CVE-2009-3555

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
MJ_CID
500 Command not understood
Posts: 3
Joined: 2019-01-02 11:13
First name: Marco
Last name: Johne

CVE-2009-3555

#1 Post by MJ_CID » 2019-01-02 11:25

Hi @all,

After an Update of Java (Java 8 Update 25) at one of our clients, he isn't able to transfer files to our FTPS server (v. 0.9.60) anymore.
The client is able to transfer files after we deactivate the "File transfer security" Setting "Require TLS session resumtion on data connection when using PROT P" but from our perspective this is not a good way to configure the FTPS.
Is there any fix or something else about this topic?

User avatar
botg
Site Admin
Posts: 31661
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: CVE-2009-3555

#2 Post by botg » 2019-01-02 18:06

Server-side there's nothing to be done. This issue needs to be fixed client-side.

You should also urgently update your Java version, Update 25 is antique, Java 8 is already at update 192 with tons of security fixes since then.

MJ_CID
500 Command not understood
Posts: 3
Joined: 2019-01-02 11:13
First name: Marco
Last name: Johne

Re: CVE-2009-3555

#3 Post by MJ_CID » 2019-01-03 11:23

The client is using OpenJDK 1.8.0_191 and we've got still the same issue.
I also got the information that a security leak was fixed in update 25.

One statement from our client is follow:
For the JVM to reuse an SSL session, the server must support certain criteria, including the Extended Master Secret, which is reported by the server as a capability in the ServerHello of the TLS handshake.
Seems that the FileZilla Server doesn't support this criteria and we have to allow only unsafe TLS-Session Resumption.

User avatar
botg
Site Admin
Posts: 31661
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: CVE-2009-3555

#4 Post by botg » 2019-01-03 12:53

This extension is not supported by OpenSSL 1.0.2 and as such cannot be added to FileZilla Server.

Please wait until FileZilla Server gets rewritten to use GnuTLS instead.

MJ_CID
500 Command not understood
Posts: 3
Joined: 2019-01-02 11:13
First name: Marco
Last name: Johne

Re: CVE-2009-3555

#5 Post by MJ_CID » 2019-01-03 12:56

Ok. Thanks for this information. So we will wait until this is done. :)

Post Reply