FTP - session reuse required

I am trying to connect to an FTP (ftps) server and am getting the following error when requesting the directory listing:

    Receiving: 522 SSL connection failed: session reuse required

I am using the following connect options:

    [
        {verbose, true},
        {port, 21},
        {tls, [
            {tls_version, 'tlsv1.2'},
            {reuse_sessions, true}
        ]},
        {tls_ctrl_session_reuse, true},
        {tls_sec_method, ftpes}
    ]

Connect and login work well.

Does anybody know the magic TLS options to get this working?

Cheers, Marc

To be complete here is the verbose log:

    "Receiving: 220 (vsFTPd 3.0.3)"
    "Sending: AUTH TLS"
    "Receiving: 234 Proceed with negotiation."
    "Sending: PBSZ 0"
    "Receiving: 200 PBSZ set to 0."
    "Sending: PROT P"
    "Receiving: 200 PROT now Private."
    "Sending: USER marc"
    "Receiving: 331 Please specify the password."
    "Sending: PASS xxxxxx"
    "Receiving: 230 Login successful."
    "Sending: PASV"
    "Receiving: 227 Entering Passive Mode (192,168,1,124,22,116)."
    "Sending: LIST"
    "Receiving: 150 Here comes the directory listing."
    "Receiving: 522 SSL connection failed: session reuse required"
    {error,epath}

Hi Marc!
I hope this provides you with some ideas and useful settings:
GitHub examples: tls_ctrl_session_reuse

Spanfest provides this set of options (with my adaptation):

    doit() ->
        TLSB = vsftpd_tls(),
        TLS = [{tls,TLSB}],
        TLSReuse = [{tls_ctrl_session_reuse,true}|TLS],
        PASSIVE = [{mode,passive}],
        ExtraOpts = [{verbose,true}],

        %% Try to connect. ftp:open/2 takes the host name only; the port
        %% defaults to 21 (pass {port, N} in the options to change it).
        ftp:open("localhost", TLSReuse ++ PASSIVE ++ ExtraOpts).

    vsftpd_tls() ->
        %% Workaround for interoperability issues with vsftpd =< 3.0.2:
        %%
        %% vsftpd =< 3.0.2 does not support ECDHE ciphers and the ssl application
        %% removed ciphers with RSA key exchange from its default cipher list.
        %% To allow interoperability with old versions of vsftpd, cipher suites
        %% with RSA key exchange are appended to the default cipher list.
        All = ssl:cipher_suites(all, 'tlsv1.2'),
        Default = ssl:cipher_suites(default, 'tlsv1.2'),
        RSASuites =
            ssl:filter_cipher_suites(All, [{key_exchange, fun(rsa) -> true;
                                                             (_) -> false end}]),
        Suites = ssl:append_cipher_suites(RSASuites, Default),
        [
            {ciphers,Suites},
            %% vsftpd =< 3.0.3 gets upset with anything later than tlsv1.2
            {versions,['tlsv1.2']}
        ].

Thanks! I have checked it and it seems that there is a problem in the OTP ftp application.

The test set does seem to cover all cases, but in the vsftp conf the session reuse is explicitly turned off, so that feature is not tested:


Just tested on OTP 24, and there it works.

So this seems to be a problem in OTP 22.3 (which I have to use for this application).


It is nice you have found the solution. :dizzy:


There are actually two different ways that FTP can support TLS connections, and I am afraid the one you want to use was not supported before OTP-24. So either you need to backport the ftp and ssl (also possibly public_key and crypto) from OTP-24 or you need to convince the application to upgrade OTP.


Indeed, I just hope (fingers crossed) that the production FTP server has the magic require_ssl_reuse configuration, and otherwise I foresee some application porting :slight_smile:

(Which needs to be done at some point anyway.)

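
An added example, not part of any post in this thread and not OTP code: a small Erlang module that reads an `ftp` verbose transcript like the one in the question and reports when the server refused the protected data connection because the client did not reuse the control channel's TLS session. The module and function names are hypothetical, the sample lines are taken from the question's log with the PBSZ and login exchange omitted, and the OTP 24 threshold is the one stated in the thread.

```erlang
-module(ftps_reuse_check).
-export([diagnose/1, otp_supports_reuse/0, sample_log/0]).

%% Sample input: verbose lines from the question (PBSZ and login omitted).
sample_log() ->
    ["Receiving: 220 (vsFTPd 3.0.3)",
     "Sending: AUTH TLS",
     "Receiving: 234 Proceed with negotiation.",
     "Sending: PROT P",
     "Receiving: 200 PROT now Private.",
     "Sending: PASV",
     "Receiving: 227 Entering Passive Mode (192,168,1,124,22,116).",
     "Sending: LIST",
     "Receiving: 150 Here comes the directory listing.",
     "Receiving: 522 SSL connection failed: session reuse required"].

%% Walk the transcript, tracking the last command sent and whether the
%% control channel (AUTH TLS) and data channel (PROT P) were put under TLS.
diagnose(Lines) ->
    diagnose(Lines, none, #{ctrl_tls => false, prot_p => false}).

diagnose([], _Last, State) ->
    {ok, State};
diagnose(["Sending: " ++ Cmd | Rest], _Last, State) ->
    diagnose(Rest, Cmd, State);
diagnose(["Receiving: " ++ Reply | Rest], Last, State) ->
    case {Last, Reply} of
        {"AUTH TLS", "234" ++ _} ->
            diagnose(Rest, Last, State#{ctrl_tls := true});
        {"PROT P", "200" ++ _} ->
            diagnose(Rest, Last, State#{prot_p := true});
        {_, "522" ++ Text} ->
            %% Only the reply text seen in the question's log is classified.
            case string:find(Text, "session reuse required") of
                nomatch -> {error, {other_522, Last, Reply}};
                _Found -> {error, {session_reuse_required, Last, State}}
            end;
        _Other ->
            diagnose(Rest, Last, State)
    end;
diagnose([_Unparsed | Rest], Last, State) ->
    diagnose(Rest, Last, State).

%% Assumption taken from the thread: the OTP ftp client handles this from OTP 24.
otp_supports_reuse() ->
    list_to_integer(erlang:system_info(otp_release)) >= 24.
```

A `session_reuse_required` result with both `ctrl_tls` and `prot_p` set to `true` means that authentication and the control channel are fine and only the data channel's TLS handshake was rejected, which is the case the thread attributes to the OTP release rather than to the cipher or version options.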