FTPS - LFTP problem

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















We have some trouble in my company with ftps access with a provider.



Here is our configuration:



  • Ubuntu 14.04

  • LFTP | Version 4.6.3a


  • Our_cert.crt

  • our_key.key


  • provider.crt


  • AuthorityRoot.crt

  • AuthorityRootCa.crt

Certificate authority = GlobalSign



#/home/USER/.lftp/conf
set cmd:time-style "%Y%m%d%H%M"
set ftp:ssl-protect-list false
set net:timeout 30
set net:max-retries 1
set ftp:ssl-allow true
set ftp:ssl-protect-data false
set ssl:ca-file AuthorityRoot.crt / AuthorityRootCa.crt (both file in one ) # i dont even know if this is correct
set ssl:cert-file our_cert.crt
set ssl:key-file ourkey.key
set xfer:clobber on
set ssl:verify-certificate false


Our command:



lftp -e "debug 9; source /home/USER/.lftp/conf ;ls ;quit" -u username,pwd ftp://provider.com -p PORT


But when we try to reach our provider, we have an error:



**** SSL_connect: sslv3 alert handshake failure


Our provider can see when we try to reach them, they can validate our cert but we cant validate their cert.
Everything is ok on their side.




Btw:

Everything worked fine before yesterday when their certs was expired and they also switch CA. We just replace authorityRootCa.crt (the file with everything inside in the field ssl:ca-file) with the new one




Can someone tell me where should we put our certs or what's wrong here?
Should we add provider.crt in our file ourcert.crt?










share|improve this question
























  • The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.

    – Rui F Ribeiro
    Jan 16 at 20:45







  • 3





    you should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. if PORT is 990 instead of 21 then -starttls ftp should be removed. the CAfile should be the CA bundle

    – A.B
    Jan 16 at 21:56







  • 2





    @RuiFRibeiro I think the error was defined first for sslv3, I don't think this message means the protocol is sslv3. random example: chromium.googlesource.com/chromium/src/net/+/…

    – A.B
    Jan 16 at 22:17












  • oh I missed the provider.crt part. Yes won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.

    – A.B
    Jan 17 at 12:42
















0















We have some trouble in my company with ftps access with a provider.



Here is our configuration:



  • Ubuntu 14.04

  • LFTP | Version 4.6.3a


  • Our_cert.crt

  • our_key.key


  • provider.crt


  • AuthorityRoot.crt

  • AuthorityRootCa.crt

Certificate authority = GlobalSign



#/home/USER/.lftp/conf
set cmd:time-style "%Y%m%d%H%M"
set ftp:ssl-protect-list false
set net:timeout 30
set net:max-retries 1
set ftp:ssl-allow true
set ftp:ssl-protect-data false
set ssl:ca-file AuthorityRoot.crt / AuthorityRootCa.crt (both file in one ) # i dont even know if this is correct
set ssl:cert-file our_cert.crt
set ssl:key-file ourkey.key
set xfer:clobber on
set ssl:verify-certificate false


Our command:



lftp -e "debug 9; source /home/USER/.lftp/conf ;ls ;quit" -u username,pwd ftp://provider.com -p PORT


But when we try to reach our provider, we have an error:



**** SSL_connect: sslv3 alert handshake failure


Our provider can see when we try to reach them, they can validate our cert but we cant validate their cert.
Everything is ok on their side.




Btw:

Everything worked fine before yesterday when their certs was expired and they also switch CA. We just replace authorityRootCa.crt (the file with everything inside in the field ssl:ca-file) with the new one




Can someone tell me where should we put our certs or what's wrong here?
Should we add provider.crt in our file ourcert.crt?










share|improve this question
























  • The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.

    – Rui F Ribeiro
    Jan 16 at 20:45







  • 3





    you should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. if PORT is 990 instead of 21 then -starttls ftp should be removed. the CAfile should be the CA bundle

    – A.B
    Jan 16 at 21:56







  • 2





    @RuiFRibeiro I think the error was defined first for sslv3, I don't think this message means the protocol is sslv3. random example: chromium.googlesource.com/chromium/src/net/+/…

    – A.B
    Jan 16 at 22:17












  • oh I missed the provider.crt part. Yes won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.

    – A.B
    Jan 17 at 12:42














0












0








0








We have some trouble in my company with ftps access with a provider.



Here is our configuration:



  • Ubuntu 14.04

  • LFTP | Version 4.6.3a


  • Our_cert.crt

  • our_key.key


  • provider.crt


  • AuthorityRoot.crt

  • AuthorityRootCa.crt

Certificate authority = GlobalSign



#/home/USER/.lftp/conf
set cmd:time-style "%Y%m%d%H%M"
set ftp:ssl-protect-list false
set net:timeout 30
set net:max-retries 1
set ftp:ssl-allow true
set ftp:ssl-protect-data false
set ssl:ca-file AuthorityRoot.crt / AuthorityRootCa.crt (both file in one ) # i dont even know if this is correct
set ssl:cert-file our_cert.crt
set ssl:key-file ourkey.key
set xfer:clobber on
set ssl:verify-certificate false


Our command:



lftp -e "debug 9; source /home/USER/.lftp/conf ;ls ;quit" -u username,pwd ftp://provider.com -p PORT


But when we try to reach our provider, we have an error:



**** SSL_connect: sslv3 alert handshake failure


Our provider can see when we try to reach them, they can validate our cert but we cant validate their cert.
Everything is ok on their side.




