$ ftp -s ftp.my.com
Connected to ftp.my.com.
220-| Welcome to XXXX FTP over SSL (FTPS) Server |
220-| We allow TLS connections on ports 21 and 990. |
220-| If you see "503 Login with USER first." use SSL. |
220
234 Proceed with negotiation.
TLS Auth Entered.
Error with certificate at depth 2
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
...
...
Signature Algorithm: sha1WithRSAEncryption
13:...:ff
Error error 20:unable to get local issuer certificate
ERROR Error during the hand shake for the control connection
ERROR Error setting BIO object for the control connection
FTP: Unable to authenticate to Server.
First, we should check whether our vsFTP server is handing out the correct pieces of its certificate setup, which may include chained (intermediate) certificates:
1) Private Key
2) Public Key
3) Primary CA chain cert
4) Secondary CA chain cert
5) etc.
This document gives a good idea of how to take a closer look at what your server is actually presenting, using the openssl client utility:
http://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/
$ openssl s_client -starttls ftp -showcerts -connect myftp.example.com:21
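As an added example (not from the original post, IBM's documentation or the langui.sh article), here is a small Python check that parses the "openssl s_client -showcerts" output above, walks the presented chain the way OpenSSL does, and reports the depth at which it breaks and which issuer your local CA bundle (the file named by CA_PATH) must contain. The sample output, its DNs and its PEM bodies are constructed placeholders, not real certificates.

```python
import re

# Constructed sample of `openssl s_client -starttls ftp -showcerts` output.
# All names are hypothetical and the PEM bodies are placeholders, not real certs.
SAMPLE = """\
---
Certificate chain
 0 s:/C=US/ST=Illinois/O=Example/CN=ftp.my.com
   i:/C=US/O=Example CA/CN=Example Class 3 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIBleafplaceholder
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Class 3 Secure Server CA
   i:/C=US/O=Example CA/CN=Example Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIBintermediateplaceholder
-----END CERTIFICATE-----
---
"""

# One match per presented certificate: depth, s: (subject), i: (issuer), PEM.
# Captures whatever follows "s:"/"i:", so both the old "/C=US/O=..." and the
# newer "C = US, O = ..." DN styles printed by s_client are accepted.
CERT_RE = re.compile(
    r"^\s*(\d+) s:([^\n]*)\n\s*i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.M | re.S)

def parse_showcerts(text):
    """Return the server's chain as a list of dicts, leaf first (depth 0)."""
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(), "pem": p}
            for d, s, i, p in CERT_RE.findall(text)]

def check_chain(certs, trusted_subjects):
    """Walk the presented chain; 'break_depth' is the depth OpenSSL reports in
    "Error with certificate at depth N" and 'needed_issuer' is the DN the
    CA_PATH bundle must contain for the chain to verify."""
    for k, cert in enumerate(certs):
        if cert["issuer"] in trusted_subjects:   # issuer found locally: anchored
            return {"break_depth": None, "needed_issuer": cert["issuer"], "anchored": True}
        if cert["subject"] == cert["issuer"]:    # self-signed root sent but untrusted (error 19)
            return {"break_depth": k, "needed_issuer": cert["subject"], "anchored": False}
        nxt = certs[k + 1] if k + 1 < len(certs) else None
        if nxt is None or nxt["subject"] != cert["issuer"]:
            # Issuer neither sent by the server nor in the local bundle:
            # OpenSSL's "error 20: unable to get local issuer certificate".
            return {"break_depth": k, "needed_issuer": cert["issuer"], "anchored": False}
    return {"break_depth": None, "needed_issuer": None, "anchored": False}
```

Run it with an empty trusted set to see the root-missing case (breaks at depth 1), and with only the leaf to see what happens when the server omits its intermediate (breaks at depth 0).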
There is a typo in IBM's documentation. On page 371 of the Redbook below, in section "6.8.2 Setting up ftp to use TLS":
http://www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf
the document describes using the "~/.ftpcnt" file to store the path to the CA certificate. However, after running "truss" on the ftp process while trying to connect, we find:
kwrite(1, " T L S A u t h E n t".., 18) = 1864 EOPNOTSUPP0) = 0xD0538128
kopen("/home/nbausch/.ftpcnf", O_RDONLY) Err#2 ENOENT
So the real file to use is "~/.ftpcnf". To get this working, you should download the CA bundle for the certificate your server is presenting. If you are unsure, look at the results of the "openssl s_client -showcerts" command above, or download a bundle of commonly used CA certificates such as the one distributed with curl:
$ wget http://curl.haxx.se/ca/cacert.pem
Finally, we need to create our "~/.ftpcnf" file with the path to our CA certificate file:
$ cat /home/nbausch/.ftpcnf
CA_PATH /home/nbausch/cacert.pem
Now we can test our AIX ftp client connecting to a host over TLS:
$ ftp -s ftp.my.com
Connected to ftp.my.com.
220-| Welcome to xxxx FTP over SSL (FTPS) Server |
220-| We allow TLS connections on ports 21 and 990. |
220-| If you see "503 Login with USER first." use SSL. |
220
234 Proceed with negotiation.
TLS Auth Entered.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
49:xxxxxx:0e
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Validity
Not Before: Dec 29 00:00:00 2011 GMT
Not After : Dec 28 23:59:59 2013 GMT
Subject: C=US, ST=Illinois, L=xxx, O=xxx, OU=xxx, CN=ftp.my.com
TLSv1/SSLv3 ( DES-CBC3-SHA ), 168 bits
Name (ftp.my.com:nbausch): nbausch
331 Please specify the password.
Password:
230- Welcome XXX FTP Service.
230-
230- Notice: Files uploaded to this system will only be kept for
230- 7 days. Files are subject to anti-virus scanning
230- and deletion before 7 days if deemed a risk.
230-
230- Known Good FTP Clients & Examples:
230- FileZilla: (Windows/Mac/Linux) Server Type: (FTPES) Ports: (21/990)
230- lftp: lftp -u <user>,<pass> ftp.my.com -e "set ftp:ssl-protect-data true; get README.first"
230- lftp: lftp -u <user>,<pass> ftp.my.com -e "set ftp:ssl-protect-data true; cat README.first"
230- curl: curl -u <user>:<pass> -k --ftp-ssl-reqd ftp://ftp.my.com/README.first
230- openssl s_client -starttls ftp -connect ftp.my.com:21
230 Login successful.
200 PBSZ set to 0.
200 PROT now Private.
ftp> passive
Passive mode on.
227 Entering Passive Mode (10,236,32,91,84,157)
150 Here comes the directory listing.
TLSv1/SSLv3 ( DES-CBC3-SHA ), 168 bits
README.first
226 Directory send OK.