We've installed a vsftpd server on Ubuntu 20.04 with SSL enabled. While it works with FileZilla and other clients, a custom-developed Go app is complaining about the TLS session ticket lifetime hint value:
time="2022-09-20T10:13:21.309Z" level=info msg="goftp: 20.639 #9 opening control connection to 1.2.3.4:21"
time="2022-09-20T10:13:21.348Z" level=info msg="goftp: 20.677 #9 sending command AUTH TLS"
time="2022-09-20T10:13:21.366Z" level=info msg="goftp: 20.695 #9 got 234-Proceed with negotiation."
time="2022-09-20T10:13:21.366Z" level=info msg="goftp: 20.695 #9 sending command USER username"
time="2022-09-20T10:13:21.426Z" level=info msg="goftp: 20.756 #9 error reading response: tls: received a session ticket with invalid lifetime"
time="2022-09-20T10:13:21.426Z" level=info msg="goftp: 20.756 #9 closing"
time="2022-09-20T10:13:21.426Z" level=info msg="goftp: 20.756 #9 error connecting: error reading response: tls: received a session ticket with invalid lifetime"
Indeed, the server is returning an extremely high value, although (to my understanding) the RFC doesn't seem to enforce a maximum.
❯ openssl s_client -tls1_2 -crlf -connect 192.168.1.6:21 -starttls ftp
CONNECTED(00000003)
depth=0 CN = SRV052.aa.local
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = SRV052.aa.local
verify return:1
---
Certificate chain
0 s:/CN=SRV052.aa.local
i:/CN=SRV052.aa.local
---
Server certificate
-----BEGIN CERTIFICATE-----
STRIPPED
-----END CERTIFICATE-----
subject=/CN=SRV052.aa.local
issuer=/CN=SRV052.aa.local
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1525 bytes and written 344 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7F8A44371544B96BE7F1017010FAE690E957E779C2404A200C608D91302BD0B5
Session-ID-ctx:
Master-Key: BAAA1420212A770FFB01A7DD8D4F36154FCB4DB9E07625DC33D84D6063E42EC5FB5D293A28F7F661EAC40DBA98725F2E
TLS session ticket lifetime hint: 2147483647 (seconds)
TLS session ticket:
0000 - d2 7e f7 c2 a9 c8 41 5f-db 9f ec e8 a8 91 ef 73 .~....A_.......s
0010 - 64 ce 52 52 c7 cb 86 e8-ba 1f 9c d1 ea bd ba 90 d.RR............
0020 - a8 9d ff a0 98 ef a5 f4-60 9f 6e 1f 50 6a c2 ec ........`.n.Pj..
0030 - 44 75 b7 d1 4e cb 11 ee-d6 65 ac e7 d5 e6 94 b6 Du..N....e......
0040 - f9 a6 01 be 88 e7 e1 96-04 fb 57 0a 3f 84 c6 b4 ..........W.?...
0050 - 6b 6d 83 b4 e5 8e 25 d5-43 e9 ee c3 fb 84 87 38 km....%.C......8
0060 - c5 3a 01 fa 14 c9 f9 5d-59 16 d8 da b7 03 10 d7 .:.....]Y.......
0070 - 55 48 89 be 9a a8 62 80-fa 1e 36 1b b5 b3 8b d0 UH....b...6.....
0080 - d4 05 1e 70 38 de 4c a2-01 b3 60 2d 66 a2 b7 69 ...p8.L...`-f..i
0090 - f0 77 d8 44 34 01 e3 ae-28 24 8f dd 55 47 2d 90 .w.D4...($..UG-.
Start Time: 1663680824
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
220 (vsFTPd 3.0.5)
I did a quick search on the goftp GH page, but couldn't find any issue with that param.
Other FTP servers I run do not return such high numbers. But I didn't find any vsftpd configuration option for that.
What is generating the TLS session ticket lifetime hint value during the connection?
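As an added example (not part of the post, not goftp or vsftpd code), the check below evaluates the lifetime hint printed by `openssl s_client` against the bound that RFC 8446 §4.6.1 places on a TLS 1.3 NewSessionTicket (604800 seconds, i.e. 7 days), which is also the bound Go's crypto/tls client enforces before emitting "tls: received a session ticket with invalid lifetime". The sample transcript is a constructed excerpt shaped like the output above; the type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// maxTicketLifetime is the upper bound RFC 8446 §4.6.1 places on the
// ticket_lifetime field of a TLS 1.3 NewSessionTicket (7 days in seconds).
// Go's crypto/tls client enforces the same bound and aborts the handshake
// when a TLS 1.3 ticket exceeds it.
const maxTicketLifetime uint64 = 604800

// hintRe matches the lifetime-hint line printed by `openssl s_client`.
var hintRe = regexp.MustCompile(`TLS session ticket lifetime hint:\s*(\d+)\s*\(seconds\)`)

// TicketCheck is the result of inspecting one s_client transcript.
type TicketCheck struct {
	Lifetime uint64
	Exceeds  bool // true when the hint is above the RFC 8446 limit
	Int32Max bool // true when the value is exactly 2^31-1, a common "no limit" sentinel
}

// ParseTicketLifetime extracts the lifetime hint from s_client output and
// evaluates it against the RFC 8446 limit. It returns an error when no hint
// line is present (for example when the server issued no ticket at all).
func ParseTicketLifetime(output string) (TicketCheck, error) {
	m := hintRe.FindStringSubmatch(output)
	if m == nil {
		return TicketCheck{}, errors.New("no session ticket lifetime hint found")
	}
	v, err := strconv.ParseUint(m[1], 10, 64)
	if err != nil {
		return TicketCheck{}, fmt.Errorf("bad lifetime value %q: %w", m[1], err)
	}
	return TicketCheck{
		Lifetime: v,
		Exceeds:  v > maxTicketLifetime,
		Int32Max: v == 1<<31-1,
	}, nil
}

// sampleOutput is a constructed excerpt in the shape of the s_client transcript above.
const sampleOutput = `SSL-Session:
    Protocol  : TLSv1.2
    TLS session ticket lifetime hint: 2147483647 (seconds)
    Start Time: 1663680824`

func main() {
	r, err := ParseTicketLifetime(sampleOutput)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("lifetime hint %d s; exceeds RFC 8446 limit (%d s): %v; equals 2^31-1: %v\n",
		r.Lifetime, maxTicketLifetime, r.Exceeds, r.Int32Max)
}
```

Run it against a saved `openssl s_client` transcript to see whether a server's hint would be rejected by a TLS 1.3 client that applies the RFC 8446 limit; a hint of 2147483647 is flagged both as exceeding the limit and as the 2^31-1 sentinel.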