Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

FTP Transfer Family, FTPS, TLS resume failed

0

We have:

  • an AWS transfer family server with FTPS protocol
  • a custom hostname and a valid ACM certificate which is attached to the FTP server
  • a Lambda for the Identity provider

The client is using:

  • EXPLICIT AUTH TLS
  • our custom hostname
  • port 21

The problem is: the client can connect, the authentication is successfully (see below for the auth test result), but during the communication with the FTP server a TLS_RESUME_FAILURE occurs. The error in the customer client is "522 Data connection must use cached TLS session", and the error in the CloudWatch LogGroup of the transfer server is just "TLS_RESUME_FAILURE"

I have no clue why this is happen. Any ideas?

Here is the auth test result

{
    "Response": "{\"HomeDirectoryDetails\":\"[{\\\"Entry\\\":\\\"/\\\",\\\"Target\\\":\\\"/xxx/new\\\"}]\",\"HomeDirectoryType\":\"LOGICAL\",\"Role\":\"arn:aws:iam::123456789:role/ftp-s3-access-role\",\"Policy\":\"{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"AllowListAccessToBucket\", \"Action\": [\"s3:ListBucket\"], \"Effect\": \"Allow\", \"Resource\": [\"arn:aws:s3:::xxx-prod\"]}, {\"Sid\": \"TransferDataBucketAccess\", \"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\", \"s3:GetObjectVersion\", \"s3:GetObjectACL\", \"s3:PutObjectACL\"], \"Resource\": [\"arn:aws:s3:::xxx-prod/xxx/new\", \"arn:aws:s3:::xxx-prod/xxx/new/*\"]}]}\",\"UserName\":\"test\",\"IdentityProviderType\":\"AWS_LAMBDA\"}",
    "StatusCode": 200,
    "Message": ""
}
  • dustin-stamped
    3 years ago

    Julian I have to thank you for posting your follow up to this question. It's been a week of suffering (including deploying a FTP server to ECS instead of using AWS Transfer) but your solution posted I think has solved my problems.

    Thank you!

Topics
ServerlessInternet of Things (IoT)Migration & ModernizationCompute
Tags
AWS Transfer FamilyTransport Layer Security (TLS)AWS Lambda
Language
English
asked 3 years ago1.8K views
1 Answer
2
Accepted Answer

When creating a Transfer server with FTPS (TLS) support, the default mode for TLS session resumption is ENFORCED which means the FTPS client needs to resume the same TLS session between control and data connections.

https://docs.aws.amazon.com/transfer/latest/userguide/API_ProtocolDetails.html#TransferFamily-Type-ProtocolDetails-TlsSessionResumptionMode

Not all FTPS clients can support TLS session resumption between control and data connections so this setting may need adjusting in your case.

AWS
answered 3 years ago
EXPERT
reviewed a year ago
  • Julian Kleinhans
    3 years ago

    Thats it! Awesome. Thanks.

    The solution is to switch from ENFORCED to ENABLED

    aws transfer update-server --server-id SERVER_ID --protocol-details TlsSessionResumptionMode=ENABLED

    Thanks also to Christopher H. from Amazon, who also helped me successfully via AWS support.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content