Re: [lftp] Make certificate verification great again

2017-03-11 Thread Alexander Lukyanov 
Your understanding of CA is correct. The Comodo certificate should be
present in the CA bundle for the verification to succeed.

вс, 12 марта 2017, 5:16 Nathanaël Naeri :

> I'm trying to connect to a FTP server that supports explicit FTPS
> using TLS, but I can't get certificate verification working. Most of
> the online help I find advises disabling certificate verification with
> "ssl:verify-certificate no", and I assume this is not good advice.
>
> My current understanding of the process is that lftp downloads the
> server's certificate when it negotiates TLS, then follows the
> certificate chain up to the certificate of a root CA, and trusts that
> root CA because it is in my list of trusted third parties, that I
> indicate to lftp using "ssl:ca-file
> /etc/ssl/certs/ca-certificates.crt" (the root CA certificates bundle
> file). This is, as far as I know, what web browsers do when they
> connect to HTTPS hosts (isn't it?).
>
> This doesn't appear to work so I guess I don't understand right. The
> debug output is:
>
> $ lftp -d -p 21 -u USER,PASS SERVER.seedbox.fr
> lftp u...@server.seedbox.fr:~> set ssl:ca-file
> /etc/ssl/certs/ca-certificates.crt
> lftp u...@server.seedbox.fr:~> ls
>  Connecting to SERVER.seedbox.fr (IPADDRESS) port 21
> <--- 220-- Welcome to Pure-FTPd [privsep] [TLS] --
> <--- [other 220 info]
> ---> FEAT
> <--- [feat reply]
> ---> AUTH TLS
> <--- 234 AUTH TLS OK.
> ---> OPTS UTF8 ON
> Certificate:
> C=FR,postalCode=77310,ST=Seine-et-Marne,L=PRINGY,street=IMPASSE
> DU BREAU,O=SDBX FRANCE,OU=0002 529997199,CN=*.seedbox.fr
>  Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
> Limited,CN=COMODO RSA Organization Validation Secure Server CA
> ERROR: Certificate verification: Not trusted
>  Certificate verification: Not trusted
>  Closing control socket
> ls: Fatal error: Certificate verification: Not trusted
>
> However, if I download the server's certificate beforehand, using a
> web browser or the OpenSSL CLI (openssl s_client -connect
> SERVER.seedbox.fr:21 -starttls ftp), and then points lftp to this
> certificate using "ssl ca-file
> /path/to/manually/downloaded/server/certificate.crt", the certificate
> verification succeeds. Why? What is verified in this case, precisely?
> That the certificate lftp downloads from the server during TLS
> negotiation is the same as one that was previously downloaded? How
> does that authenticates the server?
>
> And does this mean that the user has to maintain a certificate
> database of the servers they connect to? I thought the point of
> certificate hierarchies was that the user would only have to maintain
> a short list of trusted third party certificates (the root CA
> certificates).
>
> Thanks in advance for your help
> Naël
> ___
> lftp mailing list
> lftp@uniyar.ac.ru
> http://univ.uniyar.ac.ru/mailman/listinfo/lftp
>
___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp

[lftp] Make certificate verification great again

2017-03-11 Thread Nathanaël Naeri 
I'm trying to connect to a FTP server that supports explicit FTPS
using TLS, but I can't get certificate verification working. Most of
the online help I find advises disabling certificate verification with
"ssl:verify-certificate no", and I assume this is not good advice.

My current understanding of the process is that lftp downloads the
server's certificate when it negotiates TLS, then follows the
certificate chain up to the certificate of a root CA, and trusts that
root CA because it is in my list of trusted third parties, that I
indicate to lftp using "ssl:ca-file
/etc/ssl/certs/ca-certificates.crt" (the root CA certificates bundle
file). This is, as far as I know, what web browsers do when they
connect to HTTPS hosts (isn't it?).

This doesn't appear to work so I guess I don't understand right. The
debug output is:

$ lftp -d -p 21 -u USER,PASS SERVER.seedbox.fr
lftp u...@server.seedbox.fr:~> set ssl:ca-file
/etc/ssl/certs/ca-certificates.crt
lftp u...@server.seedbox.fr:~> ls
 Connecting to SERVER.seedbox.fr (IPADDRESS) port 21
<--- 220-- Welcome to Pure-FTPd [privsep] [TLS] --
<--- [other 220 info]
---> FEAT
<--- [feat reply]
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS UTF8 ON
Certificate: C=FR,postalCode=77310,ST=Seine-et-Marne,L=PRINGY,street=IMPASSE
DU BREAU,O=SDBX FRANCE,OU=0002 529997199,CN=*.seedbox.fr
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA
Limited,CN=COMODO RSA Organization Validation Secure Server CA
ERROR: Certificate verification: Not trusted
 Certificate verification: Not trusted
 Closing control socket
ls: Fatal error: Certificate verification: Not trusted

However, if I download the server's certificate beforehand, using a
web browser or the OpenSSL CLI (openssl s_client -connect
SERVER.seedbox.fr:21 -starttls ftp), and then points lftp to this
certificate using "ssl ca-file
/path/to/manually/downloaded/server/certificate.crt", the certificate
verification succeeds. Why? What is verified in this case, precisely?
That the certificate lftp downloads from the server during TLS
negotiation is the same as one that was previously downloaded? How
does that authenticates the server?

And does this mean that the user has to maintain a certificate
database of the servers they connect to? I thought the point of
certificate hierarchies was that the user would only have to maintain
a short list of trusted third party certificates (the root CA
certificates).

Thanks in advance for your help
Naël
___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp