Message 202193 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Ye.Wang
Recipients	Ye.Wang
Date	2013-11-05.04:02:08
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1383624130.64.0.185541289049.issue19500@psf.upfronthosting.co.za>
In-reply-to

Content
According to RFC4217 (Securing FTP with TLS, aka the FTPS spec), http://tools.ietf.org/html/rfc4217.html#section-10.2 " It is reasonable for the server to insist that the data connection uses a TLS cached session. This might be a cache of a previous data connection or of a cleared control connection. If this is the reason for the refusal to allow the data transfer, then the '522' reply should indicate this. Note: This has an important impact on client design, but allows servers to minimize the cycles used during TLS negotiation by refusing to perform a full negotiation with a previously authenticated client." It appears that vsftpd server implemented exactly that by enforcing the "SSL session reuse between the control and data connection". http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html Looking at the source of Python core library ftplib.py, there isn't any regard to the idea of SSL session reuse between data connection vs. control connection (correct me if I am wrong here. I've tried FTP_TLS.transfercmd(cmd[, rest])¶, didn't work). This issue is well documented on other FTP clients that supports FTPS, I.E. WinSCP: http://winscp.net/tracker/show_bug.cgi?id=668 See test log file attached. A vsftpd server with "require_ssl_reuse" set to true in vsftpd.conf would do the trick and can be reproduced.

According to RFC4217 (Securing FTP with TLS, aka the FTPS spec), 

http://tools.ietf.org/html/rfc4217.html#section-10.2

"  It is reasonable for the server to insist that the data connection
   uses a TLS cached session.  This might be a cache of a previous data
   connection or of a cleared control connection.  If this is the reason
   for the refusal to allow the data transfer, then the '522' reply
   should indicate this.

   Note: This has an important impact on client design, but allows
   servers to minimize the cycles used during TLS negotiation by
   refusing to perform a full negotiation with a previously
   authenticated client."

It appears that vsftpd server implemented exactly that by enforcing the "SSL session reuse between the control and data connection".

http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html

Looking at the source of Python core library ftplib.py, there isn't any regard to the idea of SSL session reuse between data connection vs. control connection (correct me if I am wrong here. I've tried FTP_TLS.transfercmd(cmd[, rest])¶, didn't work). 

This issue is well documented on other FTP clients that supports FTPS, I.E. WinSCP: http://winscp.net/tracker/show_bug.cgi?id=668

See test log file attached. A vsftpd server with "require_ssl_reuse" set to true in vsftpd.conf would do the trick and can be reproduced.

History
Date	User	Action	Args
2013-11-05 04:02:11	Ye.Wang	set	recipients: + Ye.Wang
2013-11-05 04:02:10	Ye.Wang	set	messageid: <1383624130.64.0.185541289049.issue19500@psf.upfronthosting.co.za>
2013-11-05 04:02:10	Ye.Wang	link	issue19500 messages
2013-11-05 04:02:09	Ye.Wang	create