Using Apache Commons-Net FTPSClient to connect to a modern FTP / S server does not work. The reason is that they require reusing an SSL session, that is, the SSL session from the control connection must be reused to connect to the data.
This can usually be deactivated on the server, but it
- unsafe
- not always an option (since the server may not be under your control)
The correct solution would be to force the client to actually reuse the sessions. There is an open bug in Commons-Net, but it doesn't look like it will be resolved any time soon.
In addition, there is a โreflex hackโ that was created by the authors of Cyberduck (FTP client application), which is described in their bugtracker and, in more detail, in the message. There is also an article related to this, https://stackoverflow.com/a/1673333/ ... describing this solution. They use reflection to access the internal SSLSessionContext cache of the SSLSessionContext and introduce a new entry.
This hack worked fine until JDK 8u161 and 9.0.4 (?), Where some changes to SSL described in changelog were made. Apparently, some implementation details changed, which made the hack no longer work.
As far as I can tell, there are now the following options:
- Stay on the JDK 8u152 either until someone finds a solution / apache -commons-net gets a fix / the JDK changes fail (in fact, this is not an option, as this will disable production systems from security updates)
- Use another FTPS client (the only alternative I can find is proprietary and quite expensive).
- Try rebuilding the changes to the
SSLSessionContext implementation to find a new workaround. Not only does this look like a non-trivial task - the solution is likely to be hacked again and thus can break again at any time. - Do not use FTP / S anymore
Can anyone suggest how to move here?
Related links:
java ftp ftps apache-commons-net
David
source share