Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 131070 - SSL local issuer certificate can't be found because the corresponding parameter is not read correctly
SSL local issuer certificate can't be found because the corresponding paramet...
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: lftp (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Jason Vas Dias
Depends On:
  Show dependency treegraph
Reported: 2004-08-27 05:09 EDT by David Tonhofer
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: lftp-3.0.6-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-08-30 12:36:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Tonhofer 2004-08-27 05:09:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.1)

Description of problem:

I want to use lftp to connect to an FTP server that encrypts the
control connection.

The local machine has the trusted root CA certificate in 
/etc/ssl.crt (files and hash symlinks)

/etc/lftp.conf shows the following lines:

set ssl:ca-path "/etc/ssl.crt"
set ssl:verify-certificate yes

But the connecion fails:

"Fatal error: SSL connect: unable to get local issuer certificate"

When one checks the parameters on the lftp commandline using 'set -a',
one notices that the value for "ssl:ca-path" is somehow mangled.
Apparently there is a Form Feed character immediately after "/etc",
because the first line at the top of the screen now shows:

set ssl:cert-file ""
set ssl:crl-file ""
set ssl:crl-path ""
set ssl:key-file ""

But if one scrolls back, it is clear what happened:

set ftp:ssl-force no
set ftp:ssl-protect-data no
set ftp:stat-interval 1
set ftp:sync-mode on
set ftp:sync-mode/ftp.idsoftware.com on
set ftp:sync-mode/ftp.microsoft.com on
set ssl:cert-file ""
set ssl:crl-file ""
set ssl:crl-path ""
set ssl:key-file ""
set ssl:verify-certificate yes

I tried various ways of getting a 'good' value into 'ssl:ca-path'
from lftp's command line but it looks like lftp has a real problem 
with an absolute path in "ssl:ca-path". Any attempt to use an
absolute path results in a mangled value.

Using a relative path works. And this means there is a workaround:

Set up:

set ssl:ca-path "etc/ssl.crt"

Start lftp from "/". The certificate file can now be found.

This may or may not be related to bug 89172.

Version-Release number of selected component (if applicable):

How reproducible:
Comment 1 Jason Vas Dias 2004-08-30 12:36:09 EDT
 This is fixed in the latest lftp version in FC3/RHEL-4 :
 lftp-3.0.6-2 .
 I will try to get this into RHEL-3.0E-U4 .


Note You need to log in before you can comment on or make changes to this bug.