TLS/SSL session resume on FTP transfer connection with OpenSSL

Anonymous (unverified), posted 2019-12-03 02:22:01

Question:

I'm an open source developer implementing an FTP client (WinSCP).

I'm trying to resume TLS/SSL session from the FTP control socket on the transfer socket. Some FTP servers started to require this.

E.g. vsftpd:
https://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html


I'm using OpenSSL to implement SSL layer.

I've tried the obvious way to implement the session resume, i.e. to use SSL_get1_session and SSL_set_session, like here:
https://www.linuxjournal.com/article/5487?page=0,1

Though it does not work. I'm still not able to connect to any FTP server requiring TLS session resume (like the vsftpd).

I have a suspicion that the problem may be due to the fact that, in my case, there are two parallel TLS connections, which cannot share the same TLS session. This is different from the example on linuxjournal.com, where the first connection is closed before the other is opened.

I have also tried several ways to clone the session, e.g. using i2d_SSL_SESSION/d2i_SSL_SESSION. Didn't help either.

I'm really stuck here.

Thanks in advance for any help.

Answer 1:

You must specifically enable client session caching on your SSL_CTX object with:

SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); 

You may also need to increase the default session cache timeout (the default is 300 seconds), using SSL_CTX_set_timeout().

(You must also be creating your SSL objects from the same SSL_CTX object).



Answer 2:

Using the SSL_get1_session and the SSL_set_session worked in the end. I must have used them incorrectly when trying the first time.

  • Once the TLS/SSL session on the control connection is established, use SSL_get1_session to retrieve the session. I specifically do it from a callback set by the SSL_set_info_callback, when where & SSL_ST_CONNECT.
  • Call the SSL_set_session with the reference to the control connection session, when setting up TLS/SSL session for the data connection.

