TLS Session Ticket Not Received on Server

greyreap
Posts: 4
Joined: 2021-05-27 21:37
First name: G
Last name: R

TLS Session Ticket Not Received on Server

#1 Post by greyreap » 2021-05-27 21:43

I've been working on a custom FTP server and am struggling to get session resumption working. The server uses TLS 1.3, which requires using session tickets for resumption. However, on the server, when I inspect for a session ticket being sent, none is present when using an FZ 3.54.1 client. While I could downgrade the server to use TLS 1.2 and utilize session caching, that would seem to be counter to wise security practice.

Is there something I'm missing in terms of FZ's session resumption support? I've not read anything that explicitly states session tickets are used in FZ but I've seen security advisories that would seem to imply they are. Any guidance here is appreciated.

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: TLS Session Ticket Not Received on Server

#2 Post by botg » 2021-05-31 06:56

Does your server send a session ticket at the end of the handshake on the control connection to the client?

If you set the debug log level to 4 in FileZilla, you should see a line with "Received NEW SESSION TICKET" shortly after the handshake completes.

Re: TLS Session Ticket Not Received on Server

#3 Post by greyreap » 2021-06-01 13:57

Thanks so much for that guidance. Yes, it does appear FZ is getting the initial ticket from the server. Though it seems to happen a couple of times during the handshake:

Code:

2021-06-01 09:54:17 18592 1 Status: TLS connection established, waiting for welcome message...
2021-06-01 09:54:17 18592 1 Trace: CFtpControlSocket::OnReceive()
2021-06-01 09:54:17 18592 1 Trace: tls_layer_impl::on_read()
2021-06-01 09:54:17 18592 1 Trace: CFtpControlSocket::OnReceive()
2021-06-01 09:54:17 18592 1 Trace: TLS handshake: Received NEW SESSION TICKET
2021-06-01 09:54:17 18592 1 Trace: TLS handshake: Processed NEW SESSION TICKET
2021-06-01 09:54:17 18592 1 Trace: gnutls_record_recv returned spurious EAGAIN
2021-06-01 09:54:17 18592 1 Trace: TLS handshake: Received NEW SESSION TICKET
2021-06-01 09:54:17 18592 1 Trace: TLS handshake: Processed NEW SESSION TICKET
2021-06-01 09:54:17 18592 1 Trace: gnutls_record_recv returned spurious EAGAIN
2021-06-01 09:54:17 18592 1 Trace: tls_layer_impl::on_read()
2021-06-01 09:54:17 18592 1 Trace: CFtpControlSocket::OnReceive()
2021-06-01 09:54:17 18592 1 Response: 220 Ready

Re: TLS Session Ticket Not Received on Server

#4 Post by botg » 2021-06-01 18:01

In TLS 1.3 resumption happens through the pre_shared_key extension in the client hello.

Re: TLS Session Ticket Not Received on Server

#5 Post by greyreap » 2021-06-01 18:32

That definitely clarifies things on my side. I shall take that knowledge and try to get something working. Thanks so much!

Re: TLS Session Ticket Not Received on Server

#6 Post by botg » 2021-06-02 00:43

Note that presence of the extension in the client_hello doesn't actually tell whether the session is resumed.

Which TLS library are you using? With a modern library such as GnuTLS it's as simple as checking whether gnutls_session_is_resumed returns non-zero.

Re: TLS Session Ticket Not Received on Server

#7 Post by greyreap » 2021-06-02 02:00

I'm using OpenSSL via Node. I've relied too much on Node's docs, which I'm either reading incorrectly (most likely this) or which are not jibing with the actual RFC specs. Either way, based on the info you've provided and a look at the specs, I think there is more work to do on the server implementation to get things working.

I really appreciate the info you provided, I will update if/when I find a solution within Node if for nothing but documentation purposes for future googlers.

Re: TLS Session Ticket Not Received on Server

#8 Post by botg » 2021-06-02 07:09

OpenSSL at least has SSL_session_reused. The important bit with OpenSSL is to use a separate SSL_CTX for each FTP control connection to prevent sessions from one FTP connection from contaminating the sessions of another. Such contamination would lead to data connection stealing attacks.

In addition, even if you verify that the connection is reused, you need to make sure the session actually matches the control connection; see https://filezilla-project.org/misc/ftps ... xploit.cpp for why this needs to be. I think these days, calling SSL_CTX_set_session_cache_mode with SSL_SESS_CACHE_NO_INTERNAL together with manual session caching callbacks could be an appropriate solution, though I haven't tested it.
