 -0800 


deguich opened a new pull request, #321:
URL: https://github.com/apache/commons-net/pull/321

   Connecting to ftp.example.com on the command port and then to the 
corresponding IP x.x.x.x on the data port prevents the server from accepting 
the same TLS session. Therefore, the Filezilla server needs to set peerHost 
before socket.connect to allow TLS session resumption.
   
   With this new version, FTPeS to the server with TLS session resumption works 
with this subclass :
   
   ```java
   package org.mypackage;
   
   import java.io.IOException;
   import java.net.Socket;
   import java.security.SecureRandom;
   
   import javax.net.ssl.SSLContext;
   import javax.net.ssl.TrustManager;
   
   import org.apache.commons.net.ftp.FTPSClient;
   import org.apache.commons.net.util.TrustManagerUtils;
   import org.bouncycastle.jsse.BCExtendedSSLSession;
   import org.bouncycastle.jsse.BCSSLSocket;
   import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
   
   public class FTPSClientSSLSessionReuse extends FTPSClient {
   
     public FTPSClientSSLSessionReuse (boolean isImplicit) throws Exception {
       super(isImplicit, createSSLContext());
       setEnabledProtocols(new String[] {"TLSv1.2"});
       setUseEPSVwithIPv4(true);
     }
   
     private static SSLContext createSSLContext() throws Exception {
       SSLContext context = SSLContext.getInstance("TLS", new 
BouncyCastleJsseProvider());
       context.init(
           null,
           new TrustManager[] 
{TrustManagerUtils.getValidateServerCertificateTrustManager()},
           new SecureRandom());
       return context;
     }
   
     @Override
     protected void _prepareDataSocket_(final Socket socket) throws IOException 
{
          if (_socket_ instanceof BCSSLSocket sslSocket) {
              BCExtendedSSLSession bcSession = sslSocket.getBCSession();
              if (bcSession != null && bcSession.isValid() && socket instanceof 
BCSSLSocket dataSslSocket) {
                dataSslSocket.setBCSessionToResume(bcSession); 
                // Next line could be a solution if this function was called 
before connect
                dataSslSocket.setHost(bcSession.getPeerHost());
              }
            }
     }
   }
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to