Re: [lftp] Certificate validation confusion

2018-03-18 Thread Alexander Lukyanov
Yes, that would be good.

Fri, 16 Mar 2018 at 10:08, Manfred Lotz :

> On Thu, 15 Mar 2018 21:58:17 +
> Alexander Lukyanov  wrote:
>
> > I think the name of your certificate was recognized as a false value.
> > The ssl:verify-certificate setting expects a boolean value (true,
> > false, yes, no, on, off, 1, 0).
> >
>
> Yes, you are right. My fault. Actually the file name started with a
> letter 'F'.
>
> But why doesn't ResMgr.cc check boolean values more thoroughly?
>
> I think values should be either the full value or a single letter, and
> case-insensitive. For instance: f,F, false and any lower/upper case
> combination of 'false'. Something like: ftp.certificate should give an
> "Invalid boolean value".
>
> Then specifying a filename would have given a warning.
>
> What do you think?
>
>
> --
> Manfred
> ___
> lftp mailing list
> lftp@uniyar.ac.ru
> http://univ.uniyar.ac.ru/mailman/listinfo/lftp
>
___
lftp mailing list
lftp@uniyar.ac.ru
http://univ.uniyar.ac.ru/mailman/listinfo/lftp
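
The difference between first-character matching and the stricter validation proposed in this thread, as an added example that is not part of the original messages and not lftp's own code. `lenient_bool` is a hypothetical model of the behaviour described above; `strict_bool`, `verify_enabled` and the fail-closed default are assumptions of this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

enum class Parsed { False, True, Invalid };

static char lower(char c) {
    return static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
}

// Model of first-character matching (an assumption, not lftp's source):
// only the leading character decides, so "ftp.certificate" reads as false.
bool lenient_bool(const std::string& v) {
    if (v.empty()) return false;
    const char c = lower(v[0]);
    if (c == 'o') return v.size() > 1 && lower(v[1]) == 'n';  // on / off
    return c == 't' || c == 'y' || c == '1';
}

// Strict parser per the proposal: full word or single letter,
// case-insensitive; everything else is Invalid. A lone "o" is rejected
// because it cannot distinguish on from off.
Parsed strict_bool(std::string v) {
    std::transform(v.begin(), v.end(), v.begin(), lower);
    for (const char* t : {"true", "t", "yes", "y", "on", "1"})
        if (v == t) return Parsed::True;
    for (const char* f : {"false", "f", "no", "n", "off", "0"})
        if (v == f) return Parsed::False;
    return Parsed::Invalid;  // caller reports "Invalid boolean value"
}

// Fail closed for a verification switch: an invalid value leaves
// verification enabled and flags the error so the caller can report it.
bool verify_enabled(const std::string& setting, bool* invalid) {
    const Parsed p = strict_bool(setting);
    *invalid = (p == Parsed::Invalid);
    return p != Parsed::False;
}

int main() {
    // Constructed sample values; "ftp.certificate" is the thread's example.
    for (const char* s : {"ftp.certificate", "F", "FaLsE", "yes", "off"}) {
        bool invalid = false;
        const bool on = verify_enabled(s, &invalid);
        std::printf("%-16s lenient=%d strict_verify=%d invalid=%d\n",
                    s, lenient_bool(s), on, invalid);
    }
    return 0;
}
```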


Re: [lftp] Certificate validation confusion

2018-03-16 Thread Manfred Lotz
On Thu, 15 Mar 2018 21:58:17 +
Alexander Lukyanov  wrote:

> I think the name of your certificate was recognized as a false value.
> The ssl:verify-certificate setting expects a boolean value (true,
> false, yes, no, on, off, 1, 0).
> 

Yes, you are right. My fault. Actually the file name started with a
letter 'F'.

But why doesn't ResMgr.cc check boolean values more thoroughly?

I think values should be either the full value or a single letter, and
case-insensitive. For instance: f,F, false and any lower/upper case
combination of 'false'. Something like: ftp.certificate should give an
"Invalid boolean value".

Then specifying a filename would have given a warning.

What do you think?


-- 
Manfred


[lftp] Certificate validation confusion

2018-03-12 Thread Manfred Lotz
Hi there,

I have an ftps server on z/OS. The ftps server certificate is signed by
the company's internal CA.

On the client side this is a Fedora 27 system with lftp 4.8.3.

First the two cases which work fine (and which I understand).

1. I have set

set ftp:ssl-force true
set ftp:ssl_auth tls

No certificate specified, no certificate installed in the Linux
system and I get:

ERROR: Certificate verification: Not trusted (66:7C

and the connection will be closed.

2. Same as 1. but now I have copied the root certificate of the
company's internal CA into /etc/pki-ca-trust-source/anchor/ directory
and I have run 
 sudo update-ca-trust

This time the ftp server's certificate can be validated and things are
fine.


Now the case I don't understand:

I have set:
set ftp:ssl-force true
set ftp:ssl_auth tls
set ssl:verify-certificate ZOS_SELF_SIGNED

where ZOS_SELF_SIGNED is just a self signed certificate in PEM
format created on the z/OS system.

Now I get 

WARNING: Certificate verification: Not trusted (66:7C

and I can list files on the remote site and download files from the
remote site. 

Question: Why do I get a warning only?  I had expected to get an error
here.


-- 
Thanks,
Manfred

