
We have some trouble in my company with FTPS access to a provider.

Here is our configuration:

  • Ubuntu 14.04
  • LFTP | Version 4.6.3a

  • Our_cert.crt
  • our_key.key

  • provider.crt

  • AuthorityRoot.crt
  • AuthorityRootCa.crt

Certificate authority = GlobalSign

# /home/USER/.lftp/conf
set cmd:time-style "%Y%m%d%H%M"
set ftp:ssl-protect-list false
set net:timeout 30
set net:max-retries 1
set ftp:ssl-allow true
set ftp:ssl-protect-data false
set ssl:ca-file  AuthorityRootCa.crt   # one file containing both AuthorityRoot.crt and AuthorityRootCa.crt (I don't even know if this is correct)
set ssl:cert-file our_cert.crt
set ssl:key-file  ourkey.key
set xfer:clobber on
set ssl:verify-certificate false

Our command:

lftp -e "debug 9; source /home/USER/.lftp/conf; ls; quit" -u username,pwd ftp://provider.com -p PORT

But when we try to reach our provider, we have an error:

**** SSL_connect: sslv3 alert handshake failure

Our provider can see when we try to reach them; they can validate our cert, but we can't validate their cert. Everything is OK on their side.

Btw:
Everything worked fine until yesterday, when their certs expired and they also switched CA. We just replaced authorityRootCa.crt (the file with everything inside, the one in the ssl:ca-file field) with the new one.

Can someone tell me where we should put our certs, or what's wrong here? Should we add provider.crt to our file ourcert.crt?

fra-san
ydl
  • The problem is that ssl3 has been obsoleted and it is not supported anymore, I think. – Rui F Ribeiro Jan 16 '19 at 20:45
  • You should be able to debug this with `openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT`. If PORT is 990 instead of 21, then `-starttls ftp` should be removed. The CAfile should be the CA bundle. – A.B Jan 16 '19 at 21:56
  • @RuiFRibeiro I think the error was defined first for SSLv3; I don't think this message means the protocol is SSLv3. Random example: https://chromium.googlesource.com/chromium/src/net/+/da2861eefdcb86178c697d0fc39b458f3a4ec900/socket/ssl_client_socket_impl.cc#1772 – A.B Jan 16 '19 at 22:17
  • Oh, I missed the provider.crt part. Yes, it won't hurt to try to bundle it into Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command. – A.B Jan 17 '19 at 12:42
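The debugging steps suggested in the comments (build a PEM CA bundle, check every file is PEM rather than DER, verify the provider's certificate against the bundle, then reproduce the handshake with `openssl s_client`, dropping `-starttls ftp` for implicit FTPS on port 990) as one POSIX sh script. This is an added example, not code from the question or the comments; the file names and `provider.com`/`PORT` are taken from the question as placeholders, and the port-990 rule for implicit FTPS is an assumption about the provider's setup.

```shell
#!/bin/sh
# Added helper for debugging an lftp FTPS handshake failure (not from the original post).
# Assumed inputs: PEM CA files, the provider's cert, our client cert/key, host and port.
set -u

# Return 0 if the file is PEM text. lftp and openssl s_client need PEM, not DER.
is_pem() {
    grep -q -- '-----BEGIN' "$1"
}

# Concatenate several PEM CA certificates into one bundle file.
# Usage: make_bundle OUT IN...   (fails if any input is not PEM)
make_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if ! is_pem "$f"; then
            echo "$f is not PEM; convert it: openssl x509 -inform DER -in $f -out ${f%.*}.pem" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # Make sure each certificate ends with a newline so the next BEGIN line is intact.
        if [ -n "$(tail -c1 "$out")" ]; then
            echo >> "$out"
        fi
    done
}

# Number of certificates in a PEM file (how many the bundle really contains).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the openssl s_client command for a given host/port.
# Port 990 is assumed to be implicit FTPS (TLS from the first byte, no -starttls);
# any other port is assumed to be explicit FTPS (AUTH TLS after connecting).
s_client_cmd() {
    host=$1 port=$2 bundle=$3 cert=$4 key=$5
    starttls=""
    if [ "$port" != 990 ]; then
        starttls="-starttls ftp "
    fi
    printf 'openssl s_client %s-CAfile %s -cert %s -key %s -servername %s -connect %s:%s' \
        "$starttls" "$bundle" "$cert" "$key" "$host" "$host" "$port"
}

# Full workflow (network and real files required; call main to run it):
#   1. bundle the CA files, 2. check the provider cert chains to the bundle,
#   3. run the handshake with the same client cert lftp uses.
main() {
    make_bundle ca-bundle.pem AuthorityRoot.crt AuthorityRootCa.crt || exit 1
    echo "bundle holds $(count_certs ca-bundle.pem) certificate(s)"
    # Does provider.crt chain to the new CA at all? If this fails, the bundle is wrong.
    openssl verify -CAfile ca-bundle.pem provider.crt || exit 1
    # Reproduce the handshake outside lftp; PORT is the provider's FTPS port.
    cmd=$(s_client_cmd provider.com "${PORT:-21}" ca-bundle.pem our_cert.crt ourkey.key)
    echo "$cmd"
    eval "$cmd" < /dev/null
}
```

Run it from the directory holding the certificate files, with `PORT` exported to the provider's port; `openssl verify` tells you whether the provider's new certificate chains to your bundle at all, and the `s_client` output shows which side sends the alert and which protocol/cipher it negotiated.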

0 Answers