
curl-library

Re: FTPS: "SSL certificate problem: Invalid certificate chain" error

From: Patrick Monnerat <patrick_at_monnerat.net>
Date: Sun, 9 Apr 2017 10:25:01 +0100

On 04/09/2017 09:55 AM, Leo wrote:
>
> I wonder what am I missing and why I can't make curl connect to this
> host?
>
>
> curl
> ===========
> * Trying 125.142.62.86...
> * TCP_NODELAY set
> * Connected to <host> (125....) port 21 (#0)
> < 220 DiskStation FTP server ready.
> > AUTH SSL
> < 234 AUTH SSL command successful.
> * TLS 1.2 connection using TLS_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate: synology.com
> > USER <user>
> < 331 Password required for <user>.
> > PASS <user>
> < 230 User <user> logged in.
> > PBSZ 0
> < 200 PBSZ command successful (PBSZ=0).
> > PROT P
> < 200 Protection level set to Private.
> > PWD
> < 257 "/" is current directory.
> * Entry path is '/'
> > CWD /
> * ftp_perform ends with SECONDARY: 0
> < 250 CWD command successful.
> > PASV
> * Connect data stream passively
> < 227 Entering Passive Mode (192,.....)
> * Trying 192....
> * TCP_NODELAY set
> * Connecting to 192..... (192.....) port 55552
> * Connection failed
> * connect to 192..... port 21 failed: Operation timed out
> * Failed to connect to <host> port 21: Operation timed out
> * Closing connection 0
>
You probably have disabled EPSV: obviously your server is behind a
NATting firewall: its public address is 125.142.62.86, but it requires
you to connect to its private address (192...). There is a well-known
problem with FTP when using PASV + SSL + NAT:
- The transmitted data connection address is private, thus unreachable
from outside the server's net,
- The NATting device's deep inspection cannot translate it to the
corresponding public address because the connection is encrypted.

The only way to overcome this caveat is to suppress the use of one of
the PASV/SSL/NAT features. If the target server supports it, the easiest
would be to use EPSV instead of PASV.

You probably have a code line in your program such as:
   curl_easy_setopt(handle, CURLOPT_FTP_USE_EPSV, 0L);

Remove it and the trick should be done :-)

Patrick
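The mechanism behind the advice above, as an added example that is not code from the mail or from curl: a PASV reply (RFC 959 "227") carries the server's own idea of its address, which behind NAT is the private one and which a NAT box cannot rewrite once the control channel is under TLS; an EPSV reply (RFC 2428 "229") carries only a port, so the client connects to whatever host the control connection already reached. The two sample replies are constructed here (the PASV one encodes 192.168.1.10 and 217*256+0 = 55552, the port seen in the log); the control-connection address is taken from the log. The `skip_pasv_ip` flag shows the other workaround, ignoring the advertised address and reusing the control host, which libcurl exposes as CURLOPT_FTP_SKIP_PASV_IP; the function and struct names are this example's own.

```c
/* Added example: interpret FTP passive-mode replies and decide where the
 * data connection should go. Not code from curl or from the original mail. */
#include <stdio.h>
#include <string.h>

/* Where the client would open the data connection. */
struct data_target {
    char host[64];      /* address to connect to */
    unsigned port;      /* TCP port */
    int private_addr;   /* 1 if the server advertised an RFC 1918 address */
};

/* First two octets of a dotted quad in an RFC 1918 private range? */
static int is_rfc1918(unsigned a, unsigned b)
{
    return a == 10 ||
           (a == 172 && b >= 16 && b <= 31) ||
           (a == 192 && b == 168);
}

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
 * With skip_pasv_ip set, the advertised address is ignored and the data
 * connection targets the control-connection host instead (the workaround
 * for NAT when the control channel is encrypted and cannot be rewritten).
 * Returns 0 on success, -1 if the reply is not a well-formed 227. */
int parse_pasv(const char *reply, const char *control_host,
               int skip_pasv_ip, struct data_target *out)
{
    unsigned h[4], p[2];
    const char *paren = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || paren == NULL)
        return -1;
    if (sscanf(paren, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255)
        return -1;
    out->port = p[0] * 256 + p[1];
    out->private_addr = is_rfc1918(h[0], h[1]);
    if (skip_pasv_ip)
        snprintf(out->host, sizeof out->host, "%s", control_host);
    else
        snprintf(out->host, sizeof out->host, "%u.%u.%u.%u",
                 h[0], h[1], h[2], h[3]);
    return 0;
}

/* Parse "229 Entering Extended Passive Mode (|||port|)" (RFC 2428).
 * EPSV carries no address at all, so the data connection always goes to
 * the host the control connection already reached; nothing needs to be
 * translated by a NAT device, encrypted control channel or not.
 * Returns 0 on success, -1 if the reply is not a well-formed 229. */
int parse_epsv(const char *reply, const char *control_host,
               struct data_target *out)
{
    unsigned port;
    const char *paren = strchr(reply, '(');
    if (strncmp(reply, "229", 3) != 0 || paren == NULL)
        return -1;
    if (sscanf(paren, "(|||%u|)", &port) != 1 || port == 0 || port > 65535)
        return -1;
    out->port = port;
    out->private_addr = 0;
    snprintf(out->host, sizeof out->host, "%s", control_host);
    return 0;
}

int main(void)
{
    /* Constructed sample replies; public address taken from the log. */
    const char *control = "125.142.62.86";
    const char *pasv = "227 Entering Passive Mode (192,168,1,10,217,0)";
    const char *epsv = "229 Entering Extended Passive Mode (|||55552|)";
    struct data_target t;

    if (parse_pasv(pasv, control, 0, &t) == 0)
        printf("PASV       -> %s:%u%s\n", t.host, t.port,
               t.private_addr ? " (private, unreachable from outside)" : "");
    if (parse_pasv(pasv, control, 1, &t) == 0)
        printf("PASV+skip  -> %s:%u\n", t.host, t.port);
    if (parse_epsv(epsv, control, &t) == 0)
        printf("EPSV       -> %s:%u\n", t.host, t.port);
    return 0;
}
```

Run as is, the PASV line targets 192.168.1.10:55552 and is flagged private, while the EPSV line and the skip variant both target 125.142.62.86:55552, which is the whole difference the reply above relies on.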
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-04-09