
Using lftp with IIS 7.x FTPs

Posted on 2014-09-15
Last Modified: 2015-01-25
I have an IIS 7.x FTPs server set up on port 990 with a Certificate signed by a major certificate provider (i.e. not self-signed).
It works fine with Filezilla but when I try with lftp this is what happens:

lftp
set ftp:ssl-force true
connect "IP ADDRESS"
login "username"
Password: "Password"
ls
ls: "login Failed: ftp:ssl-force is set and server does not support or allow ssl"

Above is a slightly condensed version, but there is clearly a problem.
On the FTP server all I see is an anonymous connection, which is not allowed.

If I can't get lftp to work (I should be able to!), then can someone recommend another FTPS client for Unix/Linux?
Question by:ajmcqueen
 
Assisted Solution

by:arnold
ID: 40326264
If you are able to access your FTP server using Filezilla over an SSL connection but cannot with lftp, I would suggest the issue is with lftp and not with the server.
You have your FTP set up on port 990, but in your connect directive it is not made clear that you are connecting to that special port, so the connection attempt might be made to port 21 or another port.

Check the FTP logs on the IIS side to see whether it sees your connection attempt and reports errors.

Open two terminal windows on the client side and use tcpdump to capture packets to make sure you are seeing outgoing/returning traffic going to and coming from port 990.

Try using the -p 990 -u username when starting the process.

Author Comment

by:ajmcqueen
ID: 40329989
Thanks. That was my thought about lftp so what I did was build a new copy of the latest Ubuntu linux 14.04 and tried to connect in from a remote location using lftp.
To cut a long story short, this script eventually gave me what I wanted:

set ftp:ssl-force true
set ftp:ssl-protect-data true
debug 4
open -u 'username','password' ftps://'url of ftp site'
ls
mget *.txt

I saved the file and then executed it:   lftp -f 'filename'

The 'url of ftp site' is the same as the Certificate of course.
However, I have a 3rd party trying to connect in who cannot get past the 'ls' command, using the same script on a unix box. He also seems to get debug messages suggesting the Certificate is not recognised/trusted. Their firewall chap said that they only needed to enable outbound port 990 to our site, not any data ports. I don't know if that is true or if something else is causing their data connection to hang. When I look at active connections in IIS, all I see is anonymous connection from the 3rd party. Anonymous connections are blocked.
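The data-channel hang described in this comment (login succeeds, `ls` never returns, only port 990 open outbound) can be pinned down from lftp's `debug` output, because the server's passive-mode reply names the data port the client is about to connect to. The following is an added example, not code from the thread: the hostname ftp.example.com, the address 192.0.2.10 and the transcript itself are constructed, and the helper names are mine. The control channel is TLS, so tcpdump cannot show the 227 reply; lftp's debug output can.

```shell
#!/bin/sh
# Added example: derive the FTPS data port from the server's 227 reply in an
# lftp debug transcript, and detect the "data socket opened, no 150 reply"
# stall that a firewall allowing only port 990 produces.

# Constructed lftp debug transcript (hostname/address are examples):
# login succeeds, the server answers PASV, the listing never arrives.
SAMPLE_DEBUG='---- Connecting to ftp.example.com (192.0.2.10) port 990
<--- 220 Microsoft FTP Service
---> USER username
<--- 331 Password required for username.
---> PASS XXXX
<--- 230 User logged in.
---> PBSZ 0
<--- 200 PBSZ command successful.
---> PROT P
<--- 200 PROT command successful.
---> PASV
<--- 227 Entering Passive Mode (192,0,2,10,195,89).
---- Connecting data socket to (192.0.2.10) port 50009
---> LIST'

# Print host:port for every 227 reply on stdin.
# The passive port is p1*256 + p2 (here 195*256 + 89 = 50009).
pasv_endpoints() {
    sed -n 's/.*227 .*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' |
    while read -r host p1 p2; do
        echo "$host:$((p1 * 256 + p2))"
    done
}

# Exit 0 when a data socket was opened but no 150/125 reply followed:
# the symptom of the data port being blocked while 990 itself is open.
data_channel_stalled() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'Connecting data socket' &&
    ! printf '%s\n' "$log" | grep -Eq '^<--- (150|125) '
}

# Exit 0 when a passive port falls inside the range a firewall rule allows
# (arguments: port low high).
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}
```

Run it on a real transcript with `lftp -d -f script 2>&1 | tee session.log` and then `pasv_endpoints < session.log`. If the port printed is outside what the third party's firewall allows outbound (only 990 in this thread), that is the hang: the rule must also cover the server's passive data port range (configured in IIS under FTP Firewall Support), and tcpdump on the client, as arnold suggested, will show the SYN to that port going unanswered.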

Assisted Solution

by:arnold
ID: 40330552
One, it is difficult to see what the error is.
One thing to check is whether the certificate you loaded includes the certificate chain, i.e. you have the server certificate and need to include the chain of certificates from the CA who signed it. This deals with apps that do not have the CA certificate on their own as trusted, i.e. the CA signer of your certificate is not known to lftp. Not sure whether lftp has an option to ignore the validity of the certificate.

Author Comment

by:ajmcqueen
ID: 40334659
OK. I would be surprised if that was the case but it's definitely worth checking. Thanks!

Assisted Solution

by:arnold
ID: 40334905
lftp has an option ssl:ca-path either pointing to a file with trusted CA certificates or a directory with individual files that contain ca certificates.
Either way you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue.

openssl s_client -connect is a tool that can be used to see what certificate(s) are transmitted for the SSL connection.
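The `openssl s_client` check suggested above, written out as an added example (not from the thread): it captures what the server sends on port 990 and classifies the result the way a client like lftp would see it. Port 990 is implicit TLS, so s_client can talk to it directly; an explicit-FTPS server on port 21 would need `-starttls ftp`. The hostname ftp.example.com, the "Example CA" names and the two s_client transcripts are constructed, and the helper names are mine.

```shell
#!/bin/sh
# Added example: inspect the certificate chain an implicit-FTPS server
# presents and decide whether the intermediate is missing or the client
# simply lacks the root.

# Live check against a real server (hostname assumed; not used by the test).
fetch_chain() {
    host=$1; port=${2:-990}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null
}

# Constructed s_client output: server sends only its own certificate.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = ftp.example.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = ftp.example.com
   i:O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...base64 body omitted in this constructed sample...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ftp.example.com
issuer=O = Example CA, CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed s_client output: leaf plus intermediate, root trusted locally.
SAMPLE_FULL='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ftp.example.com
   i:O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...constructed...
-----END CERTIFICATE-----
 1 s:O = Example CA, CN = Example Intermediate CA
   i:O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIID...constructed...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---'

# Number of PEM certificates in the output; 1 means no intermediate was sent.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# The numeric "Verify return code" (0 = chain verified with the local store).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1
}

# Read s_client output on stdin, print one line whose first field is the verdict.
diagnose() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_certs)
    code=$(printf '%s\n' "$out" | verify_code)
    code=${code:-unknown}
    if [ "$n" -eq 0 ]; then
        echo "no-tls: no certificate received (refused, wrong port, or not implicit TLS)"
    elif [ "$code" = 0 ]; then
        echo "ok: $n certificate(s) sent and the chain verified against the local trust store"
    elif [ "$n" -le 1 ]; then
        echo "incomplete-chain: only the leaf was sent (verify code $code); make IIS send the intermediate, or point lftp at a bundle with set ssl:ca-file"
    else
        echo "untrusted-root: $n certificates sent, verify code $code; the client trust store lacks the root"
    fi
}
```

Usage against a live server is `fetch_chain ftp.example.com | diagnose`. If the verdict is `incomplete-chain` or `untrusted-root`, the client-side fix is `set ssl:ca-file /path/to/bundle.pem` in the lftp script, where the bundle is the intermediate and root concatenated in PEM form (a DER `.cer` exported from a Windows store converts with `openssl x509 -inform der -in ca.cer -out ca.pem`). `set ssl:verify-certificate no` only confirms the diagnosis by switching verification off and should not be left in a production script.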

Author Comment

by:ajmcqueen
ID: 40336391
Arnold,

Just to be clear....
We definitely have the Intermediate and Global certs required for connection on the host FTP server. The signing authority is GeoTrust and the cert path looks good to me.
And of course I was able to connect via lftp and FileZilla from Linux and Windows PCs respectively, so I can't think there is a problem with the server-side SSL setup. Another 3rd party is also able to connect without problems.

However, this 3rd party is trying to connect via a Unix box that may be older and less-frequently maintained with respect to certs. Do you think it is possible they are missing the required cert(s) or have an expired one? Would they need both or just the Global Cert and could I send them ours by exporting from the Windows Computer Cert store? I think that is what you are referring to here: "you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue".

Accepted Solution

by:arnold
ID: 40337250
You could send them only the public certificate via export (do not include the private key, just to be clear).

There is a way that IIS can be configured to transmit not only your certificate (i.e. www.yourdomain.com)
but also the chain (GeoTrust Global and GeoTrust signing); this often deals with applications/systems that might not have all the root certificates. Double check your CA certificate store to make sure you do not also have expired certificates. Different vendors include tools to test the certificate.

It is very likely that this particular third party does not have, or has an outdated/expired copy of, the certificate of the signing certificate authority.

You can provide them the public CA certificates from  Geotrust that signs your certificate.

Alternatively, you could direct the third party to http://www.geotrust.com/resources/root-certificates/index.html to download and add all the GeoTrust root CAs into their trusted certificate file/directory and see if that resolves the issue.

Author Comment

by:ajmcqueen
ID: 40338464
The certificates were only installed a year ago. If I follow the chain up from the IIS cert I find that the root cert is valid until 2022 and the intermediate until 2020. The actual cert has an expiry of Feb 2015.
The config for IIS to present the full chain of certs to clients would be useful. I'll have a look at that. In the meantime I'll send them the link to Geotrust to get their own certs.

Thanks! Will let you know how it goes.

Author Comment

by:ajmcqueen
ID: 40568974
It turns out the 3rd party trying to connect to our server had not set up rules in their firewall to access our server!

Author Closing Comment

by:ajmcqueen
ID: 40568975
Whilst the 3rd party was at fault, all the comments from Arnold were good, so I would like to award him the points.