I have an application using mbedTls 2.9.0 that's been running successfully for a few years. It secures connections for the AWS MQTT broker, for https GET/PUT transfers, and for SSL/TLS email servers - But only one secure connection at a time. I need to add support for an FTPS client. This requires opening/securing a control channel on port 21, then opening/securing a second port for data transfer.

Opening/securing the control channel works as expected. Then, when the client calls connect() for the data transfer socket, the server log shows messages indicating it is preparing for a TLS handshake.

Now, here's where I may be missing something... The client calls the same code as for the control connection: Allocates a second mbedtls_ssl_context, mbedtls_ssl_config, mbedtls_x509_crt, et.al, and calls some mbedtls_ssl_*() functions which were copy/pasted from example code several years ago. The server name and root cert are the same. I think the only difference in the second negotiation is the underlying socket descriptor allocated by the IP stack for the data channel.

When mbedtls_ssl_handshake() is called, both the filezilla log and client log show a successful handshake. The filezilla log then shows it trying to establish yet another secure data connection, which fails, and reports "TLS session of data connection not resumed."

Questions:

-- Is the above sequence correct for opening and securing a second connection?

-- In searching through ssl.h I see mbedtls_ssl_get_session() and mbedtls_ssl_set_session(). Are these relevant to the situation? I cannot tell from their one-sentence descriptions.