Thank you for your answer!
Yes, this is a "left out intermediate cert" (but it is included on
Windows 7) lftp work with openssl
My original question was that the stock Debain/wheezy lftp (compiled
with gnutls) couldn't verify a valid cert.
# lftp -u '***,***' eu1.solid-hosting.net -e 'debug'
lftp shsz...@eu1.solid-hosting.net:~> set ftp:ssl-force 1
lftp shsz...@eu1.solid-hosting.net:~> set ssl:ca-file
/etc/ssl/certs/ca-certificates.crt
lftp shsz...@eu1.solid-hosting.net:~> ls
---- Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
.
.
.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Trusted
**** Certificate verification: Not trusted: no issuer was found
---- Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found
gnutls-cli 3 works:
echo "AUTH TLS"
echo "press: ENTER + Ctrl+D"
# gnutls-cli 3.2.15
gnutls-cli --verbose --crlf
--x509cafile=/etc/ssl/certs/ca-certificates.crt --starttls --port 21
eu1.solid-hosting.net
- Status: The certificate is trusted.
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID:
F4:FE:58:66:16:DB:95:A7:54:EA:C0:D7:7D:8D:A3:39:C8:76:D5:A2:23:FC:53:91:26:B7:D8:13:75:2C:85:6C
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
It seems to be a gnutls problem because
gnutls-cli (GnuTLS) 2.8.6 fails:
- The hostname in the certificate matches 'eu1.solid-hosting.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
But after compiling lftp with gnutls 3
Libraries used: Readline 6.2, Expat 2.1.0, GnuTLS 3.2.15, zlib 1.2.7
the problem persists. It is very strange that to root ca is not
trusted by lftp:
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP
Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found
Could it be that
set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
is useless?
Please help!
Idézem/Quoting Daniel Fazekas <fds...@gmail.com>:
On Jun 12, 2014, at 20:55, Szépe Viktor <vik...@szepe.net> wrote:
Your software is very tricky. After --with-ssl=yes openssl is not
denoted (in the bottom line) but doing some TLS operation!
Stripping symbols from the lftp binary can cause the openssl version
information to go missing from the version output.
Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes you won't reach the password prompt.
It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a
necessary intermediate certificate was left out.
$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
s1.tarhelydiktator.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
s1.tarhelydiktator.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
s1.tarhelydiktator.eu
verify error:num=21:unable to verify the first certificate
verify return:1
Also fails with curl compiled with NSS:
$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]
AUTH SSL
< 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain
Control Validated
* start date: Jun 07 00:00:00 2014 GMT
* expire date: Jun 07 23:59:59 2015 GMT
* common name: s1.tarhelydiktator.eu
* issuer: CN=PositiveSSL CA 2,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
To sum up, in my testing:
cl01.webspacecontrol.com:
openssl: OK
gnutls: OK
nss: OK
eu1.solid-hosting.net
openssl: OK
gnutls: fails
nss: OK
s1.tarhelydiktator.eu
openssl: fails
nss: fails
gnutls: fails
Not a fault of lftp in either case.
_______________________________________________
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp
Szépe Viktor
--
+36-20-4242498 s...@szepe.net skype: szepe.viktor
Budapest, XX. kerület
_______________________________________________
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp