Skip to Main Content
IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Is a defect
Workspace IBM i
Categories JAVA
Created by Guest
Created on May 8, 2019

SSL session reuse (FTPS)

As a Java client program I want to use SSL session resumption on different ports.

Some FTPS servers can force the client to use session resumption. For example FileZilla server shown in screenshot.
In this case the client must take the SSL session of the command channel and reuse it in the data channel on a different port! Java on IBM i only supports session resumption on the same port.

The Oracle Java version has the same problem, but it exists a workaround. Basically you can overwrite the port in session cache with the current data port so it will be reused. Because the IBM Java version is obfuscated (and different), this workaround is not possible.

I see two possible solutions. The first one would be a switch, so I can bind the session to address only. The second one would allow a workaround similar to the workaround on Oracle Java.


Use Case:

We have a FTPS client and our customer wants to transfer data to a FileZilla server. The server forces SSL session resumption.

Our FTPS client is implemented in Java.
Currently we use a QSHELL call to run a CURL command. I mention this because we had to use a CURL version with OpenSSL. The CURL version from yum does not work either.


Idea priority Medium
  • Guest
    Reply
    |
    May 27, 2021

    Java core team reject the request as can not support. Suggest to open PMR to continue the discussion on ibmi5osjsse component.

  • Guest
    Reply
    |
    Dec 31, 2020

    You may check session id value in the 2nd connection's client hello. If it is 0, it means locally a cache entry was not found that we thought was a match for the peer. If it matches the session id sent by the server on the 1st connection, then the server is rejecting 2nd session for some other reason. If not 0 and not a match to 1st connection value from server, then other connections are at play in their process. Comm trace and wireshark would be used to analyze the session id value on all of the connections to the FTP server.
    If there are multiple contexts with different attributes for each of the connections, then the session cache entry from 1st would not be available to 2nd. That would be an unusual configuration.

  • Guest
    Reply
    |
    Sep 30, 2020

    My first test did not access SSLSessionContext and had no NullPointerException. The FTP server disconnected, because it was a different connection.

    The problem in our scenario is that we have two connections with two different ports. The server expects the TLS session from the first connection (control port) to be resumed for file transfer (data port).
    In Oracle Java the TLS session is bound to a specific port, but can be modified by changing the SSLSessionContext. It seems that IBM Java also binds the TLS session to a specific port? Therefore the request to provide a way (for clients) to continue the TLS session on other ports. Or to provide a workaround similar to Oracle Java.

  • Guest
    Reply
    |
    Sep 23, 2020

    Does latest comment work for the scenario? Please let us know your test result. Thanks.

  • Guest
    Reply
    |
    Aug 3, 2020

    Thanks for feedback!
    com.ibm.i5os.jsse.JSSEProvider, which is built on System TLS, doesn't expose session cache information to Java in the SSLSessionContext. Comment out the call to getSessionContext that returns NullPointerException and any other SSLSessionContext related calls that fail with NullPointerException. System TLS will use the cached session (Session Reuse) for the second connection based on the available System TLS session cache entries.

  • Guest
    Reply
    |
    Jul 27, 2020

    Thanks for your answer.
    Unfortunately com.ibm.i5os.jsse.JSSEProvider throws a NullPointerException. In my first test I received the same FTP server error, because it is a different SSL connection.
    In my second test I tried to implement the workaround for Oracle Java. The provider does not return a SSLSessionContext from the SSLSession. It returns null. The Javadoc mentions that not all environments support this method: "This context may be unavailable in some environments, in which case this method returns null."

    I started to test every registered provider, but they do not support TLSv1.2.

    Changing the provider did not help in our scenario.

  • Guest
    Reply
    |
    Jun 24, 2020

    Please let us know if changing the JSSEProvider worked for your scenario.

  • Guest
    Reply
    |
    Jun 19, 2020

    There are two implementations of JSSE in Java on i. Refer to /jre/lib/security/java.security. By default, the first provider com.ibm.jsse2.IBMJSSEProvider2 is selected. Try to switch to com.ibm.i5os.jsse.JSSEProvider to see whether it works for your scenario.

  • Guest
    Reply
    |
    May 5, 2020

    This topic requires discussion.

  • Guest
    Reply
    |
    May 8, 2019

    Attachment (Description): The session resumption option in FileZilla server