Using Apache Commons-Net's FTPSClient to connect to a modern FTP/S server does not work. The reason is that they require SSL session reuse, i.e. the SSL session from the control connection needs to be re-used for the data connection.
This can usually be deactivated in the server, but that is
The correct solution would be to make the client actually re-use sessions. There is an open bug for Commons-Net but it does not look like that is going to be resolved any time soon.
Also, there is a "reflection hack" that was created by the authors of Cyberduck (an FTP client application) which is described in their bugtracker and, more in-depth, in a blog post. There is also a related post on StackOverflow describing this solution. They use reflection to access the internal cache of the JDK's SSLSessionContext and inject a new entry.
This hack worked fine until JDK 8u161 and 9.0.4 (?) where some changes to SSL were introduced that are described in the changelog. Apparently, some implementation details have changed causing the hack to not work any more.
As far as I can tell, there are the following options now:
SSLSessionContext implementation to find a new workaround. Not only does this seem like a non-trivial task - a solution would likely be hacky again and is thus likely to break again any time.Can anyone suggest how to proceed here?
Related links:
A possible solution is described here.
Essentially, it is reverting changed behavior from JDK8u161 to the way this worked before. You need to set the system property
jdk.tls.useExtendedMasterSecret
to false to do that.
There are two ways:
System.setProperty("jdk.tls.useExtendedMasterSecret", "false"); before initiating the FTP/S connectionjava -Djdk.tls.useExtendedMasterSecret=false [...]Keep in mind that this solution disables a security enhancement JVM-wide - proceed with caution.