IBM Support

FTP SSL/TLS session resumption / reuse support in Sterling B2B Integrator

Technical Blog Post


Abstract

FTP SSL/TLS session resumption / reuse support in Sterling B2B Integrator

Body

You may see the following error:

450 TLS session of data connection has not resumed or the session does not match the control connection

Currently, SSL/TLS session resumption / reuse is not supported when a Sterling B2B Integrator 5.2.6+ build acts as the client connecting to the remote FTP server.


In short, from our research, here is our L3 team's reply:

The security provider IBMJSSE we are using does not support SSL resumption for the same host and different ports.
For example, we can't avoid this error if the remote FTP server requires reuse of the session opened for the control channel. This error message is from the FTP server, and SI acts as a client.

In order to work around the issue, the server side needs to be able to disable session resumption / reuse.

Please note that, in general, the issue is not a security risk; rather, it is more on the performance side of things.

Your SI build uses IBM JDK/JSSE. This is currently a limitation of the IBM JSSE involved.
Currently, there is no API available in JSSE for reuse of an SSL session for different ports.
The security provider we use from SB2BI 5.2.6.x builds and above is IBMJSSE, which does not support SSL resumption for the same host and different ports.
IBM uses Oracle's specification for SSL implementation and Oracle is not willing to support this.

The technote IT14521 showed fixes that we have to allow session reuse, and that only applies to a lower SB2BI build that uses Certicom as the security provider,
i.e. 5.2.5_12+ uses Certicom as the security provider and 5.2.6.x uses IBM as the security provider.
                                                                        
We can reproduce the issue with FileZilla Server as an example, with the following test result:

FileZilla Server custom port range from 5000 to 5050
AND
enabling PROT P
AND
enabling TLS Session Resumption
==> getting error: 450 TLS session of data connection has not resumed or the session does not match the control connection.

So the issue is with the above case, where we would get the "450" error from the server.
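
An added example, not part of the original post and not IBM's code: a small Python triage check that walks an FTP client log and reports each transfer the server rejected with this 450 reply, along with whether PROT P was active and which passive data port was in use. The `C:`/`S:` log format, the sample transcript, and the function name `find_reuse_failures` are assumptions made for illustration.

```python
import re

# Constructed control-channel transcript (not from the original page).
# Assumed log format: "C:" = client command, "S:" = server reply.
SAMPLE_LOG = """\
C: AUTH TLS
S: 234 Using authentication type TLS
C: PROT P
S: 200 Protection level set to P
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,19,136)
C: LIST
S: 150 Opening data channel for directory listing
S: 450 TLS session of data connection has not resumed or the session does not match the control connection
"""

REUSE_450 = re.compile(r"^450 .*TLS session of data connection has not resumed", re.I)
PASV_227 = re.compile(r"^227 .*\((?:\d+,){4}(\d+),(\d+)\)")
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

def find_reuse_failures(log, control_port=21):
    """Return one finding per transfer rejected for not resuming the control session."""
    prot_p, pending_prot, data_port, last_cmd = False, None, None, None
    findings = []
    for line in log.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            # Remember a requested protection level until the server confirms it.
            pending_prot = arg.strip().upper() if verb == "PROT" else None
            if verb in DATA_CMDS:
                last_cmd = verb
        elif side == "S":
            if pending_prot and text.startswith("200"):
                prot_p = pending_prot == "P"
            pending_prot = None
            m = PASV_227.match(text)
            if m:  # passive data port = p1 * 256 + p2
                data_port = int(m.group(1)) * 256 + int(m.group(2))
            if REUSE_450.match(text) and last_cmd:
                findings.append({"command": last_cmd, "prot_p": prot_p,
                                 "data_port": data_port,
                                 "different_port": data_port != control_port})
    return findings

if __name__ == "__main__":
    for finding in find_reuse_failures(SAMPLE_LOG):
        print(finding)
```

A finding with `prot_p` and `different_port` both true matches the case reproduced above: a protected data connection on a separate port that the server refused because the control-channel session was not resumed.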


UID

ibm11120695