I'm attempting to connect to a SecureTransport 4.7 server using FTP/SSL. Here's my lftp version info:
LFTP | Version 4.0.9 | Copyright (c) 1996-2010 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LFTP. If not, see <http://www.gnu.org/licenses/>.

Send bug reports and questions to the mailing list <[email protected]>.

Libraries used: Readline 5.1, Expat 2.0.0, OpenSSL 0.9.8a 11 Oct 2005

When I try to start TLS, I get a certificate signature failure. The intermediate cert in question is in my /etc/ssl/certs directory, properly hashed and linked. My CA cert bundle is fresh, just made today from the Mozilla bundle. Other FTP/SSL sites that I connect to work with this setup. I've been working on this for quite some time, and it almost seems like nothing I do with certificates affects the results. What am I doing wrong? Any guidance would be greatly appreciated.

---> FEAT
<--- 211-Extensions supported
<--- AUTH
<--- USER
<--- PASS
<--- QUIT
<--- PORT
<--- PASV
<--- EPSV
<--- TYPE
<--- STRU
<--- MODE
<--- RETR
<--- STOR
<--- ABOR
<--- DELE
<--- CWD
<--- XCWD
<--- LIST
<--- NLST
<--- SITE
<--- SYST
<--- STAT
<--- HELP
<--- NOOP
<--- MKD
<--- XMKD
<--- RMD
<--- XRMD
<--- PWD
<--- XPWD
<--- CDUP
<--- XCUP
<--- SIZE
<--- MDTM
<--- RNFR
<--- RNTO
<--- REST
<--- FEAT
<--- ADAT
<--- PROT
<--- PBSZ
<--- APPE
<--- XCRC
<--- CCC
<--- COMB
<--- UTF8
<--- 211 END
---> AUTH TLS
<--- 234 SSLv23/TLSv1
---> OPTS UTF8 ON
Certificate depth: 2; subject: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority; issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Certificate depth: 1; subject: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign; issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
ERROR: Certificate verification: certificate signature failure
Certificate depth: 2; subject: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority; issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Certificate depth: 1; subject: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign; issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
ERROR: Certificate verification: certificate signature failure
**** SSL_connect: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
---- Closing control socket
ls: Fatal error: SSL_connect: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

If I disable certificate verification, I get this:

---> AUTH TLS
<--- 234 SSLv23/TLSv1
---> OPTS UTF8 ON
Certificate depth: 2; subject: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority; issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Certificate depth: 1; subject: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign; issuer: /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
WARNING: Certificate verification: certificate signature failure
Certificate depth: 0; subject: /C=US/ST=Delaware/L=New Castle/O=Citigroup/OU=PSPI/CN=securefiletransferuat.citigroup.com; issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
WARNING: Certificate verification: certificate signature failure
**** SSL_connect: tlsv1 alert decrypt error
---- Closing control socket
ls: Fatal error: SSL_connect: tlsv1 alert decrypt error

The source system in question is behind a firewall, with the lftp ports opened to the target system. Are there additional ports I need opened for certificate verification?

-- 
Sandy

Freedom is the opportunity to take responsibility for your actions.
I don't speak for anyone but myself, and sometimes not even that.
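The "certificate signature failure" reported at depth 1 in the log above is OpenSSL's X509_V_ERR_CERT_SIGNATURE_FAILURE (error 7): the chain leaf -> intermediate -> root was assembled, but the intermediate's signature did not verify under the key of the root that was picked from the local trust store. Certificate verification needs no extra ports; it is a local computation over the certificates the server sent plus the local store. The following script is an added example, not part of the original post or of lftp: it uses only the openssl CLI to build a throwaway root/intermediate/leaf PKI, verifies the chain, then corrupts the intermediate's signature to reproduce the same depth-1 error, and goes one step beyond the post by checking each hop separately to localise the broken link. The PKI names (Example Test PKI, ftp.example.test) and the WORK directory are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from lftp): reproduce a depth-1
# "certificate signature failure" with a throwaway PKI and show the per-hop check.
# Needs only the openssl CLI (1.1.1 or 3.x). All names are constructed test values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a key and CSR for $1, then sign it: self-signed when issuer $2 equals $1,
# otherwise with the issuer's key. $3 lists the extensions for -extfile ('\n'-separated).
make_cert() {  # $1=name $2=issuer $3=extensions
  printf '%b\n' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Test PKI/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$1" = "$2" ]; then
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
      -signkey "$WORK/$1.key" -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
      -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Change the last byte of the DER encoding (the tail of the signature value) so the
# certificate still parses but its signature no longer verifies under the issuer's key.
corrupt_signature() {  # $1=input pem $2=output pem
  openssl x509 -in "$1" -outform DER -out "$WORK/sig.der"
  size=$(wc -c < "$WORK/sig.der")
  last=$(tail -c 1 "$WORK/sig.der" | od -A n -t u1 | tr -d ' ')
  dd if="$WORK/sig.der" of="$WORK/sig-bad.der" bs=1 count=$((size - 1)) 2>/dev/null
  printf "$(printf '\\%03o' $(( (last + 1) % 256 )))" >> "$WORK/sig-bad.der"
  openssl x509 -inform DER -in "$WORK/sig-bad.der" -out "$2"
}

# Build root -> intermediate -> leaf, plus a copy of the intermediate with a broken signature.
build_pki() {
  [ -f "$WORK/intermediate-bad.pem" ] && return 0
  make_cert root root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  make_cert intermediate root 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
  make_cert leaf intermediate 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ftp.example.test'
  corrupt_signature "$WORK/intermediate.pem" "$WORK/intermediate-bad.pem"
}

# Full-chain check the way a TLS client does it: trusted root, untrusted intermediate, leaf.
# Prints "<leaf>: OK" or OpenSSL's "error N at D depth lookup: ..." diagnostics.
verify_chain() {  # $1=root pem $2=intermediate pem $3=leaf pem
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true
}

# One hop only: is $2 validly signed by $1? -partial_chain lets a non-root act as the anchor.
check_link() {  # $1=issuer pem $2=subject pem
  openssl verify -partial_chain -CAfile "$1" "$2" 2>&1 || true
}

build_pki
echo "intact chain: $(verify_chain "$WORK/root.pem" "$WORK/intermediate.pem" "$WORK/leaf.pem")"
echo "broken chain: $(verify_chain "$WORK/root.pem" "$WORK/intermediate-bad.pem" "$WORK/leaf.pem")"
echo "leaf <- intermediate: $(check_link "$WORK/intermediate-bad.pem" "$WORK/leaf.pem")"
echo "intermediate <- root: $(check_link "$WORK/root.pem" "$WORK/intermediate-bad.pem")"
```

The broken chain reports "error 7 at 1 depth lookup: certificate signature failure", the same condition lftp logged, while the per-hop checks show the leaf still verifying under the intermediate and only the intermediate -> root hop failing. To apply the same check to a live server, capture its chain with `openssl s_client -connect host:port -starttls ftp -showcerts`, save the leaf and intermediate to files, and run `openssl verify -CAfile <your CA bundle> -untrusted intermediate.pem leaf.pem`; if that fails at depth 1, compare `openssl x509 -noout -fingerprint` of the root your bundle contains against the root the intermediate was actually issued under, since a root with the same subject name but a different key produces exactly this error.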
