Using lftp with IIS 7.x FTPs

Posted on 2014-09-15
Last Modified: 2015-01-25
I have an IIS 7.x FTPs server set up on port 990 with a Certificate signed by a major certificate provider (i.e. not self-signed).
It works fine with Filezilla but when I try with lftp this is what happens:

lftp
set ftp:ssl-force true
connect "IP ADDRESS"
login "username"
Password: "Password"
ls
ls: "login Failed: ftp:ssl-force is set and server does not support or allow ssl"

Above is a slightly condensed version but there is clearly a problem.
On the FTP server all I see is an anonymous connection, which is not allowed.

If I can't get lftp to work (should be able to!), then can someone recommend another ftps client for unix/linux?
Question by:ajmcqueen
10 Comments
 
Assisted Solution

by:arnold
arnold earned 500 total points
ID: 40326264
If you are able to access your FTP server using filezilla over an SSL connection, but can not with lftp, I would suggest the issue is with lftp and not with the server.
You have your FTP setup on port 990 but in your connect directive, it is not made clear that you are connecting to the special port such that the connection attempt might be attempted to port 21 or another.

Check the FTP logs on the IIS side to see whether it sees your connection attempt and reports errors.

Open two terminal windows on the client side, and use tcpdump to capture packets to make sure you are seeing outgoing/returning traffic going and coming from port 990.

Try using the -p 990 -u username when starting the process.

Author Comment

by:ajmcqueen
ID: 40329989
Thanks. That was my thought about lftp so what I did was build a new copy of the latest Ubuntu Linux 14.04 and tried to connect in from a remote location using lftp.
To cut a long story short, this script eventually gave me what I wanted:

set ftp:ssl-force true
set ftp:ssl-protect-data true
debug 4
open -u 'username','password' ftps://'url of ftp site'
ls
mget *.txt

I saved the file and then executed it:   lftp -f 'filename'

The 'url of ftp site' is the same as the Certificate of course.
However, I have a 3rd party trying to connect in who cannot get past the 'ls' command, using the same script on a unix box. He also seems to get debug messages suggesting the Certificate is not recognised/trusted. Their firewall chap said that they only needed to enable outbound port 990 to our site, not any data ports. I don't know if that is true or if something else is causing their data connection to hang. When I look at active connections in IIS, all I see is anonymous connection from the 3rd party. Anonymous connections are blocked.

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 40330552
One, it is difficult to see what the error is.
One thing to check is whether the certificate you loaded includes the certificate chain, i.e. you have the server certificate and need to include the chain of certificates from the CA who signed it. This deals with apps that do not have the CA certificate on their own as trusted, i.e. the CA signer of your certificate is not known to lftp. Not sure whether lftp has an option to ignore the validity of the certificate.

Author Comment

by:ajmcqueen
ID: 40334659
OK. I would be surprised if that was the case but it's definitely worth checking. Thanks!

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 40334905
lftp has an option ssl:ca-path either pointing to a file with trusted CA certificates or a directory with individual files that contain ca certificates.
Either way you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue.

openssl s_client -connect is a tool that can be used to see what certificate(s) are transmitted for the ssl connection.

Author Comment

by:ajmcqueen
ID: 40336391
Arnold,

Just to be clear....
we definitely have the Intermediate and Global Certs required for connection on the host FTP server. The signing authority is GeoTrust and the cert path looks good to me.
And of course I was able to connect via lftp and FileZilla from Linux and Windows PCs respectively so I can't think there is a problem with the server-side SSL setup. Another 3rd party is also able to connect without problems.

However, this 3rd party is trying to connect via a Unix box that may be older and less-frequently maintained with respect to certs. Do you think it is possible they are missing the required cert(s) or have an expired one? Would they need both or just the Global Cert and could I send them ours by exporting from the Windows Computer Cert store? I think that is what you are referring to here: "you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue".

Accepted Solution

by:arnold
arnold earned 500 total points
ID: 40337250
You could send them only the public certificate via export (do not include the private key, just to be clear).

There is a way that IIS can be configured to transmit not only your certificate, i.e. www.yourdomain.com,
but to include the chain (GeoTrust Global and the GeoTrust signing certificate); this often deals with applications/systems that might not have all the root certificates. Double check your CA certificate store to make sure you do not also have expired certificates. Different vendors include tools to test the certificate.

It is very likely that this particular third party does not have, or has an outdated/expired copy of, the certificate of the signing certificate authority.

You can provide them the public CA certificates from GeoTrust that signs your certificate.

Alternatively, you could direct the third party to http://www.geotrust.com/resources/root-certificates/index.html to download and add all the GeoTrust root CAs into their trusted certificate file/directory and see if that resolves the issue.
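A client-side check for the situation arnold describes above (and for the trust store that lftp's ssl:ca-file / ssl:ca-path setting supplies, from his earlier comment): walk the chain that `openssl s_client -showcerts` prints and report the first issuer the client can find neither in what the server sent nor in its own trusted roots. This is an added example, not code from the thread or from lftp or OpenSSL; the s_client output and the CA names in it are constructed placeholders, and parse_chain / find_chain_gap are hypothetical helper names.

```python
import re

# Constructed samples of the "Certificate chain" section that
# `openssl s_client -showcerts` prints; the CA names are placeholders.
SAMPLE_FULL_CHAIN = """\
Certificate chain
 0 s:/C=GB/O=Example Ltd/CN=ftps.example.com
   i:/C=US/O=Example CA Inc/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA Inc/CN=Example Intermediate CA
   i:/C=US/O=Example CA Inc/CN=Example Root CA
---
"""
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/C=GB/O=Example Ltd/CN=ftps.example.com
   i:/C=US/O=Example CA Inc/CN=Example Intermediate CA
---
"""
# Subjects the client already trusts (what lftp loads from ssl:ca-file).
TRUSTED_ROOTS = {"/C=US/O=Example CA Inc/CN=Example Root CA"}

SUBJ_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:/C=..." lines
ISSUER_RE = re.compile(r"^\s*i:(.*)$")         # "   i:/C=..." lines


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    for line in s_client_output.splitlines():
        m = SUBJ_RE.match(line)
        if m:
            chain.append([m.group(2).strip(), None])
            continue
        m = ISSUER_RE.match(line)
        if m and chain and chain[-1][1] is None:
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]


def find_chain_gap(chain, trusted_roots):
    """Walk leaf -> root. Return None when every issuer is either the next
    certificate the server sent or a subject in trusted_roots; otherwise
    return the first issuer DN the client cannot find anywhere."""
    if not chain:
        return "no certificates presented"
    for idx, (_subject, issuer) in enumerate(chain):
        if issuer in trusted_roots:
            return None
        if idx + 1 < len(chain) and chain[idx + 1][0] == issuer:
            continue  # server supplied the issuer; keep walking up
        return issuer
```

A reported DN is the certificate to add to the file named by ssl:ca-file (or to have the server send as part of its chain); None means the chain already closes on a root the client trusts.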

Author Comment

by:ajmcqueen
ID: 40338464
The certificates were only installed a year ago. If I follow the chain up from the IIS cert I find that the root cert is valid until 2022 and the intermediate until 2020. The actual cert has an expiry of Feb 2015.
The config for IIS to present the full chain of certs to clients would be useful. I'll have a look at that. In the meantime I'll send them the link to Geotrust to get their own certs.

Thanks! Will let you know how it goes.

Author Comment

by:ajmcqueen
ID: 40568974
It turns out the 3rd party trying to connect to our server had not set up rules in their firewall to access our server!

Author Closing Comment

by:ajmcqueen
ID: 40568975
Whilst the 3rd party was at fault, all the comments from Arnold were good, so I would like to award him the points.