[lftp] lftp script

2015-04-28 Thread Szépe Viktor

Q
Is it possible to execute this file?

#!/usr/bin/lftp

set ftp:ssl-allow off
open ftp://.;

A
Yes. All you need to modify is:

#!/usr/bin/lftp -f


Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület




___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp


[lftp] Openstack swift

2015-04-16 Thread Szépe Viktor

Thank you!

Are you planning to support OpenStack Swift?

Quoting Alexander V. Lukyanov lavv...@gmail.com:


lftp-4.6.2 has been released. Changes:

* new command edit instead of the edit alias.
* new setting ssl:priority for disabling selected protocols.
* new settings fish:auto-confirm and sftp:auto-confirm.
* new setting file:use-lock to lock local files before accessing.
* ftp: fixed disconnecting on timeout (broken in 4.6.0).
* http: enclose ipv6 address in brackets in URLs and Host header.
* fixed mirror for http protocol with redirections.
* fixed `bookmark edit' to use correct XDG path if XDG is used.
* fixed a wildcard certificate validation vulnerability (CVE-2014-0139).
* fixed proxy authentication for CONNECT method.
* fixed exit code of `help' command.
* fixed sftp to show file names with slashes.
* fixed pget status display when all chunks are done except the first one.
* Ukrainian translation updated (Yuri Chornoivan).
* Russian translation updated.

Get it from http://lftp.yar.ru/get.html or your favorite mirror.
Fedora binaries are also available.

--
   Alexander.



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület






Re: [lftp] Enhancement: lls, lmv, lrm, lcp

2015-03-23 Thread Szépe Viktor

Typing !ls now is harder than lls.
+1


Quoting Andrew Pennebaker andrew.penneba...@gmail.com:


LFTP often offers a local equivalent to remote commands, with L (l)
prefixes:

* cd / lcd
* pwd/lpwd

Other local operations can be performed by spelling out local
operation, e.g. local ls, but it would be nice to have an abbreviated
term out of the box.

Could the next version of LFTP feature out-of-the-box aliases for:

* lls (local ls)
* lcp (local cp)
* lmv (local mv)
* lrm (local rm)

Cheers,
Andrew



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület






Re: [lftp] Problem with Spam in Gmail with this list

2015-02-11 Thread Szépe Viktor
GitHub issues are very convenient. 
--
It is hard to type on this device.
Sorry!

On February 11, 2015 3:38:21 PM CET, Juan Simón deced...@gmail.com wrote:
Google Groups is a good option, don't you think?

2015-02-11 12:18 GMT+01:00 Alexander V. Lukyanov l...@netis.ru:

 On Wed, Feb 11, 2015 at 09:43:26AM +0100, Juan Simón wrote:
  Hi,
  I have a problem related to this mail list. Gmail considers some mails of
  this list like spam. I have added the email address of this list in
  contacts but it still occurs. Is there any solution?

 I would like to change the list location. Is there a good and free list
 server?

 --
Alexander.







Re: [lftp] RSS/ATOM feed

2014-10-28 Thread Szépe Viktor

What can we do now?
I cannot write a bug report because I do not know how TLS works and I
can't speak C.


Are you able to read gnutls_certificate_get_peers's source?


Quoting Alexander V. Lukyanov l...@netis.ru:


On Mon, Oct 27, 2014 at 04:28:11PM +0100, Szépe Viktor wrote:

Thank you for the feed!

I still have
 Certificate verification: Not trusted: no issuer was found
with GNUTLS.

With your Fedora it is OK.
With gnutls-cli it is also OK on my Debian system.
The problem comes with lftp on my Debian system.
On Fedora 'Issued by' is always == 'Checking against'.
On Debian there is a mis-comparison.


I think it may be a bug in gnutls' function gnutls_certificate_get_peers.
It returns the certificate chain, probably it has a missing link or wrong
order.


Is it a gnutls issue or an lftp? (gnutls-cli never fails)


Probably gnutls-cli uses another certificate verification method.

--
   Alexander.



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







[lftp] RSS/ATOM feed

2014-10-27 Thread Szépe Viktor


Could you start a release notification feed for http://lftp.yar.ru/events.html ?


Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







Re: [lftp] RSS/ATOM feed

2014-10-27 Thread Szépe Viktor

Thank you for the feed!

I still have
 Certificate verification: Not trusted: no issuer was found
with GNUTLS.

With your Fedora it is OK.
With gnutls-cli it is also OK on my Debian system.
The problem comes with lftp on my Debian system.
On Fedora 'Issued by' is always == 'Checking against'.
On Debian there is a mis-comparison.
The second cert's 'Issued by' == the first cert's 'Checking against'.
But not on all servers! In case of my server (szepe.net) with proftpd
1.3.3 (properly set up) certs are checked against their issuers. On
many other shared hosting (cPanel) configs (ecbiz153.inmotionhosting.com,
server5.megacp.com, eu1.solid-hosting.net) it fails.


Is it a gnutls issue or an lftp? (gnutls-cli never fails)


Fedora 19
=========

Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

  Trusted

Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted


Debian
======

Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted
 Certificate verification: Not trusted: no issuer was found

Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







[lftp] tail -f

2014-09-22 Thread Szépe Viktor


Now I issue `cat /log/error.log | tail` once in a while to see log file changes

1
Is it possible to loop `cat /log/error.log | tail; sleep 2` ?

2
Is it possible to add a tail -f feature?
To see only the new lines.

Thank you!

Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







[lftp] TLS issue again

2014-07-06 Thread Szépe Viktor


Good morning!

Here is the new release:
LFTP | Version 4.5.3 | Copyright (c) 1996-2014 Alexander V. Lukyanov
Libraries used: Readline 6.2, Expat 2.1.0, GnuTLS 3.2.15, zlib 1.2.7
--
When connecting to eu1.solid-hosting.net with SSL, it fails.

Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted
 Certificate verification: Not trusted: no issuer was found

--
When compiled with OpenSSL it is OK.
Certificate verification: subjectAltName: ‘eu1.solid-hosting.net’ matched

--
Also GnuTLS-cli tool says it is OK.
gnutls-cli --verbose --crlf --x509cafile /etc/ssl/certs/ca-certificates.crt --starttls --port 21 eu1.solid-hosting.net


- Status: The certificate is trusted.
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID: C6:91:43:5C:CD:99:43:33:BD:54:BE:85:CF:6B:B6:8D:94:29:8B:1C:67:2E:31:14:C8:ED:BA:BA:CC:B6:BA:B3

- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Channel binding 'tls-unique': db5113e45fd57ad0ac846d47


Could you explain why lftp+gnutls3 fails?
Thank you!

Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







[lftp] cert validation

2014-06-12 Thread Szépe Viktor


Thank you for your previous answer!

This is another issue:

--- AUTH TLS
--- 234 AUTH TLS OK.
--- OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: 2.5.4.13=#13104b476d656156446b6b4b397939413830,C=HU,ST=Budapest,L=Budapest,O=MICROWARE HUNGARY Kft.,CN=*.webspacecontrol.com,EMAIL=dom...@microware.hu
 Issued by: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
 Checking against: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA

  Trusted
Certificate: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
 Issued by: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority

  Trusted
ERROR: Certificate verification: certificate common name doesn't match requested host name ‘cl01.webspacecontrol.com.’
 Certificate verification: certificate common name doesn't match requested host name ‘cl01.webspacecontrol.com.’

 Closing control socket
ls: Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘cl01.webspacecontrol.com.’



Please consider CN=*.webspacecontrol.com and ‘cl01.webspacecontrol.com.’ as matching.

Thank you!


Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







Re: [lftp] cert validation

2014-06-12 Thread Szépe Viktor

Oh, I am very sorry.
I've left in the trailing dot.

‘cl01.webspacecontrol.com.’ should be ‘cl01.webspacecontrol.com’

Case closed.


Quoting Szépe Viktor vik...@szepe.net:


Thank you for your previous answer!

This is another issue:

--- AUTH TLS
--- 234 AUTH TLS OK.
--- OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: 2.5.4.13=#13104b476d656156446b6b4b397939413830,C=HU,ST=Budapest,L=Budapest,O=MICROWARE HUNGARY Kft.,CN=*.webspacecontrol.com,EMAIL=dom...@microware.hu
 Issued by: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
 Checking against: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA

  Trusted
Certificate: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
 Issued by: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority

  Trusted
ERROR: Certificate verification: certificate common name doesn't match requested host name ‘cl01.webspacecontrol.com.’
 Certificate verification: certificate common name doesn't match requested host name ‘cl01.webspacecontrol.com.’

 Closing control socket
ls: Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘cl01.webspacecontrol.com.’



Please consider CN=*.webspacecontrol.com and ‘cl01.webspacecontrol.com.’ as matching.

Thank you!


Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület
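
Added example (not part of the original messages and not lftp's own code): a Python matcher showing why a label-by-label comparison rejects ‘cl01.webspacecontrol.com.’ against CN=*.webspacecontrol.com, and how dropping the trailing root dot before matching accepts it. The function names and the wildcard policy (whole left-most label only, never for IP literals) are assumptions of this example.

```python
import ipaddress


def normalize_host(host):
    """Lower-case the name and drop a single trailing root dot."""
    host = host.strip().lower()
    if len(host) > 1 and host.endswith("."):
        host = host[:-1]
    return host


def is_ip_literal(host):
    """True when the requested host is an IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def labels_match(pattern, host):
    """Compare label by label.

    '*' is accepted only as the whole left-most label and stands for exactly
    one non-empty label, so it never spans dots.
    """
    p = pattern.lower().split(".")
    h = host.lower().split(".")
    # A trailing dot leaves an empty last label and one label too many.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld" so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(pattern, requested, strip_root_dot=True):
    """Match a certificate name pattern against the host name the user typed."""
    host = normalize_host(requested) if strip_root_dot else requested.lower()
    if is_ip_literal(host):
        return False  # DNS-name patterns are never applied to IP literals
    return labels_match(pattern, host)


if __name__ == "__main__":
    pattern = "*.webspacecontrol.com"          # CN from the log in this thread
    requested = "cl01.webspacecontrol.com."    # host name as typed, with the dot
    print("literal comparison:", hostname_matches(pattern, requested, False))
    print("root dot stripped: ", hostname_matches(pattern, requested))
```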







Re: [lftp] certificated validation

2014-06-12 Thread Szépe Viktor
Your software is very tricky. After --with-ssl=yes openssl is not  
denoted (in the bottom line) but doing some TLS operation!


After set ssl:ca-path /etc/ssl/certs/ OR set ssl:ca-file /etc/ssl/certs/ca-certificates.crt

lftp says:
--- 234 AUTH TLS successful
--- OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
Certificate depth: 0; subject: /OU=Domain Control Validated/OU=PositiveSSL/CN=s1.tarhelydiktator.eu; issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2

ERROR: Certificate verification: unable to get local issuer certificate
 SSL_connect: unable to get local issuer certificate

Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes  you won't reach the password prompt.

Thank you!


# /home/viktor/src/lftp-4.5.2/src/lftp --version
LFTP | Version 4.5.2 | Copyright (c) 1996-2014 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LFTP.  If not, see http://www.gnu.org/licenses/.

Send bug reports and questions to the mailing list lftp@uniyar.ac.ru.

Libraries used: Readline 6.2, Expat 2.1.0, zlib 1.2.7







Quoting Alexander V. Lukyanov l...@netis.ru:


On Wed, Jun 11, 2014 at 01:55:23AM +0200, Szépe Viktor wrote:

Could you help me how to solve the Not trusted: no issuer was found error?
Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy)
4.5.1 does the same.
Also with fresh ca bundle
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt

You can try running  lftp eu1.solid-hosting.net  yourself without a  
password.


Thank you!


openssl says it is OK


You can try to compile lftp with openssl (configure --with-openssl)  
and see if it helps.


--
   Alexander.



Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







Re: [lftp] certificated validation

2014-06-12 Thread Szépe Viktor


Thank you for your answer!
Yes, this is a left out intermediate cert (but it is included on
Windows 7) lftp works with openssl


My original question was that the stock Debian/wheezy lftp (compiled
with gnutls) couldn't verify a valid cert.


# lftp -u '***,***' eu1.solid-hosting.net -e 'debug'
lftp shsz...@eu1.solid-hosting.net:~ set ftp:ssl-force 1
lftp shsz...@eu1.solid-hosting.net:~ set ssl:ca-file /etc/ssl/certs/ca-certificates.crt

lftp shsz...@eu1.solid-hosting.net:~ ls
 Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
--- 220-- Welcome to Pure-FTPd [privsep] [TLS] --
.
.
.
--- AUTH TLS
--- 234 AUTH TLS OK.
--- OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted
 Certificate verification: Not trusted: no issuer was found
 Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found


gnutls-cli 3 works:

echo AUTH TLS
echo press: ENTER + Ctrl+D
# gnutls-cli 3.2.15
gnutls-cli --verbose --crlf --x509cafile=/etc/ssl/certs/ca-certificates.crt --starttls --port 21 eu1.solid-hosting.net


- Status: The certificate is trusted.
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID: F4:FE:58:66:16:DB:95:A7:54:EA:C0:D7:7D:8D:A3:39:C8:76:D5:A2:23:FC:53:91:26:B7:D8:13:75:2C:85:6C

- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL


It seems to be a gnutls problem because
gnutls-cli (GnuTLS) 2.8.6 fails:


- The hostname in the certificate matches 'eu1.solid-hosting.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL

But after compiling lftp with gnutls 3

Libraries used: Readline 6.2, Expat 2.1.0, GnuTLS 3.2.15, zlib 1.2.7

the problem persists. It is very strange that the root CA is not
trusted by lftp:


Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found

Could it be that
set ssl:ca-file /etc/ssl/certs/ca-certificates.crt
is useless?

Please help!



Quoting Daniel Fazekas fds...@gmail.com:


On Jun 12, 2014, at 20:55, Szépe Viktor vik...@szepe.net wrote:

Your software is very tricky. After --with-ssl=yes openssl is not  
denoted (in the bottom line) but doing some TLS operation!


Stripping symbols from the lftp binary can cause the openssl version  
information to go missing from the version output.



Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes  you won't reach the password prompt.


It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a  
necessary intermediate certificate was left out.


$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(0003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=21:unable to verify the first certificate
verify return:1

Also fails with curl compiled with NSS:

$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]

AUTH SSL

 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated

*   start date: Jun 07 00:00:00 2014 GMT
*   expire date: Jun 07 23:59:59 2015 GMT
*   common name: s1

Re: [lftp] certificated validation

2014-06-12 Thread Szépe Viktor

Maybe I've found the cause:

The Issued by: and the Checking against: is looping.
Firstly: PositiveSSL-AddTrust then: AddTrust-PositiveSSL


Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found


Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found


Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted



Quoting Daniel Fazekas fds...@gmail.com:


On Jun 12, 2014, at 20:55, Szépe Viktor vik...@szepe.net wrote:

Your software is very tricky. After --with-ssl=yes openssl is not  
denoted (in the bottom line) but doing some TLS operation!


Stripping symbols from the lftp binary can cause the openssl version  
information to go missing from the version output.



Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu
With set ftp:ssl-force yes  you won't reach the password prompt.


It appears the server is at fault here and lftp is working properly.
Only the ftp server's administrator could fix this. Possibly a  
necessary intermediate certificate was left out.


$ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp
CONNECTED(0003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu
verify error:num=21:unable to verify the first certificate
verify return:1

Also fails with curl compiled with NSS:

$ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/
[...]

AUTH SSL

 234 AUTH SSL successful
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated
*   start date: Jun 07 00:00:00 2014 GMT
*   expire date: Jun 07 23:59:59 2015 GMT
*   common name: s1.tarhelydiktator.eu
* 	issuer: CN=PositiveSSL CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.


To sum up, in my testing:
cl01.webspacecontrol.com:
openssl: OK
gnutls: OK
nss: OK

eu1.solid-hosting.net
openssl: OK
gnutls: fails
nss: OK

s1.tarhelydiktator.eu
openssl: fails
nss: fails
gnutls: fails

Not a fault of lftp in either case.





Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület







[lftp] certificated validation

2014-06-10 Thread Szépe Viktor

Could you help me how to solve the Not trusted: no issuer was found error?
Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy)
4.5.1 does the same.
Also with fresh ca bundle
https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt


You can try running  lftp eu1.solid-hosting.net  yourself without a password.

Thank you!


openssl says it is OK

# openssl s_client -connect eu1.solid-hosting.net:21 -starttls ftp -CAfile /etc/ssl/certs/ca-certificates.crt

CONNECTED(0003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = eu1.solid-hosting.net
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=eu1.solid-hosting.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

---



# lftp eu1.solid-hosting.net
lftp shsz...@eu1.solid-hosting.net:~ set ssl:ca-file /etc/ssl/certs/ca-certificates.crt


lftp shsz...@eu1.solid-hosting.net:~ debug

lftp shsz...@eu1.solid-hosting.net:~ ls /
 Connecting to eu1.solid-hosting.net (94.23.121.230) port 21
--- 220-- Welcome to Pure-FTPd [privsep] [TLS] --
--- 220-You are user number 1 of 100 allowed.
--- 220-Local time is now 00:24. Server port: 21.
--- 220-This is a private system - No anonymous login
--- 220-IPv6 connections are also welcome on this server.
--- 220 You will be disconnected after 3 minutes of inactivity.
--- FEAT
--- 211-Extensions supported:
---  EPRT
---  IDLE
---  MDTM
---  SIZE
---  MFMT
---  REST STREAM
---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
---  MLSD
---  AUTH TLS
---  PBSZ
---  PROT
---  TVFS
---  ESTA
---  PASV
---  EPSV
---  SPSV
---  ESTP
--- 211 End.
--- AUTH TLS
--- 234 AUTH TLS OK.
--- OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2

ERROR: Certificate verification: Not trusted: no issuer was found

Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted
 Certificate verification: Not trusted: no issuer was found
 Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found

Szépe Viktor
--
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, XX. kerület
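
Added example (not from the thread, and not lftp or GnuTLS code): a Python diagnostic that parses the "Certificate chain" section of the openssl s_client output in this message, reproduces the neighbour-by-neighbour comparison visible in the lftp debug log, and rebuilds the chain by following issuer names instead. The sample text is that chain with wrapped lines rejoined; the function names are hypothetical, and names are compared as strings only, with no signature or trust-store checks.

```python
import re

# Sample input: the "Certificate chain" section quoted in this message for
# eu1.solid-hosting.net, with the mail client's line wrapping undone.
S_CLIENT_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=eu1.solid-hosting.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

ENTRY = re.compile(r"^\s*\d+\s+s:(?P<subject>.+)\n\s+i:(?P<issuer>.+)$", re.M)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m["subject"].strip(), m["issuer"].strip())
            for m in ENTRY.finditer(text)]


def common_name(dn):
    """Short label for reports: the CN part of a /-separated DN."""
    return dn.rsplit("/CN=", 1)[-1]


def adjacent_mismatches(chain):
    """Indexes whose issuer is not the subject of the NEXT entry as sent.

    This mirrors the 'Issued by' vs 'Checking against' pairs in the debug log.
    """
    return [i for i in range(len(chain) - 1)
            if chain[i][1] != chain[i + 1][0]]


def build_path(chain):
    """Follow issuer names from the leaf (entry 0), ignoring the sent order.

    Stops at a self-issued certificate, at an issuer the server did not send,
    or when a name repeats (loop guard).
    """
    by_subject = {}
    for subject, issuer in chain:
        by_subject.setdefault(subject, (subject, issuer))
    path, seen = [chain[0]], {chain[0][0]}
    while path[-1][0] != path[-1][1]:
        nxt = by_subject.get(path[-1][1])
        if nxt is None or nxt[0] in seen:
            break
        path.append(nxt)
        seen.add(nxt[0])
    return path


def diagnose(text):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'N s:/i:' entries found")
    path = build_path(chain)
    return {
        "sent_order": [common_name(s) for s, _ in chain],
        "adjacent_mismatches": adjacent_mismatches(chain),
        "rebuilt_path": [common_name(s) for s, _ in path],
        "sent_in_order": chain[:len(path)] == path,
        # True when the top of the rebuilt path is not self-issued: its issuer
        # was not sent and has to come from the local trust store.
        "top_issuer_not_sent": path[-1][0] != path[-1][1],
    }


if __name__ == "__main__":
    for key, value in diagnose(S_CLIENT_CHAIN).items():
        print(f"{key}: {value}")
```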




