On 2017-11-09 18:54:42 [+0100], Mats Erik Andersson wrote:
> than a few kilobytes. Netkit-ftp-ssl achieves this by
> use of the function SSL_copy_session_id(). This presumably
> is a legacy function from the time of SSLeay.

I can't find this in SSL_copy_session_id() in the source in 0.17.34+0.2-4.
What could I do wrong?

> With the advent of libssl1.1 the behaviour of SSL_copy_session_id()
> has changed without any mention in the published changelog as far
> as I have been able to determine. In effect, SSL_copy_session_id()
> is able to arrange reuse of the session identity exactly once --
> I repeat to make the point -- exactly ONCE, where libssl1.0 is
> able to continually renew the identity for the entire session.
> Thus libssl1.1 prevents transmission of files in excess of 3 kB!

There is openssl s_client & s_server which perform SSL session reusage.

> The best setup to observe this new behaviour is to use Proftpd
> at the server end. It offers a setting to handle misconfigured
> or crippled FTP clients:
>
> # etc/proftpd.conf
>
> TLSOptions NoSessionReuseRequired
>
> Without this option, a client using netkit-ftp-ssl with libssl1.1
> sees a cancelled connection at the time the third package is sent
> in a single session, whereas libssl1.0 continues to go on shipping
> however many packages remain to cover the requested file's entire
> contents.

So I installed proftpd-basic 1.3.5d-1, enabled TLS:

|$ cat /etc/proftpd/tls.conf |grep -v ^#
|
|<IfModule mod_tls.c>
|TLSEngine on
|TLSLog /var/log/proftpd/tls.log
|TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
|TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
|</IfModule>

and I tried to test session-reuse via

	openssl s_client -starttls ftp -connect localhost:21 -reconnect

and the result was that "Session-ID" and "Master-Key" were different on each
connection. Ideally (if it works) they would be the same. What do I miss?

> M E Andersson, maintainer of netkit-ftp-ssl

Sebastian
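The check Sebastian describes, comparing the "Session-ID" across the connections that `openssl s_client -reconnect` makes, is easy to get wrong by eye when s_client prints six SSL-Session blocks. The script below is an added example and is not code from the thread, from netkit-ftp-ssl or from OpenSSL; it assumes only s_client's usual per-connection "SSL-Session:" summary (a "Session-ID:" line and a leading "New," or "Reused," handshake line), and the two transcripts it ships with are constructed, shortened samples, one showing a resumed session and one showing fresh handshakes on every connection.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `openssl s_client
# -reconnect` output whether one TLS session was resumed across all
# reconnections. Assumes s_client's usual "SSL-Session:" summary with a
# "Session-ID:" line per connection. The sample transcripts are constructed.

# Reads s_client output on stdin. Returns 0 when at least two connections
# were made and all reported the same non-empty Session-ID; 1 otherwise.
session_reuse_check() {
    out=$(cat)
    # One "Session-ID:" line per connection (does not match "Session-ID-ctx:").
    conns=$(printf '%s\n' "$out" | grep 'Session-ID:' | wc -l | tr -d ' ')
    # Number of distinct, non-empty session identifiers seen.
    distinct=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Session-ID:[[:space:]]*//p' \
        | grep -v '^$' | sort -u | wc -l | tr -d ' ')
    # s_client starts a resumed handshake's summary with "Reused," not "New,".
    reused=$(printf '%s\n' "$out" | grep '^Reused,' | wc -l | tr -d ' ')
    if [ "$conns" -ge 2 ] && [ "$distinct" -eq 1 ]; then
        echo "session reused: $conns connections, 1 Session-ID, $reused resumed handshakes"
        return 0
    fi
    echo "NO reuse: $conns connections, $distinct distinct Session-IDs, $reused resumed handshakes"
    return 1
}

# Constructed transcript: the server resumed the session on reconnect.
SAMPLE_REUSED=$(cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
    Session-ID-ctx:
    Master-Key: 0011223344556677
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
    Session-ID-ctx:
    Master-Key: 0011223344556677
EOF
)

# Constructed transcript: a fresh handshake and new identity on every connection,
# the symptom Sebastian reports above.
SAMPLE_FRESH=$(cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
    Session-ID-ctx:
    Master-Key: 0011223344556677
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
    Session-ID-ctx:
    Master-Key: 8899AABBCCDDEEFF
EOF
)

# Demonstration on the constructed samples. Against a live server, pipe the
# real run through the same function:
#   openssl s_client -starttls ftp -connect localhost:21 -reconnect </dev/null 2>/dev/null \
#       | session_reuse_check
for sample in "$SAMPLE_REUSED" "$SAMPLE_FRESH"; do
    printf '%s\n' "$sample" | session_reuse_check || true
done
```

The function counts connections by "Session-ID:" lines rather than by "CONNECTED" lines because a TLS 1.3 server that only hands out tickets may leave the Session-ID empty, and an empty identifier must not count as a match; the "Reused," count is reported alongside so a mismatch between the two signals (same ID but every handshake "New,") stands out.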

