Description of problem:
An update of the system to 5.4 brings a newer lftp package (lftp-3.7.11-4.el5 replaced the previously installed lftp-3.5.1-2.fc6 package). An attempt to use SSL with the newer package leads to an error message:
"ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received."
A revert to the previous package solves the issue (I've only downgraded lftp but kept gnutls-1.4.1-3.el5_3.5).

Version-Release number of selected component (if applicable):
lftp-3.7.11-4.el5

How reproducible:
Always

Steps to Reproduce:
1. Install from scratch (or upgrade) a system with 5.4 packages
2. Try to use lftp in SSL mode
3.

Actual results:
Error message "Fatal error: gnutls_handshake: A TLS fatal alert has been received."

Expected results:
SSL connection working

Additional info:
I forgot to mention that it happens during FTP/SSL operation and using a client certificate/private key. Here is the log when 'debug' is used in the ~/.lftprc conf file:

---- Connecting to remote.ip (remote.ip) port 9021
<--- 220-extended FTP [MODE XDC][XDC/BASE64][PIPELINE] (1)
<--- 220- 'removed' FTP server ready
<--- 220
---> AUTH TLS
<--- 234 OK
---> USER $username
**** gnutls_handshake: A TLS fatal alert has been received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received.
*** Bug 526931 has been marked as a duplicate of this bug. ***
I'm not able to reproduce it. Is the connected server under your control? Please, provide me configuration or link to the server. Could you attach results of 'set -a' command in lftp cmd line? Thanks Jiri
I can reproduce this issue with ftps using lftp-3.7.11-4.el5. The transaction that fails with this version of lftp succeeds when using a current source-compiled version of lftp (4.0.6) compiled against a current source-compiled version of openssl (1.0.0). I believe this to be an lftp problem, as I do not have the issue with RHEL provided curl-7.15.5-9.el5. In case it is worth noting, the server certificate is signed by an intermediate CA, but the certificate chain is complete. I do have control of the server but it is not externally accessible for testing.

Here is a transcript of attempting (and failing) to list the files on the remote ftps server using the RHEL provided lftp.

===========================================
$ lftp ftp://server.example.com -u test -d
Password:
---- Resolving host address...
---- 1 address found: 10.200.200.200
lftp test.com:~> ls
---- Connecting to server.example.com (10.200.200.200) port 21
<--- 220 10.200.200.200 FTP server ready
---> FEAT
<--- 211-Features:
<--- MDTM
<--- MFMT
<--- TVFS
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
Certificate: C=US,ST=Missouri,L=Saint Louis,O=Example Inc,OU=Example Dept,CN=server.example.com
Issued by: DC=com,DC=example,CN=ExampleIssuingCA
Checking against: CN=ExampleRootCA
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: CN=ExampleRootCA
Issued by: CN=ExampleRootCA
Trusted
**** Certificate verification: Not trusted: no issuer was found
---- Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found
lftp test.com:~> set -a
set bmk:auto-sync yes set bmk:save-passwords no set cache:cache-empty-listings no set cache:enable yes set cache:expire 60m set cache:expire-negative 1m set 
cache:size 16M set cmd:at-exit "" set cmd:cls-completion-default -FB set cmd:cls-default -F set cmd:csh-history off set cmd:default-protocol ftp set cmd:default-title "lftp \\h:\\w" set cmd:fail-exit no set cmd:interactive no set cmd:long-running 30 set cmd:ls-default "" set cmd:move-background yes set cmd:move-background-detach yes set cmd:parallel 1 set cmd:prompt "lftp \\S\\? \\u\\@\\h:\\w> " set cmd:queue-parallel 1 set cmd:remote-completion on set cmd:save-cwd-history yes set cmd:save-rl-history yes set cmd:set-term-status no set cmd:status-interval 0.8s set cmd:term-status "" set cmd:term-status/*rxvt* "\\e[11;0]\\e]2;\\T\\007\\e[11]" set cmd:term-status/*screen* \\e_\\T\\e\\ set cmd:term-status/*xterm* "\\e[11;0]\\e]2;\\T\\007\\e[11]" set cmd:time-style "%b %e %Y|%b %e %H:%M" set cmd:trace no set cmd:verbose no set cmd:verify-host yes set cmd:verify-path yes set cmd:verify-path-cached no set color:dir-colors "no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:" set color:use-color auto set dns:SRV-query no set dns:cache-enable yes set dns:cache-expire 1h set dns:cache-size 256 set dns:fatal-timeout 7d set dns:max-retries 1000 set dns:order inet set dns:use-fork yes set file:charset UTF-8 set fish:charset "" set fish:connect-program "ssh -a -x" set fish:shell /bin/sh set ftp:abor-max-wait 15s set ftp:acct "" set ftp:anon-pass lftp@ set ftp:anon-user anonymous set ftp:auto-passive-mode yes set ftp:auto-sync-mode "icrosoft FTP Service|MadGoat|MikroTik" set ftp:bind-data-socket yes set ftp:charset "" set ftp:client lftp/3.7.11 set ftp:device-prefix no set ftp:fix-pasv-address yes 
set ftp:fxp-force no set ftp:fxp-passive-source no set ftp:fxp-passive-sscn yes set ftp:home "" set ftp:ignore-pasv-address no set ftp:lang "" set ftp:list-empty-ok no set ftp:list-options "" set ftp:nop-interval 120 set ftp:passive-mode on set ftp:port-ipv4 "" set ftp:port-range full set ftp:prefer-epsv no set ftp:proxy "" set ftp:proxy-auth-type user set ftp:rest-list no set ftp:rest-stor yes set ftp:retry-530 "too many|overloaded|try (again |back )?later|is restricted to|maximum number|number of connect|only.*session.*allowed|more connection|already connected" set ftp:retry-530-anonymous "Login incorrect" set ftp:site-group "" set ftp:skey-allow yes set ftp:skey-force no set ftp:ssl-allow yes set ftp:ssl-allow-anonymous no set ftp:ssl-auth TLS set ftp:ssl-data-use-keys yes set ftp:ssl-force on set ftp:ssl-protect-data on set ftp:ssl-protect-fxp no set ftp:ssl-protect-list on set ftp:ssl-shutdown-timeout 5 set ftp:ssl-use-ccc yes set ftp:stat-interval 1 set ftp:sync-mode on set ftp:sync-mode/ftp.idsoftware.com on set ftp:sync-mode/ftp.microsoft.com on set ftp:sync-mode/sunsolve.sun.com on set ftp:timezone GMT set ftp:trust-feat no set ftp:use-abor yes set ftp:use-allo yes set ftp:use-feat yes set ftp:use-fxp yes set ftp:use-hftp yes set ftp:use-mdtm yes set ftp:use-mdtm-overloaded no set ftp:use-mlsd no set ftp:use-pret yes set ftp:use-quit yes set ftp:use-site-chmod yes set ftp:use-site-idle no set ftp:use-site-utime yes set ftp:use-site-utime2 yes set ftp:use-size yes set ftp:use-stat yes set ftp:use-stat-for-list no set ftp:use-telnet-iac yes set ftp:verify-address no set ftp:verify-port no set ftp:waiting-150-timeout 5 set ftp:web-mode off set ftps:initial-prot P set hftp:cache yes set hftp:cache-control "" set hftp:proxy "" set hftp:use-authorization yes set hftp:use-head yes set hftp:use-mkcol no set hftp:use-propfind no set hftp:use-type yes set http:accept */* set http:accept-charset "" set http:accept-language "" set http:authorization "" set http:cache 
yes set http:cache-control "" set http:cookie "" set http:post-content-type application/x-www-form-urlencoded set http:proxy "" set http:put-content-type "" set http:put-method PUT set http:referer "" set http:set-cookies no set http:use-mkcol yes set http:use-propfind no set http:user-agent lftp/3.7.11 set https:proxy "" set mirror:dereference no set mirror:exclude-regex "(^|/)(\\.in\\.|\\.nfs)" set mirror:include-regex "" set mirror:order "*.sfv *.sig *.md5* *.sum * */" set mirror:parallel-directories yes set mirror:parallel-transfer-count 1 set mirror:set-permissions yes set mirror:skip-noaccess no set mirror:use-pget-n 1 set module:path /usr/lib/lftp/3.7.11:/usr/lib/lftp set net:connection-limit 0 set net:connection-takeover yes set net:idle 3m set net:limit-max 0 set net:limit-rate 0:0 set net:limit-total-max 0 set net:limit-total-rate 0:0 set net:max-retries 1000 set net:no-proxy "" set net:persist-retries 0 set net:reconnect-interval-base 30 set net:reconnect-interval-max 600 set net:reconnect-interval-multiplier 1.5 set net:socket-bind-ipv4 "" set net:socket-bind-ipv6 "" set net:socket-buffer 0 set net:socket-maxseg 0 set net:timeout 5m set pget:default-n 5 set pget:save-status 10s set sftp:charset "" set sftp:connect-program "ssh -a -x" set sftp:max-packets-in-flight 16 set sftp:protocol-version 4 set sftp:server-program sftp set sftp:size-read 32k set sftp:size-write 32k set sftp:use-full-path yes set ssl:ca-file /home/test/ca_full.pem set ssl:cert-file /home/test/download.crt set ssl:check-hostname yes set ssl:crl-file "" set ssl:key-file /home/test/download.key set ssl:verify-certificate yes set xfer:buffer-size 0x10000 set xfer:clobber yes set xfer:destination-directory "" set xfer:disk-full-fatal no set xfer:eta-period 120 set xfer:eta-terse yes set xfer:log yes set xfer:make-backup yes set xfer:max-redirections 10 set xfer:rate-period 15 set xfer:verify no set xfer:verify-command /usr/share/lftp/verify-file lftp test.com:/> quit 
===========================================

Here is a transcript of attempting (and succeeding) to list the files on the remote ftps server using the source-compiled current version of lftp.

===========================================
$ /tmp/lftp-4.0.6/src/lftp ftp://server.example.com -u test -d
Password:
---- Resolving host address...
---- 1 address found: 10.200.200.200
lftp test.com:~> ls
---- Connecting to server.example.com (10.200.200.200) port 21
<--- 220 10.200.200.200 FTP server ready
---> FEAT
<--- 211-Features:
<--- MDTM
<--- MFMT
<--- TVFS
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
Certificate depth: 2; subject: /CN=ExampleRootCA; issuer: /CN=ExampleRootCA
Certificate depth: 1; subject: /DC=com/DC=example/CN=ExampleIssuingCA; issuer: /CN=ExampleRootCA
Certificate depth: 0; subject: /C=US/ST=Missouri/L=Saint Louis/O=Example Inc/OU=Example Dept/CN=server.example.com; issuer: /DC=com/DC=example/CN=ExampleIssuingCA
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER test
<--- 232 User test logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> CCC
<--- 200 Clearing control channel protection
---> PASV
<--- 227 Entering Passive Mode (10,200,200,200,135,139).
---- Connecting data socket to (10.200.200.200) port 34699
---- Data connection established
---> LIST -a
<--- 150 Opening BINARY mode data connection for file list
Certificate depth: 2; subject: /CN=ExampleRootCA; issuer: /CN=ExampleRootCA
Certificate depth: 1; subject: /DC=com/DC=example/CN=ExampleIssuingCA; issuer: /CN=ExampleRootCA
Certificate depth: 0; subject: /C=US/ST=Missouri/L=Saint Louis/O=Example Inc/OU=Example Dept/CN=server.example.com; issuer: /DC=com/DC=example/CN=ExampleIssuingCA
d--------- 49 ftp ftp 12288 Apr 26 21:45 .
d--------- 49 ftp ftp 12288 Apr 26 21:45 ..
<snip>
<--- 226 Transfer complete
lftp test.com:/> set -a
set bmk:auto-sync yes set bmk:save-passwords no set cache:cache-empty-listings no set cache:enable yes set cache:expire 60m set cache:expire-negative 1m set cache:size 16M set cmd:at-exit "" set cmd:cls-completion-default -FB set cmd:cls-default -F set cmd:csh-history off set cmd:default-protocol ftp set cmd:default-title "lftp \\h:\\w" set cmd:fail-exit no set cmd:interactive no set cmd:long-running 30 set cmd:ls-default "" set cmd:move-background yes set cmd:move-background-detach yes set cmd:parallel 1 set cmd:prompt "lftp \\S\\? 
\\u\\@\\h:\\w> " set cmd:queue-parallel 1 set cmd:remote-completion on set cmd:save-cwd-history yes set cmd:save-rl-history yes set cmd:set-term-status no set cmd:status-interval 0.8s set cmd:stifle-rl-history 500 set cmd:term-status "" set cmd:time-style "%b %e %Y|%b %e %H:%M" set cmd:trace no set cmd:verbose no set cmd:verify-host yes set cmd:verify-path yes set cmd:verify-path-cached no set color:dir-colors "no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:" set color:use-color auto set dns:SRV-query no set dns:cache-enable yes set dns:cache-expire 1h set dns:cache-size 256 set dns:fatal-timeout 7d set dns:max-retries 1000 set dns:order inet set dns:use-fork yes set file:charset UTF-8 set fish:charset "" set fish:connect-program "ssh -a -x" set fish:shell /bin/sh set ftp:abor-max-wait 15s set ftp:acct "" set ftp:anon-pass lftp@ set ftp:anon-user anonymous set ftp:auto-passive-mode yes set ftp:auto-sync-mode "" set ftp:bind-data-socket yes set ftp:charset "" set ftp:client lftp/4.0.6 set ftp:device-prefix no set ftp:fix-pasv-address yes set ftp:fxp-force no set ftp:fxp-passive-source no set ftp:fxp-passive-sscn yes set ftp:home "" set ftp:ignore-pasv-address no set ftp:lang "" set ftp:list-empty-ok no set ftp:list-options "" set ftp:nop-interval 120 set ftp:passive-mode on set ftp:port-ipv4 "" set ftp:port-range full set ftp:prefer-epsv no set ftp:proxy "" set ftp:proxy-auth-type user set ftp:rest-list no set ftp:rest-stor yes set ftp:retry-530 "too many|overloaded|try (again |back )?later|is restricted to|maximum number|number of connect|only.*session.*allowed|more 
connection|already connected|simultaneous login" set ftp:retry-530-anonymous "Login incorrect" set ftp:site-group "" set ftp:skey-allow yes set ftp:skey-force no set ftp:ssl-allow yes set ftp:ssl-allow-anonymous no set ftp:ssl-auth TLS set ftp:ssl-copy-sid yes set ftp:ssl-data-use-keys yes set ftp:ssl-force on set ftp:ssl-protect-data on set ftp:ssl-protect-fxp no set ftp:ssl-protect-list on set ftp:ssl-shutdown-timeout 5 set ftp:ssl-use-ccc yes set ftp:stat-interval 1 set ftp:sync-mode on set ftp:timezone GMT set ftp:trust-feat no set ftp:use-abor yes set ftp:use-allo yes set ftp:use-feat yes set ftp:use-fxp yes set ftp:use-hftp yes set ftp:use-mdtm yes set ftp:use-mdtm-overloaded no set ftp:use-mlsd no set ftp:use-pret yes set ftp:use-quit yes set ftp:use-site-chmod yes set ftp:use-site-idle no set ftp:use-site-utime yes set ftp:use-site-utime2 yes set ftp:use-size yes set ftp:use-stat yes set ftp:use-stat-for-list no set ftp:use-telnet-iac yes set ftp:verify-address no set ftp:verify-port no set ftp:waiting-150-timeout 5 set ftp:web-mode off set ftps:initial-prot P set hftp:cache yes set hftp:cache-control "" set hftp:proxy "" set hftp:use-authorization yes set hftp:use-head yes set hftp:use-mkcol no set hftp:use-propfind no set hftp:use-type yes set http:accept */* set http:accept-charset "" set http:accept-language "" set http:authorization "" set http:cache yes set http:cache-control "" set http:cookie "" set http:post-content-type application/x-www-form-urlencoded set http:proxy "" set http:put-content-type "" set http:put-method PUT set http:referer "" set http:set-cookies no set http:use-mkcol yes set http:use-propfind no set http:user-agent lftp/4.0.6 set https:proxy "" set mirror:dereference no set mirror:exclude-regex "(^|/)(\\.in\\.|\\.nfs)" set mirror:include-regex "" set mirror:order "*.sfv *.sig *.md5* *.sum * */" set mirror:parallel-directories yes set mirror:parallel-transfer-count 1 set mirror:set-permissions yes set mirror:skip-noaccess no set 
mirror:use-pget-n 1 set module:path /usr/local/lib/lftp/4.0.6:/usr/local/lib/lftp set net:connection-limit 0 set net:connection-takeover yes set net:idle 3m set net:limit-max 0 set net:limit-rate 0:0 set net:limit-total-max 0 set net:limit-total-rate 0:0 set net:max-retries 1000 set net:no-proxy "" set net:persist-retries 0 set net:reconnect-interval-base 30 set net:reconnect-interval-max 600 set net:reconnect-interval-multiplier 1.5 set net:socket-bind-ipv4 "" set net:socket-bind-ipv6 "" set net:socket-buffer 0 set net:socket-maxseg 0 set net:timeout 5m set pget:default-n 5 set pget:save-status 10s set sftp:charset "" set sftp:connect-program "ssh -a -x" set sftp:max-packets-in-flight 16 set sftp:protocol-version 4 set sftp:server-program sftp set sftp:size-read 32k set sftp:size-write 32k set sftp:use-full-path yes set ssl:ca-file /home/test/ca_full.pem set ssl:ca-path "" set ssl:cert-file /home/test/download.crt set ssl:check-hostname yes set ssl:crl-file "" set ssl:crl-path "" set ssl:key-file /home/test/download.key set ssl:verify-certificate yes set torrent:ip "" set torrent:max-peers 60 set torrent:port-range 6881-6889 set torrent:seed-max-time 30d set torrent:seed-min-peers 3 set torrent:stop-on-ratio 2.0 set xfer:auto-rename no set xfer:buffer-size 0x10000 set xfer:clobber yes set xfer:destination-directory "" set xfer:disk-full-fatal no set xfer:eta-period 120 set xfer:eta-terse yes set xfer:log yes set xfer:make-backup yes set xfer:max-redirections 5 set xfer:rate-period 15 set xfer:verify no set xfer:verify-command "" lftp test.com:/> quit ---> QUIT ---- Closing control socket
Created attachment 409848 [details] results of ftp -a
(In reply to comment #3)
> I'm not able to reproduce it. Is the connected server under your control?
> Please, provide me configuration or link to the server.
> Could you attach results of 'set -a' command in lftp cmd line?
>
> Thanks Jiri

No, unfortunately the remote server isn't under our control and because it's a bank I doubt they'll agree on sending me the logs ... I've attached the results of 'set -a' (see above) and I confirm that the problem is still present in RHEL5.5
(In reply to comment #4)
> I can reproduce this issue with ftps using lftp-3.7.11-4.el5. The transaction
> that fails with this version of lftp succeeds when using a current
> source-compiled version of lftp (4.0.6) compiled against a current
> source-compiled version of openssl (1.0.0). I believe this to be an lftp
> problem, as I do not have the issue with RHEL provided curl-7.15.5-9.el5.

lftp-3.7.11-4.el5 is built with gnutls due to a licence conflict (see #458777). You've mentioned building lftp-4.0.6 with openssl, which is comparable to lftp-3.5.1-2 mentioned in the bug description above (also built with openssl). Please, could you test lftp-4.0.6 once more but built using --with-gnutls --without-openssl?

I suppose server.example.com is your test server. May I have details: which ftp server + conf?
You are correct, server.example.com is my server. It is running proftpd-1.3.3. Here is its configuration:

================================================================================
ServerType standalone
DefaultServer on
DefaultAddress 10.200.200.200
Port 21
Umask 022 022
MaxClients 25
MaxInstances 30
MultilineRFC2228 on
IdentLookups off
AllowOverride off
User ftp
Group ftp
AuthPAMConfig proftpd

<IfModule mod_cap.c>
  CapabilitiesEngine on
  CapabilitiesSet +CAP_CHOWN +CAP_DAC_OVERRIDE
</IfModule>

<IfModule mod_tls.c>
  TLSEngine on
  TLSOptions NoSessionReuseRequired
  TLSCipherSuite HIGH:MEDIUM:!COMPLEMENTOFDEFAULT:!COMPLEMENTOFALL
  TLSRequired off
  TLSRSACertificateFile /etc/pki/tls/certs/server.crt
  TLSRSACertificateKeyFile /etc/pki/tls/private/server.key
  TLSCertificateChainFile /etc/pki/tls/certs/ca_full.pem
  TLSCACertificateFile /etc/pki/tls/certs/upload_client_ca.pem
  TLSVerifyClient on
  TLSRenegotiate none
  TLSLog /var/log/proftpd-tls.log
</IfModule>

LoginPasswordPrompt off
DirFakeGroup on
DirFakeUser on
DirFakeMode 0000

<Global>
  ServerIdent off
  <Limit ALL>
    IgnoreHidden on
  </Limit>
  <Directory /*>
    AllowOverwrite on
    HideNoAccess on
    HideFiles ^\.
  </Directory>
  AllowRetrieveRestart on
  AllowStoreRestart off
  DefaultTransferMode binary
  DeferWelcome on
  DefaultRoot ~
  DeleteAbortedStores on
  HiddenStores on
  ShowSymlinks on
  DirFakeGroup off
  DirFakeUser off
  AllowOverwrite on
  RootLogin off
  AuthAliasOnly off
  RequireValidShell off
  UseFtpUsers on
  AuthPAM on
  WtmpLog on
</Global>

UseReverseDNS off
TimesGMT off
DefaultTransferMode binary
DeferWelcome on
ServerName server.example.com
================================================================================

I have compiled lftp-4.0.6 with the requested flags and tested against the same ftps server, and it fails with the same error as in my previous report. I am compiling against the RHEL provided gnutls-devel-1.4.1-3.el5_4.8.

$ /tmp/lftp-4.0.6/src/lftp ftp://server.example.com -u test -d
Password:
---- Resolving host address...
---- 1 address found: 10.200.200.200
lftp test.com:~> ls
---- Connecting to server.example.com (10.200.200.200) port 21
<--- 220 10.200.200.200 FTP server ready
---> FEAT
<--- 211-Features:
<--- MDTM
<--- MFMT
<--- TVFS
<--- AUTH TLS
<--- MFF modify;UNIX.group;UNIX.mode;
<--- MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
Certificate: C=US,ST=Missouri,L=Saint Louis,O=Example Inc,OU=Example Dept,CN=server.example.com
Issued by: DC=com,DC=example,CN=ExampleIssuingCA
Checking against: CN=ExampleRootCA
ERROR: Certificate verification: Not trusted: no issuer was found
Certificate: CN=ExampleRootCA
Issued by: CN=ExampleRootCA
Trusted
**** Certificate verification: Not trusted: no issuer was found
---- Closing control socket
ls: Fatal error: Certificate verification: Not trusted: no issuer was found
lftp test.com:~> set -a
set bmk:auto-sync yes set bmk:save-passwords no set cache:cache-empty-listings no set cache:enable yes set cache:expire 60m set cache:expire-negative 1m set cache:size 16M set cmd:at-exit "" set cmd:cls-completion-default -FB set cmd:cls-default -F set cmd:csh-history off set cmd:default-protocol ftp set cmd:default-title "lftp \\h:\\w" set cmd:fail-exit no set cmd:interactive no set cmd:long-running 30 set cmd:ls-default "" set cmd:move-background yes set cmd:move-background-detach yes set cmd:parallel 1 set cmd:prompt "lftp \\S\\? 
\\u\\@\\h:\\w> " set cmd:queue-parallel 1 set cmd:remote-completion on set cmd:save-cwd-history yes set cmd:save-rl-history yes set cmd:set-term-status no set cmd:status-interval 0.8s set cmd:stifle-rl-history 500 set cmd:term-status "" set cmd:time-style "%b %e %Y|%b %e %H:%M" set cmd:trace no set cmd:verbose no set cmd:verify-host yes set cmd:verify-path yes set cmd:verify-path-cached no set color:dir-colors "no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:" set color:use-color auto set dns:SRV-query no set dns:cache-enable yes set dns:cache-expire 1h set dns:cache-size 256 set dns:fatal-timeout 7d set dns:max-retries 1000 set dns:order inet set dns:use-fork yes set file:charset UTF-8 set fish:charset "" set fish:connect-program "ssh -a -x" set fish:shell /bin/sh set ftp:abor-max-wait 15s set ftp:acct "" set ftp:anon-pass lftp@ set ftp:anon-user anonymous set ftp:auto-passive-mode yes set ftp:auto-sync-mode "" set ftp:bind-data-socket yes set ftp:charset "" set ftp:client lftp/4.0.6 set ftp:device-prefix no set ftp:fix-pasv-address yes set ftp:fxp-force no set ftp:fxp-passive-source no set ftp:fxp-passive-sscn yes set ftp:home "" set ftp:ignore-pasv-address no set ftp:lang "" set ftp:list-empty-ok no set ftp:list-options "" set ftp:nop-interval 120 set ftp:passive-mode on set ftp:port-ipv4 "" set ftp:port-range full set ftp:prefer-epsv no set ftp:proxy "" set ftp:proxy-auth-type user set ftp:rest-list no set ftp:rest-stor yes set ftp:retry-530 "too many|overloaded|try (again |back )?later|is restricted to|maximum number|number of connect|only.*session.*allowed|more 
connection|already connected|simultaneous login" set ftp:retry-530-anonymous "Login incorrect" set ftp:site-group "" set ftp:skey-allow yes set ftp:skey-force no set ftp:ssl-allow yes set ftp:ssl-allow-anonymous no set ftp:ssl-auth TLS set ftp:ssl-copy-sid yes set ftp:ssl-data-use-keys yes set ftp:ssl-force on set ftp:ssl-protect-data on set ftp:ssl-protect-fxp no set ftp:ssl-protect-list on set ftp:ssl-shutdown-timeout 5 set ftp:ssl-use-ccc yes set ftp:stat-interval 1 set ftp:sync-mode on set ftp:timezone GMT set ftp:trust-feat no set ftp:use-abor yes set ftp:use-allo yes set ftp:use-feat yes set ftp:use-fxp yes set ftp:use-hftp yes set ftp:use-mdtm yes set ftp:use-mdtm-overloaded no set ftp:use-mlsd no set ftp:use-pret yes set ftp:use-quit yes set ftp:use-site-chmod yes set ftp:use-site-idle no set ftp:use-site-utime yes set ftp:use-site-utime2 yes set ftp:use-size yes set ftp:use-stat yes set ftp:use-stat-for-list no set ftp:use-telnet-iac yes set ftp:verify-address no set ftp:verify-port no set ftp:waiting-150-timeout 5 set ftp:web-mode off set ftps:initial-prot P set hftp:cache yes set hftp:cache-control "" set hftp:proxy "" set hftp:use-authorization yes set hftp:use-head yes set hftp:use-mkcol no set hftp:use-propfind no set hftp:use-type yes set http:accept */* set http:accept-charset "" set http:accept-language "" set http:authorization "" set http:cache yes set http:cache-control "" set http:cookie "" set http:post-content-type application/x-www-form-urlencoded set http:proxy "" set http:put-content-type "" set http:put-method PUT set http:referer "" set http:set-cookies no set http:use-mkcol yes set http:use-propfind no set http:user-agent lftp/4.0.6 set https:proxy "" set mirror:dereference no set mirror:exclude-regex "(^|/)(\\.in\\.|\\.nfs)" set mirror:include-regex "" set mirror:order "*.sfv *.sig *.md5* *.sum * */" set mirror:parallel-directories yes set mirror:parallel-transfer-count 1 set mirror:set-permissions yes set mirror:skip-noaccess no set 
mirror:use-pget-n 1 set module:path /usr/local/lib/lftp/4.0.6:/usr/local/lib/lftp set net:connection-limit 0 set net:connection-takeover yes set net:idle 3m set net:limit-max 0 set net:limit-rate 0:0 set net:limit-total-max 0 set net:limit-total-rate 0:0 set net:max-retries 1000 set net:no-proxy "" set net:persist-retries 0 set net:reconnect-interval-base 30 set net:reconnect-interval-max 600 set net:reconnect-interval-multiplier 1.5 set net:socket-bind-ipv4 "" set net:socket-bind-ipv6 "" set net:socket-buffer 0 set net:socket-maxseg 0 set net:timeout 5m set pget:default-n 5 set pget:save-status 10s set sftp:charset "" set sftp:connect-program "ssh -a -x" set sftp:max-packets-in-flight 16 set sftp:protocol-version 4 set sftp:server-program sftp set sftp:size-read 32k set sftp:size-write 32k set sftp:use-full-path yes set ssl:ca-file /home/test/ca_full.pem set ssl:cert-file /tmp/download.crt set ssl:check-hostname yes set ssl:crl-file "" set ssl:key-file /tmp/download.key set ssl:verify-certificate yes set torrent:ip "" set torrent:max-peers 60 set torrent:port-range 6881-6889 set torrent:seed-max-time 30d set torrent:seed-min-peers 3 set torrent:stop-on-ratio 2.0 set xfer:auto-rename no set xfer:buffer-size 0x10000 set xfer:clobber yes set xfer:destination-directory "" set xfer:disk-full-fatal no set xfer:eta-period 120 set xfer:eta-terse yes set xfer:log yes set xfer:make-backup yes set xfer:max-redirections 5 set xfer:rate-period 15 set xfer:verify no set xfer:verify-command "" lftp test.com:~>
There are two issues.

The issue with Barry Brimer's proftpd can be fixed by setting
TLSVerifyClient off
I don't know if this option is fully compatible with vsftpd's require_cert + validate_cert. The second mentioned option doesn't accept self-signed certificates and therefore the SSL handshake fails. Switching it off ensures the server doesn't validate the certificate.

The first described issue is probably due to the version of SSL used by the server. GnuTLS supports TLSv1 and SSLv3 (TLSv1 is based on SSLv3). Could you find out which SSL versions are supported by the server? This could be fixed by explicitly asking for the correct version.

Is the debug log in comment #1 complete? (output of lftp -d ...)
Changing TLSVerifyClient to 'off' did not solve this problem for either the RHEL-supplied lftp or the lftp-4.0.6 that I have been testing with. I find it interesting that when I compiled the same version of lftp against openssl, it works, and when I compile it against the RHEL-provided gnutls, it doesn't. Wouldn't that seem to indicate a problem in the RHEL-provided gnutls?
(In reply to comment #9)
> The first described issue is probably due to version of SSL used by server.
> Gnutls supports TLSv1 and SSLv3 (TLSv1 is based on SSLv3).
> Could you find out which SSL versions are supported by server? This could be
> fixed by explicit asking for correct version.
> Is the debug log in comment #1 complete? (output of lftp -d ...)

Unfortunately, I've no information about the remote ftp server (but I think it runs on a Windows platform). I can try to rebuild the lftp-4.0.6 SRPM from RPMforge within a mock build environment but against gnutls instead of openssl to see if that solves the issue, but as said, the previous version (up to 5.3) had no issue.
(In reply to comment #10)
> Changing TLSVerifyClient to 'off' did not solve this problem for either the
> RHEL-supplied lftp or the lftp-4.0.6 that I have been testing with. I find it

I have to specify my proftpd settings. I've used only:
TLSRSACertificateFile /etc/ssl/certs/server.crt
TLSRSACertificateKeyFile /etc/ssl/private/server.key

> interesting that when I compiled the same version of lftp against openssl, it
> works, and when I compile it against the RHEL-provided gnutls, it doesn't.
> Wouldn't that seem to indicate a problem in the RHEL-provided gnutls?

Your issue is
**** Certificate verification: Not trusted: no issuer was found
There is an issue with certificate verification. There is a difference between openssl and gnutls certificate handling. I'll investigate it more deeply.
(In reply to comment #11)
> Unfortunately, I've no information about the remote ftp server (but I think it
> runs on a Windows platform). I can try to rebuild the lftp-4.0.6 SRPM from
> RPMforge within a mock build environment but against gnutls instead of openssl
> to see if that solves the issue but as said, previous version from (up to 5.3)
> had no issue

I'm convinced this will work fine with openssl. I see a problem with the ssl:* option settings of lftp as less probable. The problem is one of these:
- lftp doesn't force usage of SSLv3 or TLS and therefore the server doesn't accept the handshake. It could be fixed using an additional (new) option. You can still try:
set ftp:ssl-auth SSL
but I don't expect great things of this.
- the server supports only SSL < SSLv3 and gnutls is not able to create a connection with this one.
Created attachment 426585 [details]
Test patch asking server for SSLv3 session

Hi,
I'd like to identify whether your issue is caused by insufficient handling of the SSL version, or the server doesn't support the SSL3 version supported by the gnutls library.

1. Please could you test gnutls-cli contained in the gnutls-utils package this way:
gnutls-cli -r hostname
This should get the certificate from the remote machine. You can try to find information about the protocol type. We have to focus on SSL3.0 or TLS1.0.

2. Please do test the lftp build with openssl as you have offered earlier.

3. If #1 succeeded, try to use the build with gnutls and the attached patch. You have to use
set ftp:ssl-auth SSL
This is a mandatory option to ask the server for SSL3.0.

Thank you in advance
Jiri
Are you asking for me or for Fabian to perform these tests? As there are two of us involved in the testing at this point, it might be helpful to indicate who you are asking to test what.

According to tests iterating protocols and ciphers using openssl s_client, my server supports both SSLv3 and TLSv1, and does not support SSLv2.

I did use gnutls-cli to test connectivity to my server as you suggested above. Here is the result.

$ gnutls-cli -p 21 --x509cafile /home/test/ca_full.pem --x509certfile /tmp/download.crt --x509keyfile /tmp/download.key -r server.example.com
Processed 2 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'server.example.com'...
Connecting to '10.200.200.200:21'...
*** Fatal error: A record packet with illegal version was received.
*** Handshake has failed
GNUTLS ERROR: A record packet with illegal version was received.

I also restricted my server to only use TLSv1, tested, and then restricted it to only use SSLv3, with the same results. This would seem to indicate that this is more likely to be a gnutls issue than an lftp issue.
My previous test result was incorrect. Upon further review of the gnutls-cli options, using the '-s' flag to indicate the use of starttls appears to provide the correct instructions to make a valid connection:

$ gnutls-cli -p 21 --x509cafile /home/test/ca_full.pem --x509certfile /tmp/download.crt --x509keyfile /tmp/download.key -r server.example.com -s
Processed 2 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'server.example.com'...
Connecting to '10.200.200.200:21'...
- Simple Client Mode:

220 10.200.200.200 FTP server ready
The questions in comment #14 were intended for Fabian. There is always an e-mail address behind the question mark that indicates the person asked. I'm sorry for the confusion; I'll ask you directly in comments.
Hello,

Just adding that we are seeing this problem too (the one Fabian is seeing, Barry's problem seems to be unrelated). I suspect we are talking to the same server as Fabian, as our target server is also a bank (server header is: 220 Global eXchange Services Secure FTP Version 2.2.18). We eventually "fixed" this after discussion with GXS by reverting to lftp-3.5.1-2.fc6.i386.rpm.

I can confirm that in our case, building version 3.7.1 with --with-openssl=/usr fixes this problem. Building without causes the same problem, see the following log (with debug level 99):

FileCopy(0x83ecbb8) enters state INITIAL
FileCopy(0x83ecbb8) enters state DO_COPY
---- dns cache hit
---- Connecting to 204.90.230.81 (204.90.230.81) port 6366
GNUTLS: HSK[8581078]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: RSA_ARCFOUR_MD5
GNUTLS: HSK[8581078]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[8581078]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
GNUTLS: EXT[8581078]: Sending extension SAFE_RENEGOTIATION
GNUTLS: HSK[8581078]: CLIENT HELLO was send [68 bytes]
GNUTLS: REC[8581078]: Sending Packet[0] Handshake(22) with length: 68
GNUTLS: REC[8581078]: Sent Packet[1] Handshake(22) with length: 73
GNUTLS: ASSERT: gnutls_buffers.c:289
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: ASSERT: gnutls_buffers.c:289
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: ASSERT: gnutls_buffers.c:289
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: ASSERT: gnutls_buffers.c:289
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: ASSERT: gnutls_buffers.c:289
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: ASSERT: gnutls_buffers.c:289
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: REC[8581078]: Expected Packet[0] Handshake(22) with length: 1
GNUTLS: REC[8581078]: Received Packet[0] Alert(21) with length: 2
GNUTLS: REC[8581078]: Decrypted Packet[0] Alert(21) with length: 2
GNUTLS: REC[8581078]: Alert[2|10] - Unexpected message - was received
GNUTLS: ASSERT: gnutls_record.c:682
GNUTLS: ASSERT: gnutls_record.c:1037
GNUTLS: ASSERT: gnutls_buffers.c:1087
GNUTLS: ASSERT: gnutls_handshake.c:1051
GNUTLS: ASSERT: gnutls_handshake.c:2488
**** gnutls_handshake: A TLS fatal alert has been received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received.
Also, I tried gnutls-cli and it seems to confirm that this is a GnuTLS issue, not lftp-related:

root@papp04 ~ # gnutls-cli -r 204.90.230.81 -p 6366
Resolving '204.90.230.81'...
Connecting to '204.90.230.81:6366'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [10]: Unexpected message
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.

I was going to scrub the IP and port, but it seems they don't even firewall this service, so it must be classified as "public". You should be able to do testing against it (though GXS might not like it ;). Feel free to contact me if further info is required. It'd also be good if Fabian could confirm if this is indeed the same server (it's very possible this is just buggy software on GXS's side).
By the way (forgot to mention), the server supports SSL3.0, as that's what OpenSSL negotiates to:

root@papp04 ~ # openssl s_client -host 204.90.230.81 -port 6366
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=Ohio/L=Brook Park/O=GXS/OU=GSEI/CN=sftp.dfs.gxswtme.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Ohio/L=Brook Park/O=GXS/OU=GSEI/CN=sftp.dfs.gxswtme.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE/DCCA+SgAwIBAgIQEYlr3IKJfGEUgSz1pA9ucTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAwNjIx
MDAwMDAwWhcNMTMwNjIwMjM1OTU5WjBtMQswCQYDVQQGEwJVUzENMAsGA1UECBME
T2hpbzETMBEGA1UEBxQKQnJvb2sgUGFyazEMMAoGA1UEChQDR1hTMQ0wCwYDVQQL
FARHU0VJMR0wGwYDVQQDFBRzZnRwLmRmcy5neHN3dG1lLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAxFFMqj/Zisg8z5cDCQWAHLPWxzEAX2iYmS38RqMZ
YP0fQaoTer8+vitPYp7n8/soCh/7eUzpAOveTYSUXpjGwgOgBoJ/tsGnr+wjeKjH
FaKKtQNu5yB2xU0xD6Np/DI6q37O/DBiyVusqS7WbxkktuiY5lqeug+e9+2hjhCr
JqsCAwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+
MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzItY3JsLnZlcmlzaWduLmNvbS9T
VlJTZWN1cmVHMi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsG
AQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSl7wsRzsBBA6NKZZBIshzg
Vy19RzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZl
cmlzaWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3VyZS1HMi1haWEu
dmVyaXNpZ24uY29tL1NWUlNlY3VyZUcyLmNlcjBuBggrBgEFBQcBDARiMGChXqBc
MFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsH
iyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJ
KoZIhvcNAQEFBQADggEBAEs0zj5Dx/XAxQp3aPmscXr87ZheCbkN8UwXUxC+chWJ
zF+4/KnW2e55LjhZNo6N04+jMvi/nHo9nhT/c8HDDC0Af/eYxGu60FB2KcLccwzN
KzVWTmvzMcQg7kE+23l/V1Jwy1oCzyKWxUlpsuZfLeWT1q/0g7VIyopuKgOBxd4k
e0yAzM5oSjScFNuu8VA/ItdZiMLQ4Sci2QGb6rI4CMXJq14G2D472LKj140mhmLC
fQ7oV6t9z7cAZnsRm5+y31UWw9kQUZHaZ+dIV47p5Jd4nuXy6hEnf1tNWw+UiiYZ
/czz7MlUdVTAebDy1lHb+gnO2Z5WQNBcHRmzam6t9R0=
-----END CERTIFICATE-----
subject=/C=US/ST=Ohio/L=Brook Park/O=GXS/OU=GSEI/CN=sftp.dfs.gxswtme.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3527 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 609275125C54C8D13884DFDAFDFF557D
    Session-ID-ctx:
    Master-Key: 35ECD54F138FA832E8406F24E1656E4CD6ED0E48A8005ABF63C4D0E8D0DB81D1E849BD6F248979BA8349D850E473E096
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1277744814
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 Global eXchange Services Secure FTP Version 2.2.18 (Session #31867)
Hi, thank you for your report.

Server 204.90.230.81 is somehow broken. This server needs SSL3.0 to be forced. gnutls-cli works when the 'protocols' option is used:

gnutls-cli -r 204.90.230.81 -p 6366 --protocols SSL3.0

Thanks to this I'm convinced the patch attached in comment #14, in combination with 'set ftp:ssl-auth SSL', should fix this issue. Could you verify it?

Thanks,
Jiri
Hi Jiri and thanks for the quick response! I can confirm that the SSL connection is successfully established with the above patch and 'set ftp:ssl-auth SSL'. We'll upgrade our test and production systems when a new package version is available from RH. Thanks again, David
Hey David, thanks for your report. This is good news. Jiri
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
As a side effect of changing the underlying cryptographic library from OpenSSL to GnuTLS in the past, starting with lftp-3.7.11-4.el5_5.3, some previously offered TLS ciphers were dropped. In the handshake, lftp no longer offers these previously offered ciphers:

TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA

Of course, lftp still offers a variety of other TLS ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

For servers without support for any of these, it is now possible to force an SSLv3 connection instead of TLS using the 'set ftp:ssl-auth SSL' configuration directive. This works both for implicit and explicit FTPS.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1,4 @@ -As a side effect of changing underlying cryptographic library from OpenSSL to GnuTLS in the past, starting with lftp-3.7.11-4.el5_5.3, some previously offered TLS ciphers were droped. In handshake, lftp does not offer these previously offered ciphers: +As a side effect of changing underlying cryptographic library from OpenSSL to GnuTLS in the past, starting with lftp-3.7.11-4.el5_5.3, some previously offered TLS ciphers were dropped. In handshake, lftp does not offer these previously offered ciphers: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA @@ -12,7 +12,7 @@ TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA -Of course lftp still offers variety of other TLS ciphers: +Of course, lftp still offers variety of other TLS ciphers: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
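Review bot: the first hunk fixes the spelling of "dropped" but leaves the list it introduces presenting two very different kinds of loss as one regression, and the note should separate them before a reader treats every dropped suite as something to get back. The context line shows TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA next to TLS_DHE_DSS_WITH_AES_256_CBC_SHA, and the second hunk likewise pairs TLS_RSA_WITH_AES_256_CBC_SHA with TLS_RSA_WITH_DES_CBC_SHA: the export-grade 40-bit and single-DES suites are ones a client should no longer offer at all, so their disappearance is a hardening gain worth stating as intentional, whereas the AES-256 suites are the only strong ciphers that went away and the only ones a peer might genuinely miss. Suggest splitting the list into "weak suites no longer offered" and "AES-256 suites no longer offered", and in the second hunk the added comma still leaves "offers variety of other TLS ciphers" missing an article: "offers a variety of other TLS ciphers".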
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1541.html