From d41c8d6e0dd1f9a85b81206a032a4628c0ae6e6e Mon Sep 17 00:00:00 2001 From: Patrick Juchli Date: Wed, 29 Apr 2026 22:01:32 +0200 Subject: [PATCH 1/2] Use session event to support TLS 1.3 --- src/FtpContext.ts | 6 ++++++ src/transfer.ts | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/FtpContext.ts b/src/FtpContext.ts index 76b06bb..1b7effb 100644 --- a/src/FtpContext.ts +++ b/src/FtpContext.ts @@ -61,6 +61,8 @@ export class FTPContext { ipFamily: number | undefined = undefined /** Options for TLS connections. */ tlsOptions: TLSConnectionOptions = {} + /** Most recent TLS session from the control connection, used to resume the session on data connections. */ + tlsSessionStore: Buffer | undefined = undefined /** Current task to be resolved or rejected. */ protected _task: Task | undefined /** A multiline response might be received as multiple chunks. */ @@ -150,6 +152,7 @@ export class FTPContext { this.dataSocket = undefined // This being a reset, reset any other state apart from the socket. this.tlsOptions = {} + this.tlsSessionStore = undefined this._partialResponse = "" if (this._socket) { const newSocketUpgradesExisting = socket.localPort === this._socket.localPort @@ -175,6 +178,9 @@ export class FTPContext { // Control being closed without error by server is treated as an error. socket.on("close", hadError => { if (!hadError) this.closeWithError(new Error("Server closed connection unexpectedly.")) }) this._setupDefaultErrorHandlers(socket, "control socket") + if (socket instanceof TLSSocket) { + socket.on("session", session => { this.tlsSessionStore = session }) + } } this._socket = socket } diff --git a/src/transfer.ts b/src/transfer.ts index 00bd598..549cfda 100644 --- a/src/transfer.ts +++ b/src/transfer.ts @@ -130,7 +130,7 @@ export function connectForPassiveTransfer(host: string, port: number, ftp: FTPCo // security: If a completely new session would be negotiated, a hacker // could guess the port and connect to the new data connection before we do // by just starting his/her own TLS session. - session: ftp.socket.getSession() + session: ftp.tlsSessionStore ?? ftp.socket.getSession() })) // It's the responsibility of the transfer task to wait until the // TLS socket issued the event 'secureConnect'. We can't do this From 3be2fc79691d029257bd177f274fe1bcb9f8a783 Mon Sep 17 00:00:00 2001 From: Patrick Juchli Date: Wed, 29 Apr 2026 22:45:01 +0200 Subject: [PATCH 2/2] Renew TLS session ticket after each data connection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TLS 1.3 mandates single-use session tickets (RFC 8446 ยง4.6.1). After a data connection resumes using the control connection's ticket, the server issues a new ticket on that data connection. Capture it via the 'session' event and store it in tlsSessionStore so the next data connection presents a fresh ticket rather than the already-spent one. Without this, servers enforcing single-use tickets (e.g. ProFTPD with TLS 1.3) accept only the first data connection and reject all subsequent ones with a TLS negotiation failure. --- src/transfer.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/transfer.ts b/src/transfer.ts index 549cfda..d75ee6a 100644 --- a/src/transfer.ts +++ b/src/transfer.ts @@ -132,6 +132,10 @@ export function connectForPassiveTransfer(host: string, port: number, ftp: FTPCo // by just starting his/her own TLS session. session: ftp.tlsSessionStore ?? ftp.socket.getSession() })) + // When the server issues a new session ticket after this data connection's + // TLS handshake (TLS 1.3 single-use tickets), capture it so the next data + // connection can present a fresh ticket and resume successfully. + socket.on("session", session => { ftp.tlsSessionStore = session }) // It's the responsibility of the transfer task to wait until the // TLS socket issued the event 'secureConnect'. We can't do this // here because some servers will start upgrading after the