I'm open source developer implementing FTP client (WinSCP).
I'm trying to resume TLS/SSL session from the FTP control socket on the transfer socket. Some FTP servers started to require this.
E.g. vsftpd:
https://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
I'm using OpenSSL to implement SSL layer.
I've tried the obvious way to implement the session resume, i.e. to use SSL_get1_session and SSL_set_session, like here:
https://www.linuxjournal.com/article/5487
Though it does not work. I'm still not able to connect to any FTP server requiring TLS session resume (like the vsftpd).
I have suspicion that the problem may be due to in my case, there are two parallel TLS connections, which cannot share the same TLS session. Which is different to the example on linuxjournal.com, where the first connection is closed before the other is opened.
I have also tried several ways to clone the session, e.g. using i2d_SSL_SESSION/d2i_SSL_SESSION. Didn't help either.
I'm really stuck here.
Thanks in advance for any help.
You must specifically enable client session caching on your SSL_CTX object with:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
You may also need to increase the default session cache timeout (the default is 300 seconds), using SSL_CTX_set_timeout().
(You must also be creating your SSL objects from the same SSL_CTX object).
Using the SSL_get1_session and the SSL_set_session worked in the end. I must have used them incorrectly when trying the first time.
- Once the TLS/SSL session on the control connection is established, use
SSL_get1_sessionto retrieve the session. I specifically do it from a callback set by theSSL_set_info_callback, whenwhere & SSL_ST_CONNECT. - Call the
SSL_set_sessionwith the reference to the control connection session, when setting up TLS/SSL session for the data connection.
来源:https://stackoverflow.com/questions/7786352/tls-ssl-session-resume-on-ftp-transfer-connection-with-openssl