425 Unable to build data connection: TLS session of data connection not resumed

[aravindagowda]

I have recently upgraded the Filezilla server to 1.7.1 with minimum allowed TLS to v1.2, Post the upgrade and TLS version set. The user is able to login to the server but the Client-facing issue listing directories, downloading or uploading to directories.

Connections and directory listing work with Fizilla client from the same source, Issue only when using the homegrown application.

Tried using TLSv1.2 and TLSv1.3 (as FileZille is using TLSv1.3), it still throws the error when do listFiles(): “425 Error while transferring data: PROT C is not allowed when the control connection is secure. Use PROT P.”
And then added line ftp.execPROT("P"); in the code. Then, it throws the error message “425 Unable to build data connection: TLS session of data connection not resumed.” when doing listFiles().

Client using homegrown Java application snippet of the code used.


FTPSClient ftp = new FTPSClient("TLSv1.3");

ftp.connect(ftpProperties.getFtpHost(), ftpProperties.getFtpPort());
ftp.enterLocalPassiveMode();
int reply = ftp.getReplyCode();
if (!FTPReply.isPositiveCompletion(reply)) {
ftp.disconnect();
throw new IOException("Exception in connecting to FTP Server");
}

ftp.execPROT("P");

ftp.login(ftpProperties.getFtpUsername(), ftpProperties.getFtpPassword());
LOGGER.info("Connected to FTP location");

FileOutputStream fos;
LOGGER.info("Downloading files for " + today);

ftp.changeWorkingDirectory(ftpProperties.getFtpDirectory());
FTPFile[] files = ftp.listFiles();

FTPFile[] files = ftp.listFiles(); : Error at this line “425 Unable to build data connection: TLS session of data connection not resumed.”

[botg]

TLS session resumption on the data connection is an important security mechanism, it prevents theft of the data connection.

I don't know anything about Java, all I can give you is a link to the TLS specifications on session resumption: https://datatracker.ietf.org/doc/html/r ... ection-2.2

If you're not hell-bent on using Java for the client, may I recommend using C++? Using libfilezilla TLS session resumption is trivially easy.

[oibaf]

I come from a place of utter ignorance about java sockets, but maybe the SSLSocket.setEnableSessionCreation(boolean) method is the one that you need to look into?

Here's the documentation: https://docs.oracle.com/en/java/javase/ ... n(boolean)

By invoking it with a "false" argument, you'll force the socket to reuse an existing session. The default is to not force that.

[aravindagowda]

Thanks for the suggestion, After i tried SSLSocket.setEnableSessionCreation(False) , We started reciving different error as below.

Javax.net.ssl.SSLHandshakeException: No new session is allowed and no existing sessions can be resumed.

[aravindagowda]

any suggestions ?

[oibaf]

Again, ignorant about Java in connection with TLS and session resumptions, but googling for that error gave this: https://stackoverflow.com/a/10610187/566849

Looking deeper, it also appears (but I might be wrong) that the idiomatic use of the API doesn't allow to reuse the session across connections to different ports of the same server - which is what you need to be able to connect with FileZilla Server, but there seems to be a workaround with the Oracle Java implementation: https://github.com/bcgit/bc-java/issues ... -467471728

You might want to investigate starting from there.

[botg]

Be very mindful though to not resume the data connection for one FTP connection with the session from a different unrelated FTP connection, or worse yet, an injected session. See viewtopic.php?p=137191#p137191 why that would be a bad idea. Note that the issue mentioned in the article affects clients just the same as it does servers.

[aravindagowda]

Thanks for the suggetion, Now we are stuck at session not resumed error post switch to FTP over TLS . There is no working script in JAVA or python for FTP connection over TLS.

[oibaf]

I am not sure what you mean by "Now we are stuck at session not resumed error post switch to FTP over TLS": "session not resumed" is an error that the server returns only in the case of creating a data connection for an already established control connection over a secure (TLS) channel.

In other words, when you want to transfer a file or read the content of a directory and must thus open a data socket, if the control connection is secure (TLS), then both the following conditions must be met:

• the data connection must be secure too (TLS);
• the data connection must share the TLS session with the control connection to which it pertains

[karand85]

Thanks for the suggetion, Now we are stuck at session not resumed error post switch to FTP over TLS . There is no working script in JAVA or python for FTP connection over TLS.

Hello Aravinda, did you get anything working at java side ?
we are also stuck at the same error when we upgraded filezilla server to latest and using Explicit FTP over TLS