On 2016/04/26 16:04, Elmar Stellnberger wrote:
> >Synopsis: ftp does not accept standalone certificates
> >Category:    security/certificate management
> >Environment:
>       System      : OpenBSD 5.9
>       Details     : OpenBSD 5.9 (GENERIC) #1561: Fri Feb 26 01:22:37 MST 2016
>                        
> [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
> 
>       Architecture: OpenBSD.i386
>       Machine     : i386
> >Description:
>   The ftp program does not allow downloads by provision of a self-signed or
> not root-ca-validated cert. Though this may be good as a default behaviour
> some people may prefer to validate certificates on their own by comparing
> the sha256 hash of the cert or by use of DNSSEC/DANE via dig. If so no
> root-ca will be given; just a standalone cert as validated via other means.
> The ftp program should be prepared for this case. AFAIK the only program
> which allows for this kind of manual validation by the time is stunnel.
> 
> >How-To-Repeat:
>   in an empty directory do the following:
> $ ftp -S capath=. -S cafile=../www.elstel.org.pem
> https://www.elstel.org/auxil/estellnb.pubkey.asc
> Trying 91.102.11.177...
> Requesting https://www.elstel.org/auxil/estellnb.pubkey.asc

Okay, let's look at this server:

$ openssl s_client -connect www.elstel.org:443 -servername www.elstel.org

CONNECTED(00000003)
depth=1 C = US, O = "GeoTrust, Inc.", OU = Domain Validated SSL, CN = Secure 
Site Starter DV SSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=elstel.org
   i:/C=US/O=GeoTrust, Inc./OU=Domain Validated SSL/CN=Secure Site Starter DV 
SSL CA - G2
 1 s:/C=US/O=GeoTrust, Inc./OU=Domain Validated SSL/CN=Secure Site Starter DV 
SSL CA - G2
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use 
only/CN=GeoTrust Primary Certification Authority - G3
---
<snip>

> www.elstel.org.pem contains the following:

And this is certificate 0 from the chain; CN=elstel.org issued by
GeoTrust's "Secure Site Starter DV SSL CA - G2". So this one should
already be accepted, and shouldn't need any additional flag to do
so, except it's not working because you're running into this problem:

http://article.gmane.org/gmane.os.openbsd.tech/47048
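The manual validation the report describes (pin the server's certificate by its SHA-256 fingerprint instead of chaining it to a root CA) looks like the following in Python's standard-library `ssl` module. This is an added example, not code from this thread or from OpenBSD's ftp; the sample bytes are constructed stand-ins, not a real certificate, and the function and variable names are assumptions for this illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample bytes standing in for a DER-encoded certificate. This is
# not a real X.509 certificate; it only exercises the PEM/DER/fingerprint path
# so the functions below can be run offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def pem_to_der(pem: str) -> bytes:
    """Decode a single PEM certificate (such as a saved www.elstel.org.pem) to DER."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, in the colon-separated upper-case form
    that `openssl x509 -noout -fingerprint -sha256` prints, so a pin can be
    copied straight from that output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept "AB:CD:..", "abcd..", and values with stray spaces.
    return fp.replace(":", "").replace(" ", "").lower()


def pin_matches(der: bytes, expected_fp: str) -> bool:
    """Compare the certificate's fingerprint with the pinned value in constant
    time so the comparison does not leak how many leading bytes matched."""
    return hmac.compare_digest(_normalize(fingerprint(der)), _normalize(expected_fp))


def open_pinned(host: str, port: int, expected_fp: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect with TLS and trust the peer only if its leaf certificate matches
    the pinned SHA-256 fingerprint. No CA store is consulted, which is the
    standalone-certificate case the report asks for. The pin is checked after
    the handshake and before any application data is written."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the name is bound by the pin, not by a CA-issued SAN
    ctx.verify_mode = ssl.CERT_NONE  # chain validation is replaced by the pin check below
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI, like s_client -servername
    der = tls.getpeercert(binary_form=True)           # DER is available even with CERT_NONE
    if der is None or not pin_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "peer certificate does not match pinned fingerprint %s" % expected_fp)
    return tls


if __name__ == "__main__":
    # Offline demonstration on the constructed sample only.
    print(fingerprint(pem_to_der(SAMPLE_PEM)))
```

The pin for a real server would be the fingerprint of certificate 0 from the chain shown above, taken from the saved PEM with `openssl x509 -in www.elstel.org.pem -noout -fingerprint -sha256`. Pinning the leaf certificate means the pin must be refreshed whenever the server renews its certificate; the DNSSEC/DANE route mentioned in the report avoids that but is not covered here.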
