Bug#980119: Found the reason and the fix
Tim Kosse
tim.kosse at filezilla-project.org
Fri Feb 12 09:17:43 GMT 2021
Hello,

I managed to reproduce the issue, but only with the Debian package of GnuTLS, not with a manually compiled version.

With this information I quickly found that the problem is the patch 48_0001-Fix-non-empty-session-id-TLS13_APPENDIX_D4.patch. It breaks TLS session resumption if not using TLS 1.3.

FTP over TLS uses session resumption on the data connection as a security measure against data connection stealing attacks.

It looks like upstream has already fixed the issue:
https://gitlab.com/gnutls/gnutls/-/commit/05ee0d49fe93d8812ef220c7b830c4b3553ac4fd

With this additional patch applied on top of the problematic one, the error disappears.

Regards,
Tim Kosse
More information about the Pkg-gnutls-maint mailing list