Save certificate to use with lftp

6

2

How can I save a certificate for use with lftp?

The certificate in question is not accepted by lftp when downloaded from the server. I tried

openssl s_client -connect {HOSTNAME}:21 -showcerts

from How to save a remote server SSL certificate locally as a file but this returns

CONNECTED(00000003) 3074045628:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:

no peer certificate available

I am connecting with

lftp -p 21 -u {USER} {HOSTNAME}

and receive

ls: Fatal error: Certificate verification: Not trusted

Greg C

Posted 2013-10-26T06:57:44.877

Reputation: 166

Answers

8

I think the problem here is that the FTP server uses plain FTP but supports explicit SSL/TLS. So to follow the protocol, the client must connect to the FTP server and invoke encryption through the AUTH command. (The AUTH command is sent in plain text.)

So to answer your question, I don't think it is possible to show the certificate. Unless you can somehow send the AUTH command to the FTP server.

Edit: To display certs do the following:

openssl s_client -connect x.x.x.x:21 -starttls ftp

marcwho

Posted 2013-10-26T06:57:44.877

Reputation: 227

5

It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates. Maybe this is the underlying cause for your problem.

The web is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is insecure as it allows man-in-the-middle attacks to pass unnoticed.

The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc):

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

sudo update-ca-certificates

If your system does not have this command, you can create one manually like this:

cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null

ingomueller.net

Posted 2013-10-26T06:57:44.877

Reputation: 151
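Putting the two answers above together, as an added example (a shell script written for this page, not code from either answer): keep the PEM blocks that `openssl s_client -starttls ftp -showcerts` prints after the AUTH TLS upgrade, build a CA bundle that includes them, and emit the `ssl:ca-file` line for lftp with verification still switched on. `ftp.example.com`, the file paths and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the question or the answers above): save the
# chain an explicit-FTPS server presents after the AUTH TLS upgrade, then point
# lftp at a bundle containing it WITHOUT switching verification off.
# Assumes openssl(1) and lftp(1); host names and file paths are placeholders.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts`
# output on stdin.  The first block is the server (leaf) certificate; with
# -showcerts the intermediates follow in chain order.
extract_pem_certs() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count certificates in a PEM stream on stdin (prints 0 rather than failing).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Network step: -starttls ftp makes s_client read the banner, send AUTH TLS and
# only then start the TLS handshake, which is why a bare -connect on port 21
# sees "unknown protocol".  </dev/null ends the session after the handshake.
fetch_ftps_chain() {
    host=$1; port=${2:-21}; out=$3
    openssl s_client -connect "$host:$port" -starttls ftp -showcerts \
        </dev/null 2>/dev/null | extract_pem_certs > "$out"
    [ "$(count_pem_certs < "$out")" -gt 0 ]
}

# SHA-256 fingerprint of the first certificate in a PEM file.  Confirm it with
# the server's operator through another channel before trusting it: the first
# connection is exactly the one a man-in-the-middle would answer.
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Bundle = system CA store (if present) + the saved chain, so other hosts keep
# verifying normally.  A self-signed server certificate is its own trust anchor;
# for a private CA, include the CA certificate, not just the leaf.
build_bundle() {
    chain=$1; out=$2; system=${3:-/etc/ssl/certs/ca-certificates.crt}
    {
        if [ -r "$system" ]; then cat "$system"; fi
        cat "$chain"
    } > "$out"
}

# Lines for ~/.lftp/rc.  With a second argument the settings are scoped to that
# host via lftp's "setting/closure" syntax instead of applying globally.
lftp_rc_lines() {
    bundle=$1; scope=${2:+/$2}
    printf 'set ssl:verify-certificate%s yes\n' "$scope"
    printf 'set ssl:ca-file%s "%s"\n' "$scope" "$bundle"
}

# Usage (placeholders):
#   fetch_ftps_chain ftp.example.com 21 ftp.example.com.pem
#   leaf_fingerprint ftp.example.com.pem
#   build_bundle ftp.example.com.pem ~/.lftp/ca-bundle.pem
#   lftp_rc_lines ~/.lftp/ca-bundle.pem ftp.example.com >> ~/.lftp/rc
```

`ssl:ca-file` takes the same kind of bundle as the ca-certificates.crt used in the answer above; keeping the system store inside it avoids breaking verification for every other host. What has to be in the bundle is the trust anchor: the server certificate itself when it is self-signed, the private CA's certificate when it is not. Compare the `leaf_fingerprint` output with the operator out of band; without that step the bundle merely records whatever answered the first connection.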

2

Are you sure that this endpoint is correctly secured using SSL? From the error message you show, it seems like the server doesn't provide SSL. Also, port 21 is mostly used for plain FTP, not FTPS or SFTP.

This is what I get when I run the command against a plain FTP server

openssl s_client -connect xxx.yyy.zzz.www:21 -showcerts
CONNECTED(00000003)
140165093090976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The lftp error can be due to a misconfiguration of lftp where you require SSL. You can try the following:

set ftp:ssl-force false

Anyway you can also try a connection using

set ssl:verify-certificate no

Although this is only acceptable for testing and with test accounts (in order not to leak credentials)

user35800

Posted 2013-10-26T06:57:44.877

Reputation: 21

0

In my case the problem was caused by the server only supporting deprecated versions of TLS that are not supported by modern distributions.

Test if you can connect with openssl:

$ openssl s_client  -starttls ftp -connect <hostname>:21

CONNECTED(00000003)
140140192228416:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1940:
---
<remaining text snipped>

This error is explained here: https://stackoverflow.com/a/53065682/1878199. tl;dr: Debian now requires at least TLS 1.2.

You can check what your server supports by using nmap:

$ nmap --script ssl-enum-ciphers -p 21 <hostname>

PORT   STATE SERVICE
21/tcp open  ftp
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

(See also https://security.stackexchange.com/a/70737)

So my server only accepts TLSv1.0. The correct solution would be to update the server, of course!

Possible solutions on client side:

  1. Use SSL:

     lftp -e "set ftp:ssl-auth SSL" <hostname>

  2. Disable SSL for this connection:

     lftp -e "set ftp:ssl-allow no" <hostname>

  3. You can also try to enable obsolete protocols on your client by editing /etc/ssl/openssl.cnf as described in the first link above. Not recommended.

ootwch

Posted 2013-10-26T06:57:44.877

Reputation: 101
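The three `openssl s_client` outcomes on this page (the question's and the third answer's "unknown protocol", this answer's "unsupported protocol", and the untrusted-chain case behind lftp's "Not trusted") are easy to confuse. As an added example (a shell script written for this page, not code from any answer), the function below sorts s_client output into those cases and a probe tries each TLS version explicitly, which is the same question the nmap scan above answers without needing nmap. The host, port and helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or any answer above.  Sorts the
# output of `openssl s_client -starttls ftp` into the failure modes that appear
# on this page, then probes each TLS version explicitly.  Assumes openssl(1);
# the host and port are placeholders.

# Read s_client output (stdout and stderr merged) on stdin; print one word.
#   plain     "unknown protocol": the peer answered in cleartext, so either
#             -starttls ftp was omitted or the server is plain FTP
#   version   "unsupported protocol" / "wrong version number": no TLS version
#             in common, e.g. a TLS 1.0-only server and a TLS 1.2+ client;
#             "no protocols available" means the client's own minimum is
#             above the version forced with -tls1 etc.
#   untrusted handshake completed but the chain did not verify, which lftp
#             reports as "Certificate verification: Not trusted"
#   ok        handshake completed and the chain verified
#   unknown   anything else (e.g. the flag is not known to this openssl)
classify_s_client_output() {
    out=$(cat)
    case $out in
        *"unknown protocol"*)                               echo plain ;;
        *"unsupported protocol"*|*"wrong version number"*|*"no protocols available"*)
                                                            echo version ;;
        *"Verify return code: 0 (ok)"*)                     echo ok ;;
        *"Verify return code:"*)                            echo untrusted ;;
        *)                                                  echo unknown ;;
    esac
}

# Force one protocol version per attempt so the answer is per version rather
# than whatever the two sides happen to negotiate.  Prints "<flag> <result>".
probe_starttls_versions() {
    host=$1; port=${2:-21}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$host:$port" -starttls ftp "-$v" \
                     </dev/null 2>&1 | classify_s_client_output)
        echo "$v $result"
    done
}

# Usage (placeholder host):  probe_starttls_versions ftp.example.com 21
# "tls1 ok" next to "tls1_2 version" is the situation in this answer: the
# server needs upgrading; a client-side downgrade only hides that.
```

Run the probe from the client that fails, since the result depends on that client's OpenSSL build and its configured minimum version as much as on the server.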