+1 vote

Hi all,

Today, I got this error while connecting to FTPS server, probably due to a Windows update...

I can't see how to correct this...
Please note that I use the latest version of Ftp.dll...

Thank you for your quick help!!

by (250 points)

1 Answer

0 votes

In FTP protocol, data connection does not directly authenticate the client.
Client uses control connection to authenticate, then it establishes data connection using PASV command followed by the STOR (upload) or RETR (download) command.
The server opens a port and waits for the client to connect to it and upload/download files.

An attacker could figure out the port the server listens to, connect to it before the client, and upload a piece of malware.

TLS session resumption prevents this. It acts as a form of authentication. If the TLS session of the data connection matches the session of the control connection, both the client and the server have the guarantee that the data connection is genuine. Any mismatch in sessions indicates a potential attack.

Ftp.dll uses .NET's SslStream and it supports session resumption.

  1. Make sure you are using TLS 1.2,
  2. Make sure you are using the latest Ftp.dll and OS versions,
  3. If it was a one-time thing, ignore it,
  4. Usually servers allow disabling TLS session resumption - but this is not recommended.

[Edit]

It looks like one of the recent Windows updates disabled/broke session resumption/session tickets.

The offending update is KB4517389 (uninstalling it resolves this issue):
https://support.microsoft.com/en-us/help/4517389/windows-10-update-kb4517389


[Edit #2]

More details can be found in this article:
https://www.limilabs.com/blog/ftp-tls-encrypted-data-connections-fail-ems

by (301k points)
edited by
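To make the check described in the answer concrete, here is an added Python model. It is not Ftp.dll's code (Ftp.dll is .NET and sits on SslStream); the TlsSession objects, the simulated FtpsServer and the transfer helper are constructed for illustration, and the only thing taken from the thread is the error text. It shows why a genuine PASV transfer passes, and which conditions (server or client stack not resuming the control session, or the data connection carrying some other session) produce exactly the error reported above.

```python
"""Model of the FTPS data-connection check described in the answer above.

Constructed example, not Ftp.dll or .NET SslStream code: TLS sessions are
plain objects and handshakes are simulated, so it runs offline and only
demonstrates the logic of the check.
"""
from dataclasses import dataclass
import secrets

# Error text quoted from this thread; raised when the check fails.
ERROR_MESSAGE = ("TLS session of data connection has not resumed "
                 "or the session does not match the control connection")


@dataclass(frozen=True)
class TlsSession:
    session_id: bytes   # identity of the negotiated session (session ID or ticket)
    resumed: bool       # True when the handshake was abbreviated (session resumed)


class FtpsServer:
    """Simulated server (hypothetical): a full handshake issues a fresh session;
    when resumption is enabled, offering an ID it issued earlier resumes that session."""

    def __init__(self, resumption_enabled=True):
        self.resumption_enabled = resumption_enabled
        self._issued = set()

    def handshake(self, offered_session_id=None):
        if self.resumption_enabled and offered_session_id in self._issued:
            return TlsSession(offered_session_id, resumed=True)
        sid = secrets.token_bytes(32)          # full handshake: fresh session
        self._issued.add(sid)
        return TlsSession(sid, resumed=False)


def verify_data_session(control, data, require_resumption=True):
    """Client-side check from the answer: the data connection must have resumed
    the control connection's TLS session. Returns True or raises ConnectionError.
    require_resumption=False models the "not recommended" option of switching
    the check off."""
    if not require_resumption:
        return True
    if not data.resumed or data.session_id != control.session_id:
        raise ConnectionError(ERROR_MESSAGE)
    return True


def transfer(server, offer="control", require_resumption=True):
    """One PASV transfer: authenticate on the control connection (full handshake),
    then open the data connection and run the check.
    offer: "control" offers the control session for resumption, None offers
    nothing (a client stack that does not resume), or bytes for another session ID.
    Returns "ok" or the error message."""
    control = server.handshake()               # AUTH TLS, USER, PASS on the control channel
    offered = control.session_id if offer == "control" else offer
    data = server.handshake(offered)           # handshake on the PASV data port
    try:
        verify_data_session(control, data, require_resumption)
        return "ok"
    except ConnectionError as exc:
        return str(exc)


if __name__ == "__main__":
    print("genuine transfer:          ", transfer(FtpsServer()))
    print("server resumption disabled:", transfer(FtpsServer(resumption_enabled=False)))
    print("client does not resume:    ", transfer(FtpsServer(), offer=None))
    print("check switched off:        ",
          transfer(FtpsServer(resumption_enabled=False), require_resumption=False))
```

The last scenario is the workaround mentioned later in this thread: with the check switched off the transfer "works", but the client then has no way to tell a genuine data connection from one opened by someone else on the PASV port, which is why the answer calls it not recommended.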
Thank you for your quick reply.

The thing is that it worked very well for many months and it crashed yesterday on 3 different workstations relying on 2 different FTPS servers.

1. Yes, TLS1.2 is forced:
vFtp.SSLConfiguration.EnabledSslProtocols = Security.Authentication.SslProtocols.Tls12

2. I use Ftp.dll v.2.0.16114.926. I've tried the trial version of v.2.0.19002.942 with the same results. The problem occurs on Win7 and Win10 workstations.

3. It doesn't seem that it's a one-time thing...

4. I've asked one of the server admins to disable TLS session resumption. With no result, it seems... I will continue to investigate with him...

You said that Ftp.dll uses .NET's SslStream. Maybe a Windows update is the source of the problem?

Thanks !
By the way, disabling TLS session resumption works now...

But could you confirm the reason for the problem?
(Windows Update as I guess...)

thanks
I did some tests on Windows 10 with and without latest updates, and I started getting exactly the same error: 'TLS session of data connection has not resumed or the session does not match the control connection' - windows update is the problem here.
It looks like the offending update is KB4517389 - uninstalling it resolved this issue.
Thank you very much for your feedback
...