Hi Raymond, from what I understand the security measure in FileZilla requires that the same TLS session is used for the control and data connections, am I correct?
In your research have you come across this StackOverflow post? https://stackoverflow.com/questions/32398754/how-to-connect-to-ftps-server-with-data-connection-using-same-tls-session I'm not sure if that would be a good fit to implement in Camel, it seems to rely on a Java system property `jdk.tls.useExtendedMasterSecret` being set to `false` on newer JVMs and also reflection tricks to fool the TLS session cache. I think it might be against the design of JSSE to reuse the same SSL session across different ports. zoran On Wed, Feb 20, 2019 at 8:04 PM ski n <[email protected]> wrote: > > I looked again into this issue. The issue occurs, because of TLS session > resumption. There is an option enabled by default on the FileZilla server > to avoid an exploit. See this forum post: > > https://forum.filezilla-project.org/viewtopic.php?p=137191#p137191 > > The proposed solution on StackOverflow is to turn off this security option: > > https://stackoverflow.com/questions/35061145/ftpsclient-file-upload-and-download-always-size-0-and-exception > > However, this isn't desirable and is not always an option because the > server-side cannot be changed. See also this question: > > https://stackoverflow.com/questions/50852231/camel-ftps-how-enable-tls-resumption > > As the questioner wrote there's currently no way to enable TLS enable from > Camel FTPS options. This issue can easily be reproduced by installing a > FileZilla server with FTPS with default options. > > Raymond > > > > Op ma 11 feb. 2019 om 22:08 schreef ski n <[email protected]>: > > > Yes, I have JCE accessible in the JVM. I am using latest Java 8 Update > > 201. > > > > As in this anser stackoverflow the unlimited shouldn't be set anymore: > > > > > > https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html > > > > To be sure I did enable crypto.policy=unlimited in the security file. But > > this hadn't any effect. > > > > Raymond > > > > > > Op ma 11 feb. 2019 om 14:43 schreef Björn Þór Jónsson <[email protected]>: > > > >> Do you have the Java Cryptography Extension (JCE) accessible to your JVM ? > >> > >> In one case Camel had trouble communicating with an FTPS server which was > >> using a cipher not available to the default Java installation and I solved > >> it by installing that extension. > >> > >> /Björn > >> > >> On 10/02/2019, 19:09, "ski n" <[email protected]> wrote: > >> > >> I'm trying to send some text files to a FTPS server. The FTPS server > >> has > >> following specifications: > >> > >> 1) FTP Type: FileZilla Server > >> 2) Cryptographic protocol = TLS/SSL Explicit encryption, TLSv1.2 > >> 3) Encryption algorithm = TLSv1/SSLv3: ECDHE-RSA-AES256-GCM-SHA384, > >> 2048 > >> bit RSA, ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA > >> Enc=AESGCM(256) Mac=AEAD > >> 4) Mode: Passive > >> 5) Port: 21 (NAT ports 50000-500010) > >> > >> I can access and send the files with WinSCP or FilleZilla client. When > >> using the FTPS Component of Camel (using a TrustStore and set > >> passivemode > >> to true) the file is created within the FTPS Server directory, > >> however with > >> 0 kb. No data is send. In the logs I got the following error: > >> > >> Remote host closed connection during handshake. Code: 150 > >> Writing file failed with: File operation failed: 150 Opening data > >> channel > >> for file upload to server of "/file.csv" > >> > >> Stacktrace > >> > >> --------------------------------------------------------------------------------------------------------------------------------------- > >> > >> org.apache.camel.component.file.GenericFileOperationFailedException: > >> File > >> operation failed: 150 Opening data channel for file upload to server > >> of > >> "/file.csv" > >> Remote host closed connection during handshake. Code: 150 > >> at > >> > >> org.apache.camel.component.file.remote.FtpOperations.doStoreFile(FtpOperations.java:710) > >> at > >> > >> org.apache.camel.component.file.remote.FtpOperations.storeFile(FtpOperations.java:615) > >> at > >> > >> org.apache.camel.component.file.GenericFileProducer.writeFile(GenericFileProducer.java:305) > >> at > >> > >> org.apache.camel.component.file.GenericFileProducer.processExchange(GenericFileProducer.java:169) > >> at > >> > >> org.apache.camel.component.file.remote.RemoteFileProducer.process(RemoteFileProducer.java:57) > >> at > >> > >> org.apache.camel.util.AsyncProcessorConverterHelper$ProcessorToAsyncProcessorBridge.process(AsyncProcessorConverterHelper.java:61) > >> at > >> > >> org.apache.camel.processor.SendProcessor$2.doInAsyncProducer(SendProcessor.java:178) > >> at > >> > >> org.apache.camel.impl.ProducerCache.doInAsyncProducer(ProducerCache.java:445) > >> at > >> > >> org.apache.camel.processor.SendProcessor.process(SendProcessor.java:173) > >> at > >> > >> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:201) > >> at > >> > >> org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:548) > >> at > >> > >> org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:201) > >> at > >> > >> org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109) > >> at > >> > >> org.apache.camel.processor.MulticastProcessor.doProcessParallel(MulticastProcessor.java:860) > >> at > >> > >> org.apache.camel.processor.MulticastProcessor.access$200(MulticastProcessor.java:86) > >> at > >> > >> org.apache.camel.processor.MulticastProcessor$1.call(MulticastProcessor.java:330) > >> at > >> > >> org.apache.camel.processor.MulticastProcessor$1.call(MulticastProcessor.java:316) > >> at java.util.concurrent.FutureTask.run(Unknown Source) > >> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > >> Source) > >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > >> Source) > >> at java.lang.Thread.run(Unknown Source) > >> Suppressed: > >> org.apache.camel.component.file.GenericFileOperationFailedException: > >> File > >> operation failed: 150 Opening data channel for file upload to server > >> of > >> "/file.csv" > >> Remote host closed connection during handshake. Code: 150 > >> ... 21 common frames omitted > >> Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed > >> connection during handshake > >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > >> at > >> sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown > >> Source) > >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown > >> Source) > >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown > >> Source) > >> at > >> > >> org.apache.commons.net.ftp.FTPSClient._openDataConnection_(FTPSClient.java:646) > >> at > >> org.apache.commons.net.ftp.FTPClient._storeFile(FTPClient.java:653) > >> at > >> org.apache.commons.net.ftp.FTPClient.__storeFile(FTPClient.java:639) > >> at > >> org.apache.commons.net.ftp.FTPClient.storeFile(FTPClient.java:2030) > >> at > >> > >> org.apache.camel.component.file.remote.FtpOperations.doStoreFile(FtpOperations.java:685) > >> ... 20 common frames omitted > >> Caused by: java.io.EOFException: SSL peer shut down incorrectly > >> at sun.security.ssl.InputRecord.read(Unknown Source) > >> ... 29 common frames omitted > >> Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed > >> connection during handshake > >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > >> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown > >> Source) > >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > >> at > >> > >> org.apache.commons.net.ftp.FTPSClient._openDataConnection_(FTPSClient.java:646) > >> at > >> org.apache.commons.net.ftp.FTPClient._storeFile(FTPClient.java:653) > >> at > >> org.apache.commons.net.ftp.FTPClient.