[ 
https://issues.apache.org/jira/browse/NET-408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17152035#comment-17152035
 ] 

Erick Lichtas commented on NET-408:
-----------------------------------

[~jtoivonoja] - This case went quiet for a long time and my patch, which was 
still in the works at the time, has since been finalized and has been in use 
for a few years now. I've updated the attached set of libs.  

The biggest problem is that the data connection is on a separate port from the 
control connection. So when Java looks up the TLS session for the FTP data 
connection on port 30000 (as an example), it doesn't find one; the control 
connection, where the session was originally created, is on port 21. The patch I've 
attached will instruct the SSLEngine being created to use the original control 
channel host and port. This doesn't impact the socket connection itself, but 
will instruct the JVM to use an existing SSL session if it exists.  

I've added a newer zip file 'FTPSClientWithTLSResumption' with an 
org.apache.commons.net.io.ext package.  Copy that package into your project and 
add the following code block to the appropriate location in the execPROT method 
of the FTPSClient.java class.


{code:java}
// Added to execProt command of the FTPSClient.java

if (useTlsResumption) {
    ChannelSslSocketFactory sslSocketFactory = new ChannelSslSocketFactory(context);
    sslSocketFactory.setControlHost(tlsResumptionAddress.getAddress().getHostAddress());
    sslSocketFactory.setControlPort(tlsResumptionAddress.getPort());
    setSocketFactory(sslSocketFactory);

    ChannelSslServerSocketFactory sslServerSocketFactory = new ChannelSslServerSocketFactory(context);
    sslServerSocketFactory.setControlHost(tlsResumptionAddress.getAddress().getHostAddress());
    sslServerSocketFactory.setControlPort(tlsResumptionAddress.getPort());
    setServerSocketFactory(sslServerSocketFactory);
}
else {
    setSocketFactory(new FTPSSocketFactory(context, _socketFactory_));
    setServerSocketFactory(new FTPSServerSocketFactory(context));
}
{code}

> problem connecting to ProFTPD with FTPES
> ----------------------------------------
>
>                 Key: NET-408
>                 URL: https://issues.apache.org/jira/browse/NET-408
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 2.2, 3.0
>         Environment: ProFTPD 1.3.3d on SUSE Linux Enterprise Server 10.1 
> 32bit, Kernel 2.6.16.46-0.12-default (config file attached)
> ProFTPD 1.3.3d on OpenSUSE 64bit Linux 2.6.34.8-0.2-desktop
> Java 1.5
>            Reporter: Michael Voigt
>            Priority: Major
>         Attachments: BCFTPSClient.java, FTPSClientWithTLSResumption.zip, 
> PTFTPSClient.java, ftpes.jpg, proftpd.conf
>
>
> I have a problem with the FTPClient connecting to a ProFTPD server.
> If the server uses the configuration option "TLSProtocol TLSv1", I
> cannot connect to it at all. I receive the following error message:
> - javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection
> On the server side I see in the log:
> unable to accept TLS connection: protocol error:
> -  (1) error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate unknown
> - TLS/TLS-C negotiation failed on control channel
> If the server uses the configuration option "TLSProtocol SSLv23", I
> can connect to it but I can't transfer any files. In the server log I
> see:
> - starting TLS negotiation on data connection
> - TLSv1/SSLv3 renegotiation accepted, using cipher RC4-MD5 (128 bits)
> - client did not reuse SSL session, rejecting data connection (see
> TLSOption NoSessionReuseRequired)
> - unable to open data connection: TLS negotiation failed
> If I add the NoSessionReuseRequired parameter to the ProFTPD config
> everything works fine.
> Here is my code:
>     FTPClient ftpClient = new FTPClient();
>     ftpClient = new FTPSClient("TLS");
>     // this throws an exception with TLSProtocol TLSv1
>     ftpClient.connect(host, port);
>     int reply = ftpClient.getReplyCode();
>     if (!FTPReply.isPositiveCompletion(reply)) {
>         ftpClient.disconnect();
>         log.error("The FTP Server did not return a positive completion reply!");
>         throw new FtpTransferException(ECCUtils.ERROR_FTP_CONNECTION);
>     }
>     boolean loginSuccessful = ftpClient.login(userName, password);
>     if (!loginSuccessful) {
>         log.error("Login to the FTP Server failed! The credentials are not valid.");
>         throw new FtpTransferException(ECCUtils.ERROR_FTP_LOGIN);
>     }
>     ftpClient.execPBSZ(0);
>     ftpClient.execPROT("P");
>     boolean success = ftpClient.storeFile(fileName, fis);
>     if (!success) {
>         // this is false if "NoSessionReuseRequired" is not set
>     }
> Now my question is if it is generally possible to connect to a server
> with "TLSProtocol TLSv1" or "TLSProtocol SSLv23" without the
> "NoSessionReuseRequired" parameter? Could someone provide a piece of
> example code for this?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
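The comment above relies on one JSSE behaviour: the client session cache is keyed by the host and port the SSLSocket is told it is talking to, so a data connection layered with the control channel's host:port will offer, and resume, the control session. The following stand-alone program is an added illustration of that mechanism; it is not code from the attached zip or from Commons Net. The class and method names (TlsSessionReuseDemo, ControlChannelSslSocketFactory) are invented for the example, it expects a self-signed keystore created beforehand with keytool as shown in the comment, and it pins both sides to TLS 1.2 so that equal session IDs can be used as the resumption check (TLS 1.3 resumes via tickets, where IDs are not a reliable indicator). It stands in for the FTPS server with one SSLContext listening on two ports, the way ProFTPD shares its session cache between the control and data listeners.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.*;

public class TlsSessionReuseDemo {

    /** Hypothetical factory: each socket is a plain TCP connection to the requested data endpoint,
     *  but JSSE is told the peer is controlHost:controlPort, which is the client session cache key. */
    static final class ControlChannelSslSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String controlHost;
        private final int controlPort;

        ControlChannelSslSocketFactory(SSLContext ctx, String controlHost, int controlPort) {
            this.delegate = ctx.getSocketFactory();
            this.controlHost = controlHost;
            this.controlPort = controlPort;
        }

        /** Layer TLS over a connected socket; the caller's host/port are ignored for the session key. */
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return delegate.createSocket(s, controlHost, controlPort, autoClose);
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return createSocket(new Socket(host, port), host, port, true);
        }
        @Override public Socket createSocket(String host, int port, InetAddress la, int lp) throws IOException {
            return createSocket(new Socket(host, port, la, lp), host, port, true);
        }
        @Override public Socket createSocket(InetAddress addr, int port) throws IOException {
            return createSocket(new Socket(addr, port), addr.getHostAddress(), port, true);
        }
        @Override public Socket createSocket(InetAddress addr, int port, InetAddress la, int lp) throws IOException {
            return createSocket(new Socket(addr, port, la, lp), addr.getHostAddress(), port, true);
        }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    }

    /** Accept loop for one listening port: finish the handshake, send one byte, close. Daemon thread. */
    static void serve(SSLServerSocket ss) {
        Thread t = new Thread(() -> {
            try {
                while (true) {
                    try (SSLSocket s = (SSLSocket) ss.accept()) {
                        s.startHandshake();
                        s.getOutputStream().write('k');
                    }
                }
            } catch (IOException ignored) { /* listener closed at exit */ }
        });
        t.setDaemon(true);
        t.start();
    }

    /** Client side: handshake, wait for the server's byte so its cache entry exists, return the session ID. */
    static byte[] handshakeAndGetId(Socket raw) throws IOException {
        try (SSLSocket s = (SSLSocket) raw) {
            s.startHandshake();
            s.getInputStream().read();
            return s.getSession().getId();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed keystore, created with:
        // keytool -genkeypair -alias demo -keyalg RSA -dname CN=localhost -keystore demo.p12 -storetype PKCS12 -storepass changeit
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("demo.p12")) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // the client trusts the self-signed demo certificate

        SSLContext serverCtx = SSLContext.getInstance("TLSv1.2");
        serverCtx.init(kmf.getKeyManagers(), null, null);
        SSLContext clientCtx = SSLContext.getInstance("TLSv1.2");
        clientCtx.init(null, tmf.getTrustManagers(), null);

        // One server context on two ports: the "control" listener and a "passive data" listener.
        SSLServerSocket control = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        SSLServerSocket data = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        serve(control);
        serve(data);
        String host = "localhost";
        int controlPort = control.getLocalPort();
        int dataPort = data.getLocalPort();

        // Control connection: full handshake, session cached under localhost:controlPort.
        byte[] controlId = handshakeAndGetId(clientCtx.getSocketFactory().createSocket(host, controlPort));

        // Data connection identified to JSSE as localhost:controlPort: the cached session is offered and resumed.
        SSLSocketFactory reuse = new ControlChannelSslSocketFactory(clientCtx, host, controlPort);
        byte[] reusedId = handshakeAndGetId(reuse.createSocket(host, dataPort));

        // Same data port, identified by its own host:port: no cache hit, a fresh session is negotiated.
        byte[] freshId = handshakeAndGetId(clientCtx.getSocketFactory().createSocket(host, dataPort));

        System.out.println("control/data session IDs equal (resumed): " + Arrays.equals(controlId, reusedId));
        System.out.println("control/fresh session IDs equal:          " + Arrays.equals(controlId, freshId));
    }
}
```

Run it with the demo.p12 keystore in the working directory (`javac TlsSessionReuseDemo.java && java TlsSessionReuseDemo`); the data connection layered with the control host:port reports the control session ID, the one layered with its own host:port does not, which is exactly the distinction ProFTPD enforces without NoSessionReuseRequired. Two caveats for production use: the factory above wraps an already-connected socket, whereas Commons Net's passive-mode path creates an unconnected socket and connects it afterwards, which is the wiring the attached package takes care of; and if endpoint identification is enabled, the certificate is checked against the control hostname, so the data connection's TLS identity is deliberately bound to the control host and must really reach the same server.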
