Android Question FTPS - require TLS session resumption on data connection

T

togax

Member
Licensed User
I've been doing some FTP coding using the standard Net library with much success. One issue I've come across is the support for FTPS (FTP over TLS) is missing one feature. I've been testing my code against a FileZilla FTP server. The following startup code works fine as long as the server setting for "Require TLS session resumption on data connection when using PROT P" is disabled as shown in the attached screenshot. Would it be possible to update the Net library to accommodate such a feature?

B4X: 
If FirstTime Then
    FTP.Initialize("FTP", "xxxxx", 21, "xxxxx", "xxxxx")
    FTP.PassiveMode=True
    FTP.UseSSLExplicit = True
    ssltrustmanager.InitializeAcceptAll
    FTP.SetCustomSSLTrustManager(ssltrustmanager)
End If
FTP over TLS settings.png
 
Sort by date Sort by votes
T

togax

Member
Licensed User
Oh BTW, the error message I get on the phone via Msgbox(LastException,"Error connecting") is:
(SSL Exception) javax.net.ssl.SSLException:Connection closed by peer

and on the FTP server log file:
450 TLS session of data connection has not resumed or the session does not match the control connection
 
Upvote 0
T

togax

Member
Licensed User
Erel said:
I think that this is an OS feature. I don't see how it can be added to the Net library. The SSL handshake is done by the OS.
Click to expand...
I've searched through the FileZilla forum and there were similar discussions with other FTP client utilities and often the fix was done by the developer or vendor in a later release of the client. This does indicate the handshaking is done inside the client but you may still be correct in that it's system dependent. I'll investigate it further.

Notre that TLS session resumption is an important security feature; it prevents FTP data connection stealing attacks.
 
Upvote 0
T

togax

Member
Licensed User
I had a look at the SSLSocket classes used by another Android development tool and it talks about caching session ids or session tickets for reuse and checking the secondary data connections associated with FTP over TLS sessions are still authentic. I would say don't worry about it for now. I'll instigate my own method of checking that each transfer is authentic to prevent a man-in-the-middle attack of the secondary data connections.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

PureVision
  • Question
Android Question B4A FTP over Explicit TLS
Replies
2
Views
798
PureVision
PureVision
vecino
  • Question
Android Question FTP session finished
Replies
2
Views
556
vecino
vecino
Erel
  • Article
Android Tutorial [B4X] Tip: Always set FTP.PassiveMode to True
Replies
0
Views
4K
Erel
Erel
Erel
  • Article
B4A Library [B4X] FTP Server implemented with Socket and AsyncStreams
2 3
Replies
43
Views
39K
OliverA
OliverA
Erel
  • Locked
  • Article
B4A Library New Net library - Android FTP, SMTP and POP3
18 19 20
Replies
383
Views
188K
Erel
Erel
Top