Thursday, October 9, 2014

Using lftp client to test an ftps connection with ftp servers

FTPS is FTP secured with SSL/TLS.

A few facts

  • This is not SFTP and not FTP over SSH [1]
  • FTPS uses X.509 certificates (SSL/TLS underneath FTP) and validates the certificate chain, while SFTP uses SSH keys.
  • FTP servers must be explicitly configured for TLS/SSL support; not all FTP servers support FTPS.

Does an FTP server support FTPS?

The command below tells you whether an FTP server supports FTPS. You will get a warning if the server uses a self-signed certificate or presents a certificate that the client cannot verify; in that case the last line shows a verify return code of 1 rather than 0 (ok). Even when the certificate cannot be verified the data exchange is still encrypted, but it is not authenticated: without a verifiable chain the client cannot tell whether it is talking to the intended server.

$ openssl s_client -connect dropbox.redhat.com:21 -starttls ftp
CONNECTED(00000003)
---
Certificate chain
 0 s:/2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4571 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 5B2D03F4E9682534FA8C83E51FF0D742481B017DC27A90007CD1E3C7DA0FCA9C
    Session-ID-ctx:
    Master-Key: A6E9F2D2F06DDB651C311A6B0C2200CD89DC5EB4D70B75E97C962415F52DF9D67E2069FEC6E21A62680EE7C16706F033
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1412838506
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
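The same check can be scripted. The Python below is an added example and is not part of the original post: it performs the probe that `openssl s_client -starttls ftp` does by hand, reading the 220 greeting, asking for FEAT, sending AUTH TLS and upgrading the socket with certificate and host-name verification enabled, so a chain that does not validate is reported instead of silently accepted. The reply parser handles multi-line replies such as the FEAT listing. The host name on the command line and the constructed FEAT reply in the demo are assumptions, not values from the post.

```python
"""Added example (not from the original post): the openssl s_client
-starttls ftp check done by hand in Python, so the result can be scripted.

Assumptions (none of this is from the post): the host name passed on the
command line, and the constructed FEAT reply used in the demo below.
"""
import re
import socket
import ssl
import sys

# "ddd " ends a reply, "ddd-" opens a multi-line reply (RFC 959, section 4.2)
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(text):
    """Parse one FTP control reply into (code, lines).

    Single-line: '234 Proceed with negotiation.' -> (234, ['Proceed with negotiation.']).
    Multi-line: '211-Features:' ... '211 End'; the lines in between are kept
    verbatim (FEAT indents each feature with one space).
    """
    lines = text.splitlines()
    m = REPLY_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("malformed FTP reply: %r" % text[:40])
    code, sep, body = m.group(1), m.group(2), [m.group(3)]
    if sep == " ":
        return int(code), body
    for line in lines[1:]:
        end = REPLY_RE.match(line)
        if end and end.group(1) == code and end.group(2) == " ":
            body.append(end.group(3))
            return int(code), body
        body.append(line)
    raise ValueError("unterminated multi-line reply %s" % code)


def _advertises_auth_tls(code, lines):
    # FEAT gives '211-Features:' ... '211 End'; drop those two framing lines
    return code == 211 and "AUTH TLS" in {l.strip().upper() for l in lines[1:-1]}


def feat_offers_tls(feat_reply):
    """True when a FEAT reply advertises AUTH TLS, i.e. explicit FTPS."""
    code, lines = parse_reply(feat_reply)
    return _advertises_auth_tls(code, lines)


def _read_reply(sock):
    """Read from the control socket until one complete reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the control connection")
        buf += chunk
        if not buf.endswith(b"\n"):
            continue                      # partial line, keep reading
        try:
            return parse_reply(buf.decode("utf-8", "replace").rstrip("\r\n"))
        except ValueError as exc:
            if "unterminated" not in str(exc):
                raise                     # garbage on the control channel
            # multi-line reply still in progress: keep reading


def probe_ftps(host, port=21, cafile=None, timeout=10):
    """Greeting -> FEAT -> AUTH TLS -> TLS upgrade with verification ON.

    Unlike 'set ssl:verify-certificate no', the chain must validate against the
    CA bundle and the certificate must match `host`; a failure lands in
    result['error'] instead of being silently accepted, which is the situation
    where openssl prints a non-zero 'Verify return code'.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    result = {"host": host, "auth_tls": False, "verified": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, lines = _read_reply(sock)
        if code != 220:
            raise ConnectionError("unexpected greeting: %d %s" % (code, lines[0]))
        result["banner"] = lines[0]
        sock.sendall(b"FEAT\r\n")
        result["auth_tls"] = _advertises_auth_tls(*_read_reply(sock))
        sock.sendall(b"AUTH TLS\r\n")
        code, lines = _read_reply(sock)
        if code != 234:
            result["error"] = "%d %s" % (code, lines[0])
            return result
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as exc:      # includes SSLCertVerificationError
            result["error"] = getattr(exc, "verify_message", str(exc))
            return result
        result.update(verified=True, protocol=tls.version(),
                      cipher=tls.cipher()[0],
                      subject=tls.getpeercert().get("subject"))
        tls.sendall(b"QUIT\r\n")
        tls.close()
    return result


if __name__ == "__main__":
    # Constructed FEAT reply (not captured from any server) to show the parser.
    SAMPLE_FEAT = "211-Features:\r\n AUTH SSL\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End"
    print("constructed FEAT advertises AUTH TLS:", feat_offers_tls(SAMPLE_FEAT))
    if len(sys.argv) > 1:                # e.g. python probe.py ftp.example.com
        print(probe_ftps(sys.argv[1]))
```

`probe_ftps` raises on a non-FTP greeting and returns a dict with `error` set when AUTH TLS is refused or the certificate does not validate; `cafile` lets you point it at an internal CA bundle instead of disabling verification.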

Test an FTPS connection

Assume you have a user ID ftp_user_id with password xxxxxx. I am using the lftp client; use lftp-3.7.11-7 or a newer version, since older clients have a bug.

$ cd /tmp
$ cal >test_file_to_upload.txt
$ lftp
debug 9
set ftps:initial-prot ""
set ftp:ssl-allow true
set ftp:ssl-force true
set ssl:verify-certificate no
set ftp:ssl-protect-data true
set ftp:ssl-auth TLS
set ftp:passive-mode true
set ftp:ssl-data-use-keys yes
open dropbox.redhat.com:21
user ftp_user_id  xxxxxx
ls
put test_file_to_upload.txt
ls

---- Resolving host address...
user anonymous  test@something.com
---- 1 address found: 209.132.183.100
lftp dropbox.redhat.com:~> user anonymous  test@something.com
lftp anonymous@dropbox.redhat.com:~> ls
---- Connecting to dropbox.redhat.com (209.132.183.100) port 21

<--- 220 ...
---> FEAT
<--- 211-Features:
<---  (12 feature lines; only the tokens SSL, TLS and STREAM survived extraction)
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate:
 Issued by:        C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
 Checking against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
WARNING: Certificate verification: Not trusted
Certificate: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
 Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
WARNING: Certificate verification: Not trusted
<--- 200 Always in UTF8 mode.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS test@something.com
<--- 230 Login successful.
---> PWD
<--- 257 ...
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (...)
---- Address returned by PASV seemed to be incorrect and has been fixed
---- Connecting data socket to (209.132.183.100) port 6338
---- Data connection established
---> LIST
<--- 550 Permission denied.
---- Closing data socket
ls: Access failed: 550 Permission denied. (this is fine; this server does not allow directory listing)
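The same session written with Python's ftplib.FTP_TLS, as an added example that is not from the original post. It maps the lftp settings above to their ftplib calls while keeping certificate verification on; `make_tls_context(verify=False)` reproduces `set ssl:verify-certificate no` only so the difference is visible. Host, user, password and file names are placeholders, and the mapping itself is my reading of the lftp options, not something the post states.

```python
"""Added example, not from the original post: the lftp session above done with
ftplib.FTP_TLS.  Mapping of the lftp settings used in the post (assumed; ftplib
has no one-to-one knob for every lftp option):

  set ftp:ssl-auth TLS           -> FTP_TLS.auth()     (---> AUTH TLS)
  set ftp:ssl-protect-data true  -> FTP_TLS.prot_p()   (---> PBSZ 0, ---> PROT P)
  set ftp:passive-mode true      -> FTP.set_pasv(True) (---> PASV)
  set ssl:verify-certificate no  -> make_tls_context(verify=False), shown only
                                    to contrast with the verifying default
"""
import ftplib
import os
import ssl
import tempfile


def make_tls_context(verify=True, cafile=None):
    """TLS context shared by the control and data channels.

    verify=True is what a client should run with: the chain must validate
    against the CA bundle and the certificate must match the host name.
    verify=False reproduces lftp's 'set ssl:verify-certificate no': traffic is
    still encrypted, but any certificate is accepted, so the client cannot
    detect an impostor sitting between it and the server.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Verification posture of a context, handy for logging before connecting."""
    return {"verify_mode": int(ctx.verify_mode), "check_hostname": ctx.check_hostname}


def ftps_upload(host, user, password, local_path, ctx, port=21):
    """Explicit FTPS: AUTH TLS, login, PBSZ 0 + PROT P, PASV, LIST, STOR.

    Returns the directory listing, or the server's refusal when listing is
    disallowed (the 550 seen in the post is not an error for the upload).
    """
    ftp = ftplib.FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=30)
    ftp.auth()           # ---> AUTH TLS, expects 234 before anything else is sent
    ftp.login(user, password)
    ftp.prot_p()         # ---> PBSZ 0, ---> PROT P: encrypt the data channel too
    ftp.set_pasv(True)   # ---> PASV for every data connection
    listing = []
    try:
        ftp.retrlines("LIST", listing.append)
    except ftplib.error_perm as exc:     # e.g. "550 Permission denied."
        listing = [str(exc)]
    with open(local_path, "rb") as fh:
        ftp.storbinary("STOR " + os.path.basename(local_path), fh)
    ftp.quit()
    return listing


if __name__ == "__main__":
    # Placeholder server and account (assumption): replace with real values.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("test upload\n")       # stands in for `cal > test_file_to_upload.txt`
    try:
        print(context_summary(make_tls_context()))
        for line in ftps_upload("ftp.example.com", "ftp_user_id", "xxxxxx",
                                tmp.name, make_tls_context()):
            print(line)
    finally:
        os.unlink(tmp.name)
```

Pass `make_tls_context(cafile="/path/to/internal-ca.pem")` for a server signed by a private CA; that keeps verification on instead of turning it off the way the lftp session above does.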


A few issues

Error: gnutls_handshake: Insufficient credentials for that request.
Solution: use 'set ftp:ssl-data-use-keys yes' and the latest lftp rpm version.

Error: gnutls_handshake: A record packet with illegal version was received (seen when using 'open ftps://ftp.something.com:21').
Solution: drop the ftps:// scheme and just use 'open ftp.something.com:21'. In lftp, ftps:// means implicit TLS, where the TLS handshake starts before any FTP reply, while port 21 expects the plaintext 220 greeting followed by AUTH TLS; the plaintext greeting is what shows up as an illegal TLS record.


[1] https://www.eldos.com/security/articles/4672.php?page=all
[2] openssl s_client documentation
