CVE-2009-3555

MJ_CID
500 Command not understood
Posts: 3
Joined: 2019-01-02 11:13
First name: Marco
Last name: Johne

CVE-2009-3555

#1 Post by MJ_CID » 2019-01-02 11:25

Hi @all,

After an update of Java (Java 8 Update 25) at one of our clients, he isn't able to transfer files to our FTPS server (v. 0.9.60) anymore.
The client is able to transfer files after we deactivate the "File transfer security" setting "Require TLS session resumption on data connection when using PROT P", but from our perspective this is not a good way to configure FTPS.
Is there any fix or something else about this topic?

botg
Site Admin
Posts: 35555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: CVE-2009-3555

#2 Post by botg » 2019-01-02 18:06

Server-side there's nothing to be done. This issue needs to be fixed client-side.

You should also urgently update your Java version; Update 25 is antique, and Java 8 is already at update 192, with tons of security fixes since then.

MJ_CID
500 Command not understood
Posts: 3
Joined: 2019-01-02 11:13
First name: Marco
Last name: Johne

Re: CVE-2009-3555

#3 Post by MJ_CID » 2019-01-03 11:23

The client is using OpenJDK 1.8.0_191 and we still have the same issue.
I also got the information that a security leak was fixed in update 25.

One statement from our client is as follows:
For the JVM to reuse an SSL session, the server must support certain criteria, including the Extended Master Secret, which is reported by the server as a capability in the ServerHello of the TLS handshake.
It seems that the FileZilla Server doesn't support this criterion and we have to allow only unsafe TLS session resumption.

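The statement quoted above hinges on whether the server's ServerHello carries the extended_master_secret extension (RFC 7627). The following is an added example written for this page, not code from FileZilla Server, OpenJDK or the poster: a small parser for a TLS 1.2 ServerHello record that reports which resumption-relevant extensions the server advertised (extended_master_secret, renegotiation_info from RFC 5746 which addressed CVE-2009-3555, and session_ticket). The two sample records are constructed in the script itself so it runs offline; in practice you would feed it the ServerHello bytes extracted from a packet capture of the control connection. Extension type codes are the IANA-registered values; everything else (function names, the sample session id and cipher suite) is assumed for the example.

```python
import struct

# Extension type codes from the IANA TLS ExtensionType registry.
EXT_EXTENDED_MASTER_SECRET = 0x0017   # RFC 7627
EXT_RENEGOTIATION_INFO = 0xFF01       # RFC 5746, the fix for CVE-2009-3555
EXT_SESSION_TICKET = 0x0023           # RFC 5077

EXT_NAMES = {
    0x0000: "server_name",
    EXT_EXTENDED_MASTER_SECRET: "extended_master_secret",
    EXT_SESSION_TICKET: "session_ticket",
    EXT_RENEGOTIATION_INFO: "renegotiation_info",
}


def build_server_hello(session_id: bytes, cipher_suite: int, extensions) -> bytes:
    """Build a TLS 1.2 ServerHello record (constructed sample data, not a real capture)."""
    body = b"\x03\x03" + bytes(32)                     # ProtocolVersion + 32-byte Random (zeros here)
    body += bytes([len(session_id)]) + session_id      # SessionID
    body += struct.pack("!H", cipher_suite) + b"\x00"  # CipherSuite, CompressionMethod = null
    if extensions:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType 2 = server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a complete ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello body")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                       # skip Random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    if len(body) < pos + 3:
        raise ValueError("truncated after SessionID")
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                           # cipher suite + compression byte
    extensions = {}
    if pos < len(body):                                # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length does not match body")
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if pos + elen > end:
                raise ValueError("truncated extension data")
            extensions[etype] = body[pos:pos + elen]; pos += elen
    return {"version": version, "session_id": session_id,
            "cipher_suite": cipher_suite, "extensions": extensions}


def supports_extended_master_secret(record: bytes) -> bool:
    """True if the server advertised RFC 7627 extended master secret in its ServerHello."""
    return EXT_EXTENDED_MASTER_SECRET in parse_server_hello(record)["extensions"]


def resumption_report(record: bytes) -> dict:
    """Summarise what the ServerHello tells a client about safe session reuse."""
    exts = parse_server_hello(record)["extensions"]
    return {
        "extended_master_secret": EXT_EXTENDED_MASTER_SECRET in exts,
        "secure_renegotiation": EXT_RENEGOTIATION_INFO in exts,
        "session_tickets": EXT_SESSION_TICKET in exts,
        "extensions": [EXT_NAMES.get(t, f"unknown(0x{t:04x})") for t in exts],
    }


# Constructed samples: identical except that only the first advertises EMS.
SAMPLE_WITH_EMS = build_server_hello(
    b"\x11" * 32, 0xC030,
    [(EXT_RENEGOTIATION_INFO, b"\x00"), (EXT_EXTENDED_MASTER_SECRET, b"")])
SAMPLE_WITHOUT_EMS = build_server_hello(
    b"\x11" * 32, 0xC030,
    [(EXT_RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, rec in (("with EMS", SAMPLE_WITH_EMS), ("without EMS", SAMPLE_WITHOUT_EMS)):
        print(name, resumption_report(rec))
```

A ServerHello that lacks extended_master_secret is the situation a client like the JVM described above refuses to resume against; the report also shows whether renegotiation_info is present, which is the separate RFC 5746 defence that CVE-2009-3555 is actually about.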
botg
Site Admin
Posts: 35555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: CVE-2009-3555

#4 Post by botg » 2019-01-03 12:53

This extension is not supported by OpenSSL 1.0.2 and as such cannot be added to FileZilla Server.

Please wait until FileZilla Server gets rewritten to use GnuTLS instead.

MJ_CID
500 Command not understood
Posts: 3
Joined: 2019-01-02 11:13
First name: Marco
Last name: Johne

Re: CVE-2009-3555

#5 Post by MJ_CID » 2019-01-03 12:56

Ok. Thanks for this information. So we will wait until this is done. :)
