TLS/SSL session resume on FTP transfer connection with OpenSSL

Question

I'm open source developer implementing FTP client (WinSCP).

I'm trying to resume TLS/SSL session from the FTP control socket on the transfer socket. Some FTP servers started to require this.

E.g. vsftpd:
https://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html

I'm using OpenSSL to implement SSL layer.

I've tried the obvious way to implement the session resume, i.e. to use SSL_get1_session and SSL_set_session, like here:
https://www.linuxjournal.com/article/5487

Though it does not work. I'm still not able to connect to any FTP server requiring TLS session resume (like the vsftpd).

I have suspicion that the problem may be due to in my case, there are two parallel TLS connections, which cannot share the same TLS session. Which is different to the example on linuxjournal.com, where the first connection is closed before the other is opened.

I have also tried several ways to clone the session, e.g. using i2d_SSL_SESSION/d2i_SSL_SESSION. Didn't help either.

I'm really stuck here.

Thanks in advance for any help.

Martin Prikryl · Accepted Answer · 2021-09-08 08:21:43Z

7

Using the SSL_get1_session and the SSL_set_session worked in the end. I must have used them incorrectly when trying the first time.

Once the TLS/SSL session on the control connection is established, use SSL_get1_session to retrieve the session.
- I specifically do it from a callback set by the SSL_set_info_callback, when where & SSL_ST_CONNECT.
- But for TLS 1.3 (SSL_version >= TLS1_3_VERSION), I had to use SSL_CTX_set_session_cache_mode with SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE | SSL_SESS_CACHE_NO_AUTO_CLEAR, and use a callback set by SSL_CTX_sess_set_new_cb.
Call the SSL_set_session with the reference to the control connection session, when setting up TLS/SSL session for the data connection.

edited Sep 8, 2021 at 8:21

answered Sep 8, 2015 at 10:51

Martin Prikryl

198k62 gold badges528 silver badges1.1k bronze badges

Thank you for sharing this. I'm also developing an FTP client with OpenSSL and this whole thing caused me some head scratching.
– Anachronism
Commented Jun 16, 2023 at 9:34

Add a comment |

caf · Accepted Answer · 2011-10-28 00:59:13Z

2

You must specifically enable client session caching on your SSL_CTX object with:

SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);

You may also need to increase the default session cache timeout (the default is 300 seconds), using SSL_CTX_set_timeout().

(You must also be creating your SSL objects from the same SSL_CTX object).

answered Oct 28, 2011 at 0:59

caf

237k41 gold badges330 silver badges472 bronze badges

Add a comment |

Collectives™ on Stack Overflow

TLS/SSL session resume on FTP transfer connection with OpenSSL

2 Answers 2

Not the answer you're looking for? Browse other questions tagged
session
ssl
ftp
openssl
resume
or ask your own question.

Linked

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Not the answer you're looking for? Browse other questions tagged sessionsslftpopensslresume or ask your own question.

Linked

Related

Not the answer you're looking for? Browse other questions tagged
session
ssl
ftp
openssl
resume
or ask your own question.