FTP TLS session resumption not supported.
Using keepass2android with FTPS (FTP over or with TLS) servers that require TLS session resumption does not work.
This is mainly a security feature and partially a minor performance boost in connection setup.
Any chance this could be added?
Can you specify "do not work"? Do you see a specific error message? KP2A is using FluentFTP, I would need to search for how to resolve this there.
Seems this is a limitation in FluentFTP and their reliance on .NET
Basically, with this limitation, FTPS is insecure. And I'm going to guess using a different FTP backend is not an available option.
https://github.com/robinrodricks/FluentFTP/issues/347 https://github.com/dotnet/runtime/issues/27916
Isn't a new session each time, more secure than reuse? I understand the performance benefits from TLS handshaking.
As far as FTP goes, it doesn't. See, FTP Data channel is not authenticated, so any attacker could connect to this Data port and get access to information. As only the communication via port 21 is authenticated, it is a good idea to use that token for the Data channel as well.
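To make the point above concrete, here is an added illustration (not code from keepass2android or FluentFTP): a small Python ftplib client that resumes the control connection's TLS session on every PROT P data connection, which is exactly the property FileZilla Server's "Require TLS session resumption on data connection" checks for, plus a PASV parser that does what FileZilla Client did in the log further down (keeps the control peer address when the server advertises an unroutable one). The hostname pinkduck.myddns.me comes from this thread; the certificate file, user name and password in the usage sketch are placeholders.

```python
"""Bind the FTPS data channel to the authenticated control channel.

Added illustration, not keepass2android or FluentFTP code. The data connection
is a separate TCP connection that carries no USER/PASS of its own; resuming the
control connection's TLS session is what proves to the server that the same
client opened it.
"""
import ipaddress
import re
import ssl
from ftplib import FTP, FTP_TLS, error_reply

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str, control_peer: str) -> tuple[str, int]:
    """Return (host, port) for a 227 PASV reply.

    If the server advertises a private address (e.g. 192.168.1.71 behind NAT)
    while the control connection goes to a public one, keep the control peer:
    an attacker-controlled address in the 227 reply must not redirect the data
    connection. Python's own ftplib does the same by default since 3.9.
    """
    if not reply.startswith("227"):
        raise error_reply(reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise error_reply(reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise error_reply(reply)
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if ipaddress.ip_address(host).is_private and not ipaddress.ip_address(control_peer).is_private:
        host = control_peer
    return host, port


class BoundFTP_TLS(FTP_TLS):
    """FTP_TLS whose PROT P data connections resume the control TLS session."""

    def ntransfercmd(self, cmd, rest=None):
        # Open the data socket with the plain FTP logic, then wrap it here so the
        # control connection's session object can be handed to the handshake.
        conn, size = FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:
            # With TLS 1.3 the NewSessionTicket arrives after the handshake; it
            # has been read by the time the USER/PASS replies came in, so
            # self.sock.session is populated here.
            conn = self.context.wrap_socket(
                conn, server_hostname=self.host, session=self.sock.session
            )
        return conn, size


def data_channel_is_bound(control: ssl.SSLSocket, data: ssl.SSLSocket) -> bool:
    """Client-side check: same peer address and a resumed, not fresh, TLS session."""
    return bool(data.session_reused) and data.getpeername()[0] == control.getpeername()[0]


if __name__ == "__main__":  # usage sketch; needs a reachable FTPS server
    ctx = ssl.create_default_context()
    ctx.load_verify_locations("server-cert.pem")  # assumed: the server's self-signed cert, pinned
    ftp = BoundFTP_TLS(context=ctx)
    ftp.connect("pinkduck.myddns.me", 21)
    ftp.auth()            # AUTH TLS on the control channel
    ftp.login("user", "password")  # placeholders
    ftp.prot_p()          # PROT P: data channel must be TLS
    print(ftp.nlst("/Passwords"))
    ftp.quit()
```

`parse_pasv` is the only part that runs offline; `data_channel_is_bound` needs two live `SSLSocket`s and reports what the server-side "TLS session of data connection not resumed" error checks from the client's perspective. Note that the stock `FTP_TLS.ntransfercmd` wraps the data socket without the `session=` argument, so it fails against a FileZilla Server with the default resumption requirement for the same reason FluentFTP does.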
I continue to encounter this problem also with open-source FileZilla Server, latest v1.5.1 (min TLS 1.2)
Below are 3 verbose log captures: the 1st from Keepass2Android on local Wi-Fi, the 2nd out/back through the Internet, the 3rd from FileZilla Client, which connects fine either way.
The former, on DB selection, displays "Warning: Server certificate validation failed: RemoteCertificateChainErrors. Install appropriate root certificate on your device or see settings." despite the Applicable Hostnames on the self-signed cert including the local server IP "pinkduck.myddns.me 192.168.1.71".
Keepass2Android log (Android 10 to FileZilla Server 1.5.1, both on local Wi-Fi network) 19/10/2022 14:15:27:991 -- AppSettingsActivity.OnPause 34 19/10/2022 14:15:28:13 -- PasswordActivity.OnStart 33 19/10/2022 14:15:28:15 -- PasswordActivity.OnResume 33 19/10/2022 14:15:28:16 -- DB null 33 19/10/2022 14:15:28:17 -- starting: True, Finishing: False, _performingLoad: False 19/10/2022 14:15:28:18 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:15:28:476 -- AppSettingsActivity.OnStop 34 19/10/2022 14:15:28:479 -- AppSettingsActivity.OnDestroyTrue 34 19/10/2022 14:15:29:158 -- PasswordActivity.OnPause 33 19/10/2022 14:15:29:177 -- SelectCurrentDbActivity 31: OnActivityResult FirstUser/1 19/10/2022 14:15:29:177 -- TryGetFromActivityResult: no data 19/10/2022 14:15:29:192 -- SelectCurrentDbActivity.OnStart 31 19/10/2022 14:15:29:195 -- SelectCurrentDbActivity.OnResume 31 19/10/2022 14:15:29:195 -- DB null 31 19/10/2022 14:15:29:198 -- SelectCurrentDbActivity.OnResume 31 19/10/2022 14:15:29:198 -- DB null 31 19/10/2022 14:15:29:236 -- SelectCurrentDbActivity.OnPause 31 19/10/2022 14:15:29:271 -- FileSelect.OnCreate 19/10/2022 14:15:29:310 -- FileSelect.OnStart 19/10/2022 14:15:29:311 -- FileSelect.OnResume 19/10/2022 14:15:29:334 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:15:29:338 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:15:29:390 -- SelectCurrentDbActivity.OnStop 31 19/10/2022 14:15:29:768 -- PasswordActivity.OnStop 33 19/10/2022 14:15:29:769 -- PasswordActivity.OnDestroyTrue 33 19/10/2022 14:15:31:577 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:15:31:606 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:15:31:609 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:15:31:612 -- FileSelect.OnPause 19/10/2022 14:15:31:632 -- 
PasswordActivity.OnCreate 35 19/10/2022 14:15:31:632 -- PasswordActivity:apptask= 35 19/10/2022 14:15:31:687 -- GetIocFromLaunchIntent() 19/10/2022 14:15:31:688 -- no keyprovider specified 19/10/2022 14:15:31:690 -- Reset keyfile 19/10/2022 14:15:31:691 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:15:31:697 -- PasswordActivity.OnStart 35 19/10/2022 14:15:31:698 -- PasswordActivity.OnResume 35 19/10/2022 14:15:31:699 -- DB null 35 19/10/2022 14:15:31:699 -- starting: True, Finishing: False, _performingLoad: False 19/10/2022 14:15:31:700 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:15:31:702 -- Pre-loading database file starting 19/10/2022 14:15:31:703 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:15:31:704 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx localVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 19/10/2022 14:15:31:705 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx baseVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 19/10/2022 14:15:31:706 -- CFS: OpenWhenNoLocalChanges 19/10/2022 14:15:31:706 -- CFS: hashing cached version 19/10/2022 14:15:31:707 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:15:31:757 -- PasswordModeSpinner item selected: 0 19/10/2022 14:15:31:891 -- found 80 in 81 19/10/2022 14:15:31:893 -- cannot autofill 19/10/2022 14:15:32:174 -- FileSelect.OnStop 19/10/2022 14:15:32:267 -- FileSelect.OnDestroyTrue 19/10/2022 14:15:33:375 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:15:34:10 -- CFS: Files in Sync 19/10/2022 14:15:34:15 -- Pre-loading database file completed 19/10/2022 14:15:42:380 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:15:42:382 -- LockingActivity: OnActivityResult 19/10/2022 14:15:42:382 -- 
PasswordActivity.OnActivityResult 874348/1000 19/10/2022 14:15:42:410 -- status message: Initializing... 19/10/2022 14:15:42:411 -- status submessage: 19/10/2022 14:15:42:445 -- status message: Loading database… 19/10/2022 14:15:42:451 -- System.IO.IOException: The file header is corrupted. Less data than expected could be read from the file. at KeePassLib.Serialization.BinaryReaderEx.ReadBytes (System.Int32 nCount) [0x0005f] in <1ca3161c0c784589b346af6c48422105>:0 at KeePassLib.Serialization.KdbxFile.LoadHeader (KeePassLib.Serialization.BinaryReaderEx br) [0x0002e] in <1ca3161c0c784589b346af6c48422105>:0 at KeePassLib.Serialization.KdbxFile.Load (System.IO.Stream sSource, KeePassLib.Serialization.KdbxFormat fmt, KeePassLib.Interfaces.IStatusLogger slLogger) [0x00084] in <1ca3161c0c784589b346af6c48422105>:0 at keepass2android.KdbxDatabaseFormat.PopulateDatabaseFromStream (KeePassLib.PwDatabase db, System.IO.Stream s, KeePassLib.Interfaces.IStatusLogger slLogger) [0x00013] in <0218d9a0a246400eb61cf9b0c47299ea>:0 at KeePassLib.PwDatabase.Open (System.IO.Stream s, System.String fileNameWithoutPathAndExt, KeePassLib.Serialization.IOConnectionInfo ioSource, KeePassLib.Keys.CompositeKey pwKey, KeePassLib.Interfaces.IStatusLogger slLogger, KeePassLib.IDatabaseFormat format) [0x000a6] in <1ca3161c0c784589b346af6c48422105>:0 at keepass2android.Database.PopulateDatabaseFromStream (KeePassLib.PwDatabase pwDatabase, System.IO.Stream s, KeePassLib.Serialization.IOConnectionInfo iocInfo, KeePassLib.Keys.CompositeKey compositeKey, keepass2android.ProgressDialogStatusLogger status, KeePassLib.IDatabaseFormat databaseFormat) [0x00013] in <0218d9a0a246400eb61cf9b0c47299ea>:0 at keepass2android.Database.LoadData (keepass2android.IKp2aApp app, KeePassLib.Serialization.IOConnectionInfo iocInfo, System.IO.MemoryStream databaseData, KeePassLib.Keys.CompositeKey compositeKey, keepass2android.ProgressDialogStatusLogger status, KeePassLib.IDatabaseFormat databaseFormat) [0x00033] in 
<0218d9a0a246400eb61cf9b0c47299ea>:0 at keepass2android.Kp2aApp.LoadDatabase (KeePassLib.Serialization.IOConnectionInfo ioConnectionInfo, System.IO.MemoryStream memoryStream, KeePassLib.Keys.CompositeKey compositeKey, keepass2android.ProgressDialogStatusLogger statusLogger, KeePassLib.IDatabaseFormat databaseFormat, System.Boolean makeCurrent) [0x000b9] in <7165a5adb3574afbabf24b0ad4c46188>:0 at keepass2android.LoadDb.TryLoad (System.IO.MemoryStream databaseStream) [0x00021] in <0218d9a0a246400eb61cf9b0c47299ea>:0 at keepass2android.LoadDb.Run () [0x000c2] in <0218d9a0a246400eb61cf9b0c47299ea>:0 19/10/2022 14:15:42:467 -- OnFinish message: An error occured: The file header is corrupted. Less data than expected could be read from the file. 19/10/2022 14:15:49:793 -- PasswordActivity.OnPause 35 19/10/2022 14:15:50:313 -- PasswordActivity.OnStop 35 19/10/2022 14:16:05:753 -- cannot autofill 19/10/2022 14:17:12:871 -- KeePass.OnCreate 36 19/10/2022 14:17:12:872 -- KeePass:apptask= 36 19/10/2022 14:17:12:873 -- Loaded task keepass2android.NullTask 19/10/2022 14:17:12:873 -- Task in activity KeePass 36 changed to NullTask 19/10/2022 14:17:12:874 -- KeePass.OnCreate 19/10/2022 14:17:12:883 -- KeePass.OnStart 36 19/10/2022 14:17:12:883 -- KeePass.OnStart 19/10/2022 14:17:12:927 -- SelectCurrentDbActivity.OnCreate 37 19/10/2022 14:17:12:928 -- SelectCurrentDbActivity:apptask= 37 19/10/2022 14:17:12:940 -- Loaded task keepass2android.NullTask 19/10/2022 14:17:12:940 -- Task in activity SelectCurrentDbActivity 37 changed to NullTask 19/10/2022 14:17:12:944 -- SelectCurrentDbActivity.OnStart 37 19/10/2022 14:17:12:946 -- SelectCurrentDbActivity.OnResume 37 19/10/2022 14:17:12:946 -- DB null 37 19/10/2022 14:17:12:963 -- SelectCurrentDbActivity.OnPause 37 19/10/2022 14:17:12:985 -- FileSelect.OnCreate 19/10/2022 14:17:13:18 -- FileSelect.OnStart 19/10/2022 14:17:13:35 -- SelectCurrentDbActivity.OnStop 37 19/10/2022 14:17:13:37 -- KeePass.OnStop 36 19/10/2022 14:17:13:37 -- 
KeePass.OnDestroyTrue 19/10/2022 14:17:13:38 -- KeePass.OnDestroyTrue 36 19/10/2022 14:17:13:79 -- PasswordActivity.OnCreate 38 19/10/2022 14:17:13:79 -- PasswordActivity:apptask= 38 19/10/2022 14:17:13:134 -- GetIocFromLaunchIntent() 19/10/2022 14:17:13:135 -- no keyprovider specified 19/10/2022 14:17:13:137 -- Reset keyfile 19/10/2022 14:17:13:138 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:17:13:234 -- PasswordActivity.OnStart 38 19/10/2022 14:17:13:236 -- PasswordActivity.OnResume 38 19/10/2022 14:17:13:236 -- DB null 38 19/10/2022 14:17:13:237 -- starting: True, Finishing: False, _performingLoad: False 19/10/2022 14:17:13:238 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:17:13:242 -- Pre-loading database file starting 19/10/2022 14:17:13:243 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:17:13:244 -- ftp://SETPink+Duck::2#192.168.1.71/Passwords/Passwords.kdbx localVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 19/10/2022 14:17:13:244 -- ftp://SETPink+Duck:********:2#192.168.1.71/Passwords/Passwords.kdbx baseVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 19/10/2022 14:17:13:245 -- CFS: OpenWhenNoLocalChanges 19/10/2022 14:17:13:245 -- CFS: hashing cached version 19/10/2022 14:17:13:246 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:17:13:501 -- PasswordModeSpinner item selected: 0 19/10/2022 14:17:13:605 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:17:13:635 -- found 80 in 81 19/10/2022 14:17:13:637 -- cannot autofill 19/10/2022 14:17:13:836 -- CFS: Files in Sync 19/10/2022 14:17:13:837 -- Pre-loading database file completed 19/10/2022 14:17:13:858 -- FileSelect.OnStop 19/10/2022 14:17:13:947 -- FileSelect.OnDestroyTrue 19/10/2022 14:17:20:528 -- PasswordActivity.OnPause 38 19/10/2022 14:17:20:549 -- 
AppSettingsActivity.OnCreate 39 19/10/2022 14:17:20:549 -- AppSettingsActivity:apptask= 39 19/10/2022 14:17:20:635 -- AppSettingsActivity.OnStart 39 19/10/2022 14:17:20:636 -- AppSettingsActivity.OnResume 39 19/10/2022 14:17:20:638 -- DB null 39 19/10/2022 14:17:20:995 -- PasswordActivity.OnStop 38 19/10/2022 14:17:24:703 -- AppSettingsActivity.OnPause 39 19/10/2022 14:18:09:982 -- AppSettingsActivity.OnResume 39 19/10/2022 14:18:09:983 -- DB null 39 19/10/2022 14:18:12:961 -- AppSettingsActivity.OnPause 39 19/10/2022 14:18:13:406 -- AppSettingsActivity.OnStop 39
and
Keepass2Android log (Android 10 to FileZilla Server 1.5.1 via cellular network, FZ server open to *) 19/10/2022 14:44:33:558 -- AppSettingsActivity.OnPause 6 19/10/2022 14:44:33:572 -- PasswordActivity.OnStart 5 19/10/2022 14:44:33:575 -- PasswordActivity.OnResume 5 19/10/2022 14:44:33:575 -- DB null 5 19/10/2022 14:44:33:576 -- starting: True, Finishing: False, _performingLoad: False 19/10/2022 14:44:33:577 -- ftp://SETPink+Duck::2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:44:34:19 -- AppSettingsActivity.OnStop 6 19/10/2022 14:44:34:21 -- AppSettingsActivity.OnDestroyTrue 6 19/10/2022 14:44:34:590 -- PasswordActivity.OnPause 5 19/10/2022 14:44:34:604 -- SelectCurrentDbActivity 4: OnActivityResult FirstUser/1 19/10/2022 14:44:34:604 -- TryGetFromActivityResult: no data 19/10/2022 14:44:34:618 -- SelectCurrentDbActivity.OnStart 4 19/10/2022 14:44:34:622 -- SelectCurrentDbActivity.OnResume 4 19/10/2022 14:44:34:623 -- DB null 4 19/10/2022 14:44:34:623 -- SelectCurrentDbActivity.OnResume 4 19/10/2022 14:44:34:624 -- DB null 4 19/10/2022 14:44:34:653 -- SelectCurrentDbActivity.OnPause 4 19/10/2022 14:44:34:689 -- FileSelect.OnCreate 19/10/2022 14:44:34:731 -- FileSelect.OnStart 19/10/2022 14:44:34:732 -- FileSelect.OnResume 19/10/2022 14:44:34:756 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:44:34:760 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:44:34:823 -- SelectCurrentDbActivity.OnStop 4 19/10/2022 14:44:35:218 -- PasswordActivity.OnStop 5 19/10/2022 14:44:35:220 -- PasswordActivity.OnDestroyTrue 5 19/10/2022 14:45:19:902 -- ftp://SETPink+Duck::2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:45:19:934 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:45:19:937 -- FTP: IocToUri out = ftp://192.168.1.71/Passwords/Passwords.kdbx 19/10/2022 14:45:19:940 -- FileSelect.OnPause 19/10/2022 14:45:19:960 
-- PasswordActivity.OnCreate 7 19/10/2022 14:45:19:960 -- PasswordActivity:apptask= 7 19/10/2022 14:45:20:11 -- GetIocFromLaunchIntent() 19/10/2022 14:45:20:11 -- no keyprovider specified 19/10/2022 14:45:20:13 -- Reset keyfile 19/10/2022 14:45:20:14 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:45:20:19 -- PasswordActivity.OnStart 7 19/10/2022 14:45:20:20 -- PasswordActivity.OnResume 7 19/10/2022 14:45:20:20 -- DB null 7 19/10/2022 14:45:20:21 -- starting: True, Finishing: False, _performingLoad: False 19/10/2022 14:45:20:22 -- ftp://SETPink+Duck::2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:45:20:24 -- Pre-loading database file starting 19/10/2022 14:45:20:25 -- ftp://SETPink+Duck::2#pinkduck.myddns.me/Passwords/Passwords.kdbx isCached = True 19/10/2022 14:45:20:26 -- ftp://SETPink+Duck::2#pinkduck.myddns.me/Passwords/Passwords.kdbx localVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 19/10/2022 14:45:20:26 -- ftp://SETPink+Duck::2#pinkduck.myddns.me/Passwords/Passwords.kdbx baseVersionHash = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 19/10/2022 14:45:20:27 -- CFS: OpenWhenNoLocalChanges 19/10/2022 14:45:20:27 -- CFS: hashing cached version 19/10/2022 14:45:20:28 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:45:20:75 -- PasswordModeSpinner item selected: 0 19/10/2022 14:45:20:180 -- found 80 in 81 19/10/2022 14:45:20:181 -- cannot autofill 19/10/2022 14:45:20:491 -- FileSelect.OnStop 19/10/2022 14:45:20:551 -- FileSelect.OnDestroyTrue 19/10/2022 14:45:22:152 -- FTP: IocToUri out = ftp://pinkduck.myddns.me/Passwords/Passwords.kdbx 19/10/2022 14:45:22:915 -- CFS: Files in Sync 19/10/2022 14:45:22:921 -- Pre-loading database file completed 19/10/2022 14:46:42:36 -- PasswordActivity.OnPause 7 19/10/2022 14:46:42:53 -- AppSettingsActivity.OnCreate 8 19/10/2022 14:46:42:54 -- AppSettingsActivity:apptask= 8 
19/10/2022 14:46:42:141 -- AppSettingsActivity.OnStart 8 19/10/2022 14:46:42:142 -- AppSettingsActivity.OnResume 8 19/10/2022 14:46:42:143 -- DB null 8 19/10/2022 14:46:42:543 -- PasswordActivity.OnStop 7
FileZilla Client’s detailed successful connection log: 14:56:15 Trace: CControlSocket::SendNextCommand() 14:56:15 Trace: CFtpLogonOpData::Send() in state 0 14:56:15 Status: Resolving address of pinkduck.myddns.me 14:56:15 Status: Connecting to 92.13.35.160:21... 14:56:15 Status: Connection established, waiting for welcome message... 14:56:15 Trace: CFtpControlSocket::OnReceive() 14:56:15 Response: 220-FileZilla Server 1.5.1 14:56:15 Response: 220-Please visit https://filezilla-project.org/ 14:56:15 Response: 220 Private; for authorised use only. 14:56:15 Trace: CFtpLogonOpData::ParseResponse() in state 1 14:56:15 Trace: CControlSocket::SendNextCommand() 14:56:15 Trace: CFtpLogonOpData::Send() in state 2 14:56:15 Command: AUTH TLS 14:56:15 Trace: CFtpControlSocket::OnReceive() 14:56:15 Response: 234 Using authentication type TLS. 14:56:15 Trace: CFtpLogonOpData::ParseResponse() in state 2 14:56:15 Status: Initializing TLS... 14:56:15 Trace: tls_layer_impl::client_handshake() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: TLS handshakep: About to send CLIENT HELLO 14:56:15 Trace: TLS handshakep: Sent CLIENT HELLO 14:56:15 Trace: tls_layer_impl::on_send() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: tls_layer_impl::on_read() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: tls_layer_impl::on_read() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: TLS handshakep: Received SERVER HELLO 14:56:15 Trace: TLS handshakep: Processed SERVER HELLO 14:56:15 Trace: tls_layer_impl::on_read() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: TLS handshakep: Received ENCRYPTED EXTENSIONS 14:56:15 Trace: TLS handshakep: Processed ENCRYPTED EXTENSIONS 14:56:15 Trace: TLS handshakep: Received CERTIFICATE 14:56:15 Trace: TLS handshakep: Processed CERTIFICATE 14:56:15 Trace: tls_layer_impl::on_read() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: TLS handshakep: 
Received CERTIFICATE VERIFY 14:56:15 Trace: TLS handshakep: Processed CERTIFICATE VERIFY 14:56:15 Trace: tls_layer_impl::on_read() 14:56:15 Trace: tls_layer_impl::continue_handshake() 14:56:15 Trace: TLS handshakep: Received FINISHED 14:56:15 Trace: TLS handshakep: Processed FINISHED 14:56:15 Trace: TLS handshakep: About to send FINISHED 14:56:15 Trace: TLS handshakep: Sent FINISHED 14:56:15 Trace: TLS Handshake successful 14:56:15 Trace: Protocol: TLS1.3, Key exchange: ECDHE-SECP384R1-ECDSA-SECP256R1-SHA256, Cipher: AES-256-GCM, MAC: AEAD, ALPN: x-filezilla-ftp 14:56:15 Trace: tls_layer_impl::verify_certificate() 14:56:15 Trace: System trust store decision: false 14:56:15 Trace: Sending certificate_verification_event 14:56:15 Trace: CFtpControlSocket::SetAsyncRequestReply 14:56:15 Trace: set_verification_result(true) 14:56:15 Status: TLS connection established. 14:56:15 Trace: CControlSocket::SendNextCommand() 14:56:15 Trace: CFtpLogonOpData::Send() in state 6 14:56:15 Command: USER Pink Duck 14:56:15 Trace: CFtpControlSocket::OnReceive() 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 331 Please, specify the password. 14:56:16 Trace: CFtpLogonOpData::ParseResponse() in state 6 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpLogonOpData::Send() in state 6 14:56:16 Command: PASS *********** 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 230 Login successful. 
14:56:16 Trace: CFtpLogonOpData::ParseResponse() in state 6 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpLogonOpData::Send() in state 8 14:56:16 Command: FEAT 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 211-Features: 14:56:16 Response: MDTM 14:56:16 Response: REST STREAM 14:56:16 Response: SIZE 14:56:16 Response: MLST type*;size*;modify*;perm*; 14:56:16 Response: MLSD 14:56:16 Response: AUTH SSL 14:56:16 Response: AUTH TLS 14:56:16 Response: PROT 14:56:16 Response: PBSZ 14:56:16 Response: UTF8 14:56:16 Response: TVFS 14:56:16 Response: EPSV 14:56:16 Response: EPRT 14:56:16 Response: MFMT 14:56:16 Response: 211 End 14:56:16 Trace: CFtpLogonOpData::ParseResponse() in state 8 14:56:16 Status: Logged in 14:56:16 Trace: Measured latency of 103 ms 14:56:16 Trace: CFtpControlSocket::ResetOperation(0) 14:56:16 Trace: CControlSocket::ResetOperation(0) 14:56:16 Trace: CFtpLogonOpData::Reset(0) in state 15 14:56:16 Trace: CFileZillaEnginePrivate::ResetOperation(0) 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpListOpData::Send() in state 0 14:56:16 Status: Retrieving directory listing... 14:56:16 Trace: CFtpChangeDirOpData::Send() in state 0 14:56:16 Trace: CFtpChangeDirOpData::Send() in state 1 14:56:16 Command: PWD 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 257 "/" is current directory. 
14:56:16 Trace: CFtpChangeDirOpData::ParseResponse() in state 1 14:56:16 Trace: CFtpControlSocket::ResetOperation(0) 14:56:16 Trace: CControlSocket::ResetOperation(0) 14:56:16 Trace: CFtpChangeDirOpData::Reset(0) in state 1 14:56:16 Trace: CFtpListOpData::SubcommandResult(0) in state 1 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpListOpData::Send() in state 2 14:56:16 Trace: CFtpRawTransferOpData::Send() in state 0 14:56:16 Trace: CFtpRawTransferOpData::Send() in state 1 14:56:16 Command: TYPE I 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 200 Type set to I 14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 1 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpRawTransferOpData::Send() in state 2 14:56:16 Command: PASV 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Trace: TLS handshakep: Received NEW SESSION TICKET 14:56:16 Trace: TLS handshakep: Processed NEW SESSION TICKET 14:56:16 Trace: gnutls_record_recv returned spurious EAGAIN 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 227 Entering Passive Mode (192,168,1,71,7,255) 14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 2 14:56:16 Status: Server sent passive reply with unroutable address. Using server address instead. 14:56:16 Trace: Reply: 192.168.1.71, peer: 92.13.35.160 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpRawTransferOpData::Send() in state 4 14:56:16 Trace: Binding data connection source IP to control connection source IP 192.168.100.49 14:56:16 Trace: tls_layer_impl::client_handshake() 14:56:16 Trace: Trying to resume existing TLS session. 14:56:16 Command: MLSD 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 150 About to start data transfer. 
14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 4 14:56:16 Trace: CControlSocket::SendNextCommand() 14:56:16 Trace: CFtpRawTransferOpData::Send() in state 5 14:56:16 Trace: tls_layer_impl::on_send() 14:56:16 Trace: tls_layer_impl::continue_handshake() 14:56:16 Trace: TLS handshakep: About to send CLIENT HELLO 14:56:16 Trace: TLS handshakep: Sent CLIENT HELLO 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: tls_layer_impl::continue_handshake() 14:56:16 Trace: TLS handshakep: Received SERVER HELLO 14:56:16 Trace: TLS handshakep: Processed SERVER HELLO 14:56:16 Trace: TLS handshakep: Received ENCRYPTED EXTENSIONS 14:56:16 Trace: TLS handshakep: Processed ENCRYPTED EXTENSIONS 14:56:16 Trace: TLS handshakep: Received FINISHED 14:56:16 Trace: TLS handshakep: Processed FINISHED 14:56:16 Trace: TLS handshakep: About to send FINISHED 14:56:16 Trace: TLS handshakep: Sent FINISHED 14:56:16 Trace: TLS Handshake successful 14:56:16 Trace: TLS Session resumed 14:56:16 Trace: Protocol: TLS1.3, Key exchange: unknown, Cipher: AES-256-GCM, MAC: AEAD, ALPN: ftp-data 14:56:16 Trace: tls_layer_impl::verify_certificate() 14:56:16 Trace: set_verification_result(true) 14:56:16 Trace: CTransferSocket::OnConnect 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: 
CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CTransferSocket::OnReceive(), m_transferMode=0 14:56:16 Trace: CTransferSocket::TransferEnd(1) 14:56:16 Trace: tls_layer_impl::shutdown() 14:56:16 Trace: tls_layer_impl::continue_shutdown() 14:56:16 Trace: CFtpControlSocket::TransferEnd() 14:56:16 Trace: tls_layer_impl::on_read() 14:56:16 Trace: CFtpControlSocket::OnReceive() 14:56:16 Response: 226 Operation successful 14:56:16 Trace: CFtpRawTransferOpData::ParseResponse() in state 7 14:56:16 Trace: CFtpControlSocket::ResetOperation(0) 14:56:16 Trace: CControlSocket::ResetOperation(0) 14:56:16 Trace: CFtpRawTransferOpData::Reset(0) in state 7 14:56:16 Trace: CFtpListOpData::SubcommandResult(0) in state 3 14:56:16 Trace: CFtpControlSocket::ResetOperation(0) 14:56:16 Trace: CControlSocket::ResetOperation(0) 14:56:16 Trace: CFtpListOpData::Reset(0) in state 3 14:56:16 Status: Directory listing of "/" successful 14:56:16 Trace: CFileZillaEnginePrivate::ResetOperation(0)
Just some related news:
- According to "Enable TLS tickets / resumption with OpenSSL on Linux", dotnet runtime 7.0 got "automatic" SslStream resumption now. (BTW: some people are already asking to allow disabling that.)
- FluentFTP.GnuTLS claims "Fixes SSL session resume failures" as one of its main benefits.
FileZilla Server updated to GnuTLS 3.8.0 in v1.6.7 (released 20th Feb 2023), so I'll give that a try shortly to see if it resolves.
Unfortunately not:
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Response] 150 Starting data transfer.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::on_read()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::continue_handshake()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Received CLIENT HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Processed CLIENT HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send SERVER HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent SERVER HELLO
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send CERTIFICATE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent CERTIFICATE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send SERVER KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent SERVER KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send SERVER HELLO DONE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent SERVER HELLO DONE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::on_read()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] tls_layer_impl::continue_handshake()
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Received CLIENT KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Processed CLIENT KEY EXCHANGE
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Received FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Processed FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send NEW SESSION TICKET
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent NEW SESSION TICKET
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: About to send FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS handshakep: Sent FINISHED
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] TLS Handshake successful
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Protocol: TLS1.2, Key exchange: ECDHE-X25519-ECDSA-SHA512, Cipher: AES-128-GCM, MAC: AEAD, ALPN:
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] session::on_socket_event(): source = data, flag = 2, error = 0, state = 2
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Client wants a secure data connection.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] securer(1) ENTERING state = 2
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] securer(1) EXITING state = -1
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] ~securer(1) ENTERING state = -1
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] ~securer(1) EXITING state = -1
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Error] TLS session of data connection not resumed.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Response] 425 Unable to build data connection: TLS session of data connection not resumed.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] session::close_data_connection(): prev data_connection_status = 2
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Removed done events: 0
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 Pink Duck [Trace] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
<29-04-2023 10:32:37> FTP Session 3 192.168.1.164 [Trace] Session 0x274c5637030 with ID 3 destroyed.
@PinkDuck , my point actually was that (theoretically) it should be easy to patch keepass2android (the new FTPClient in particular) to use GnuTlsStream, as suggested in "FTPS Connection using GnuTLS".
I'm not saying there are no caveats possible, though.
@PhilippC , sorry for bumping, but could you please look into this?
AFAIU, this is a pretty real security issue. And this issue is still there in the current Google Play version ("1.10-pre"), even though there was some effort to improve the FTP support, including the FluentFTP version update.
At least FileZilla devs definitely do think that this is a major issue:
- FileZilla bugtracker 10700, 12991, 12450 — they were pretty strict for both client and server about this 9 years ago already.
- FileZilla forum thread1, thread2: "Require TLS session resumption on data connection" has been mandatory since FileZilla Server 1.0. The most recent version that allows disabling these file transfer security features is probably the ancient 0.9.60. That old version is insecure by itself.
- They even provided a PoC exploit.
- BTW, they were also pretty strict about the "Disable IP check" since about version 1.0 for the same reason as well (1, 2), even though it seems to be just a "mitigation" for this same vulnerability.
AFAIU, the newest FluentFTP versions make it fairly easy to use the "GnuTLS" version that got this fixed (and they do recommend it regularly: 773).
I tried to use GnuTLS, but failed. I created https://github.com/robinrodricks/FluentFTP/issues/1736.
https://github.com/PhilippC/keepass2android/tree/1617-use-gnu-tls-stream
please verify that this is fixed in https://github.com/PhilippC/keepass2android/releases/tag/v1.14-pre0
@PhilippC , Thanks for trying out GnuTLS! Sadly, with keepass2android.keepass2android-Signed-arm64.apk on my Android12 (MIUI13) smartphone: I am able to connect to my local FileZilla Server 1.10.3 only if I select "No encryption (FTP)". The "Implicit encryption ..." and "Explicit encryption ..." options fail (my server provides both on two separate ports).
The error message shown by KeePass (for both "implicit" and "explicit") is:
Error
Cannot connect to file provider service
GNUTLS .dll load/call validation error
The connection history (as reported by the server) looks like this:
explicit:
"Date/Time","Info","Type","Message"
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Response","220-FileZilla Server 1.10.3"
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Response","220-Please visit https://filezilla-project.org/"
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Response","220 Welcome to i3v's ftp server!"
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Command","AUTH TLS"
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Response","234 Using authentication type TLS."
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Error","GnuTLS error -110: The TLS connection was non-properly terminated."
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Status","Client did not properly shut down TLS connection"
"2025-07-15 23:29:17","FTP Session 692 192.168.166.1","Error","Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted."
implicit:
"Date/Time","Info","Type","Message"
"2025-07-15 23:25:24","FTP Session 691 192.168.166.1","Error","GnuTLS error -110: The TLS connection was non-properly terminated."
"2025-07-15 23:25:24","FTP Session 691 192.168.166.1","Status","Client did not properly shut down TLS connection"
"2025-07-15 23:25:24","FTP Session 691 192.168.166.1","Error","Failed securing control connection. Reason: ECONNABORTED - Connection aborted."
It seems like currently there is no (easy) way to integrate GnuTLS :-( (https://github.com/robinrodricks/FluentFTP/issues/1736)