Hello,

It seems that Synapse doesn't support TLS session resumption when using FTP
with AUTH TLS. What it means is that after issuing PBSZ 0, PROT P, and
PASV, it opens a data channel and encrypts it. But unfortunately it
encrypts the data channel in a different session. Modern FTP servers may
require that the TLS session for the data is resumed. For example, a recent
version of FileZilla Server has an option like "Require TLS session
resumption on data connection when using PROT P". If this condition is not
met, the server refuses to accept files with a message:

450 TLS session of data connection has not resumed or the session does not
match the control connection

The author says:

===
It appears your client does not support TLS session resumption. Please
contact your client vendor so that TLS session resumption can be
implemented in your client.

Not requiring session resumption allows session stealing attacks. The
problem with FTP is that the data connection does not authenticate the
client: Imagine you want to upload a new version of your website. To
initiate the transfer your client sends the PASV command followed by the
STOR command. The server opens a port and waits for the client to connect
to it and upload the file. Now an attacker comes along and figures out the
port the server listens on. He connects to the port before you can and
uploads a piece of malware to your website.

TLS session resumption prevents this, it acts as a form of authentication.
If the TLS session of the data connection matches the session of the
control connection, both the client and the server have the guarantee that
the data connection is genuine. Any mismatch in sessions indicates a
potential attack.
===
Source: https://forum.filezilla-project.org/viewtopic.php?f=6&t=36903

I'm using the latest revision.
I tried Overbyte ICS and it doesn't work with these settings either;
however Indy 10 does, as well as FTP clients (for example, the one in Total
Commander). Can it be implemented in Synapse please? Or is there a setting
that I'm missing?
Thanks in advance!

Zak.
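For readers who want to see what "resume the control session on the data connection" looks like in code, here is an added example in Python (chosen because its `ssl` module exposes session resumption directly; this is not Synapse, ICS or Indy code and not from the original mail). It shows the two things a client has to do: pass the control connection's `session` into `wrap_socket()` for the PASV data socket, and verify afterwards that the handshake really was a resumption (`session_reused`), which is the same property FileZilla Server checks before accepting the transfer. `ftplib.FTP_TLS` already performs the first step on Python 3.6+; the `StrictFTP_TLS` subclass adds the second. The host name, port and the `FakeTLSSocket` objects in the offline self-check are constructed placeholders.

```python
import ftplib
import socket
import ssl


class DataChannelNotResumed(ssl.SSLError):
    """The PROT P data connection did not resume the control connection's session."""


def resumption_problem(control_sock, data_sock):
    """Return None if the data connection is a resumption of the control
    connection's TLS session, otherwise a string describing what is wrong.
    Works on ssl.SSLSocket objects, which expose `session` (an ssl.SSLSession)
    and `session_reused` (set by OpenSSL once the handshake has completed)."""
    if getattr(control_sock, "session", None) is None:
        return "control connection has no TLS session to resume"
    if not getattr(data_sock, "session_reused", False):
        return ("data connection negotiated a fresh TLS session instead of "
                "resuming the control session; an unauthenticated peer could "
                "have connected to the PASV port first")
    return None


def open_resumed_data_channel(control_sock, host, port, context):
    """Connect to the PASV port and resume the control session on it.
    `context` must be the same SSLContext that wrapped control_sock;
    wrap_socket() rejects a session that belongs to a different context.
    The session= argument is the piece a client without resumption support lacks."""
    raw = socket.create_connection((host, port), timeout=30)
    data = context.wrap_socket(raw, server_hostname=host,
                               session=control_sock.session)
    problem = resumption_problem(control_sock, data)
    if problem:
        data.close()
        raise DataChannelNotResumed(problem)
    return data


class StrictFTP_TLS(ftplib.FTP_TLS):
    """ftplib.FTP_TLS already passes the control session to wrap_socket() when it
    opens a data connection (Python 3.6+). This subclass additionally refuses to
    use a PROT P data connection on which resumption did not actually happen,
    so a fresh-session data channel fails on the client side rather than being
    rejected by the server with a 450."""

    def ntransfercmd(self, cmd, rest=None):
        conn, size = super().ntransfercmd(cmd, rest)
        if self._prot_p:  # only enforced once PROT P has been negotiated
            problem = resumption_problem(self.sock, conn)
            if problem:
                conn.close()
                raise DataChannelNotResumed(problem)
        return conn, size


class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket, used only for the offline self-check."""

    def __init__(self, session, reused):
        self.session = session
        self.session_reused = reused


def offline_check():
    """Exercise resumption_problem() without a server.
    Returns (resumed_ok, fresh_session_msg, no_control_session_msg)."""
    sess = object()  # stands in for the control connection's ssl.SSLSession
    resumed_ok = resumption_problem(FakeTLSSocket(sess, False),
                                    FakeTLSSocket(sess, True))
    fresh = resumption_problem(FakeTLSSocket(sess, False),
                               FakeTLSSocket(object(), False))
    no_session = resumption_problem(FakeTLSSocket(None, False),
                                    FakeTLSSocket(object(), False))
    return resumed_ok, fresh, no_session


if __name__ == "__main__":
    print(offline_check())
```

Against a real server the client is used like the stock class: build an `ssl.SSLContext`, create `StrictFTP_TLS(context=ctx)`, then `connect()`, `login()`, `prot_p()` and `storbinary()`; a data connection whose handshake was not a resumption now raises `DataChannelNotResumed` before any bytes are sent, which is the client-side counterpart of the FileZilla Server check quoted above.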
_______________________________________________
synalist-public mailing list
synalist-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/synalist-public
