Topic: SSL Session Reuse

I am asking if I can use the C++ or even the C# library for "session reuse".

Some background:
A customer is use SFTP, that old protocol on port 990.  I don't have any control over them, so I have to deal with it.

I already have an FTPES client in C#. I adapted it for this with little problem.  It is using the MS SslStream object.

To internal testing, until I can get to the customer server, I installed FileZilla server.

I am getting a failure "450 TLS session of data connection has not resumed or the session does not match the control connection"
(This is to prevent another attacker connecting to the data port and hijacking to connection...  I actually wonder why such a requirement is not part of FTPES as well)

I can eliminate the failure by un-checking the requirement.  But I have no control over what setting the customer is using.

(Apparently there is no way to put an image into this post... :-(  )

So, I can find zero support for "session reuse in the C# SslStream object, except that Microsoft claims it already does it.  I guess it will not reuse the session if the previous one (in this case the control port) is still open.

So, in summary, my question is:
Is there a way to tell the WolfSSL library in C++ or C# that when it opens a new connection it should reuse a session?
If so, how?


Post's attachments

Session.jpg 83.4 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.
<Code shown is not to scale>


Re: SSL Session Reuse

Hi Scotty2541,

There are a few types of session resumption.
1. Session cache on the server side, client uses a session id to determine which resumption. This requires server to store / cache session information.
2. Session tickets where server encrypts blob that client retains and presents it in the TLS session ticket extension. This one uses no resources on the TLS server.

For session ID its on by default unless "NO_SESSION_CACHE" is set. To use it here is an example.

/* Do TLS connect, read and write. */
/* Before shutdown or socket close call... */
WOLFSSL_SESSION* session = wolfSSL_get_session(ssl);

/* On next connect set the session before the TLS connect (wolfSSL_connect). */
wolfSSL_set_session(ssl, session);

For Session Tickets you must enable and optionally set a callback:

static int sessionTicketCB(WOLFSSL* ssl,
                    const unsigned char* ticket, int ticketSz,
                    void* ctx)
    printf("Session Ticket CB: ticketSz = %d, ctx = %s\n", ticketSz, (char*)ctx);
    return 0;

wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");

Here is an example for TLS client resumption: … s-resume.c

David Garske, wolfSSL