markiewb commented on issue #7727: URL: https://github.com/apache/netbeans/issues/7727#issuecomment-2478463850
> So I had a look at this and from my POV it's a mess. The problem is that FileZilla forces clients to reuse the TLS session used for the control channel on the data channel. It seems that problem wreaks havoc with various clients, and my TL;DR takeaway is: FTP is dead, don't use it.
>
> The longer version: Java implements session resumption for TLS. However, it only allows that for the same hostname/port pair. The TLS sessions are held in a map keyed by this. But even breaking into the JDK code and faking an entry holding the same session for hostname/datachannel-port as for hostname/controlchannel-port does not help (idea from https://gist.github.com/riyaz-ali/48fb486f51c258b4e92c2d2be30c35c4, adjusted as `getHost` does not work anymore).
>
> Messing with TLS settings also did not help on my test setup (https://issues.apache.org/jira/browse/NET-408).
>
> My final straw was adding bouncy-castle TLS to NetBeans and using its implementation for the connection (inspired by [bcgit/bc-java#458](https://github.com/bcgit/bc-java/issues/458)). Wireshark indicated that the session was established, the client side disagreed and it still did not work.
>
> I stop at this point.

We had to connect to such a FileZilla FTP server once too, and our team succeeded in providing a solution. I cannot disclose the whole solution, but some tips for the journey. See https://docs.spring.io/spring-integration/reference/ftp/advanced-configuration.html#ftps-and-shared-sslsession as a base.

To make it work past JDK8, several additional changes (next to the reflection patching of the `sessionHostPortCache` of the `SSLSessionContext`) have to be made:

* `jdk.tls.client.enableSessionTicketExtension=true`, https://github.com/iterate-ch/cyberduck/commit/c0efa1f417 <- other Java-based FTP clients with FileZilla support like Cyberduck are a good source for reference
* `jdk.tls.useExtendMasterSecret=false` (but I am not sure about this)
* `--add-open` for several modules for the reflection stuff
* (works only for TLS1.2)
