TLS/SSL session resume on FTP transfer connection with OpenSSL


Question

I'm an open source developer implementing an FTP client (WinSCP).

I'm trying to resume the TLS/SSL session from the FTP control socket on the transfer socket. Some FTP servers started to require this.

For example, vsftpd:
https://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html

I'm using OpenSSL to implement the SSL layer.

I've tried the obvious way to implement the session resume, i.e. to use SSL_get1_session and SSL_set_session, like here:
https://www.linuxjournal.com/article/5487

Though it does not work. I'm still not able to connect to any FTP server requiring TLS session resume (like vsftpd).

I suspect that the problem may be due to the fact that in my case there are two parallel TLS connections, which cannot share the same TLS session. This is different from the example on linuxjournal.com, where the first connection is closed before the other is opened.

I have also tried several ways to clone the session, e.g. using i2d_SSL_SESSION/d2i_SSL_SESSION. That didn't help either.

I'm really stuck here.

Thanks in advance for any help.

Answer

Using SSL_get1_session and SSL_set_session worked in the end. I must have used them incorrectly when trying the first time.

  • Retrieve the session using SSL_get1_session once the TLS/SSL session on the control connection is established.
    • I specifically do it from a callback set by SSL_set_info_callback, when where & SSL_ST_CONNECT.
    • But for TLS 1.3 (SSL_version >= TLS1_3_VERSION), I had to use SSL_CTX_set_session_cache_mode with SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE | SSL_SESS_CACHE_NO_AUTO_CLEAR, and use a callback set by SSL_CTX_sess_set_new_cb.
  • Call SSL_set_session with the reference to the control connection session when setting up the TLS/SSL session for the data connection.
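The following is an added, self-contained example (not code from the question, the answer, or WinSCP) that reproduces the pattern the answer describes: a control connection does a full handshake, its session is fetched with SSL_get1_session, and a data connection opened while the control connection is still up resumes that session via SSL_set_session. It uses Python's ssl module, which wraps exactly those two OpenSSL calls (SSLSocket.session and the session= argument of wrap_socket), so the asker's doubt about two parallel connections sharing one session can be checked directly. It assumes the openssl command-line tool is available to mint a throwaway localhost certificate; the server, banner and certificate are all constructed locally. TLS is pinned to 1.2 because the TLS 1.3 path the answer mentions (tickets delivered after the handshake, collected through SSL_CTX_sess_set_new_cb) is not exposed by Python's ssl module.

```python
"""Added example: TLS session resumption across two parallel connections.

Models the FTP case from the question: a long-lived control connection whose
TLS session is reused by a data connection opened while the control
connection is still open. Python's ssl module maps onto the OpenSSL calls the
answer names: SSLSocket.session is SSL_get1_session, and the session=
argument of wrap_socket is SSL_set_session. Everything here is constructed
locally; no real FTP server is involved.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

GREETING = b"220 constructed test server ready\r\n"  # FTP-style banner (constructed)


def make_self_signed_cert(directory):
    """Create a throwaway key/cert for 'localhost' with the openssl CLI (assumed present)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True,
    )
    return cert, key


def serve(server_ctx, listener, count, held):
    """Accept `count` TLS connections, greet each one, and keep them all open,
    the way an FTP server holds control and data connections at once.
    Accepted sockets are parked in `held` so the caller can close them."""
    for _ in range(count):
        conn, _ = listener.accept()
        tls = server_ctx.wrap_socket(conn, server_side=True)  # handshake happens here
        tls.sendall(GREETING)
        held.append(tls)


def demo_resumption():
    """Open a control connection, then a data connection that resumes its session.

    Returns client-side facts: whether each handshake was a resumption and
    which protocol version was negotiated on the data connection."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)

        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.create_default_context(cafile=cert)
        # Pin TLS 1.2: with TLS 1.3 the session arrives in a ticket after the
        # handshake (the SSL_CTX_sess_set_new_cb case in the answer), and Python's
        # ssl module does not expose that path, so SSLSocket.session is only
        # dependable on TLS 1.2.
        for ctx in (server_ctx, client_ctx):
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        held = []
        server = threading.Thread(target=serve, args=(server_ctx, listener, 2, held), daemon=True)
        server.start()

        # 1. Control connection: full handshake, then SSL_get1_session.
        control = client_ctx.wrap_socket(socket.create_connection(("127.0.0.1", port)),
                                         server_hostname="localhost")
        control.recv(64)                   # read the banner
        control_session = control.session  # SSL_get1_session on the control connection

        # 2. Data connection, opened while the control connection is still open:
        #    SSL_set_session with the control session before the handshake.
        data = client_ctx.wrap_socket(socket.create_connection(("127.0.0.1", port)),
                                      server_hostname="localhost",
                                      session=control_session)
        data.recv(64)

        result = {
            "control_reused": control.session_reused,  # first handshake: full, not resumed
            "data_reused": data.session_reused,        # second handshake: resumed
            "data_version": data.version(),
        }
        data.close()
        control.close()
        server.join(timeout=5)
        for s in held:
            s.close()
        listener.close()
        return result


if __name__ == "__main__":
    print(demo_resumption())
```

The control connection stays open for the whole run, so a data_reused value of True shows that OpenSSL has no problem resuming a session that another, still-live connection established; the difference from the linuxjournal.com example (close, then reconnect) is not what makes resumption work or fail.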
