FTPS - LFTP problem












We have some trouble at my company with FTPS access to a provider.

Here is our configuration:

  • Ubuntu 14.04
  • LFTP | Version 4.6.3a

  • Our_cert.crt
  • our_key.key
  • provider.crt
  • AuthorityRoot.crt
  • AuthorityRootCa.crt

Certificate authority = GlobalSign

#/home/USER/.lftp/conf
set cmd:time-style "%Y%m%d%H%M"
set ftp:ssl-protect-list false
set net:timeout 30
set net:max-retries 1
set ftp:ssl-allow true
set ftp:ssl-protect-data false
set ssl:ca-file AuthorityRoot.crt / AuthorityRootCa.crt (both files in one) # I don't even know if this is correct
set ssl:cert-file our_cert.crt
set ssl:key-file ourkey.key
set xfer:clobber on
set ssl:verify-certificate false

Our command:

lftp -e "debug 9; source /home/USER/.lftp/conf ;ls ;quit" -u username,pwd ftp://provider.com -p PORT

But when we try to reach our provider, we have an error:

**** SSL_connect: sslv3 alert handshake failure

Our provider can see when we try to reach them; they can validate our cert but we can't validate their cert.
Everything is OK on their side.

Btw:

Everything worked fine until yesterday, when their certs expired and they also switched CA. We just replaced authorityRootCa.crt (the file with everything inside, in the field ssl:ca-file) with the new one.

Can someone tell me where we should put our certs or what's wrong here?
Should we add provider.crt in our file ourcert.crt?










  • The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.
    – Rui F Ribeiro
    Jan 16 at 20:45

  • 3
    You should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. If PORT is 990 instead of 21 then -starttls ftp should be removed. The CAfile should be the CA bundle.
    – A.B
    Jan 16 at 21:56

  • 2
    @RuiFRibeiro I think the error was defined first for sslv3; I don't think this message means the protocol is sslv3. Random example: chromium.googlesource.com/chromium/src/net/+/…
    – A.B
    Jan 16 at 22:17

  • Oh, I missed the provider.crt part. Yes, it won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.
    – A.B
    Jan 17 at 12:42
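
The points raised in the comments above (PEM rather than DER, a real CA bundle, the right key for the client certificate) can be checked offline before retrying the handshake. The script below is an added example, not code from the question or its comments; the function names and the throwaway files created by `make_demo_pki` are assumptions made for illustration.

```shell
#!/bin/sh
# is_pem FILE: true if FILE holds at least one PEM block (a DER file has none).
is_pem() { grep -q -e '-----BEGIN ' "$1"; }

# count_certs FILE: number of certificates concatenated in a PEM bundle.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# key_matches_cert CERT KEY: true if the private key belongs to the certificate.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_ok BUNDLE CERT: true if CERT verifies against the CA bundle.
# Matches the ": OK" line so the result does not depend on the exit status.
chain_ok() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# preflight CERT KEY BUNDLE PEER_CERT: run every check, non-zero on any failure.
preflight() {
    rc=0
    for f in "$@"; do
        is_pem "$f" || { echo "FAIL $f is not PEM"; rc=1; }
    done
    echo "INFO $3 holds $(count_certs "$3") CA certificate(s)"
    key_matches_cert "$1" "$2" || { echo "FAIL $2 does not match $1"; rc=1; }
    chain_ok "$3" "$4" || { echo "FAIL $4 does not chain to $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK all checks passed"
    return "$rc"
}

# make_demo_pki DIR: constructed throwaway CA, client cert/key and an unrelated
# self-signed cert/key, so the checks can be exercised without real files.
make_demo_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
          -keyout ca.key -out ca.crt &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
          -keyout other.key -out other.crt &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
          -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -days 1 -out leaf.crt &&
      openssl x509 -in leaf.crt -outform DER -out leaf.der &&
      cat ca.crt other.crt > bundle.crt ) >/dev/null 2>&1
}
# With the question's files: preflight <client cert> <client key> <CA bundle> provider.crt
```

A `FAIL ... does not chain to ...` line for provider.crt means the file given to ssl:ca-file does not contain the issuer chain of the provider's new certificate.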


















ubuntu ssl lftp ftps






edited Jan 16 at 23:06
fra-san

asked Jan 16 at 20:21
ydlydl
