IBM Power Ideas Portal

Status: Is a defect
Workspace: IBM i
Categories: JAVA
Created by: Guest
Created on: May 8, 2019

SSL session reuse (FTPS)

As a Java client program I want to use SSL session resumption on different ports.

Some FTPS servers can force the client to use session resumption, for example the FileZilla server shown in the screenshot.
In this case the client must take the SSL session of the command channel and reuse it in the data channel on a different port! Java on IBM i only supports session resumption on the same port.

The Oracle Java version has the same problem, but there is a workaround. Basically you can overwrite the port in the session cache with the current data port so it will be reused. Because the IBM Java version is obfuscated (and different), this workaround is not possible.

I see two possible solutions. The first one would be a switch, so I can bind the session to address only. The second one would allow a workaround similar to the workaround on Oracle Java.


Use Case:

We have an FTPS client and our customer wants to transfer data to a FileZilla server. The server forces SSL session resumption.

Our FTPS client is implemented in Java.
Currently we use a QSHELL call to run a CURL command. I mention this because we had to use a CURL version with OpenSSL. The CURL version from yum does not work either.


Idea priority: Medium

  • Guest
    May 27, 2021

    The Java core team rejected the request because it cannot be supported. Suggest opening a PMR to continue the discussion on the ibmi5osjsse component.

  • Guest
    Dec 31, 2020

    You may check the session id value in the 2nd connection's client hello. If it is 0, it means locally a cache entry was not found that we thought was a match for the peer. If it matches the session id sent by the server on the 1st connection, then the server is rejecting the 2nd session for some other reason. If not 0 and not a match to the 1st connection value from the server, then other connections are at play in their process. A comm trace and Wireshark would be used to analyze the session id value on all of the connections to the FTP server.
    If there are multiple contexts with different attributes for each of the connections, then the session cache entry from 1st would not be available to 2nd. That would be an unusual configuration.
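
The session-id comparison this comment describes, as an added example that is not part of the thread or any IBM code: it reads the session_id field from the first connection's ServerHello and the second connection's ClientHello and applies the three cases. It assumes TLS 1.2 session-ID resumption, each hello in a single unfragmented record, and that "is 0" means a zero-length session_id; the function names, result labels and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2

def hello_session_id(record: bytes, expected_type: int) -> bytes:
    """Extract session_id from one TLS record holding a Client/ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != HANDSHAKE or len(body) != rec_len or rec_len < 39:
        raise ValueError("not a complete handshake record")
    if body[0] != expected_type:
        raise ValueError(f"unexpected handshake type {body[0]}")
    # Handshake header (4) + version (2) + random (32) precede the length byte.
    sid_len = body[38]
    if sid_len > 32 or 39 + sid_len > len(body):
        raise ValueError("bad session_id length")
    return body[39:39 + sid_len]

def diagnose(first_server_hello: bytes, second_client_hello: bytes) -> str:
    """Compare the control-channel ServerHello with the data-channel ClientHello."""
    issued = hello_session_id(first_server_hello, SERVER_HELLO)
    offered = hello_session_id(second_client_hello, CLIENT_HELLO)
    if not offered:
        return "NO_CACHE_ENTRY"           # client found nothing to resume
    if offered == issued:
        return "OFFERED_CONTROL_SESSION"  # a refusal has some other cause
    return "OFFERED_OTHER_SESSION"        # other connections are at play

def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Constructed sample data: a minimal hello record, not a real capture."""
    tail = b"\x00\x02\x00\x9c\x01\x00" if msg_type == CLIENT_HELLO else b"\x00\x9c\x00"
    hello = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake

CONTROL_SID = bytes(range(32))      # constructed session id (control channel)
OTHER_SID = bytes(range(32, 64))    # constructed session id (unrelated session)

if __name__ == "__main__":
    server_hello = build_hello(SERVER_HELLO, CONTROL_SID)
    for sid in (b"", CONTROL_SID, OTHER_SID):
        print(diagnose(server_hello, build_hello(CLIENT_HELLO, sid)))
```
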

  • Guest
    Sep 30, 2020

    My first test did not access SSLSessionContext and had no NullPointerException. The FTP server disconnected, because it was a different connection.

    The problem in our scenario is that we have two connections with two different ports. The server expects the TLS session from the first connection (control port) to be resumed for file transfer (data port).
    In Oracle Java the TLS session is bound to a specific port, but can be modified by changing the SSLSessionContext. It seems that IBM Java also binds the TLS session to a specific port? Therefore the request to provide a way (for clients) to continue the TLS session on other ports. Or to provide a workaround similar to Oracle Java.

  • Guest
    Sep 23, 2020

    Does the latest comment work for the scenario? Please let us know your test result. Thanks.

  • Guest
    Aug 3, 2020

    Thanks for the feedback!
    com.ibm.i5os.jsse.JSSEProvider, which is built on System TLS, doesn't expose session cache information to Java in the SSLSessionContext. Comment out the call to getSessionContext that returns NullPointerException and any other SSLSessionContext related calls that fail with NullPointerException. System TLS will use the cached session (Session Reuse) for the second connection based on the available System TLS session cache entries.

  • Guest
    Jul 27, 2020

    Thanks for your answer.
    Unfortunately com.ibm.i5os.jsse.JSSEProvider throws a NullPointerException. In my first test I received the same FTP server error, because it is a different SSL connection.
    In my second test I tried to implement the workaround for Oracle Java. The provider does not return an SSLSessionContext from the SSLSession. It returns null. The Javadoc mentions that not all environments support this method: "This context may be unavailable in some environments, in which case this method returns null."

    I started to test every registered provider, but they do not support TLSv1.2.

    Changing the provider did not help in our scenario.

  • Guest
    Jun 24, 2020

    Please let us know if changing the JSSEProvider worked for your scenario.

  • Guest
    Jun 19, 2020

    There are two implementations of JSSE in Java on i. Refer to /jre/lib/security/java.security. By default, the first provider com.ibm.jsse2.IBMJSSEProvider2 is selected. Try to switch to com.ibm.i5os.jsse.JSSEProvider to see whether it works for your scenario.

  • Guest
    May 5, 2020

    This topic requires discussion.

  • Guest
    May 8, 2019

    Attachment (Description): The session resumption option in FileZilla server