Bug 131070 - SSL local issuer certificate can't be found because the corresponding parameter is not read correctly
Summary: SSL local issuer certificate can't be found because the corresponding paramet...
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: lftp (Show other bugs)
(Show other bugs)
Version: 3.0
Hardware: i686 Linux
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-08-27 09:09 UTC by David Tonhofer
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version: lftp-3.0.6-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-08-30 16:36:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description David Tonhofer 2004-08-27 09:09:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.1)

Description of problem:

I want to use lftp to connect to an FTP server that encrypts the
control connection.

The local machine has the trusted root CA certificate in 
/etc/ssl.crt (files and hash symlinks)

/etc/lftp.conf shows the following lines:

set ssl:ca-path "/etc/ssl.crt"
set ssl:verify-certificate yes

But the connecion fails:

"Fatal error: SSL connect: unable to get local issuer certificate"

When one checks the parameters on the lftp commandline using 'set -a',
one notices that the value for "ssl:ca-path" is somehow mangled.
Apparently there is a Form Feed character immediately after "/etc",
because the first line at the top of the screen now shows:

set ssl:cert-file ""
set ssl:crl-file ""
set ssl:crl-path ""
set ssl:key-file ""

But if one scrolls back, it is clear what happened:

set ftp:ssl-force no
set ftp:ssl-protect-data no
set ftp:stat-interval 1
set ftp:sync-mode on
set ftp:sync-mode/ftp.idsoftware.com on
set ftp:sync-mode/ftp.microsoft.com on
set ssl:cert-file ""
set ssl:crl-file ""
set ssl:crl-path ""
set ssl:key-file ""
set ssl:verify-certificate yes

I tried various ways of getting a 'good' value into 'ssl:ca-path'
from lftp's command line but it looks like lftp has a real problem 
with an absolute path in "ssl:ca-path". Any attempt to use an
absolute path results in a mangled value.

Using a relative path works. And this means there is a workaround:

Set up:

set ssl:ca-path "etc/ssl.crt"

Start lftp from "/". The certificate file can now be found.

This may or may not be related to bug 89172.

Version-Release number of selected component (if applicable):

How reproducible:

Comment 1 Jason Vas Dias 2004-08-30 16:36:09 UTC
 This is fixed in the latest lftp version in FC3/RHEL-4 :
 lftp-3.0.6-2 .
 I will try to get this into RHEL-3.0E-U4 .


Note You need to log in before you can comment on or make changes to this bug.