Discussion:
Having problems with explicit SSL ftps...
Gary D Walborn
2012-07-24 19:45:01 UTC
We have a vendor who requires us to upload data via FTPS (NOT SFTP) using
passive mode and explicit SSL. This seems to work fine using WinSCP, but I
have not been able to get the same results via lftp. I was hoping someone
might be able to spot what I am doing wrong. Here is a transcript of my
session with debugging set to 13 (and our password x'ed out):

---------------------------------------- BEGIN SESSION ----------------------------------
lftp :~> set ftp:ssl-protect-data true
lftp :~> set ftp:ssl-force true
lftp :~> set ftp:ssl-auth SSL
lftp :~> open -uVendorQOH,xxxxxxxx -p990 ftp://fastedi.fastenal.com
lftp ***@fastedi.fastenal.com:~> ls
ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received.
lftp ***@fastedi.fastenal.com:~> put PMSC2012-07-24.XML
Interrupt
lftp ***@fastedi.fastenal.com:~> set ftp:auto-passive-mode yes
lftp ***@fastedi.fastenal.com:~> put PMSC2012-07-24.XML
Interrupt
lftp ***@fastedi.fastenal.com:~> set ftp:passive-mode on
lftp ***@fastedi.fastenal.com:~> put PMSC2012-07-24.XML
Interrupt
lftp ***@fastedi.fastenal.com:~> debug 5
lftp ***@fastedi.fastenal.com:~> put PMSC2012-07-24.XML
---- Connecting to fastedi.fastenal.com (205.243.112.67) port 990
<--- 220 Welcome to Fastenal FTP Production
---> FEAT
<--- 530 Not logged in.
---> AUTH SSL
<--- 234 Security data exchange complete.
---> USER VendorQOH
**** gnutls_handshake: A TLS packet with unexpected length was received.
Interrupt
lftp ***@fastedi.fastenal.com:~> debug 13
lftp ***@fastedi.fastenal.com:~> put PMSC2012-07-24.XML
FileCopy(0x8d1fa48) enters state INITIAL
FileCopy(0x8d1fa48) enters state DO_COPY
---- dns cache hit
---- Connecting to fastedi.fastenal.com (205.243.112.67) port 990
<--- 220 Welcome to Fastenal FTP Production
---> FEAT
<--- 530 Not logged in.
---> AUTH SSL
<--- 234 Security data exchange complete.
---> USER VendorQOH
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
GNUTLS: HSK[0x8d25ae8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
GNUTLS: HSK[0x8d25ae8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
GNUTLS: EXT[0x8d25ae8]: Sending extension CERT_TYPE
GNUTLS: HSK[0x8d25ae8]: CLIENT HELLO was send [88 bytes]
GNUTLS: REC[0x8d25ae8]: Sending Packet[0] Handshake(22) with length: 88
GNUTLS: REC[0x8d25ae8]: Sent Packet[1] Handshake(22) with length: 93
**** gnutls_handshake: A TLS packet with unexpected length was received.
---- Closing control socket
Interrupt
lftp ***@fastedi.fastenal.com:~>
---------------------------------------- END SESSION ----------------------------------

Any ideas?

Thanks,
--
Gary D. Walborn
***@gmail.com
Alexander V. Lukyanov
2012-07-25 05:36:54 UTC
Post by Gary D Walborn
We have a vendor who requires us to upload data via FTPS (NOT SFTP) using
passive mode and explicit SSL. This seems to work fine using WinSCP, but I
have not been able to get the same results via lftp. I was hoping someone
might be able to spot what I am doing wrong. Here is a transcript of my
Probably this is a GnuTLS problem. Try to compile lftp with openssl, send the
report to GnuTLS maintainers if openssl works but not gnutls.
--
Alexander.
Gary D Walborn
2012-07-25 13:12:44 UTC
Alexander (et al),

Well, I recompiled lftp with OpenSSL support instead of GnuTLS support.
Some things have gotten better, but I am still unable to transfer files, as
a new message has cropped up. A transcript of my session follows:

------------------ Begin Session -------------------
***@Ubuntu:~$ lftp
lftp :~> set ssl:verify-certificate off
lftp :~> set ftp:ssl-auth SSL
lftp :~> set ftp:ssl-protect-data true
lftp :~> set ftp:ssl-force true
lftp :~> set ftp:initial-prot P
lftp :~> debug 13
lftp :~> open -uVendorQOH,QOH4vendors -p990 fastedi.fastenal.com
---- Resolving host address...
---- 1 address found: 205.243.112.67
lftp ***@fastedi.fastenal.com:~> ls
FileCopy(0xa0666d8) enters state INITIAL
FileCopy(0xa0666d8) enters state DO_COPY
---- dns cache hit
---- Connecting to fastedi.fastenal.com (205.243.112.67) port 990
<--- 220 Welcome to Fastenal FTP Production
---> FEAT
<--- 530 Not logged in.
---> AUTH SSL
<--- 234 Security data exchange complete.
---> USER VendorQOH
Certificate depth: 0; subject: /C=US/ST=Minnesota/L=Winona/O=Fastenal
Company/OU=Ecommerce/OU=Terms of use at www.verisign.com/rpa (c)05/CN=
fastedi.fastenal.com; issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign
Class 3 Secure Server CA - G3
WARNING: Certificate verification: unable to get local issuer certificate
WARNING: Certificate verification: certificate not trusted
WARNING: Certificate verification: unable to verify the first certificate
Certificate verification: common name: ‘fastedi.fastenal.com’ matched
<--- 331 Password required for VendorQOH.
---> PASS QOH4vendors
<--- 230 Greetings and Thanks for successfully Logging In to Fastenal
---> FEAT
<--- 211-Extensions supported:
<--- AUTH
<--- CCC
<--- EPRT
<--- EPSV
<--- FEAT
<--- MDTM
<--- PBSZ
<--- SIZE
<--- REST STREAM
<--- MODE Z
<--- 211 End
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 PBSZ command successful.
---> PASV
<--- 227 Entering Passive Mode (205,243,112,67,3,221)
---- Connecting data socket to (205.243.112.67) port 989
---- Data connection established
---> LIST
<--- 503 PROT command is required before data transfer.
---- Closing data socket
ls: Access failed: 503 PROT command is required before data transfer.
------------------ End Session -----------------------------------------

This is driving me somewhat crazier... :-)

Thanks,
--
Gary D. Walborn
***@gmail.com
Alexander V. Lukyanov
2012-07-25 14:22:37 UTC
Post by Gary D Walborn
Well, I recompiled lftp with openSSL support instead of GnuTLS support.
Some things have gotten better, but I am still unable to transfer files as
The server requires PROT command, try to use:
set ftp:initial-prot ""
--
Alexander.
Gary D Walborn
2012-07-25 15:11:27 UTC
Alexander,

I specified 'set ftp:initial-prot ""' as you suggested, but I am still
having the same problem.

----------------- Begin Session -------------------------------------------------
lftp :~> set ssl:verify-certificate off
lftp :~> set ftp:ssl-auth SSL
lftp :~> set ftp:ssl-protect-data true
lftp :~> set ftp:ssl-force true
lftp :~> set ftp:initial-prot ""
lftp :~> debug 13
lftp :~> open -uVendorQOH,xxxxxxxxxx -p990 ftp://fastedi.fastenal.com
---- Resolving host address...
---- 1 address found: 205.243.112.67
lftp ***@fastedi.fastenal.com:~> ls
FileCopy(0x8efebf0) enters state INITIAL
FileCopy(0x8efebf0) enters state DO_COPY
---- dns cache hit
---- Connecting to fastedi.fastenal.com (205.243.112.67) port 990
<--- 220 Welcome to Fastenal FTP Production
---> FEAT
<--- 530 Not logged in.
---> AUTH SSL
<--- 234 Security data exchange complete.
---> USER VendorQOH
Certificate depth: 0; subject: /C=US/ST=Minnesota/L=Winona/O=Fastenal
Company/OU=Ecommerce/OU=Terms of use at www.verisign.com/rpa (c)05/CN=
fastedi.fastenal.com; issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign
Class 3 Secure Server CA - G3
WARNING: Certificate verification: unable to get local issuer certificate
WARNING: Certificate verification: certificate not trusted
WARNING: Certificate verification: unable to verify the first certificate
Certificate verification: common name: ‘fastedi.fastenal.com’ matched
<--- 331 Password required for VendorQOH.
---> PASS QOH4vendors
<--- 230 Greetings and Thanks for successfully Logging In to Fastenal
---> FEAT
<--- 211-Extensions supported:
<--- AUTH
<--- CCC
<--- EPRT
<--- EPSV
<--- FEAT
<--- MDTM
<--- PBSZ
<--- SIZE
<--- REST STREAM
<--- MODE Z
<--- 211 End
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 PBSZ command successful.
---> PASV
<--- 227 Entering Passive Mode (205,243,112,67,3,221)
---- Connecting data socket to (205.243.112.67) port 989
---- Data connection established
---> LIST
<--- 503 PROT command is required before data transfer.
---- Closing data socket
ls: Access failed: 503 PROT command is required before data transfer.
------------------ End Session ---------------------------------------------------
--
Gary D. Walborn
***@gmail.com
Alexander V. Lukyanov
2012-07-26 04:57:22 UTC
Post by Gary D Walborn
I specified 'set ftp:initial-prot ""' as you suggested, but I am still
having the same problem.
Please try:

set ftp:ssl-auth TLS

--
Alexander.
Gary D Walborn
2012-07-26 12:10:47 UTC
Alexander,

THAT WORKED! Thank you very much! I appreciate the help, but I'd really
like to understand this. What "tipped you off" that that was the problem?

Thanks again,

Gary
--
Gary D. Walborn
***@gmail.com
Alexander V. Lukyanov
2012-07-26 12:24:38 UTC
Post by Gary D Walborn
THAT WORKED! Thank you very much! I appreciate the help, but I'd really
like to understand this. What "tipped you off" that that was the problem?
AUTH SSL implies PROT P by default, so lftp does not send the PROT command.
By contrast, AUTH TLS implies PROT C, so lftp sends the PROT P command.

And, BTW, my previous advice was not relevant: ftps:initial-prot is only for
implicit SSL FTP connections.
--
Alexander.
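The difference Alexander describes, modelled as an added example that is not lftp's or the vendor's code: a constructed stand-in server that, like the vendor's, refuses data transfers until it has seen a PROT command, driven through the thread's login-then-LIST sequence under both AUTH SSL and AUTH TLS. The reply wording for successful PROT and LIST, the passive address and the password are assumptions.

```python
# Added example (not lftp's or the vendor's code): a model of the explicit-FTPS
# control channel in this thread.  Client rule as Alexander explains it: after AUTH
# SSL lftp assumes PROT P is already in effect and sends no PROT; after AUTH TLS it
# assumes PROT C and therefore sends PROT P.  Server: a constructed stand-in that,
# like the vendor's, refuses data transfers until it has seen a PROT command.

NEEDS_PROT = "503 PROT command is required before data transfer."


class FtpsServer:
    """Constructed explicit-FTPS server; reply texts mirror the transcript."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.pending_user = None
        self.logged_in = False
        self.prot = None  # data-channel protection level, set only by PROT

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd == "AUTH":  # SSL and TLS both just start TLS on the control channel
            return "234 Security data exchange complete." if arg in ("SSL", "TLS") else "504 Unsupported."
        if cmd == "USER":
            self.pending_user = arg
            return f"331 Password required for {arg}."
        if cmd == "PASS":
            self.logged_in = self.pending_user == self.user and arg == self.password
            return "230 Logged in." if self.logged_in else "530 Login incorrect."
        if not self.logged_in:
            return "530 Not logged in."
        if cmd == "PBSZ":
            return "200 PBSZ command successful."
        if cmd == "PROT" and arg in ("C", "P"):
            self.prot = arg
            return f"200 Protection level set to {arg}."
        if cmd == "PASV":
            return "227 Entering Passive Mode (192,0,2,10,3,221)"
        if cmd == "LIST":  # server rule: no data transfer until PROT was sent
            return NEEDS_PROT if self.prot is None else "150 Opening data connection."
        return "502 Command not implemented."


def lftp_like_session(auth_mode, user="VendorQOH", password="constructed-secret"):
    """Replay the thread's login-then-LIST sequence; returns (prot_sent, list_reply)."""
    server = FtpsServer(user, password)
    for cmd in (f"AUTH {auth_mode}", f"USER {user}", f"PASS {password}", "PBSZ 0"):
        server.handle(cmd)
    prot_sent = auth_mode == "TLS"  # the lftp behaviour described in the thread
    if prot_sent:
        server.handle("PROT P")
    server.handle("PASV")
    return prot_sent, server.handle("LIST")
```

Running `lftp_like_session("SSL")` reproduces the 503 from the transcript, while `lftp_like_session("TLS")` gets past it because the client sent PROT P first.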
Gary D Walborn
2012-07-26 12:26:18 UTC
Alexander,

I would have never thought about that! Thanks again. You're a life
saver!

Gary
--
Gary D. Walborn
***@gmail.com
Gary D Walborn
2012-07-26 12:27:33 UTC
Oh, and by the way... I will be making another (somewhat larger) donation
to LFTP...

Gary
--
Gary D. Walborn
***@gmail.com