RHEL 5 lftp with FTPES (SSL/TLS) fails Certificate verification when server certificate Signature Algorithm is sha256WithRSAEncryption

Solution Verified

Issue

  • Using lftp to connect to a particular ftp site while forcing ssl (set ftp:ssl-force yes) with cert-validation (set ssl:verify-certificate yes) works in RHEL 6, but not in RHEL 5. We have confirmed that the certificate chain is intact and trusted by using openssl s_client -starttls ftp -connect FTP.EXAMPLE.COM:21. We have even tried pointing lftp directly to a simplified CA file with the set ssl:ca-file option.

  • Example: the trust chain for dropbox.redhat.com is good ...

    [rhel5]$ openssl s_client -starttls ftp -connect dropbox.redhat.com:21 <<<"" | grep 'Verify return code:'
    depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    verify return:1
    depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
    verify return:1
    depth=0 /2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
    verify return:1
    220 
    DONE
        Verify return code: 0 (ok)
    

    However, connecting with ssl:verify-certificate enabled fails in RHEL 5:

    [rhel5]$ file=$RANDOM$RANDOM$RANDOM
    [rhel5]$ touch $file
    [rhel5]$ lftp -e "set ftp:ssl-force yes; set ssl:verify-certificate yes; cd incoming; put $file" anonymous:ftp@dropbox.redhat.com
    cd: Fatal error: Certificate verification: Not trusted
    put: Fatal error: Certificate verification: Not trusted
    

    Disabling cert-verification allows it to work:

    [rhel5]$ lftp -e "set ftp:ssl-force yes; set ssl:verify-certificate no; cd incoming; put $file" anonymous:ftp@dropbox.redhat.com
    cd ok, cwd=/incoming
    lftp anonymous@dropbox.redhat.com:/incoming> exit
    

Environment

  • FTP client

    • Red Hat Enterprise Linux 5
    • lftp (compiled against gnutls)
      • with ftp:ssl-force and ssl:verify-certificate enabled
  • FTP server

    • SSL certificate where Signature Algorithm is sha256WithRSAEncryption
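To check whether a server's chain actually carries a sha256WithRSAEncryption signature (the condition this article ties to the RHEL 5 gnutls failure), the PEM chain printed by `openssl s_client -starttls ftp -showcerts` can be fed to this added Python script, which is not from the Red Hat article: it walks just enough DER to read each certificate's outer signatureAlgorithm OID. The OID name table and the minimal sample certificate are constructed for the example.

```python
import base64
import re
# Common signature-algorithm OIDs (assumed mapping; not from the article).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Return the outer signatureAlgorithm OID of a DER-encoded X.509 cert."""
    _, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # tbsCertificate (skipped)
    _, alg_start, _ = _tlv(der, tbs_end)  # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])

def chain_signature_algorithms(pem_text):
    """Name the signature algorithm of every PEM certificate in pem_text."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    oids = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blobs]
    return [SIG_OIDS.get(oid, oid) for oid in oids]

def _der(tag, content):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(content)]) + content
# Constructed sample (not a real cert): minimal DER whose outer AlgorithmIdentifier
# is sha256WithRSAEncryption, OID 1.2.840.113549.1.1.11 = 2A864886F70D01010B.
SAMPLE_DER = _der(0x30, _der(0x30, _der(0x02, b"\x01"))
                  + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
                  + _der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Against a saved `s_client -showcerts` transcript, `chain_signature_algorithms(open("chain.pem").read())` lists one algorithm per certificate in chain order, so a SHA-256 signature anywhere in the chain stands out.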
