SSLSocketImpl.startHandshake() throws SSLHanshakeException/EOFException when resuming cached sessions

Question

Using Apache FTPSClient to listFiles(String)....

The aplication crashes sometimes after resuming an SSL Session and then calling sslSocketImpl.startHandshake() from the Apache FTPSClient code.

I set javax.net.debug to print the ssl information... System.setProperty("javax.net.debug", "all");

And this is what I get.

%% Client cached [Session-3, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
%% Try resuming [Session-3, SSL_RSA_WITH_3DES_EDE_CBC_SHA] from port 4149
*** ClientHello, TLSv1
....
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28                               ......(
main, called closeSocket()
[Mon Aug 30 17:41:52 PDT 2010][class com.smgtec.sff.fileupload.poller.BasicFTPAccess] - Could not list directory: sqjavax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
 at com.smgtec.sff.fileupload.poller.FixedFTPSClient._openDataConnection_(FixedFTPSClient.java:525)
 at org.apache.commons.net.ftp.FTPClient.initiateListParsing(FTPClient.java:2296)
 at org.apache.commons.net.ftp.FTPClient.initiateListParsing(FTPClient.java:2269)

Padded plaintext before ENCRYPTION:  len = 32
0000: 50 41  at org.apache.commons.net.ftp.FTPClient.listFiles(FTPClient.java:2046)
 at com.smgtec.sff.fileupload.poller.BasicFTPAccess.listFiles(BasicFTPAccess.java:100)
 at com.smgtec.sff.fileupload.poller.FTPPoller.addFileForProcessing(FTPPoller.java:67)
 at com.smgtec.sff.fileupload.poller.FTPPoller.main(FTPPoller.java:385)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
 at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
 ... 10 more

We also have jscape FTPS client here and it produces the same problem.

Answer 1

I suggest you include some retry logic in your FTPPoller - it looks like the host is closing the connection rather than your code. We used to see occasional connection closed by remote host errors which are best handled by simply retrying.

Answer 2

I solved it like this using SSLSession.invalidate() it seems to work now... although we aren't using FTPS anymore. If this is a true solution there is a problem in Apache commons-net FTPSClient or the FTP Server we are connecting to.

ftp = new FTPSClient() 
      {
        private Socket socket;

        protected Socket _openDataConnection_(int command, String arg) throws IOException
        {
          if (socket != null && socket instanceof SSLSocket)
          {
            // We have problems resuming cached SSL Sessions. Exceptions are
            // thrown and the system crashes... So we invalidate each SSL
            // session we used last.
            SSLSocket sslSocket = (SSLSocket) socket;
            sslSocket.getSession().invalidate();
          }
          socket = super._openDataConnection_(command, arg);
          return socket;
        }
      };

BTW I believe we were connecting to a FileZilla FTP server. I suspect this fix will cause more network chatter passing back and forth keys/certs and so forth.