Hi, I'm having a lot of trouble with Java and the implementation of an FTPS client that can work with most of the FTPS servers out there that require the data connection to be established with TLS session resumption of the control channel's session. Because the control channel is on a different port (but the same host), the JSSE mechanism to find a reusable session didn't work and FTPS transfers failed.
I'm not alone with this [1], and the solution with Java 7 and 8 was going "deeply reflective" and fiddling with the sessionPortHostCache in the SSLSocket's sslContext. While it's ugly and obviously a thing to break sooner or later, it worked and kept data transfers "out there" functioning. With Java 11 this "fix" doesn't work anymore as soon as TLSv1.3 is negotiated between client and server, and even while I might be able to come up with a new hack, that might only buy me some time until a future release of Java prevents access to the context's internals. So I'd like to ask questions first; maybe there is a less brutal solution than the one the world of Java seems to be currently using:

- Is there a better way to ensure that a particular session is used for session resumption?
- With [2] I have the impression that with TLSv1.3 session resumption only works once. Is that enforced by the standard or a JSSE decision? If the former, that would mean that FTPS can't use TLSv1.3 (which would solve my problem at least in that direction ;-) because it's common that there are plenty of data connections being opened during an FTP session.
- Also with [2] (but I found that out myself as part of my JUnit tests), the session id that is reported to the server differs for the original SSL socket and the new one that got created after a session resumption. Is it still the case, as it was 1.5 years ago, that the create time is the only thing that allows you to check if two sessions are "the same"? I see potential attack vectors here for MITM attacks if System.currentTimeMillis isn't precise down to the millisecond.

Talking the world out of using FTPS is out of the order in my eyes, so whatever the answers are here, I'll have to find a solution.

Thanks and best regards,
Lothar Kimmeringer

[1] https://eng.wealthfront.com/2016/06/10/connecting-to-an-ftps-server-with-ssl-session-reuse-in-java-7-and-8/
[2] https://mail.openjdk.java.net/pipermail/security-dev/2018-August/017993.html
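The third question above is about how a client can tell whether the data channel actually resumed the control channel's TLS session. The following helper is an added example (not the poster's code and not part of any JDK API) that makes that check through public JSSE calls only and fails closed before any file data is sent; it assumes both sockets have completed their handshakes, that session ids match for pre-1.3 resumption, and that the creation-time comparison described in the post is the only fallback available for TLSv1.3.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Verifies that an FTPS data connection resumed the control channel's TLS session. */
public final class FtpsSessionReuseCheck {

    private FtpsSessionReuseCheck() {}

    /**
     * Returns true when the data socket's session is a resumption of the control
     * socket's session. Both sockets must already have called startHandshake().
     *
     * Pre-TLSv1.3: JSSE hands back the cached session, so the ids are identical.
     * TLSv1.3: the post reports that the id differs even after resumption, so the
     * shared creation time (plus host and cipher suite) is used as the heuristic the
     * post describes. That heuristic is an assumption here, not a JSSE guarantee.
     */
    public static boolean isResumed(SSLSocket control, SSLSocket data) {
        SSLSession c = control.getSession();
        SSLSession d = data.getSession();
        if (!c.isValid() || !d.isValid()) {
            return false;
        }
        // Control and data channels must terminate at the same peer.
        String ch = c.getPeerHost();
        if (ch == null || !ch.equalsIgnoreCase(d.getPeerHost())) {
            return false;
        }
        byte[] cid = c.getId();
        if (cid.length > 0 && Arrays.equals(cid, d.getId())) {
            return true; // classic resumption: same session id
        }
        return "TLSv1.3".equals(d.getProtocol())
            && c.getCreationTime() == d.getCreationTime()
            && c.getCipherSuite().equals(d.getCipherSuite());
    }

    /** Fails closed: tears down the data socket if the session was not resumed. */
    public static void requireResumed(SSLSocket control, SSLSocket data) throws IOException {
        if (!isResumed(control, data)) {
            data.close();
            throw new IOException("FTPS data connection did not resume the control TLS session");
        }
    }
}
```

Call requireResumed(controlSocket, dataSocket) right after the data socket's handshake and before the RETR/STOR payload flows; a failure here points at the cache workaround having stopped working rather than at the server.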