Re: [lftp] certificated validation
Your software is very tricky. After --with-ssl=yes openssl is not denoted (in the bottom line) but doing some TLS operation! After set ssl:ca-path /etc/ssl/certs/ OR set ssl:ca-file /etc/ssl/certs/ca-certificates.crt lftp says: --- 234 AUTH TLS successful --- OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner; Certificate depth: 0; subject: /OU=Domain Control Validated/OU=PositiveSSL/CN=s1.tarhelydiktator.eu; issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2 ERROR: Certificate verification: unable to get local issuer certificate SSL_connect: unable to get local issuer certificate Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu With set ftp:ssl-force yes you won't reach the password prompt. Thank you! # /home/viktor/src/lftp-4.5.2/src/lftp --version LFTP | Version 4.5.2 | Copyright (c) 1996-2014 Alexander V. Lukyanov LFTP is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with LFTP. If not, see http://www.gnu.org/licenses/. Send bug reports and questions to the mailing list lftp@uniyar.ac.ru. Libraries used: Readline 6.2, Expat 2.1.0, zlib 1.2.7 Idézem/Quoting Alexander V. Lukyanov l...@netis.ru: On Wed, Jun 11, 2014 at 01:55:23AM +0200, Szépe Viktor wrote: Could you help me how to solve to Not trusted: no issuer was found error? Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy) 4.5.1 does the same. Also with fresh ca bundle https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt You can try running lftp eu1.solid-hosting.net yourself without a password. Thank you! openssl says it is OK You can try to compile lftp with openssl (configure --with-openssl) and see if it helps. -- Alexander. Szépe Viktor -- +36-20-4242498 s...@szepe.net skype: szepe.viktor Budapest, XX. kerület ___ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp
Re: [lftp] certificated validation
On Jun 12, 2014, at 20:55, Szépe Viktor vik...@szepe.net wrote: Your software is very tricky. After --with-ssl=yes openssl is not denoted (in the bottom line) but doing some TLS operation! Stripping symbols from the lftp binary can cause the openssl version information to go missing from the version output. Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu With set ftp:ssl-force yes you won't reach the password prompt. It appears the server is at fault here and lftp is working properly. Only the ftp server's administrator could fix this. Possibly a necessary intermediate certificate was left out. $ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp CONNECTED(0003) depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=21:unable to verify the first certificate verify return:1 Also fails with curl compiled with NSS: $ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/ [...] AUTH SSL 234 AUTH SSL successful * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated * start date: Jun 07 00:00:00 2014 GMT * expire date: Jun 07 23:59:59 2015 GMT * common name: s1.tarhelydiktator.eu * issuer: CN=PositiveSSL CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) * Peer's Certificate issuer is not recognized. * Closing connection 0 curl: (60) Peer's Certificate issuer is not recognized. To sum up, in my testing: cl01.webspacecontrol.com: openssl: OK gnutls: OK nss: OK eu1.solid-hosting.net openssl: OK gnutls: fails nss: OK s1.tarhelydiktator.eu openssl: fails nss: fails gnutls: fails Not a fault of lftp in either case. ___ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp
Re: [lftp] certificated validation
Thank you for your answer! Yes, this is a left out intermediate cert (but it is included on Windows 7) lftp work with openssl My original question was that the stock Debain/wheezy lftp (compiled with gnutls) couldn't verify a valid cert. # lftp -u '***,***' eu1.solid-hosting.net -e 'debug' lftp shsz...@eu1.solid-hosting.net:~ set ftp:ssl-force 1 lftp shsz...@eu1.solid-hosting.net:~ set ssl:ca-file /etc/ssl/certs/ca-certificates.crt lftp shsz...