This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
email@example.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
Java core team reject the request as can not support. Suggest to open PMR to continue the discussion on ibmi5osjsse component.
You may check session id value in the 2nd connection's client hello. If it is 0, it means locally a cache entry was not found that we thought was a match for the peer. If it matches the session id sent by the server on the 1st connection, then the server is rejecting 2nd session for some other reason. If not 0 and not a match to 1st connection value from server, then other connections are at play in their process. Comm trace and wireshark would be used to analyze the session id value on all of the connections to the FTP server.
If there are multiple contexts with different attributes for each of the connections, then the session cache entry from 1st would not be available to 2nd. That would be an unusual configuration.
My first test did not access SSLSessionContext and had no NullPointerException. The FTP server disconnected, because it was a different connection.
The problem in our scenario is that we have two connections with two different ports. The server expects the TLS session from the first connection (control port) to be resumed for file transfer (data port).
In Oracle Java the TLS session is bound to a specific port, but can be modified by changing the SSLSessionContext. It seems that IBM Java also binds the TLS session to a specific port? Therefore the request to provide a way (for clients) to continue the TLS session on other ports. Or to provide a workaround similar to Oracle Java.
Does latest comment work for the scenario? Please let us know your test result. Thanks.
Thanks for feedback!
com.ibm.i5os.jsse.JSSEProvider, which is built on System TLS, doesn't expose session cache information to Java in the SSLSessionContext. Comment out the call to getSessionContext that returns NullPointerException and any other SSLSessionContext related calls that fail with NullPointerException. System TLS will use the cached session (Session Reuse) for the second connection based on the available System TLS session cache entries.
Thanks for your answer.
Unfortunately com.ibm.i5os.jsse.JSSEProvider throws a NullPointerException. In my first test I received the same FTP server error, because it is a different SSL connection.
In my second test I tried to implement the workaround for Oracle Java. The provider does not return a SSLSessionContext from the SSLSession. It returns null. The Javadoc mentions that not all environments support this method: "This context may be unavailable in some environments, in which case this method returns null."
I started to test every registered provider, but they do not support TLSv1.2.
Changing the provider did not help in our scenario.
Please let us know if changing the JSSEProvider worked for your scenario.
There are two implementations of JSSE in Java on i. Refer to /jre/lib/security/java.security. By default, the first provider com.ibm.jsse2.IBMJSSEProvider2 is selected. Try to switch to com.ibm.i5os.jsse.JSSEProvider to see whether it works for your scenario.
This topic requires discussion.
Attachment (Description): The session resumption option in FileZilla server