Re: [lftp] certificated validation

2014-06-12 Thread Szépe Viktor

Maybe I've found the cause:

The "Issued by:" and the "Checking against:" is looping.
Firstly: PositiveSSL<->AddTrust then: AddTrust<->PositiveSSL


Certificate: OU=Domain Control  
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by:C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found


Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found


Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root

  Trusted



Idézem/Quoting Daniel Fazekas :


On Jun 12, 2014, at 20:55, Szépe Viktor  wrote:

Your software is very tricky. After --with-ssl=yes openssl is not  
denoted (in the bottom line) but doing some TLS operation!


Stripping symbols from the lftp binary can cause the openssl version  
information to go missing from the version output.



Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes  you won't reach the password prompt.


It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a  
necessary intermediate certificate was left out.


$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(0003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
s1.tarhelydiktator.eu

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
s1.tarhelydiktator.eu

verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
s1.tarhelydiktator.eu

verify error:num=21:unable to verify the first certificate
verify return:1

Also fails with curl compiled with NSS:

$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]

AUTH SSL

< 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain  
Control Validated

*   start date: Jun 07 00:00:00 2014 GMT
*   expire date: Jun 07 23:59:59 2015 GMT
*   common name: s1.tarhelydiktator.eu
* 	issuer: CN=PositiveSSL CA 2,O=COMODO CA  
Limited,L=Salford,ST=Greater Manchester,C=GB

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.


To sum up, in my testing:
cl01.webspacecontrol.com:
openssl: OK
gnutls: OK
nss: OK

eu1.solid-hosting.net
openssl: OK
gnutls: fails
nss: OK

s1.tarhelydiktator.eu
openssl: fails
nss: fails
gnutls: fails

Not a fault of lftp in either case.


___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület





___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp


Re: [lftp] certificated validation

2014-06-12 Thread Szépe Viktor


Thank you for your answer!
Yes, this is a "left out intermediate cert" (but it is included on  
Windows 7) lftp work with openssl


My original question was that the stock Debain/wheezy lftp (compiled  
with gnutls) couldn't verify a valid cert.


# lftp -u '***,***' eu1.solid-hosting.net -e 'debug'
lftp shsz...@eu1.solid-hosting.net:~> set ftp:ssl-force 1
lftp shsz...@eu1.solid-hosting.net:~> set ssl:ca-file  
/etc/ssl/certs/ca-certificates.crt

lftp shsz...@eu1.solid-hosting.net:~> ls
 Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
<--- 220-- Welcome to Pure-FTPd [privsep] [TLS] --
.
.
.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control  
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by:C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root

  Trusted
 Certificate verification: Not trusted: no issuer was found
 Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found


gnutls-cli 3 works:

echo "AUTH TLS"
echo "press: ENTER + Ctrl+D"
# gnutls-cli 3.2.15
gnutls-cli --verbose --crlf  
--x509cafile=/etc/ssl/certs/ca-certificates.crt --starttls --port 21  
eu1.solid-hosting.net


- Status: The certificate is trusted.
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID:  
F4:FE:58:66:16:DB:95:A7:54:EA:C0:D7:7D:8D:A3:39:C8:76:D5:A2:23:FC:53:91:26:B7:D8:13:75:2C:85:6C

- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL


It seems to be a gnutls problem because
gnutls-cli (GnuTLS) 2.8.6 fails:


- The hostname in the certificate matches 'eu1.solid-hosting.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL

But after compiling lftp with gnutls 3

Libraries used: Readline 6.2, Expat 2.1.0, GnuTLS 3.2.15, zlib 1.2.7

the problem persists. It is very strange that to root ca is not  
trusted by lftp:


Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found

Could it be that
set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
is useless?

Please help!



Idézem/Quoting Daniel Fazekas :


On Jun 12, 2014, at 20:55, Szépe Viktor  wrote:

Your software is very tricky. After --with-ssl=yes openssl is not  
denoted (in the bottom line) but doing some TLS operation!


Stripping symbols from the lftp binary can cause the openssl version  
information to go missing from the version output.



Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes  you won't reach the password prompt.


It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a  
necessary intermediate certificate was left out.


$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(0003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
s1.tarhelydiktator.eu

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
s1.tarhelydiktator.eu

verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
s1.tarhelydiktator.eu

verify error:num=21:unable to verify the first certificate
verify return:1

Also fails with curl compiled with NSS:

$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]

AUTH SSL

< 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain  
Control Validated

*   start date: Jun 07 00:00:00 2014 GMT
*   expire date: Jun 07 23:59:59 2015 GMT
*   common name: s1.tarhelydiktator.eu
* 	issuer:

Re: [lftp] certificated validation

2014-06-12 Thread Daniel Fazekas
On Jun 12, 2014, at 20:55, Szépe Viktor  wrote:

> Your software is very tricky. After --with-ssl=yes openssl is not denoted (in 
> the bottom line) but doing some TLS operation!

Stripping symbols from the lftp binary can cause the openssl version 
information to go missing from the version output.

> Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
> With set ftp:ssl-force yes  you won't reach the password prompt.

It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a necessary 
intermediate certificate was left out.

$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(0003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = 
s1.tarhelydiktator.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = 
s1.tarhelydiktator.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = 
s1.tarhelydiktator.eu
verify error:num=21:unable to verify the first certificate
verify return:1

Also fails with curl compiled with NSS:

$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]
> AUTH SSL
< 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control 
Validated
*   start date: Jun 07 00:00:00 2014 GMT
*   expire date: Jun 07 23:59:59 2015 GMT
*   common name: s1.tarhelydiktator.eu
*   issuer: CN=PositiveSSL CA 2,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.


To sum up, in my testing:
cl01.webspacecontrol.com:
openssl: OK
gnutls: OK
nss: OK

eu1.solid-hosting.net
openssl: OK
gnutls: fails
nss: OK

s1.tarhelydiktator.eu
openssl: fails
nss: fails
gnutls: fails

Not a fault of lftp in either case.


___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp


Re: [lftp] certificated validation

2014-06-12 Thread Szépe Viktor
Your software is very tricky. After --with-ssl=yes openssl is not  
denoted (in the bottom line) but doing some TLS operation!


After set ssl:ca-path /etc/ssl/certs/ OR set ssl:ca-file  
/etc/ssl/certs/ca-certificates.crt

lftp says:
<--- 234 AUTH TLS successful
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
Certificate depth: 0; subject: /OU=Domain Control  
Validated/OU=PositiveSSL/CN=s1.tarhelydiktator.eu; issuer:  
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA  
Limited/CN=PositiveSSL CA 2

ERROR: Certificate verification: unable to get local issuer certificate
 SSL_connect: unable to get local issuer certificate

Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes  you won't reach the password prompt.

Thank you!


# /home/viktor/src/lftp-4.5.2/src/lftp --version
LFTP | Version 4.5.2 | Copyright (c) 1996-2014 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LFTP.  If not, see .

Send bug reports and questions to the mailing list .

Libraries used: Readline 6.2, Expat 2.1.0, zlib 1.2.7







Idézem/Quoting "Alexander V. Lukyanov" :


On Wed, Jun 11, 2014 at 01:55:23AM +0200, Szépe Viktor wrote:

Could you help me how to solve to "Not trusted: no issuer was found" error?
Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy)
4.5.1 does the same.
Also with fresh ca bundle
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt

You can try running  lftp eu1.solid-hosting.net  yourself without a  
password.


Thank you!


openssl says it is OK


You can try to compile lftp with openssl (configure --with-openssl)  
and see if it helps.


--
   Alexander.



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület





___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp


Re: [lftp] certificated validation

2014-06-10 Thread Alexander V. Lukyanov
On Wed, Jun 11, 2014 at 01:55:23AM +0200, Szépe Viktor wrote:
> Could you help me how to solve to "Not trusted: no issuer was found" error?
> Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy)
> 4.5.1 does the same.
> Also with fresh ca bundle
> https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt
>
> You can try running  lftp eu1.solid-hosting.net  yourself without a password.
>
> Thank you!
>
>
> openssl says it is OK

You can try to compile lftp with openssl (configure --with-openssl) and see if 
it helps.

--
   Alexander.
___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp


[lftp] certificated validation

2014-06-10 Thread Szépe Viktor

Could you help me how to solve to "Not trusted: no issuer was found" error?
Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy)
4.5.1 does the same.
Also with fresh ca bundle  
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt


You can try running  lftp eu1.solid-hosting.net  yourself without a password.

Thank you!


openssl says it is OK

# openssl s_client -connect eu1.solid-hosting.net:21 -starttls ftp  
-CAfile /etc/ssl/certs/ca-certificates.crt

CONNECTED(0003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network,  
CN = AddTrust External CA Root

verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA  
Limited, CN = PositiveSSL CA 2

verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =  
eu1.solid-hosting.net

verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=eu1.solid-hosting.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA  
Limited/CN=PositiveSSL CA 2
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust  
External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust  
External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA  
Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust  
External CA Root

---



# lftp eu1.solid-hosting.net
lftp shsz...@eu1.solid-hosting.net:~> set ssl:ca-file  
/etc/ssl/certs/ca-certificates.crt


lftp shsz...@eu1.solid-hosting.net:~> debug

lftp shsz...@eu1.solid-hosting.net:~> ls /
 Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
<--- 220-- Welcome to Pure-FTPd [privsep] [TLS] --
<--- 220-You are user number 1 of 100 allowed.
<--- 220-Local time is now 00:24. Server port: 21.
<--- 220-This is a private system - No anonymous login
<--- 220-IPv6 connections are also welcome on this server.
<--- 220 You will be disconnected after 3 minutes of inactivity.
---> FEAT
<--- 211-Extensions supported:
<---  EPRT
<---  IDLE
<---  MDTM
<---  SIZE
<---  MFMT
<---  REST STREAM
<---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<---  MLSD
<---  AUTH TLS
<---  PBSZ
<---  PROT
<---  TVFS
<---  ESTA
<---  PASV
<---  EPSV
<---  SPSV
<---  ESTP
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control  
Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by:C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA  
Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP  
Network,CN=AddTrust External CA Root

  Trusted
 Certificate verification: Not trusted: no issuer was found
 Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found

Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület





___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp