Maybe I've found the cause:
The "Issued by:" and the "Checking against:" are looping.
Firstly: PositiveSSL<->AddTrust then: AddTrust<->PositiveSSL
Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Trusted
Quoting Daniel Fazekas <fds...@gmail.com>:
On Jun 12, 2014, at 20:55, Szépe Viktor <vik...@szepe.net> wrote:
Your software is very tricky. After --with-ssl=yes openssl is not
denoted (in the bottom line) but doing some TLS operation!
Stripping symbols from the lftp binary can cause the openssl version
information to go missing from the version output.
Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes you won't reach the password prompt.
It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a
necessary intermediate certificate was left out.
$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=21:unable to verify the first certificate
verify return:1
Also fails with curl compiled with NSS:
$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]
AUTH SSL
< 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated
* start date: Jun 07 00:00:00 2014 GMT
* expire date: Jun 07 23:59:59 2015 GMT
* common name: s1.tarhelydiktator.eu
* issuer: CN=PositiveSSL CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
To sum up, in my testing:
cl01.webspacecontrol.com:
openssl: OK
gnutls: OK
nss: OK
eu1.solid-hosting.net
openssl: OK
gnutls: fails
nss: OK
s1.tarhelydiktator.eu
openssl: fails
nss: fails
gnutls: fails
Not a fault of lftp in either case.
_______________________________________________
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp
Szépe Viktor
--
+36-20-4242498 s...@szepe.net skype: szepe.viktor
Budapest, XX. kerület
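
Added example (not part of the original message and not lftp code): a small Python check over the subject and issuer names from the eu1.solid-hosting.net debug output above. It assumes the verifier compares each certificate only with the next one the server sent, as the "Checking against:" lines suggest; the function names are hypothetical.

```python
# Added illustration. Names are (subject, issuer) pairs copied from the lftp
# debug output in the message, in the order the server sent them.
LEAF = "OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net"
INTERMEDIATE = ("C=GB,ST=Greater Manchester,L=Salford,"
                "O=COMODO CA Limited,CN=PositiveSSL CA 2")
ROOT = ("C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,"
        "CN=AddTrust External CA Root")
PRESENTED = [(LEAF, INTERMEDIATE), (ROOT, ROOT), (INTERMEDIATE, ROOT)]


def order_problems(chain):
    """Positions whose issuer is not the subject of the next certificate sent.

    Assumption: the verifier checks each certificate only against the one
    that follows it, as the "Checking against:" lines suggest.
    """
    return [i for i in range(len(chain) - 1)
            if chain[i][1] != chain[i + 1][0]]


def rebuild(chain):
    """Reorder leaf-first by following issuer names.

    Returns (ordered_chain, unresolved_issuer). unresolved_issuer is None when
    the path ends at a self-signed certificate; otherwise it names the issuer
    the client must already hold, because the server did not send it.
    """
    by_subject = {subject: (subject, issuer) for subject, issuer in chain}
    ordered, current, seen = [], chain[0], set()
    while current[0] not in seen:
        seen.add(current[0])
        ordered.append(current)
        subject, issuer = current
        if subject == issuer:
            return ordered, None          # reached a self-signed root
        if issuer not in by_subject:
            return ordered, issuer        # issuer was not sent
        current = by_subject[issuer]
    raise ValueError("issuer names form a loop")


if __name__ == "__main__":
    print("out-of-order positions:", order_problems(PRESENTED))
    ordered, missing = rebuild(PRESENTED)
    for subject, issuer in ordered:
        print(subject.rsplit("CN=", 1)[-1], "<-", issuer.rsplit("CN=", 1)[-1])
    print("issuer not sent:", missing)
```

Given only a leaf, which is what Daniel suspects for s1.tarhelydiktator.eu, rebuild() returns the leaf's issuer name as the one the server did not send.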