On 2012-11-18, Rodolfo Gouveia <rgouv...@cosmico.net> wrote:
> On Fri, Nov 16, 2012 at 08:23:40PM +0000, Rodolfo Gouveia wrote:
>> Hello,
>> It seems that https://www.prelude-ids.org doesn't play well with
>> the ftp(1).
>> I normally get an 'improper response':
>>
>> $ ftp -v -d
>> https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
>> host www.prelude-ids.org, port (null), path
>> attachments/download/241/libprelude-1.0.1.tar.gz, save as
>> libprelude-1.0.1.tar.gz.
>> Trying 88.190.33.136...
>> Requesting
>> https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
>> received 'f'
>> ftp: Improper response from www.prelude-ids.org
>
> Tried this with wget and got:
> $ wget
> https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
> --2012-11-18 19:34:08--
> https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz
> Resolving www.prelude-ids.org (www.prelude-ids.org)... 88.190.33.136
> Connecting to www.prelude-ids.org (www.prelude-ids.org)|88.190.33.136|:443...
> connected.
> ERROR: cannot verify www.prelude-ids.org's certificate, issued by
> `/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL
> CA':
> Unable to locally verify the issuer's authority.
> To connect to www.prelude-ids.org insecurely, use `--no-check-certificate'.
>
> So maybe the problem is the certificate?

No this is just because /etc/ssl/cert.pem is hopelessly out of date.
You can use the one from http://curl.haxx.se/docs/caextract.html :-

# ftp -o/etc/ssl/cert.pem http://curl.haxx.se/ca/cacert.pem

(this is a repackaged version of the Mozilla certificate store).

> This particular URL is from a port that I'm working on so
> I'll be using wget for FETCH_CMD.

FETCH_CMD may not be used in a port Makefile, it's a user setting only,
this file would need to be mirrored for now (if the license permits).

One thing I noticed is that if I connect with openssl s_client and
make a GET or HEAD request using the HOST header, this server does
a renegotiation. Not sure why (doesn't seem to be SNI). But in any
event ftp(1) doesn't seem to handle it very well..

<...>
HEAD / HTTP/1.0
HOST: www.prelude-ids.org

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
read R BLOCK
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 12:29:19 GMT
Server: Apache
<...>