RHEL 5 lftp with FTPES (SSL/TLS) fails Certificate verification when server certificate Signature Algorithm is sha256WithRSAEncryption
Issue
Using `lftp` to connect to a particular FTP site while forcing SSL (`set ftp:ssl-force yes`) with cert-validation (`set ssl:verify-certificate yes`) works in RHEL 6, but not in RHEL 5. We have confirmed that the certificate chain is intact and trusted by using `openssl s_client -starttls ftp -connect FTP.EXAMPLE.COM:21`. We have even tried pointing `lftp` directly to a simplified CA file with the `set ssl:ca-file` option.

Example: the trust chain for dropbox.redhat.com is good:

```
[rhel5]$ openssl s_client -starttls ftp -connect dropbox.redhat.com:21 <<<"" | grep 'Verify return code:'
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
verify return:1
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 /2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
verify return:1
220 DONE
Verify return code: 0 (ok)
```

However, connecting with `ssl:verify-certificate` enabled fails in RHEL 5:

```
[rhel5]$ file=$RANDOM$RANDOM$RANDOM
[rhel5]$ touch $file
[rhel5]$ lftp -e "set ftp:ssl-force yes; set ssl:verify-certificate yes; cd incoming; put $file" anonymous:ftp@dropbox.redhat.com
cd: Fatal error: Certificate verification: Not trusted
put: Fatal error: Certificate verification: Not trusted
```

Disabling cert-verification allows it to work:

```
[rhel5]$ lftp -e "set ftp:ssl-force yes; set ssl:verify-certificate no; cd incoming; put $file" anonymous:ftp@dropbox.redhat.com
cd ok, cwd=/incoming
lftp anonymous@dropbox.redhat.com:/incoming> exit
```
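The title ties the failure to the server certificate's Signature Algorithm, and the Issue above shows that `openssl s_client` on the same host accepts the chain while gnutls-linked `lftp` rejects it. Before reaching for `set ssl:verify-certificate no` (which turns off the only authentication of the FTP server and leaves the session open to an active man-in-the-middle, so it belongs in diagnosis only), a practitioner wants to confirm what the server actually presents. The following is an added example, not Red Hat's, lftp's or openssl's own code: a dependency-free DER walker that reads the outer `signatureAlgorithm` of an X.509 certificate and names the OID, independent of which TLS library the client was built against. The certificate-shaped fixture it builds for offline use is constructed here and is not a real signed certificate; the OID table covers only the common RSA and ECDSA algorithms.

```python
import base64
import re
import sys

# Added example, not Red Hat/lftp code. Reports the signatureAlgorithm OID of an
# X.509 certificate by walking its outer DER structure.
SIG_OIDS = {  # PKCS#1 and X9.62 signature-algorithm OIDs most likely on an FTPS server
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)        # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return oid, SIG_OIDS.get(oid, "unknown")

def pem_to_der(pem_text):
    """Extract the first PEM certificate (as printed by openssl s_client) as DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

# --- constructed fixture for offline runs; not a real, signed certificate ---
def _tlv(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Encode a dotted OID as DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(sig_oid):
    """Certificate-shaped DER: stub tbsCertificate, given algorithm, dummy signature bits."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + bytes(256))  # 257 bytes exercises the long length form
    return _tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # a saved certificate, PEM or DER
        data = open(sys.argv[1], "rb").read()
        der = pem_to_der(data.decode()) if data.startswith(b"-----") else data
    else:
        der = fake_certificate("1.2.840.113549.1.1.11")
    print("%s (%s)" % signature_algorithm(der))
```

To run it against the real server certificate, save the PEM that `openssl s_client -starttls ftp -connect dropbox.redhat.com:21 </dev/null 2>/dev/null > server.pem` prints and pass `server.pem` as the argument; `pem_to_der` takes the first certificate in the output, which is the leaf the FTP server presents. If it reports `sha256WithRSAEncryption`, the RHEL 5 failure matches the condition in this article's title and is a property of the client's TLS library rather than of the trust chain, which the `s_client` run in the Issue already showed to be intact.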
Environment
- FTP client
  - Red Hat Enterprise Linux 5
  - lftp (compiled against gnutls)
  - with ftp:ssl-force and ssl:verify-certificate enabled
- FTP server
  - SSL certificate where Signature Algorithm is sha256WithRSAEncryption