Btw:

Everything worked fine before yesterday when their certs was expired and they also switch CA. We just replace authorityRootCa.crt (the file with everything inside in the field ssl:ca-file) with the new one




Can someone tell me where should we put our certs or what's wrong here?
Should we add provider.crt in our file ourcert.crt?










share|improve this question
















We have some trouble in my company with ftps access with a provider.



Here is our configuration:



  • Ubuntu 14.04

  • LFTP | Version 4.6.3a


  • Our_cert.crt

  • our_key.key


  • provider.crt


  • AuthorityRoot.crt

  • AuthorityRootCa.crt

Certificate authority = GlobalSign



#/home/USER/.lftp/conf
set cmd:time-style "%Y%m%d%H%M"
set ftp:ssl-protect-list false
set net:timeout 30
set net:max-retries 1
set ftp:ssl-allow true
set ftp:ssl-protect-data false
set ssl:ca-file AuthorityRoot.crt / AuthorityRootCa.crt (both file in one ) # i dont even know if this is correct
set ssl:cert-file our_cert.crt
set ssl:key-file ourkey.key
set xfer:clobber on
set ssl:verify-certificate false


Our command:



lftp -e "debug 9; source /home/USER/.lftp/conf ;ls ;quit" -u username,pwd ftp://provider.com -p PORT


But when we try to reach our provider, we have an error:



**** SSL_connect: sslv3 alert handshake failure


Our provider can see when we try to reach them, they can validate our cert but we cant validate their cert.
Everything is ok on their side.




Btw:

Everything worked fine before yesterday when their certs was expired and they also switch CA. We just replace authorityRootCa.crt (the file with everything inside in the field ssl:ca-file) with the new one




Can someone tell me where should we put our certs or what's wrong here?
Should we add provider.crt in our file ourcert.crt?







ubuntu ssl lftp ftps






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 16 at 23:06









fra-san

1,4071215




1,4071215










asked Jan 16 at 20:21









ydlydl

1




1












  • The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.

    – Rui F Ribeiro
    Jan 16 at 20:45







  • 3





    you should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. if PORT is 990 instead of 21 then -starttls ftp should be removed. the CAfile should be the CA bundle

    – A.B
    Jan 16 at 21:56







  • 2





    @RuiFRibeiro I think the error was defined first for sslv3, I don't think this message means the protocol is sslv3. random example: chromium.googlesource.com/chromium/src/net/+/…

    – A.B
    Jan 16 at 22:17












  • oh I missed the provider.crt part. Yes won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.

    – A.B
    Jan 17 at 12:42


















  • The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.

    – Rui F Ribeiro
    Jan 16 at 20:45







  • 3





    you should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. if PORT is 990 instead of 21 then -starttls ftp should be removed. the CAfile should be the CA bundle

    – A.B
    Jan 16 at 21:56







  • 2





    @RuiFRibeiro I think the error was defined first for sslv3, I don't think this message means the protocol is sslv3. random example: chromium.googlesource.com/chromium/src/net/+/…

    – A.B
    Jan 16 at 22:17












  • oh I missed the provider.crt part. Yes won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.

    – A.B
    Jan 17 at 12:42

















The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.

– Rui F Ribeiro
Jan 16 at 20:45






The problem is that ssl3 has been obsoleted and it is not supported anymore, I think.

– Rui F Ribeiro
Jan 16 at 20:45





3




3





you should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. if PORT is 990 instead of 21 then -starttls ftp should be removed. the CAfile should be the CA bundle

– A.B
Jan 16 at 21:56






you should be able to debug this with openssl s_client -starttls ftp -CAfile AuthorityRootCa.crt -cert our_cert.crt -key ourkey.key -servername provider.com -connect provider.com:PORT. if PORT is 990 instead of 21 then -starttls ftp should be removed. the CAfile should be the CA bundle

– A.B
Jan 16 at 21:56





2




2





@RuiFRibeiro I think the error was defined first for sslv3, I don't think this message means the protocol is sslv3. random example: chromium.googlesource.com/chromium/src/net/+/…

– A.B
Jan 16 at 22:17






@RuiFRibeiro I think the error was defined first for sslv3, I don't think this message means the protocol is sslv3. random example: chromium.googlesource.com/chromium/src/net/+/…

– A.B
Jan 16 at 22:17














oh I missed the provider.crt part. Yes won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.

– A.B
Jan 17 at 12:42






oh I missed the provider.crt part. Yes won't hurt to try to bundle it to Our_cert for the debug command above. Also, be sure to have all cert data in PEM format (not DER etc.) for that command.

– A.B
Jan 17 at 12:42











0






active

oldest

votes











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f494916%2fftps-lftp-problem%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f494916%2fftps-lftp-problem%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?