Your understanding of CA is correct. The Comodo certificate should be
present in the CA bundle for the verification to succeed.

вс, 12 марта 2017, 5:16 Nathanaël Naeri <>:

> I'm trying to connect to a FTP server that supports explicit FTPS
> using TLS, but I can't get certificate verification working. Most of
> the online help I find advises disabling certificate verification with
> "ssl:verify-certificate no", and I assume this is not good advice.
> My current understanding of the process is that lftp downloads the
> server's certificate when it negotiates TLS, then follows the
> certificate chain up to the certificate of a root CA, and trusts that
> root CA because it is in my list of trusted third parties, that I
> indicate to lftp using "ssl:ca-file
> /etc/ssl/certs/ca-certificates.crt" (the root CA certificates bundle
> file). This is, as far as I know, what web browsers do when they
> connect to HTTPS hosts (isn't it?).
> This doesn't appear to work so I guess I don't understand right. The
> debug output is:
> $ lftp -d -p 21 -u USER,PASS
> lftp> set ssl:ca-file
> /etc/ssl/certs/ca-certificates.crt
> lftp> ls
> ---- Connecting to (IPADDRESS) port 21
> <--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> <--- [other 220 info]
> ---> FEAT
> <--- [feat reply]
> ---> AUTH TLS
> <--- 234 AUTH TLS OK.
> ---> OPTS UTF8 ON
> Certificate:
> C=FR,postalCode=77310,ST=Seine-et-Marne,L=PRINGY,street=IMPASSE
> DU BREAU,O=SDBX FRANCE,OU=0002 529997199,CN=*
>  Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
> Limited,CN=COMODO RSA Organization Validation Secure Server CA
> ERROR: Certificate verification: Not trusted
> **** Certificate verification: Not trusted
> ---- Closing control socket
> ls: Fatal error: Certificate verification: Not trusted
> However, if I download the server's certificate beforehand, using a
> web browser or the OpenSSL CLI (openssl s_client -connect
> -starttls ftp), and then points lftp to this
> certificate using "ssl ca-file
> /path/to/manually/downloaded/server/certificate.crt", the certificate
> verification succeeds. Why? What is verified in this case, precisely?
> That the certificate lftp downloads from the server during TLS
> negotiation is the same as one that was previously downloaded? How
> does that authenticates the server?
> And does this mean that the user has to maintain a certificate
> database of the servers they connect to? I thought the point of
> certificate hierarchies was that the user would only have to maintain
> a short list of trusted third party certificates (the root CA
> certificates).
> Thanks in advance for your help
> Naël
> _______________________________________________
> lftp mailing list
lftp mailing list

Reply via email to