Re: [lftp] Make certificate verification great again

2017-04-03 Thread Nathanaël Naeri
Just an update to close the thread: the hosting company has changed their server setup to include the intermediate CA certificates in addition to the server certificates. I can now confirm that the certificate chain is indeed visible when connecting with lftp (in debug mode), and certificate

Re: [lftp] Make certificate verification great again

2017-03-21 Thread Alexander V. Lukyanov
On Mon, Mar 20, 2017 at 11:49:46PM +0100, Daniel Fazekas wrote: > On Mar 20, 2017, at 14:55, Nathanaël Naeri wrote: > > Is that an issue that this hosting company could do something about? I > > can ask their sysadmins for help. > > It's a common setup mistake to make

Re: [lftp] Make certificate verification great again

2017-03-20 Thread Nathanaël Naeri
@Alexander: Sure, SERVER=pool222, and other numbers would probably work I suppose. I originally assumed it was irrelevant since CN=*.seedbox.fr but apparently it's not without importance. The error happens when I run the first "ls" command (lftp 4.7.7 w/ GnuTLS 3.5.10): $ ./lftp lftp :~> debug

Re: [lftp] Make certificate verification great again

2017-03-20 Thread Daniel Fazekas
On Mar 20, 2017, at 14:55, Nathanaël Naeri wrote: > Is that an issue that this hosting company could do something about? I > can ask their sysadmins for help. It's a common setup mistake to make for server admins that they only add the server certificate to their

Re: [lftp] Make certificate verification great again

2017-03-20 Thread Alexander Lukyanov
Does the "Not trusted" error happen just after connecting or when doing the data connection? Can you provide at least the server name? Mon, 20 Mar 2017 at 16:55, Nathanaël Naeri : > It appears that "open -d https://www.seedbox.fr" works indeed > ("Trusted",

Re: [lftp] Make certificate verification great again

2017-03-20 Thread Nathanaël Naeri
It appears that "open -d https://www.seedbox.fr" works indeed ("Trusted", certificate chain printed out as in your previous message), but "open -d -p 21 -u USER,PASS SERVER.seedbox.fr" doesn't ("Certificate verification: Not trusted", same output as reported in my first message). Using lftp 4.7.7

Re: [lftp] Make certificate verification great again

2017-03-18 Thread Nathanaël Naeri
Thank you for your answer. I have updated my version of GnuTLS to 3.5.10 and compiled lftp 4.7.7 against it. The resulting "./lftp --version" shows "Libraries used: Readline 6.3, Expat 2.1.0, GnuTLS 3.5.10, zlib 1.2.8". Yet the error I reported in my first message remains: "Certificate

Re: [lftp] Make certificate verification great again

2017-03-14 Thread Alexander V. Lukyanov
I can't reproduce the problem. Here is what I get with OpenSSL 1.0.2k: Certificate depth: 3; subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root; issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Certificate depth:

Re: [lftp] Make certificate verification great again

2017-03-12 Thread Nathanaël Naeri
PS: The certificate chain that I can follow manually using OpenSSL is different than that shown by my browser (Firefox > Page Info). I don't know why that is. It goes as follows: AddTrust External CA Root COMODO RSA AddTrust CA COMODO RSA Organization Validation Secure Server CA

Re: [lftp] Make certificate verification great again

2017-03-12 Thread Nathanaël Naeri
Thanks for your answer. I have checked that Comodo's root CA certificate is present in the certificate bundle file, however Comodo's intermediate CA certificate (that signed the server's certificate) isn't, as is normal if I understand correctly. The certificate hierarchy is as follows (as shown

Re: [lftp] Make certificate verification great again

2017-03-11 Thread Alexander Lukyanov
Your understanding of CA is correct. The Comodo certificate should be present in the CA bundle for the verification to succeed. Sun, 12 March 2017, 5:16 Nathanaël Naeri : > I'm trying to connect to a FTP server that supports explicit FTPS > using TLS, but I can't get