FTP over TLS

Posted: 2019-11-28 13:35
by Schmilbilic
Hi,
I established an FTPES (Explicit TLS) connection between a FileZilla client and my FileZilla server in passive mode. The connection is made correctly and the file transfer works in both directions. When I establish this same connection from an Android smartphone application (FtpCafe and AndFTP), the connection is also made, but access to the remote directory is denied to me with the following message on the server:

150 Opening data channel for directory listing of "/"
450 TLS session of data connection is not resumed or the session does not match the control connection


I feel like I'm missing something in the application configuration for port 990 (the DATA port?) on which the FileZilla server is open in TLS mode.
Thank you for your help,

H. C.

Re: FTP over TLS

Posted: 2019-11-28 16:42
by botg
This is a client-side issue. Your mobile clients do not protect themselves against data connection stealing attacks.

Please make sure to use a client that uses session resumption on the data connection.

Re: FTP over TLS

Posted: 2019-11-28 20:58
by Schmilbilic
Thanks for your help,
Using the AndFTP application, I selected the option to enable error recovery, which is maybe the one you suggested to me.
I also tried the EPSV option with IPv4 and the Keep-Alive option on the command channel.
For these 3 tests, the result is unchanged. Below is the result of the connection.

> 230 Logged on
> FEAT
> 211-Features:
> MDTM
> REST STREAM
> SIZE
> MODE Z
> MLST type*;size*;modify*;
> MLSD
> AUTH SSL
> AUTH TLS
> PROT
> PBSZ
> UTF8
> CLNT
> MFMT
> EPSV
> EPRT
> 211 End
> CLNT AndFTP
> 200 Don't care
> PBSZ 0
> 200 PBSZ=0
> PROT P
> 200 Protection level set to P
> CWD /
> 250 CWD successful. "/" is current directory.
> FEAT
> 211-Features:
> MDTM
> REST STREAM
> SIZE
> MODE Z
> MLST type*;size*;modify*;
> MLSD
> AUTH SSL
> AUTH TLS
> PROT
> PBSZ
> UTF8
> CLNT
> MFMT
> EPSV
> EPRT
> 211 End
> EPSV
> 229 Entering Extended Passive Mode (|||20059|)
> 229 Entering Extended Passive Mode (|||20076|) (if the EPSV with IPv4 option is not selected)
> MLSD
> 150 Opening data channel for directory listing of "/"
> 450 TLS session of data connection has not resumed or the session does not match the control connection

Testing the FileZilla server with https://ftptest.net/ gives no problems, as with a FileZilla client. Below is the result of the ftptest connection:

> 230 Logged on
> SYST
> 215 UNIX emulated by FileZilla
> FEAT
> 211-Features:
> MDTM
> REST STREAM
> SIZE
> MODE Z
> MLST type*;size*;modify*;
> MLSD
> AUTH SSL
> AUTH TLS
> PROT
> PBSZ
> UTF8
> CLNT
> MFMT
> EPSV
> EPRT
> 211 End
> PBSZ 0
> 200 PBSZ=0 (Don't care with AndFTP)
> PROT P
> 200 Protection level set to P
> PWD
> 257 "/" is current directory.
> TYPE I
> 200 Type set to I
> PASV
> 227 Entering Passive Mode (91,163,156,105,78,56)
> TLS connection for data connection established
> MLSD
> 150 Opening data channel for directory listing of "/"
> 226 Successfully transferred "/"
> disconnected.


I do not know if this can help with a diagnosis.
Please help.
Thanks

H. C.

Re: FTP over TLS

Posted: 2019-11-28 21:03
by botg
botg wrote (2019-11-28 16:42):
> This is a client-side issue. Your mobile clients do not protect themselves against data connection stealing attacks.
>
> Please make sure to use a client that uses session resumption on the data connection.

I can only repeat myself on this one.

Re: FTP over TLS

Posted: 2019-11-29 01:53
by boco
Clients not supporting TLS session resumption will not work with FileZilla Server. While the protection can be disabled in the FileZilla Server settings (TLS page), it is generally NOT recommended, as it lowers overall security.

Re: FTP over TLS

Posted: 2019-11-29 09:23
by Schmilbilic
Hello,
From my AndFTP mobile application I made a connection with my FileZilla server in Explicit FTP over TLS mode, but with the following option unchecked in the server settings:
"Require TLS session resuming on data connection when using PROT P"
Access and transfer of files work fine.
But by doing that, is my connection less secure? I don't understand exactly the effect of this option.
I also disabled the server listening on port 990 (used only for implicit connections, I presume?)
Thanks,
H. C.

Re: FTP over TLS

Posted: 2019-11-29 10:39
by botg
If you disable this option the server becomes vulnerable to connection stealing attacks. You should not uncheck this option.
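As an added illustration (not code from FileZilla Server or from anyone in this thread), the Go program below stands up a loopback TLS server that applies the rule this option enforces: a data connection whose TLS handshake did not resume the control connection's session is answered with the 450 reply quoted above instead of a 150. It checks only that a session was resumed, not which one; the self-signed certificate, the loopback addresses and the two-connection sequence are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// DataChannelReply mirrors the server check in the thread: an unresumed data-connection TLS session cannot be tied to the control connection.
func DataChannelReply(cs tls.ConnectionState) string {
	if !cs.DidResume {
		return "450 TLS session of data connection is not resumed or the session does not match the control connection"
	}
	return "150 Opening data channel"
}

// Simulate dials a "control" and then a "data" connection to a loopback TLS server and returns the reply
// for the data connection; a non-nil cache resumes the control session on it (compliant client), nil does not.
func Simulate(cache tls.ClientSessionCache) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway self-signed cert (constructed, never verified)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { panic(err) }
	defer ln.Close()
	replies := make(chan string, 2)
	go func() { // server side: handshake each incoming connection and decide its reply
		for i := 0; i < 2; i++ {
			c, err := ln.Accept()
			if err != nil { panic(err) }
			tc := c.(*tls.Conn)
			tc.Handshake() // on failure DidResume stays false, so the reply below is 450
			replies <- DataChannelReply(tc.ConnectionState())
			tc.Close()
		}
	}()
	cli := &tls.Config{InsecureSkipVerify: true, ClientSessionCache: cache} // test only: our own cert
	for i := 0; i < 2; i++ {
		c, err := tls.Dial("tcp", ln.Addr().String(), cli)
		if err != nil { panic(err) }
		c.Read(make([]byte, 1)) // lets the client store the post-handshake NewSessionTicket (TLS 1.3)
		c.Close()
	}
	<-replies // control connection: always a full handshake
	return <-replies
}
```

Running Simulate with tls.NewLRUClientSessionCache(1) yields the 150 reply, while Simulate(nil) reproduces the 450 the phone apps receive.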