1

I need help to establish secure ftp connection from linux client to z/OS host running FTPS server.

From FTPS server admin I have got following information: Host IP address, port, CA certificate file with .der extension. FTPS server supports TLS v1.1 and v1.2

I am trying to use lftp client on Linux side. (Is it a right choise?). Having no experience in secure protocols I am trying to guess from lftp man pages which parameters I can use to provide server information I have.

With max debug level of 9 for lftp I get following:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/home/leonid/CERT/carootcert.der"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
gnutls_x509_crt_list_import: No certificate was found.
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit

Appreciate any advice on what's wrong in above attempt and how to troubleshoot this connection problem.

Meanwhile I read more about certificates and realized that I probably treated .der certificate that I have got from admin not correctly. Following instructions on how to add CA certificate on Linux (I use Ubuntu 16.04) did below steps:

  1. Converted .der certificate to .pem

     openssl x509 -inform der -in carootcert.der -out carootcert.pem

  2. Copied it to /usr/local/share/ca-certificates under crt extension

     sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt

  3. Run

     sudo update-ca-certificates

Now repeated my attempt:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> 
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-
certificates.crt"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit

Now I have got one error message less. No message about no certificate found, but still having unexpected TLS package...
Any advice on how to further troubleshoot?

Just found out that it is possible to get more debug information by further rising debug level. Hope it helps.

lftp -u us15030,******* -p 990 ftps://9.17.211.10
closed FD 5
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
FileCopy(0x2197970) enters state INITIAL
FileCopy(0x2197970) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
GNUTLS: REC[0x259e240]: Allocating epoch #0
GNUTLS: REC[0x259e240]: Allocating epoch #1
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x259e240]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SERVER NAME (16 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x259e240]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x259e240]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x259e240]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x259e240]: CLIENT HELLO was queued [247 bytes]
GNUTLS: REC[0x259e240]: Preparing Packet Handshake(22) with length: 247 and min pad: 0
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x259e240]: Start of epoch cleanup
GNUTLS: REC[0x259e240]: End of epoch cleanup
GNUTLS: REC[0x259e240]: Epoch #0 freed
GNUTLS: REC[0x259e240]: Epoch #1 freed
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
Gryu
  • 479
  • 1
  • 6
  • 14
Leonid Tepliakov
  • 51
  • 1
  • 8
  • I read more about certificates and realized that I probably treated .der certificate that I have got from admin not correctly. Following instructions on how to add CA certificate on linux (I use Ubuntu 16.04) did below steps: 1. Converted .der certificate to .pem openssl x509 -inform der -in carootcert.der -out carootcert.pem 2. Copied it to /usr/local/share/ca-certificates under crt extension sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt – Leonid Tepliakov Jan 15 '19 at 12:28
  • Instead of adding a comment, I'd suggest editing your original question to add in what you did. – Kevin McKenzie Jan 15 '19 at 20:18

1 Answers1

3

I have found an answer. FTPS server admin updated me additional information. The server is configured for explicit AT-TLS.

So below commands did the job for me:

lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com

set ftp:ssl-force true

set ftp:ssl-protect-data true

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

get /tmp/ttt.txt.gz

Just FYI: noticed a curious thing. The above script does not work if I use digital ip address instead of symbolic.

lftp -u us15030,******** ftp://9.17.211.10

Certificate verification fails:

Fatal error: Certificate verification: certificate common name doesn't match requested host name ‘9.17.211.10’

Leonid Tepliakov
  • 51
  • 1
  • 8
  • There is nothing curious about it. The certificate contains SAN (subject alternate name) entries for the domains it is valid for. As long as the IP address is not among them it is not valid for that IP address, even if a valid domain points to it. That's normal and expected behavior. – Gerald Schneider Jan 16 '19 at 08:12
  • I am facing similar issues for EMR which uses Amazon Linux 1 in background and did not worked above. – Santosh Garole Jun 24 '20 at 14:08