@eu1.solid-hosting.net:~ ls Connecting to eu1.solid-hosting.net (94.23.121.230) port 21 --- 220-- Welcome to Pure-FTPd [privsep] [TLS] -- . . . --- AUTH TLS --- 234 AUTH TLS OK. --- OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid; Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net Issued by:C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root ERROR: Certificate verification: Not trusted: no issuer was found Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 ERROR: Certificate verification: Not trusted: no issuer was found Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Trusted Certificate verification: Not trusted: no issuer was found Closing control socket ls: Fatal error: Certificate verification: Not trusted: no issuer was found gnutls-cli 3 works: echo AUTH TLS echo press: ENTER + Ctrl+D # gnutls-cli 3.2.15 gnutls-cli --verbose --crlf --x509cafile=/etc/ssl/certs/ca-certificates.crt --starttls --port 21 eu1.solid-hosting.net - Status: The certificate is trusted. - Description: (TLS1.2)-(RSA)-(AES-128-GCM) - Session ID: F4:FE:58:66:16:DB:95:A7:54:EA:C0:D7:7D:8D:A3:39:C8:76:D5:A2:23:FC:53:91:26:B7:D8:13:75:2C:85:6C - Version: TLS1.2 - Key Exchange: RSA - Cipher: AES-128-GCM - MAC: AEAD - Compression: NULL It seems to be a gnutls problem because gnutls-cli (GnuTLS) 2.8.6 fails: - The hostname in the certificate matches 'eu1.solid-hosting.net'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.1 - Key Exchange: DHE-RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL But after compiling lftp with gnutls 3 Libraries used: Readline 6.2, Expat 2.1.0, GnuTLS 3.2.15, zlib 1.2.7 the problem persists. It is very strange that to root ca is not trusted by lftp: Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 ERROR: Certificate verification: Not trusted: no issuer was found Could it be that set ssl:ca-file /etc/ssl/certs/ca-certificates.crt is useless? Please help! Idézem/Quoting Daniel Fazekas fds...@gmail.com: On Jun 12, 2014, at 20:55, Szépe Viktor vik...@szepe.net wrote: Your software is very tricky. After --with-ssl=yes openssl is not denoted (in the bottom line) but doing some TLS operation! Stripping symbols from the lftp binary can cause the openssl version information to go missing from the version output. Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu With set ftp:ssl-force yes you won't reach the password prompt. It appears the server is at fault here and lftp is working properly. Only the ftp server's administrator could fix this. Possibly a necessary intermediate certificate was left out. $ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp CONNECTED(0003) depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=21:unable to verify the first certificate verify return:1 Also fails with curl compiled with NSS: $ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/ [...] AUTH SSL 234 AUTH SSL successful * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated * start date: Jun 07 00:00:00 2014 GMT * expire date: Jun 07 23:59:59 2015 GMT * common name:
Re: [lftp] certificated validation
Maybe I've found the cause: The Issued by: and the Checking against: is looping. Firstly: PositiveSSL-AddTrust then: AddTrust-PositiveSSL Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net Issued by:C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root ERROR: Certificate verification: Not trusted: no issuer was found Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 ERROR: Certificate verification: Not trusted: no issuer was found Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Trusted Idézem/Quoting Daniel Fazekas fds...@gmail.com: On Jun 12, 2014, at 20:55, Szépe Viktor vik...@szepe.net wrote: Your software is very tricky. After --with-ssl=yes openssl is not denoted (in the bottom line) but doing some TLS operation! Stripping symbols from the lftp binary can cause the openssl version information to go missing from the version output. Could you test it and fix it? An example hostname is s1.tarhelydiktator.eu With set ftp:ssl-force yes you won't reach the password prompt. It appears the server is at fault here and lftp is working properly. Only the ftp server's administrator could fix this. Possibly a necessary intermediate certificate was left out. $ openssl s_client -connect s1.tarhelydiktator.eu:21 -starttls ftp CONNECTED(0003) depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=27:certificate not trusted verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = s1.tarhelydiktator.eu verify error:num=21:unable to verify the first certificate verify return:1 Also fails with curl compiled with NSS: $ curl -v --ssl-reqd