__storeFile(FTPClient.java:639) > >> at > >> org.apache.commons.net.ftp.FTPClient.storeFile(FTPClient.java:2030) > >> at > >> > >> org.apache.camel.component.file.remote.FtpOperations.doStoreFile(FtpOperations.java:685) > >> ... 20 common frames omitted > >> Caused by: java.io.EOFException: SSL peer shut down incorrectly > >> at sun.security.ssl.InputRecord.read(Unknown Source) > >> ... 29 common frames omitted > >> > >> - Camel is run with Java 8 Update 201. > >> - The certificated was downloaded with OpenSSL and successfully > >> imported in > >> the truststore with Keytool > >> > >> When searching for this type of error I found the following resources: > >> > >> > >> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper.jboss.org%2Fthread%2F247957&data=02%7C01%7Cbthj%40origo.is%7Cf6e9e3d54e5847d8ff3c08d68f8b4402%7C470852d578e34ee3bee9e9638b276d14%7C0%7C0%7C636854225647654211&sdata=BnB7mypukyWdnJOa86xiPXN78aAL3twZ4jFSSOaNn%2BA%3D&reserved=0 > >> > >> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F21245796%2Fjavax-net-ssl-sslhandshakeexception-remote-host-closed-connection-during-handsh&data=02%7C01%7Cbthj%40origo.is%7Cf6e9e3d54e5847d8ff3c08d68f8b4402%7C470852d578e34ee3bee9e9638b276d14%7C0%7C0%7C636854225647654211&sdata=8FjzMN73kfXTGPWf22%2Bo8vFcPuofomKtzNCt4GBbPaA%3D&reserved=0 > >> > >> These sources recommended that following actions: > >> > >> 1) Setting the-Dhttps.protocols parameter at Java: > >> > >> I tried the following: > >> > >> -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 > >> > >> -Dhttps.protocols=TLSv1.1,TLSv1.2 > >> > >> -Dhttps.protocols=TLSv1.2 > >> > >> 2) Set RCE (*Java Cryptography Extension*) to unlimited in > >> java.security file > >> > >> 3) Try settings passiveMode=false and set the parameter ActivePorts > >> (this causes an "Accepted time out") and I also tried it with > >> passiveMode=true > >> > >> All actions still gave the same result. When running the Camel > >> application with parameter: > >> > >> -Djavax.net.debug=all > >> > >> I see the failure during WRITE: > >> > >> Camel (camel-1) thread #2 - Multicast, WRITE: TLSv1.2 Handshake, > >> length = 96 > >> [Raw write]: length = 101 > >> 0000: 16 03 03 00 60 88 00 8B E3 1B DD 54 7B DE 7A 01 > >> ....`......T..z. > >> 0010: 35 A6 44 CC AF 6A 4C 4F A6 AB C6 9E 04 FA F5 0F > >> 5.D..jLO........ > >> 0020: 61 CF AF CD FC B1 E4 F2 01 0D 15 33 18 C3 FA B7 > >> a..........3.... > >> 0030: 34 6A A5 53 60 4A E9 B3 63 99 31 98 F6 97 A7 81 > >> 4j.S`J..c.1..... > >> 0040: AB 9D 83 D4 7B C4 F8 3B D0 54 45 91 E4 13 58 C6 > >> .......;.TE...X. > >> 0050: AA 20 CC 81 ED 62 C0 FD F3 D8 90 53 85 DF 7D 0E . > >> ...b.....S.... > >> 0060: A6 E7 E0 AC 51 ....Q > >> Camel (camel-1) thread #2 - Multicast, received EOFException: error > >> Camel (camel-1) thread #2 - Multicast, handling exception: > >> javax.net.ssl.SSLHandshakeException: Remote host closed connection > >> during handshake > >> %% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] > >> Camel (camel-1) thread #2 - Multicast, SEND TLSv1.2 ALERT: fatal, > >> description = handshake_failure > >> > >> I have three questions based on this: > >> > >> 1) How to debug this further? Did I miss an option of the FTPS > >> component? Does this happen because of muliple session/threads? > >> > >> 2) How can it be that the message/file is consumed, then there is > >> failure, but I don't see the message in the error endpoint? Camel > >> statistics > >> says the message is completed, but it's not really transfered (it's > >> gone at consumer and producer). > >> > >> 3) Isn't there a way that Camel can handle certificates just like > >> clients like WinSCP or FileZilla do? This opposed of doing it manually > >> (a) create truststore, b) download certificatei > >> > >> and c) import certificate in truststore and d) link Camel route to > >> truststore? > >> > >> Raymond > >> > >> > >> -- Zoran Regvart
