FTPS server data connection TLS reuse

A critical security issue was fixed in SFTPPlus version 4.35.0 regarding the FTPS server.

SFTPPlus can now be configured to enforce the use of the same TLS session for both command and data connections.

For backward compatibility, the TLS session reuse is not automatically enabled for existing configurations. You need to manually update the SFTPPlus configuration.

For TLS session reuse, you might also need to update your FTPS client. For example, use WinSCP version 6, or configure WinSCP version 5 to only use TLS 1.2. WinSCP version 5 does not work when TLS session reuse is enabled for TLS 1.3 connections.

In previous versions, reusing the TLS session was not enforced.

This could allow a malicious third party to hijack the data connection without any authentication, by only guessing the passive port number. As a result of such an attack, data can be leaked or corrupted. SFTP and HTTPS protocols are not affected. The security issue is mitigated when the FTPS server is configured to validate client connections against a certificate authority (CA).

In such a case, the malicious third party would also need a valid matching certificate signed by the configured Certificate Authority to successfully hijack the data connection. This issue affects all previous versions of SFTPPlus. [#6379]

You can check the full release notes here.

Security advisories newsletter

The security advisories newsletter is available to our customers as a convenient method for receiving information about security updates and best practices.

You can view the security advisories archive here (articles are made public 3 months after their initial internal release).