Re: FTPS: "SSL certificate problem: Invalid certificate chain" error

From: Leo <leo.r_at_rogers.com>
Date: Sun, 9 Apr 2017 04:55:51 -0400

Hi Ray,

Thanks for the info! You nudged me in the right direction.

Now I understand that there's no issue with the certificate - when I bypass
it, AUTH SSL succeeds.

The problem is the directory - and here something strange happens. Both
curl and Cyberduck report "No such file or directory."

However, Cyberduck still connects to the server after this, while curl
fails.

If I don't specify any path, Cyberduck still connects to the host, while
curl fails with "Operation timed out" error.

I included both logs below when connecting without specifying any path.

I wonder what I am missing and why I can't make curl connect to this host.

curl
===========
* Trying 125.142.62.86...
* TCP_NODELAY set
* Connected to <host> (125....) port 21 (#0)
< 220 DiskStation FTP server ready.
> AUTH SSL
< 234 AUTH SSL command successful.
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: synology.com
> USER <user>
< 331 Password required for <user>.
> PASS <user>
< 230 User <user> logged in.
> PBSZ 0
< 200 PBSZ command successful (PBSZ=0).
> PROT P
< 200 Protection level set to Private.
> PWD
< 257 "/" is current directory.
* Entry path is '/'
> CWD /
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful.
> PASV
* Connect data stream passively
< 227 Entering Passive Mode (192,.....)
* Trying 192....
* TCP_NODELAY set
* Connecting to 192..... (192.....) port 55552
* Connection failed
* connect to 192..... port 21 failed: Operation timed out
* Failed to connect to <host> port 21: Operation timed out
* Closing connection 0

Cyberduck
======
AUTH TLS
234 AUTH SSL command successful.
USER <user>
331 Password required for <user>.
PASS ********
230 User <user> logged in.
PBSZ 0
200 PBSZ command successful (PBSZ=0).
PROT P
200 Protection level set to Private.
FEAT
211- Extensions supported:
  AUTH TLS
  PBSZ
  PROT
  SIZE
  MDTM
  MFMT
  REST STREAM
  MLST type*;modify*;size*;UNIX.mode*;UNIX.owner*;UNIX.group*;
  MLSD
211 End.
SYST
215 UNIX Type: L8
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (192,...)
[Replacing site local address 192.... with 125....]
MLSD
150 Opening BINARY mode SSL data connection for 'file list'.
type=file;modify=19700101000000;size=0;UNIX.mode=0755;UNIX.owner=root;UNIX.group=users;
home
type=dir;modify=20160714022945;size=4096;UNIX.mode=0755;UNIX.owner=root;UNIX.group=users;
<name>
226 Transfer complete.

Thanks,
Leo

On 4/8/17 2:08 PM, Ray Satiro via curl-library wrote:
> On 4/7/2017 7:09 PM, Leo wrote:
>> macOS Sierra
>> libcurl/7.51.0
>>
>> Here's the details of the problem:
>>
>> -I'm trying to connect to an FTPS server
>> -CURLOPT_FTP_SSL, CURLFTPSSL_ALL
>> -CURLOPT_SSL_VERIFYHOST: false
>> -CURLOPT_SSL_VERIFYPEER: false
>> -I'm getting generic error (Server denied you to change to the given
>> directory)
>> -If I set CURLOPT_VERIFYPEER to true, I get this error: "SSL
>> certificate problem: Invalid certificate chain"
>>
>> -When I use Cyberduck and FileZilla, I get an "invalid certificate"
>> warning which lets me either view certificate OR connect ignoring
>> certificate
>>
>> I don't have issues connecting to other FTPS servers with curl.
>>
>> What am I missing?
>>
>> How can I connect to this server with an option to bypass the
>> certificate warning?
> Those things don't have anything to do with one another. What is the
> full curl_version()? You can set CURLOPT_VERBOSE to 1L to figure out
> what's happening:
>
> curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
>
> The verbose output should show the PWD after login. Either make your
> path relative to that or if it's an absolute path add another / before
> the path like ftps://host//foo/bar.
>
> To disable the certificate warning you set both the verify options to 0L:
>
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
>
> Disabling verification makes the transfer insecure, and it opens you up
> to MITM attacks. The safe thing to do is obtain the certificate from the
> server, verify the CA signer through other means and then pass that to
> libcurl using CURLOPT_CAINFO [1] so that it can verify the certificate
> is what you expect.
>
>
> [1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-04-09
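In the curl log above the server answers PASV with a 192.x.x.x address and curl times out trying to reach it, while Cyberduck logs "[Replacing site local address ...]" and connects to the public address it already talks to. The following is an added example (not from this thread or the curl project) of that check in C: it parses a 227 reply, flags RFC 1918 addresses and falls back to the control connection's peer; the reply string and addresses are constructed from the redacted values in the logs. libcurl provides the same behaviour through CURLOPT_FTP_SKIP_PASV_IP.

```c
#include <stdio.h>
#include <string.h>

/* Endpoint advertised in a 227 reply, plus whether it is an RFC 1918
 * address (10/8, 172.16/12, 192.168/16) that is unreachable across NAT. */
typedef struct {
    char host[16];   /* dotted quad as advertised */
    unsigned port;   /* p1*256 + p2 */
    int is_private;
} pasv_info;

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
 * Returns 1 on success, 0 for anything that is not a well-formed 227. */
int parse_pasv(const char *line, pasv_info *out)
{
    unsigned h[4], p[2];
    const char *open = strchr(line, '(');
    if (strncmp(line, "227", 3) != 0 || open == NULL)
        return 0;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)", &h[0], &h[1], &h[2], &h[3],
               &p[0], &p[1]) != 6)
        return 0;
    for (int i = 0; i < 4; i++)          /* reject octets > 255 */
        if (h[i] > 255) return 0;
    if (p[0] > 255 || p[1] > 255) return 0;
    snprintf(out->host, sizeof out->host, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    out->port = p[0] * 256 + p[1];
    out->is_private = (h[0] == 10)
                   || (h[0] == 172 && h[1] >= 16 && h[1] <= 31)
                   || (h[0] == 192 && h[1] == 168);
    return 1;
}

/* Pick the host for the data connection: keep the advertised address unless
 * it is private, in which case reuse the control connection's peer address
 * (what Cyberduck's log line and CURLOPT_FTP_SKIP_PASV_IP describe). */
const char *choose_data_host(const pasv_info *pi, const char *control_host,
                             char *chosen, size_t n)
{
    snprintf(chosen, n, "%s", pi->is_private ? control_host : pi->host);
    return chosen;
}

int main(void)
{
    /* Constructed reply shaped like the one in the log: 217*256 + 0 = 55552 */
    const char *reply = "227 Entering Passive Mode (192,168,1,10,217,0)";
    pasv_info pi; char target[16];
    if (!parse_pasv(reply, &pi)) return 1;
    choose_data_host(&pi, "125.142.62.86", target, sizeof target);
    printf("advertised %s:%u (private=%d) -> connecting to %s:%u\n",
           pi.host, pi.port, pi.is_private, target, pi.port);
    return 0;
}
```

The substitution is only right when the client sits outside the server's NAT; on the server's own LAN the private address is the correct one, which is why clients make this a per-connection option rather than an unconditional rewrite.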