On 2017-11-11 12:37:15 [+0100], To Mats Erik Andersson wrote: > So the problem was that you never shut down the connection. You can blame > libssl for behaving differently, or you can apply the first patch > attached. > The second one replaces SSL_copy_session_id() with something that is maybe more > obvious, and with more documentation.
okay. This time with the patch attached… > > > M E Andersson, maintainer of netkit-ftp-ssl Sebastian
>From 489397738dddd20c9fb2c48ec444b156099d1bae Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <[email protected]>
Date: Sat, 11 Nov 2017 11:10:07 +0000
Subject: [PATCH 1/2] ftp-ssl: shutdown the session properly

If the SSL session is not shutdown properly, the following SSL_free will free all SSL related structs including the session making it impossible to be reused in a later connection.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
---
 ftp/ftp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ftp/ftp.c b/ftp/ftp.c
index 81d38b5f9087..24c8ce956d14 100644
--- a/ftp/ftp.c
+++ b/ftp/ftp.c
@@ -951,6 +951,7 @@ sendrequest(const char *cmd, char *local, char *remote, int printnames)
 #ifdef USE_SSL
 if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
+ SSL_shutdown(ssl_data_con);
 SSL_free(ssl_data_con);
 ssl_data_active_flag=0;
 ssl_data_con=NULL;
@@ -989,6 +990,7 @@ sendrequest(const char *cmd, char *local, char *remote, int printnames)
 #ifdef USE_SSL
 if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
+ SSL_shutdown(ssl_data_con);
 SSL_free(ssl_data_con);
 ssl_data_active_flag=0;
 ssl_data_con=NULL;
@@ -1373,6 +1375,7 @@ recvrequest(const char *cmd,
 #ifdef USE_SSL
 if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
+ SSL_shutdown(ssl_data_con);
 SSL_free(ssl_data_con);
 ssl_data_active_flag=0;
 ssl_data_con=NULL;
@@ -1420,6 +1423,7 @@ recvrequest(const char *cmd,
 #ifdef USE_SSL
 if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
+ SSL_shutdown(ssl_data_con);
 SSL_free(ssl_data_con);
 ssl_data_active_flag=0;
 ssl_data_con=NULL;
@@ -1654,6 +1658,7 @@ dataconn(const char *lmode)
 if (ssl_active_flag && ssl_encrypt_data) { /* do SSL */
 if (ssl_data_con!=NULL) {
+ SSL_shutdown(ssl_data_con);
 SSL_free(ssl_data_con);
 ssl_data_con=NULL;
 }
-- 
2.15.0
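Review bot: The new `SSL_shutdown(ssl_data_con);` is pasted in front of five separate `SSL_free(ssl_data_con)` sites across sendrequest(), recvrequest() and dataconn(), and the dataconn() copy already diverges from the other four (it does not clear `ssl_data_active_flag`), so the next change to this teardown will again have to be made five times. A small `static void ssl_data_close(void)` helper doing shutdown, free and the pointer/flag reset would keep the sites identical; whether dataconn() leaving `ssl_data_active_flag` untouched is deliberate is not visible in these hunks and has to be confirmed before that site is folded in. The return value of SSL_shutdown() is ignored at every site, which is defensible here — a single call is enough to record a clean close so that SSL_free() does not evict the session from the cache — but that reasoning belongs in a comment rather than being left implicit, e.g. `/* one SSL_shutdown() suffices: it marks the close as clean so SSL_free() keeps the session resumable */`. Note that the close_notify written by SSL_shutdown() may land on a socket the peer has already reset on the error paths, so the client's SIGPIPE handling (outside these hunks) should be checked. All five enclosing functions start and end outside the hunks.

```c
/* … in the USE_SSL declarations near ssl_data_con … */
static void
ssl_data_close(void)
{
	if (ssl_data_con != NULL) {
		/* one SSL_shutdown() suffices: it marks the close as clean so
		 * SSL_free() keeps the session resumable for the next connection */
		SSL_shutdown(ssl_data_con);
		SSL_free(ssl_data_con);
	}
	ssl_data_con = NULL;
	ssl_data_active_flag = 0;
}

/* … at each sendrequest()/recvrequest() site … */
	if (ssl_data_active_flag && (ssl_data_con!=NULL))
		ssl_data_close();
```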
>From d228c9e24e78047afdd04fcc9e335551fea87251 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <[email protected]>
Date: Sat, 11 Nov 2017 11:11:55 +0000
Subject: [PATCH 2/2] ftp-ssl: use get+set session instead of copy id

This does mostly the same thing but may be more obvious, maybe not.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
---
 ftp/ftp.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ftp/ftp.c b/ftp/ftp.c
index 24c8ce956d14..53fc34f1ac2b 100644
--- a/ftp/ftp.c
+++ b/ftp/ftp.c
@@ -94,6 +94,7 @@ static struct sockaddr_storage myctladdr;
 static int ptflag = 0;
 static int ptabflg = 0;
 #ifdef USE_SSL
+static SSL_SESSION *ssl_data_session;
 int ssl_available=1;
 static int pdata = -1;
 static int
@@ -1677,7 +1678,8 @@ dataconn(const char *lmode)
 * this quick assuming Eric has this going
 * okay! ;-) */
- SSL_copy_session_id(ssl_data_con,ssl_con);
+ if (ssl_data_session)
+ SSL_set_session(ssl_data_con, ssl_data_session);
 /* we are doing I/O and not using select so
 * it is "safe" to read ahead
@@ -2279,6 +2281,11 @@ ssl_init(void)
 fprintf(stderr, "Data connection security level refused.\n");
 return ERROR;
 }
+ if (ssl_encrypt_data) {
+ SSL_SESSION_free(ssl_data_session);
+ ssl_data_session = SSL_get1_session(ssl_con);
+ }
+
 if (verbose && use_tls && ssl_encrypt_data)
 fprintf(stderr, "[Encrypted data transfer.]\n");
 }
-- 
2.15.0
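Review bot: `SSL_set_session(ssl_data_con, ssl_data_session);` in dataconn() discards its return value, and the surrounding `if (ssl_data_session)` silently skips the call when no session was captured, so in both cases the data connection falls back to a full handshake without any diagnostic; servers that insist on the data channel resuming the control channel's session — a common defence against data-connection hijacking — then fail the transfer with an opaque error. Replacing the two lines with `if (ssl_data_session == NULL || !SSL_set_session(ssl_data_con, ssl_data_session))` followed by `fprintf(stderr, "Cannot reuse control session for data connection.\n");` makes the degradation visible, and checking `SSL_session_reused(ssl_data_con)` after the data SSL_connect (outside this hunk) would confirm the server actually resumed it. If I read OpenSSL's SSL_copy_session_id() correctly, the removed call also copied the SSL's certificate and session-id context from `ssl_con`, which SSL_set_session() alone does not; if the client ever presents a certificate, it is worth confirming `ssl_data_con` inherits it from the shared SSL_CTX. dataconn() starts and ends outside the hunk.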
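Review bot: `ssl_data_session = SSL_get1_session(ssl_con);` in ssl_init() is not checked for NULL, which SSL_get1_session() returns when `ssl_con` has no established session, so the user gets no hint that later data connections will not resume the control session. A one-line warning at the capture point, `if (ssl_data_session == NULL) fprintf(stderr, "No control session available for data connection reuse.\n");`, makes the subsequent full handshake on the data channel diagnosable. The reference taken here is not released on any path visible in these hunks; wherever `ssl_con` itself is torn down (lost peer, exit) a matching `SSL_SESSION_free(ssl_data_session); ssl_data_session = NULL;` should go with it, otherwise a reconnect in the same process would offer a stale session first. The leading `SSL_SESSION_free(ssl_data_session)` is fine on the first call since OpenSSL accepts NULL there, but a short comment saying so, `/* SSL_SESSION_free(NULL) is a no-op; drop any session captured by an earlier AUTH */`, would save the next reader the lookup. ssl_init() starts outside the hunk.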

