Using lftp to upload files to a remote server from two computers on my network. Using the exact same code this works fine on one and doesn't work on the other. Transcripts of a problem session and a successful session are shown below. The error that I get is:

Certificate verification: certificate common name doesn't match requested host name

Googling this error finds a solution that seems to work for most people (using: set ssl:verify-certificate no). But as you can see in the transcripts below this doesn't work for the "problem computer".

Because both computers use the same DNS and router to get on the internet I can only assume that this may be caused by a different setting on the problem computer. Would love to get suggestions for stuff to check other than lftp settings.

The problem computer

Stock Debian system jessie 8.7: 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux

lftp version being used:

$ apt show lftp
Package: lftp
Version: 4.6.0-1+deb8u1
:
:

Failing session (hostname replaced by "example"):

$ lftp
lftp :~> debug
lftp :~> set
set dns:order "inet6 inet"
set file:charset UTF-8
set ftp:timezone ""
set net:max-retries 2
set net:timeout 30
set ssl:verify-certificate no
set xfer:log yes
set xfer:log-file /tmp/lftp.log
set xfer:max-log-size 1048576
set xfer:max-redirections 10
set xfer:verify-command /usr/share/lftp/verify-file
lftp :~> open example.nl
---- using user `ftp2@example.nl' and password from ~/.netrc
---- Resolving host address...
---- 2 addresses found: (▮▮▮▮▮▮▮▮, ▮▮▮▮▮▮▮▮)
lftp ftp2@example.nl@example.nl:~> dir
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
**** connect(control_sock): Network is unreachable
---- Closing control socket
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
<--- 220 ProFTPD 1.3.5b Server ready.
---> FEAT
<--- 211-Features:
<---  CCC
<---  PBSZ
<---  AUTH TLS
<---  MFF modify;UNIX.group;UNIX.mode;
<---  REST STREAM
<---  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<---  LANG en-US.UTF-8*
<---  UTF8
<---  EPRT
<---  EPSV
<---  MDTM
<---  SSCN
<---  TVFS
<---  MFMT
<---  SIZE
<---  PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Using default language en_US.UTF-8
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER ftp2@example.nl
<--- 331 Password required for ftp2@example.nl
---> PASS XXXX
<--- 230 User ftp2@example.nl logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (▮▮▮▮▮▮▮▮).
---- Connecting data socket to (▮▮▮▮▮▮▮▮) port 35302
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘ example.nl’
<--- 425 Unable to build data connection: Operation not permitted
---- Closing data socket
<--- 450 LIST: Operation not permitted
**** extra server response
ls: Fatal error: max-retries exceeded
lftp ftp2@example.nl@example.nl:/>

The other computer

Debian-based Raspbian jessie 8.0 : 4.4.38+ #938 Thu Dec 15 15:17:54 GMT 2016 armv6l GNU/Linux

On this computer I have the exact same version of lftp:

$ apt show lftp
Package: lftp
Version: 4.6.0-1+deb8u1
:
:

But now the lftp session gives no problems:

$ lftp
lftp :~> debug
lftp :~> set
set dns:order "inet6 inet"
set file:charset UTF-8
set ftp:timezone ""
set net:max-retries 2
set net:timeout 30
set ssl:verify-certificate no
set xfer:log yes
set xfer:log-file /tmp/lftp.log
set xfer:max-log-size 1048576
set xfer:max-redirections 10
set xfer:verify-command /usr/share/lftp/verify-file
lftp :~> open example.nl
---- using user `ftp2@example.nl' and password from ~/.netrc
---- Resolving host address...
---- 2 addresses found: ▮▮▮▮▮▮▮▮, ▮▮▮▮▮▮▮▮
lftp ftp2@example.nl@example.nl:~> dir
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
**** connect(control_sock): Network is unreachable
---- Closing control socket
---- Connecting to example.nl (▮▮▮▮▮▮▮▮) port 21
<--- 220 ProFTPD 1.3.5b Server ready.
---> FEAT
<--- 211-Features:
<---  CCC
<---  PBSZ
<---  AUTH TLS
<---  MFF modify;UNIX.group;UNIX.mode;
<---  REST STREAM
<---  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<---  LANG en-US.UTF-8*
<---  UTF8
<---  EPRT
<---  EPSV
<---  MDTM
<---  SSCN
<---  TVFS
<---  MFMT
<---  SIZE
<---  PROT
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
<--- 200 Using default language en_US.UTF-8
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER ftp2@example.nl
<--- 331 Password required for ftp2@example.nl
---> PASS XXXX
<--- 230 User ftp2@example.nl logged in
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (▮▮▮▮▮▮▮▮).
---- Connecting data socket to (▮▮▮▮▮▮▮▮) port 35035
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.zxcs.nl
 Issued by: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: certificate common name doesn't match requested host name ‘example.nl’
---- Got EOF on data connection
---- Closing data socket
drwxr-xr-x  11 ftp      ftp          4096 Feb 11 16:56 .
drwxr-xr-x  11 ftp      ftp          4096 Feb 11 16:56 ..
drwxr-xr-x   2 ftp      ftp          4096 Dec 29 10:48 01.home
lftp ftp2@example.nl@example.nl:/>
Mausy5043
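What the failing check actually compares, as an added example that is not code from the question, from lftp or from the ProFTPD server shown. The transcript's certificate carries the single name `*.zxcs.nl`, the control connection was opened to `example.nl`, and the data connection is opened to the address taken from the `227 Entering Passive Mode` reply rather than to a name; the function below applies the usual wildcard-matching rules to those inputs and shows why both comparisons fail. In lftp, `ssl:verify-certificate` governs the chain check behind the "Not trusted" warning and, as both transcripts show, only downgrades failures to warnings, while `ssl:check-hostname` governs the name comparison behind the "common name doesn't match" warning and skips it when set to `no`. The data-connection address used below is a constructed placeholder, since the real ones are redacted in the transcript.

```python
"""Why lftp reports "certificate common name doesn't match requested host name".

Added example, not code from the question or from lftp. It re-implements the
name check a TLS client performs before trusting a server certificate
(RFC 6125 style: exact match, or a single leading "*." matching one DNS
label) and runs it against the names and targets seen in the transcript.
"""
import ipaddress


def _is_ip_literal(host: str) -> bool:
    """True for "192.0.2.1", "[2001:db8::1]" etc.; False for DNS names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (a DNS SAN entry or the CN) against host.

    Rules (the common subset of RFC 6125 that clients such as OpenSSL apply):
      * comparison is case-insensitive and ignores a trailing dot;
      * "*" is honoured only as the entire left-most label ("*.zxcs.nl");
      * the wildcard covers exactly one label, so "*.zxcs.nl" matches
        "www.zxcs.nl" but neither "zxcs.nl" nor "a.b.zxcs.nl";
      * a wildcard never matches an IP address literal.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    if _is_ip_literal(host):
        return False
    suffix = pattern[1:]                 # "*.zxcs.nl" -> ".zxcs.nl"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]          # the labels the "*" would have to cover
    return bool(left) and "." not in left


def check_hostname(cert_names, requested_host):
    """Apply the check that lftp's ssl:check-hostname setting controls.

    cert_names: the names the certificate carries (subjectAltName DNS entries,
    or just the CN when there is no SAN, as for the transcript's "*.zxcs.nl").
    Returns (ok, reason).
    """
    if _is_ip_literal(requested_host):
        # Only an iPAddress SAN could satisfy this; a CN or DNS name cannot.
        return (False, f"requested host {requested_host!r} is an IP literal; "
                       "no DNS name in the certificate can match it")
    for name in cert_names:
        if _name_matches(name, requested_host):
            return True, f"matched certificate name {name!r}"
    return False, f"none of {list(cert_names)!r} match {requested_host!r}"


def transcript_checks():
    """The three comparisons implied by the transcript above.

    The data-connection address is a constructed placeholder (the real one is
    redacted); any address literal gives the same result.
    """
    cert = ["*.zxcs.nl"]
    return {
        # control channel: opened by name, but the name is not under zxcs.nl
        "control": check_hostname(cert, "example.nl"),
        # data channel: opened to the address from the PASV reply, never a name
        "data": check_hostname(cert, "203.0.113.10"),
        # the kind of name the certificate was actually issued for
        "hosting_name": check_hostname(cert, "www.zxcs.nl"),
    }


if __name__ == "__main__":
    for channel, (ok, why) in transcript_checks().items():
        print(f"{channel:13s} {'OK ' if ok else 'FAIL'} {why}")
```

Because the same certificate is presented on both machines and fails the same comparisons on both, this check cannot be what differs between the two computers; it only explains the two warnings, not the `425 Unable to build data connection` that follows on the problem computer.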
  • FTP data transfers are _always_ specified using IP addresses, never DNS names. Thus the certificate name checking against hostnames, for the data transfer connection, will never succeed. Also, the relevant `lftp` setting that you want, I think, is `ssl:check-hostname no`, rather than `ssl:verify-certificate`. – Castaglia Feb 27 '17 at 18:47
  • "FTP data transfers are always specified using IP addresses, never DNS names" This is new to me (do you have a reference for this?). I always `open` a connection to a FQDN, not to an IP address. And also, it doesn't seem to explain why stuff IS working on the other computer. Re `ssl:check-hostname`: thanks for the suggestion, but it doesn't work. I've added the info to the question. – Mausy5043 Feb 28 '17 at 17:17
  • FTP uses _two_ TCP connections; one for the control channel (that's the one that's usually on port 21, and for which you are probably using a DNS name); the other is for data transfers (and the addresses/ports for these data transfer connections are negotiated as part of the protocol, using _only_ IP addresses). – Castaglia Feb 28 '17 at 17:20
  • Also, by using `ssl:check-hostname off`, you *have* changed the behavior that you originally reported: you are no longer seeing "certificate common name doesn't match requested host name". So you have effectively changed your post -- which makes it more confusing for future readers just what problem(s) you are trying to solve. – Castaglia Feb 28 '17 at 17:21
  • You are right. That addition was totally off-topic. I've removed the info as it does not help solve my problem. So, two computers, one method. One fails, one succeeds. All bets still on. – Mausy5043 Feb 28 '17 at 19:16
  • Well, the use of `ssl:check-hostname off` addresses the titled issue. But it sounds like the _real_ problem is that you have issues with data transfers; the "common name" check is a red herring. Is that correct? If so, one potential cause of data transfer issues are firewalls/routers which inspect the FTP control channel to dynamically open ports for the data transfers; such network middleboxes often cannot work when the control channel becomes encrypted via TLS -- and thus will not open the necessary ports for the data transfer. – Castaglia Feb 28 '17 at 19:32
  • Your assistance is greatly appreciated. How would I test if the necessary ports are being opened or not? The firewall (both `ufw` and `iptables`) on the problem system is disabled. – Mausy5043 Feb 28 '17 at 20:37
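One way to test what the last two comments discuss, as an added example that is neither the asker's code nor lftp's: whether the port negotiated for the data connection is actually reachable from each machine. The server names the data endpoint inside the control channel (the `227 Entering Passive Mode (...)` reply in the transcript, whose last two numbers encode the port as p1*256 + p2, so 137,230 gives the 35302 seen on the failing machine), and a NAT or firewall FTP helper that cannot read the TLS-encrypted control channel has no way to open it. The script parses such a reply exactly as a client does, flags an advertised address that a NAT would have had to rewrite, and offers a plain TCP connect to the endpoint; running that probe from the problem computer and from the Raspberry Pi right after a `PASV` exchange shows whether the port is open from one and not the other. The sample reply and addresses are constructed, because the transcript's are redacted.

```python
"""Checking whether an FTP(S) data port is reachable from this host.

Added example, not code from the question, from lftp, or from ProFTPD. The
server names the data endpoint inside the control channel (the 227/229 reply
to PASV/EPSV); with TLS on that channel a NAT or firewall FTP helper cannot
read it, so it cannot open the port. The functions below parse the reply the
way a client does, flag addresses a NAT would have had to rewrite, and try a
plain TCP connect to the endpoint.
"""
import ipaddress
import re
import socket
from typing import List, Optional, Tuple

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")

# Ranges a NAT would have to translate for the data connection to work.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def parse_passive_reply(reply: str,
                        control_host: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) from a 227 (PASV) or 229 (EPSV) server reply.

    PASV encodes the port as p1*256 + p2 (137,230 -> 35302). EPSV carries only
    a port; the address is the control connection's peer, passed in as
    control_host.
    """
    m = PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            raise ValueError(f"octet out of range in PASV reply: {reply!r}")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.search(reply)
    if m:
        if control_host is None:
            raise ValueError("EPSV reply carries no address; pass control_host")
        return control_host, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def passive_address_warnings(data_host: str, control_host: str) -> List[str]:
    """Sanity checks on the endpoint the server asked us to connect to."""
    warnings = []
    try:
        addr = ipaddress.ip_address(data_host)
    except ValueError:
        return [f"data host {data_host!r} is not an IP address literal"]
    if any(addr in net for net in NON_ROUTABLE):
        warnings.append(
            f"server advertised non-routable address {data_host}; a NAT in "
            "front of it would normally rewrite this in the PASV reply, but "
            "cannot when the control channel is encrypted")
    if data_host != control_host:
        warnings.append("data address differs from the control connection's peer")
    return warnings


def probe_data_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Plain TCP connect to the negotiated endpoint (no TLS, no FTP commands).

    Run this from both machines right after the PASV exchange: an "open"
    result on one and a timeout or refusal on the other points at the
    network path of the failing host rather than at lftp.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout (filtered by a firewall or middlebox?)"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


if __name__ == "__main__":
    # Constructed sample reply (the transcript's addresses are redacted);
    # 137*256 + 230 = 35302, the data port seen on the failing machine.
    reply = "227 Entering Passive Mode (192,0,2,10,137,230)."
    host, port = parse_passive_reply(reply)
    print(host, port, passive_address_warnings(host, "192.0.2.10"))
    # To test reachability for real, call probe_data_port(host, port).
```

The probe deliberately skips TLS and the FTP commands: if a bare TCP connect to the negotiated port times out on one machine and succeeds on the other, the difference lies in the network path (routing table, a second interface, a middlebox on one path) rather than in the client's certificate settings.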

3 Answers

As the comments said, ssl:check-hostname will work. It can be set in lftp shell by

set ssl:check-hostname no
Vito Chou
I was facing a similar problem on Amazon Linux 2; the steps below helped me.

Append to the file "/etc/lftp.conf" and try connecting again.

vi /etc/lftp.conf and append the line below.

set ssl:check-hostname no

Validate it as below.

cat /etc/lftp.conf | grep hostname
set ssl:check-hostname no
Santosh Garole
The problem might be caused by outdated SSL libraries.
Also, if it is a ProFTPd server, there is a hint to add TLSOptions NoSessionReuseRequired in its config.
Have you seen your ftp server's logs?