 

SSL Session reuse in Apache FTPS client in JDK 8u161 [duplicate]

Using Apache Commons-Net's FTPSClient to connect to a modern FTP/S server does not work. The reason is that they require SSL session reuse, i.e. the SSL session from the control connection needs to be re-used for the data connection.

This can usually be deactivated in the server, but that is

  • insecure
  • not always an option (since the server might not be under your control)

The correct solution would be to make the client actually re-use sessions. There is an open bug for Commons-Net but it does not look like that is going to be resolved any time soon.

Also, there is a "reflection hack" that was created by the authors of Cyberduck (an FTP client application) which is described in their bugtracker and, more in-depth, in a blog post. There is also a related post on StackOverflow describing this solution. They use reflection to access the internal cache of the JDK's SSLSessionContext and inject a new entry.

This hack worked fine until JDK 8u161 and 9.0.4 (?) where some changes to SSL were introduced that are described in the changelog. Apparently, some implementation details have changed causing the hack to not work any more.

As far as I can tell, there are the following options now:

  • Stay on JDK 8u152 until someone finds a solution, apache-commons-net gets patched, or the JDK changes get rolled back (not really an option, because that would cut off production systems from security updates)
  • Use a different FTPS client (the only alternative I could find is proprietary and quite expensive)
  • Try to reverse engineer the changes to the SSLSessionContext implementation to find a new workaround. Not only does this seem like a non-trivial task, but a solution would likely be hacky again and is thus likely to break again at any time.
  • Do not use FTP/S any more

Can anyone suggest how to proceed here?


Related links:

  • http://mail.openjdk.java.net/pipermail/security-dev/2016-December/015254.html
  • https://bugs.openjdk.java.net/browse/JDK-8170813
  • https://issues.apache.org/jira/browse/NET-426
David asked Mar 13 '18 13:03




1 Answer

A possible solution is described here.

Essentially, it reverts the behavior that changed in JDK 8u161 to the way this worked before. You need to set the system property

jdk.tls.useExtendedMasterSecret

to false to do that.

There are two ways:

  • Call System.setProperty("jdk.tls.useExtendedMasterSecret", "false"); before initiating the FTP/S connection
  • Pass the property to your java process with java -Djdk.tls.useExtendedMasterSecret=false [...]

Keep in mind that this solution disables a security enhancement JVM-wide - proceed with caution.

David answered Oct 17 '22 18:10
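Putting the answer together with the Cyberduck-style reflection approach the question refers to, as an added example (not code from this page, from Commons-Net or from Cyberduck): an FTPSClient subclass that sets the property before any TLS handshake and seeds the JSSE session cache so the data connection can resume the control connection's session. It assumes Commons-Net 3.x and the SunJSSE internals of JDK 8; the `sessionHostPortCache` field and its `put` method are implementation details, not public API, and the property is set in a static initialiser because it is read once when SunJSSE initialises.

```java
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.Socket;
import java.util.Locale;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import org.apache.commons.net.ftp.FTPSClient;

/** FTPSClient that seeds the JSSE session cache so data connections resume the control session. */
public class SessionReuseFTPSClient extends FTPSClient {

    static {
        // Read once when SunJSSE initialises: must be set before the first TLS handshake in this JVM.
        // This disables the extended master secret JVM-wide, as the answer above notes.
        System.setProperty("jdk.tls.useExtendedMasterSecret", "false");
    }

    public SessionReuseFTPSClient() {
        super(false); // explicit FTPS: AUTH TLS on the plain control connection
    }

    @Override
    protected void _prepareDataSocket_(Socket socket) throws IOException {
        if (!(_socket_ instanceof SSLSocket)) {
            return; // control connection is not yet protected; nothing to resume
        }
        SSLSession session = ((SSLSocket) _socket_).getSession();
        if (!session.isValid()) {
            return;
        }
        SSLSessionContext ctx = session.getSessionContext();
        try {
            // Assumed SunJSSE (JDK 8) internals: the host:port -> session cache used for resumption.
            Field f = ctx.getClass().getDeclaredField("sessionHostPortCache");
            f.setAccessible(true);
            Object cache = f.get(ctx);
            Method put = cache.getClass().getDeclaredMethod("put", Object.class, Object.class);
            put.setAccessible(true);
            String port = String.valueOf(socket.getPort());
            // Register the control session under both the name and the address the data socket uses.
            put.invoke(cache, (socket.getInetAddress().getHostName() + ":" + port).toLowerCase(Locale.ROOT), session);
            put.invoke(cache, (socket.getInetAddress().getHostAddress() + ":" + port).toLowerCase(Locale.ROOT), session);
        } catch (ReflectiveOperationException e) {
            throw new IOException("Cannot seed TLS session cache for the data connection", e);
        }
    }
}
```

Use it like a plain FTPSClient (connect, login, execPBSZ(0), execPROT("P"), then list or transfer); the first data-channel command is the one that fails against a server enforcing session reuse, so that is where to verify the change took effect.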