By using AWS re:Post, you agree to the AWS re:Post Terms of Use

FTP Transfer Family, FTPS, TLS resume failed

0

We have:

  • an AWS transfer family server with FTPS protocol
  • a custom hostname and a valid ACM certificate which is attached to the FTP server
  • a Lambda for the Identity provider

The client is using:

  • EXPLICIT AUTH TLS
  • our custom hostname
  • port 21

The problem is: the client can connect, the authentication is successfully (see below for the auth test result), but during the communication with the FTP server a TLS_RESUME_FAILURE occurs. The error in the customer client is "522 Data connection must use cached TLS session", and the error in the CloudWatch LogGroup of the transfer server is just "TLS_RESUME_FAILURE"

I have no clue why this is happen. Any ideas?

Here is the auth test result

{
    "Response": "{\"HomeDirectoryDetails\":\"[{\\\"Entry\\\":\\\"/\\\",\\\"Target\\\":\\\"/xxx/new\\\"}]\",\"HomeDirectoryType\":\"LOGICAL\",\"Role\":\"arn:aws:iam::123456789:role/ftp-s3-access-role\",\"Policy\":\"{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"AllowListAccessToBucket\", \"Action\": [\"s3:ListBucket\"], \"Effect\": \"Allow\", \"Resource\": [\"arn:aws:s3:::xxx-prod\"]}, {\"Sid\": \"TransferDataBucketAccess\", \"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\", \"s3:GetObjectVersion\", \"s3:GetObjectACL\", \"s3:PutObjectACL\"], \"Resource\": [\"arn:aws:s3:::xxx-prod/xxx/new\", \"arn:aws:s3:::xxx-prod/xxx/new/*\"]}]}\",\"UserName\":\"test\",\"IdentityProviderType\":\"AWS_LAMBDA\"}",
    "StatusCode": 200,
    "Message": ""
}
  • Julian I have to thank you for posting your follow up to this question. It's been a week of suffering (including deploying a FTP server to ECS instead of using AWS Transfer) but your solution posted I think has solved my problems.

    Thank you!

1 Answer
2
Accepted Answer

When creating a Transfer server with FTPS (TLS) support, the default mode for TLS session resumption is ENFORCED which means the FTPS client needs to resume the same TLS session between control and data connections.

https://docs.aws.amazon.com/transfer/latest/userguide/API_ProtocolDetails.html#TransferFamily-Type-ProtocolDetails-TlsSessionResumptionMode

Not all FTPS clients can support TLS session resumption between control and data connections so this setting may need adjusting in your case.

AWS
answered 3 years ago
profile picture
EXPERT
reviewed 6 months ago
  • Thats it! Awesome. Thanks.

    The solution is to switch from ENFORCED to ENABLED

    aws transfer update-server --server-id SERVER_ID --protocol-details TlsSessionResumptionMode=ENABLED
    

    Thanks also to Christopher H. from Amazon, who also helped me successfully via AWS support.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions