Using lftp with IIS 7.x FTPs

Posted on 2014-09-15
Last Modified: 2015-01-25
I have an IIS 7.x FTPS server set up on port 990 with a certificate signed by a major certificate provider (i.e. not self-signed).
It works fine with Filezilla but when I try with lftp this is what happens:

lftp
set ftp:ssl-force true
connect "IP ADDRESS"
login "username"
Password: "Password"
ls
ls: "Login failed: ftp:ssl-force is set and server does not support or allow SSL"

Above is a slightly condensed version but there is clearly a problem.
On the FTP server all I see is an anonymous connection, which is not allowed.

If I can't get lftp to work (I should be able to!), then can someone recommend another FTPS client for Unix/Linux?
Question by:ajmcqueen

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 40326264
If you are able to access your FTP server using FileZilla over an SSL connection, but cannot with lftp, I would suggest the issue is with lftp and not with the server.
You have your FTP set up on port 990, but in your connect directive it is not made clear that you are connecting to that special port, so the connection attempt might be made to port 21 or another.

Check the FTP logs on the IIS side to see whether it sees your connection attempt and reports errors.

Open two terminal windows on the client side, and use tcpdump to capture packets to make sure you are seeing outgoing/returning traffic going to and coming from port 990.

Try using the -p 990 -u username when starting the process.

Author Comment

by:ajmcqueen
ID: 40329989
Thanks. That was my thought about lftp, so what I did was build a new copy of the latest Ubuntu Linux 14.04 and tried to connect in from a remote location using lftp.
To cut a long story short, this script eventually gave me what I wanted:

set ftp:ssl-force true
set ftp:ssl-protect-data true
debug 4
open -u 'username','password' ftps://'url of ftp site'
ls
mget *.txt

I saved the file and then executed it:   lftp -f 'filename'

The 'url of ftp site' is the same as the Certificate of course.
However, I have a 3rd party trying to connect in who cannot get past the 'ls' command, using the same script on a unix box. He also seems to get debug messages suggesting the Certificate is not recognised/trusted. Their firewall chap said that they only needed to enable outbound port 990 to our site, not any data ports. I don't know if that is true or if something else is causing their data connection to hang. When I look at active connections in IIS, all I see is anonymous connection from the 3rd party. Anonymous connections are blocked.
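The same connection the lftp script above makes, written out with Python's ftplib so the individual steps are visible: TLS before the first FTP byte (what `ftps://` on 990 means), certificate verification against a CA bundle (lftp's `ssl:ca-file`), and PROT P on the data channel (lftp's `ftp:ssl-protect-data`). This is an added example for this thread, not code from the original post. ftplib only knows explicit FTPS out of the box, so the implicit variant is done by overriding `connect()`; HOST, USER, PASSWORD and CAFILE are placeholders, and the 227 reply fed to `parse_pasv` in the docstring is a constructed sample.

```python
"""Implicit FTPS (TLS from the first byte, port 990) with Python's ftplib.

Added example for this thread, not code from the original post. HOST, USER,
PASSWORD and CAFILE below are placeholders to fill in.
"""
from __future__ import annotations

import re
import socket
import ssl
from ftplib import FTP_TLS

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): the data connection goes to
# h1.h2.h3.h4 on port p1*256+p2. A client firewall that only allows outbound
# 990 therefore hangs at the first 'ls' or 'mget', even though login worked.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 PASV reply, e.g. (constructed sample)
    '227 Entering Passive Mode (192,0,2,10,195,80).' -> ('192.0.2.10', 50000)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def make_tls_context(cafile: str | None = None) -> ssl.SSLContext:
    """Strict client context: CERT_REQUIRED, hostname check on, TLS 1.2+.

    cafile is a PEM bundle holding the CA chain that signed the server
    certificate (lftp: 'set ssl:ca-file ...'); None means the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ImplicitFTPS(FTP_TLS):
    """FTP_TLS speaks explicit FTPS (plain connect, then AUTH TLS on port 21).

    IIS on port 990 expects the TLS handshake before any FTP reply, so the
    socket is wrapped inside connect(). FTP_TLS.login() then skips AUTH TLS
    because the socket is already an SSLSocket; prot_p() covers the data side.
    """

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        if source_address is not None:
            self.source_address = source_address
        raw = socket.create_connection((self.host, self.port), self.timeout,
                                       source_address=self.source_address)
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        self.af = self.sock.family
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def list_directory(host: str, user: str, password: str,
                   cafile: str | None = None, port: int = 990) -> list[str]:
    """Log in over implicit FTPS with a protected data channel and list '.'."""
    ftps = ImplicitFTPS(context=make_tls_context(cafile))
    ftps.set_debuglevel(1)         # echoes the 227 reply, i.e. the data port in use
    ftps.connect(host, port, timeout=30)
    ftps.login(user, password)     # credentials only ever cross the TLS channel
    ftps.prot_p()                  # PBSZ 0 / PROT P == lftp ftp:ssl-protect-data
    ftps.set_pasv(True)
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    # Placeholders (assumptions, not values from the thread).
    HOST, USER, PASSWORD, CAFILE = "ftp.example.com", "username", "password", None
    for name in list_directory(HOST, USER, PASSWORD, CAFILE):
        print(name)
```

If `login()` succeeds but `nlst()` stalls, read the 227 line from the debug output through `parse_pasv`: that host:port is the data connection the client firewall also has to allow, in addition to 990.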

Assisted Solution

by:arnold
ID: 40330552
One, it is difficult to see what the error is.
One thing to check is whether the certificate you loaded includes the certificate chain, i.e. you have the server certificate and need to include the chain of certificates from the CA who signed it. This deals with apps that do not have the CA certificate on their own as trusted, i.e. the CA signer of your certificate is not known to lftp. I am not sure whether lftp has an option to ignore the validity of the certificate.

Author Comment

by:ajmcqueen
ID: 40334659
OK. I would be surprised if that was the case but it's definitely worth checking. Thanks!

Assisted Solution

by:arnold
ID: 40334905
lftp has an option ssl:ca-path either pointing to a file with trusted CA certificates or a directory with individual files that contain ca certificates.
Either way you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue.

openssl s_client -connect is a tool that can be used to see what certificate(s) are transmitted for the SSL connection.
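The openssl s_client check suggested in the comment above, wrapped so its output is read back and the two failure modes discussed in this thread are told apart: the server sends only its own certificate (the intermediate is missing on the server side), versus the full chain arrives but the client has no trusted root for it (a client-side fix: lftp's ssl:ca-file or ssl:ca-path). This is an added example, not code from the original post. It assumes implicit TLS on port 990, so no `-starttls ftp` is passed; `ftp.example.com` is a placeholder, and the two sample outputs at the bottom are constructed, with the PEM bodies elided.

```python
"""Read 'openssl s_client -showcerts' output and say which side to fix.

Added example for this thread, not code from the original post. Verify codes
used: 19 self signed certificate in chain, 20 unable to get local issuer
certificate, 21 unable to verify the first certificate (OpenSSL X509_V_ERR_*).
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# " 0 s:<subject>" followed by "   i:<issuer>" for each chain entry
CHAIN_ENTRY_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.M)
# With -showcerts every chain entry carries its PEM and the leaf is not
# repeated under "Server certificate", so PEM count == chain length.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")


@dataclass
class ChainReport:
    subjects: list = field(default_factory=list)
    issuers: list = field(default_factory=list)
    certs_sent: int = 0
    verify_code: int = -1
    verify_text: str = ""


def run_s_client(host: str, port: int = 990, cafile: str | None = None) -> str:
    """Run openssl s_client against host:port (implicit TLS) and return its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    if cafile:
        cmd += ["-CAfile", cafile]       # the same bundle you would hand to lftp
    # Empty stdin makes s_client exit after the handshake instead of waiting.
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


def parse_s_client(output: str) -> ChainReport:
    report = ChainReport()
    for subject, issuer in CHAIN_ENTRY_RE.findall(output):
        report.subjects.append(subject.strip())
        report.issuers.append(issuer.strip())
    report.certs_sent = len(PEM_RE.findall(output))
    m = VERIFY_RE.search(output)
    if m:
        report.verify_code = int(m.group(1))
        report.verify_text = m.group(2)
    return report


def diagnose(report: ChainReport) -> str:
    """Map the report to the next action; the prefix is what the tests check."""
    if report.certs_sent == 0:
        return "no certificate received: wrong port, or not implicit TLS on this port"
    if report.verify_code == 0:
        return "chain verified: certificate trust is not this client's problem"
    if report.certs_sent == 1 and report.verify_code in (20, 21):
        return "server sends only its own certificate: install the intermediate chain on the IIS side"
    if report.certs_sent >= 2 and report.verify_code in (19, 20):
        return "chain sent but root not trusted locally: add the CA to the client store (lftp: set ssl:ca-file)"
    return f"verification failed: {report.verify_code} ({report.verify_text})"


# Constructed sample outputs (PEM bodies elided), not captured from a real server.
SAMPLE_FULL_CHAIN = """\
CONNECTED(00000003)
Certificate chain
 0 s:/C=GB/O=Example Ltd/CN=ftp.example.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
MIIF...leaf...
-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID...intermediate...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=GB/O=Example Ltd/CN=ftp.example.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA
---
    Verify return code: 0 (ok)
"""

SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
Certificate chain
 0 s:/C=GB/O=Example Ltd/CN=ftp.example.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA
-----BEGIN CERTIFICATE-----
MIIF...leaf...
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    print(diagnose(parse_s_client(SAMPLE_LEAF_ONLY)))
    print(diagnose(parse_s_client(run_s_client("ftp.example.com"))))  # placeholder host
```

Run it from the third party's machine as well as your own: if your box reports "chain verified" and theirs reports "chain sent but root not trusted locally", the chain on IIS is fine and only their trust store needs the GeoTrust roots; if both report "server sends only its own certificate", the intermediate is missing on the server.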

Author Comment

by:ajmcqueen
ID: 40336391
Arnold,

Just to be clear....
we definitely have the Intermediate and Global Certs required for connection on the host FTP server. The signing authority is GeoTrust and the cert path looks good to me.
And of course I was able to connect via lftp and FileZilla from Linux and Windows PCs respectively, so I can't think there is a problem with the server-side SSL setup. Another 3rd party is also able to connect without problems.

However, this 3rd party is trying to connect via a Unix box that may be older and less-frequently maintained with respect to certs. Do you think it is possible they are missing the required cert(s) or have an expired one? Would they need both or just the Global Cert and could I send them ours by exporting from the Windows Computer Cert store? I think that is what you are referring to here: "you would need to add the signing CA/chain that signed your certificate and see if that resolves your issue".

Accepted Solution

by:arnold
ID: 40337250
You could send them only the public certificate via export (do not include the private key, just to be clear).

There is a way that IIS can be configured to transmit not only your certificate, i.e. www.yourdomain.com, but to include the chain (GeoTrust Global and the GeoTrust signing certificate); this often deals with applications/systems that might not have all the root certificates. Double check your CA certificate store to make sure you do not also have expired certificates. Different vendors include tools to test the certificate.

It is very likely that this particular third party does not have or has an outdated/expired certificate of the signing certificate authority

You can provide them the public CA certificates from  Geotrust that signs your certificate.

Alternatively, you could direct the third party to http://www.geotrust.com/resources/root-certificates/index.html to download and add all the GeoTrust root CAs into their trusted certificate file/directory and see if that resolves the issue.

Author Comment

by:ajmcqueen
ID: 40338464
The certificates were only installed a year ago. If I follow the chain up from the IIS cert I find that the root cert is valid until 2022 and the intermediate until 2020. The actual cert has an expiry of Feb 2015.
The config for IIS to present the full chain of certs to clients would be useful. I'll have a look at that. In the meantime I'll send them the link to Geotrust to get their own certs.

Thanks! Will let you know how it goes.

Author Comment

by:ajmcqueen
ID: 40568974
It turns out the 3rd party trying to connect to our server had not set up rules in their firewall to access our server!

Author Closing Comment

by:ajmcqueen
ID: 40568975
Whilst the 3rd party was at fault, all the comments from Arnold were good so I would like to award him the points