How to enable TLS session resumption of data connection with TIdFTP?
I am using Indy 10.6.2.0 that's shipped with Delphi 11.2 Embarcadero® RAD Studio 11 Version 28.0.46141.0937
Edit 2023-04-12T06:41:35.496Z
implementation

uses
  IdFTP, IdSSLOpenSSL, IdExplicitTLSClientServerBase, IdFTPCommon;

procedure DoSomething;
var
  ftp: TIdFTP;
  ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  ftp := TIdFTP.Create;
  try
    // the IOHandler is owned by the TIdFTP, so it is freed together with it
    ssl := TIdSSLIOHandlerSocketOpenSSL.Create(ftp);
    ssl.SSLOptions.SSLVersions := [sslvTLSv1_2];
    ftp.IOHandler := ssl;
    ftp.Host := 'myhost';
    ftp.Port := 21;
    ftp.Username := 'myuser';
    ftp.Password := 'mytopsecretpassword';
    ftp.Passive := True;
    // explicit FTPS: plain connection on port 21, upgraded with AUTH TLS
    ftp.UseTLS := utUseExplicitTLS;
    ftp.AUTHCmd := tAuthTLS;
    // PROT P: data connections are TLS-protected as well
    ftp.DataPortProtection := ftpdpsPrivate;
    ftp.Connect;
    if ftp.Connected then begin
      ftp.Put('C:\temp\test1.dat', 'test1.dat');
      ftp.Put('C:\temp\test2.dat', 'test2.dat');
    end;
    ftp.Disconnect;
  finally
    ftp.Free;
  end;
end;
I still get the message:
---------------------------
Ftpssessionresumption
---------------------------
Unable to build data connection: TLS session of data connection not resumed.
---------------------------
OK
---------------------------
This is the log from FileZilla Server:
<Date> Info [Type] Message
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Response] 220-FileZilla Server 1.6.7
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Response] 220-Please visit https://filezilla-project.org/
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] HOST myhost
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Response] 500 Wrong command.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] AUTH TLS
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Response] 234 Using authentication type TLS.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] USER myuser
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Response] 331 Please, specify the password.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] PASS ****
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 230 Login successful.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] FEAT
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 211-Features:
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 211 End
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] OPTS UTF8 ON
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 202 UTF8 mode is always enabled. No need to send this command
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] TYPE A
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 200 Type set to A
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] SYST
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 215 UNIX emulated by FileZilla.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] TYPE A
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 200 Type set to A
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] PBSZ 0
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 200 PBSZ=0
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] PROT P
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 200 Protection level set to P
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] PASV
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 227 Entering Passive Mode (192,168,10,24,198,132)
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] STOR test1.dat
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 150 About to start data transfer.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Error] TLS session of data connection not resumed.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 425 Unable to build data connection: TLS session of data connection not resumed.
<12-04-2023 08:35:13> FTP Server [Status] Session 1438 ended gracefully.
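FileZilla Server refuses a data connection whose TLS session was not resumed from the control connection, because resumption is what ties the (otherwise anonymous) data channel to the client that authenticated on the control channel. The following is an added example, not code from the question, the answer or from Indy: a small parser for the FileZilla Server log format shown above that reports every refused transfer together with the session, client, user and the command that was being attempted. The log text embedded in it is constructed: session 1438 is copied from the lines above, session 1439 is an invented clean transfer added for contrast.

```python
import re
from collections import Counter

# Constructed sample: session 1438 is taken from the FileZilla Server log in the
# question; session 1439 is an invented successful transfer for contrast.
SAMPLE_LOG = """\
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] AUTH TLS
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Response] 234 Using authentication type TLS.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] USER myuser
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 [Command] PASS ****
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 230 Login successful.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] PROT P
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] PASV
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Command] STOR test1.dat
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Error] TLS session of data connection not resumed.
<12-04-2023 08:35:05> FTP Session 1438 192.168.10.82 myuser [Response] 425 Unable to build data connection: TLS session of data connection not resumed.
<12-04-2023 08:35:13> FTP Server [Status] Session 1438 ended gracefully.
<12-04-2023 08:40:00> FTP Session 1439 192.168.10.90 [Command] AUTH TLS
<12-04-2023 08:40:00> FTP Session 1439 192.168.10.90 [Command] USER otheruser
<12-04-2023 08:40:00> FTP Session 1439 192.168.10.90 otheruser [Command] STOR ok.dat
<12-04-2023 08:40:01> FTP Session 1439 192.168.10.90 otheruser [Response] 226 Operation successful
"""

# One "FTP Session" line:  <timestamp> FTP Session <id> <client ip> [<user>] [<kind>] <message>
# The user name only appears after a successful login, so it is optional.
SESSION_LINE = re.compile(
    r"^<(?P<ts>[^>]+)> FTP Session (?P<sid>\d+) (?P<ip>\S+)"
    r"(?: (?P<user>[^\s\[]+))? \[(?P<kind>\w+)\] (?P<msg>.*)$"
)

NOT_RESUMED = "TLS session of data connection not resumed"


def parse_session_lines(log_text):
    """Yield one dict per 'FTP Session' line; 'FTP Server' status lines are skipped."""
    for raw in log_text.splitlines():
        m = SESSION_LINE.match(raw.strip())
        if m:
            yield m.groupdict()


def find_unresumed_data_connections(log_text):
    """Return one finding per [Error] line reporting an unresumed data-connection TLS session.

    A finding records the session, client address and user, the last command the
    client sent before the error (the transfer that was refused) and whether the
    client had requested a protected data channel (PROT P) earlier in the session.
    """
    last_command = {}   # session id -> most recent [Command] text
    prot_p = set()      # session ids that sent PROT P
    findings = []
    for rec in parse_session_lines(log_text):
        sid = rec["sid"]
        if rec["kind"] == "Command":
            last_command[sid] = rec["msg"]
            if rec["msg"].strip().upper() == "PROT P":
                prot_p.add(sid)
        elif rec["kind"] == "Error" and NOT_RESUMED in rec["msg"]:
            findings.append({
                "time": rec["ts"],
                "session": sid,
                "client": rec["ip"],
                "user": rec["user"],
                "command": last_command.get(sid),
                "prot_p": sid in prot_p,
            })
    return findings


def failures_by_client(log_text):
    """Count unresumed-data-connection errors per client address, most frequent first."""
    counts = Counter(f["client"] for f in find_unresumed_data_connections(log_text))
    return counts.most_common()


if __name__ == "__main__":
    for f in find_unresumed_data_connections(SAMPLE_LOG):
        print(f"{f['time']} session {f['session']} {f['client']} user={f['user']} "
              f"refused '{f['command']}' (PROT P requested: {f['prot_p']})")
    print(failures_by_client(SAMPLE_LOG))
```

Run over a real FileZilla Server log, a single client address that keeps producing these errors is almost always a client library that does not resume the control connection's TLS session on its data connections (as with the Indy client in the question), which is worth distinguishing from a transfer that failed for network reasons.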
Indy does not natively support resuming of TLS sessions at this time (see this ticket).
However, if:
- TIdFTP.DataPortProtection is set to ftpdpsPrivate
- TIdFTP.Passive is True (but not False!)
Then TIdSSLIOHandlerSocketOpenSSL should copy the TLS session ID of the command connection into each new data connection TLS session. That is the closest Indy comes to resuming sessions.
If you want to try enabling session reuse manually, you can use the TIdFTP.OnDataChannelCreate and TIdFTP.OnDataChannelDestroy events to access the TIdSSLIOHandlerSocketOpenSSL object of the current data connection. You will have to invoke the relevant OpenSSL session APIs to get the session ID from an old data connection and apply it to a new data connection.
You can use SSL_SESSION_get_id() to get the current ID of a TLS session (wrapped by TIdSSLIOHandlerSocketOpenSSL.SSLSocket.GetSessionID()). However, TIdSSLIOHandlerSocketOpenSSL only supports up to OpenSSL 1.0.2, but SSL_SESSION_set1_id() was not added until OpenSSL 1.1.0. The above scenario uses SSL_copy_session_id() instead to copy a session ID from one TLS session to another, so that would not work to copy a session ID from one data connection to another, since there is only 1 data connection active at a time.