RHEL 5 lftp with FTPES (SSL/TLS) fails Certificate verification when server certificate Signature Algorithm is sha256WithRSAEncryption

Issue

• Using lftp to connect to a particular ftp site while forcing ssl (set ftp:ssl-force yes) with cert-validation (set ssl:verify-certificate yes) works in RHEL 6, but not in RHEL 5. We have confirmed that the certificate chain is intact and trusted by using openssl s_client -starttls ftp -connect FTP.EXAMPLE.COM:21. We have even tried pointing lftp directly to a simplified CA file with the set ssl:ca-file option.

• Example: the trust chain for dropbox.redhat.com is good ...

  [rhel5]$ openssl s_client -starttls ftp -connect dropbox.redhat.com:21 <<<"" | grep 'Verify return code:'
  depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  verify return:1
  depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
  verify return:1
  depth=0 /2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
  verify return:1
  220 
  DONE
      Verify return code: 0 (ok)
  

  However, connecting with ssl:verify-certificate enabled fails in RHEL 5:

  [rhel5]$ file=$RANDOM$RANDOM$RANDOM
  [rhel5]$ touch $file
  [rhel5]$ lftp -e "set ftp:ssl-force yes; set ssl:verify-certificate yes; cd incoming; put $file" anonymous:ftp@dropbox.redhat.com
  cd: Fatal error: Certificate verification: Not trusted
  put: Fatal error: Certificate verification: Not trusted
  

  Disabling cert-verification allows it to work:

  [rhel5]$ lftp -e "set ftp:ssl-force yes; set ssl:verify-certificate no; cd incoming; put $file" anonymous:ftp@dropbox.redhat.com
  cd ok, cwd=/incoming
  lftp anonymous@dropbox.redhat.com:/incoming> exit