FTPES - Session Reuse Required

问题:

So, I am trying to connect to an ftp server to get directory listings and download files. But the first command after the prot_p() function is raising an exception - Producing these errors from the log:

*get* '150 Here comes the directory listing.\r\n' *resp* '150 Here comes the directory listing.' *get* '522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page\r\n' *resp* '522 SSL connection failed; session reuse required: see require_ssl_reuse  option in vsftpd.conf man page' Traceback (most recent call last):   File "C:\temp\download.py", line 29, in <module>     files = ftps.dir()   File "C:\Python27\lib\ftplib.py", line 522, in dir     self.retrlines(cmd, func)   File "C:\Python27\lib\ftplib.py", line 725, in retrlines     return self.voidresp()   File "C:\Python27\lib\ftplib.py", line 224, in voidresp     resp = self.getresp()   File "C:\Python27\lib\ftplib.py", line 219, in getresp     raise error_perm, resp ftplib.error_perm: 522 SSL connection failed; session reuse required: see requir e_ssl_reuse option in vsftpd.conf man page 

Here is the code:

from ftplib import FTP_TLS import os import socket  host = 'example.com' port = 34567 user = 'user1' passwd = 'pass123' acct = 'Normal'  ftps = FTP_TLS()  ftps.set_debuglevel(2)  ftps.connect(host, port)  print(ftps.getwelcome()) print(ftps.sock)  ftps.auth()  ftps.login(user, passwd, acct)  ftps.set_pasv(True) ftps.prot_p()  print('Current directory:') print(ftps.pwd()) files = ftps.dir()  ftps.quit() 

I want to do this securely, hence using FTP over TLS Explicit. I have the idea that I may need to manipulate some settings in the Socket class referenced by FTPLib. Changing the settings on the server is not a possibility. I have tested the server successfully with FileZilla client, an older version of WinSCP was raising the same error - although an upgrade to the newest version fixed it.

Any ideas?

回答1:

It looks more likely a vsftpd issue than ftplib as you mention an upgrade to the newest version fixed the problem.

Provided that you cannot touch server's settings, sub-classing the FTP_TLS may help resolve your issue, although it is quite a HACK in my opinion, referenced to this SO question & answers Python FTP TLS connection issue. You can also take a look from this python bug issue 19500:

" It is reasonable for the server to insist that the data connection uses a TLS cached session. This might be a cache of a previous data
connection or of a cleared control connection. If this is the reason for the refusal to allow the data transfer, then the '522' reply
should indicate this.

Note: This has an important impact on client design, but allows
servers to minimize the cycles used during TLS negotiation by
refusing to perform a full negotiation with a previously
authenticated client."

It appears that vsftpd server implemented exactly that by enforcing the "SSL session reuse between the control and data connection".

http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html

This issue is well documented on other FTP clients that supports FTPS, I.E. WinSCP: https://winscp.net/tracker/668

See test log file attached. A vsftpd server with "require_ssl_reuse" set to true in vsftpd.conf would do the trick and can be reproduced.

Hope this helps.

回答2:

It can be now easily fixed for Python 3.6+ by this class (descendant of FTP_TLS):

class MyFTP_TLS(ftplib.FTP_TLS):     """Explicit FTPS, with shared TLS session"""     def ntransfercmd(self, cmd, rest=None):         conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)         if self._prot_p:             conn = self.context.wrap_socket(conn,                                             server_hostname=self.host,                                             session=self.sock.session)  # this is the fix         return conn, size 

文章来源: FTPES - Session Reuse Required