Message202193
According to RFC4217 (Securing FTP with TLS, aka the FTPS spec),
http://tools.ietf.org/html/rfc4217.html#section-10.2
" It is reasonable for the server to insist that the data connection
uses a TLS cached session. This might be a cache of a previous data
connection or of a cleared control connection. If this is the reason
for the refusal to allow the data transfer, then the '522' reply
should indicate this.
Note: This has an important impact on client design, but allows
servers to minimize the cycles used during TLS negotiation by
refusing to perform a full negotiation with a previously
authenticated client."
It appears that vsftpd server implemented exactly that by enforcing the "SSL session reuse between the control and data connection".
http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
Looking at the source of Python core library ftplib.py, there isn't any regard to the idea of SSL session reuse between data connection vs. control connection (correct me if I am wrong here. I've tried FTP_TLS.transfercmd(cmd[, rest])¶, didn't work).
This issue is well documented on other FTP clients that supports FTPS, I.E. WinSCP: http://winscp.net/tracker/show_bug.cgi?id=668
See test log file attached. A vsftpd server with "require_ssl_reuse" set to true in vsftpd.conf would do the trick and can be reproduced. |
|
Date |
User |
Action |
Args |
2013-11-05 04:02:11 | Ye.Wang | set | recipients:
+ Ye.Wang |
2013-11-05 04:02:10 | Ye.Wang | set | messageid: <1383624130.64.0.185541289049.issue19500@psf.upfronthosting.co.za> |
2013-11-05 04:02:10 | Ye.Wang | link | issue19500 messages |
2013-11-05 04:02:09 | Ye.Wang | create | |
|