ftp://s1.tarhelydiktator.eu/ [...] AUTH SSL 234 AUTH SSL successful * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=s1.tarhelydiktator.eu,OU=PositiveSSL,OU=Domain Control Validated * start date: Jun 07 00:00:00 2014 GMT * expire date: Jun 07 23:59:59 2015 GMT * common name: s1.tarhelydiktator.eu * issuer: CN=PositiveSSL CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) * Peer's Certificate issuer is not recognized. * Closing connection 0 curl: (60) Peer's Certificate issuer is not recognized. To sum up, in my testing: cl01.webspacecontrol.com: openssl: OK gnutls: OK nss: OK eu1.solid-hosting.net openssl: OK gnutls: fails nss: OK s1.tarhelydiktator.eu openssl: fails nss: fails gnutls: fails Not a fault of lftp in either case. ___ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp Szépe Viktor -- +36-20-4242498 s...@szepe.net skype: szepe.viktor Budapest, XX. kerület ___ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp
Re: [lftp] certificated validation
On Wed, Jun 11, 2014 at 01:55:23AM +0200, Szépe Viktor wrote: Could you help me how to solve to Not trusted: no issuer was found error? Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy) 4.5.1 does the same. Also with fresh ca bundle https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt You can try running lftp eu1.solid-hosting.net yourself without a password. Thank you! openssl says it is OK You can try to compile lftp with openssl (configure --with-openssl) and see if it helps. -- Alexander. ___ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp
[lftp] certificated validation
Could you help me how to solve to Not trusted: no issuer was found error? Maybe lftp cannot parse ca-certificates.crt? (Debian wheezy) 4.5.1 does the same. Also with fresh ca bundle https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt You can try running lftp eu1.solid-hosting.net yourself without a password. Thank you! openssl says it is OK # openssl s_client -connect eu1.solid-hosting.net:21 -starttls ftp -CAfile /etc/ssl/certs/ca-certificates.crt CONNECTED(0003) depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2 verify return:1 depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = eu1.solid-hosting.net verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=eu1.solid-hosting.net i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2 i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- # lftp eu1.solid-hosting.net lftp shsz...@eu1.solid-hosting.net:~ set ssl:ca-file /etc/ssl/certs/ca-certificates.crt lftp shsz...@eu1.solid-hosting.net:~ debug lftp shsz...@eu1.solid-hosting.net:~ ls / Connecting to eu1.solid-hosting.net (94.23.121.230) port 21 --- 220-- Welcome to Pure-FTPd [privsep] [TLS] -- --- 220-You are user number 1 of 100 allowed. --- 220-Local time is now 00:24. Server port: 21. --- 220-This is a private system - No anonymous login --- 220-IPv6 connections are also welcome on this server. --- 220 You will be disconnected after 3 minutes of inactivity. --- FEAT --- 211-Extensions supported: --- EPRT --- IDLE --- MDTM --- SIZE --- MFMT --- REST STREAM --- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*; --- MLSD --- AUTH TLS --- PBSZ --- PROT --- TVFS --- ESTA --- PASV --- EPSV --- SPSV --- ESTP --- 211 End. --- AUTH TLS --- 234 AUTH TLS OK. --- OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid; Certificate: OU=Domain Control Validated,OU=PositiveSSL,CN=eu1.solid-hosting.net Issued by:C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root ERROR: Certificate verification: Not trusted: no issuer was found Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Issued by:C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Checking against: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 ERROR: Certificate verification: Not trusted: no issuer was found Certificate: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=PositiveSSL CA 2 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root Trusted Certificate verification: Not trusted: no issuer was found Closing control socket ls: Fatal error: Certificate verification: Not trusted: no issuer was found Szépe Viktor -- +36-20-4242498 s...@szepe.net skype: szepe.viktor Budapest, XX. kerület ___ lftp mailing list lftp@uniyar.ac.ru http://univ.uniyar.ac.ru/mailman/listinfo/lftp