cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Common name check error during SSL FTP

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Wed, 24 Aug 2005 08:06:39 +0200 (CEST)

On Tue, 23 Aug 2005, ankur marwah wrote:

> I have been trying to do SSL FTP using cURL to one of my SSL servers using
> the following command line:

Hm, this isn't curl 7.14.0, is it?

> curl -v -P ce1 --ftp-ssl --sslv3 -k --disable-epsv
> --disable-eprt --cacert USERID1.pem --capath /sftp
> --url ftp://USERID1:USERID1@sslserver.us.com:8031

--cacert and --capath don't make much sense when -k is used too, as that will
override the other two.

> * Entry path is '/'
>> PORT 66,248,225,114,128,75
> < 200 PORT command successful.
> * Ordered connect of the data stream with PORT!
>> TYPE A
> < 200 Type set to A.
>> LIST
> < 150 Opening ASCII mode data connection.
>
> At this point it hangs....

Which is when it expects the server to connect back to it.

Does your firewall setup allow a connect from the server to you on this port
(32843) ?

> The detailed internal logs on the server side suggest that the SSL handshake
> is failing.

But the regular TCP connect works?

> I have tried a no. of command line options but all seem to give an error
> during common name checking.

Does the server complain on common name checking? I don't understand, what
common name is it checking against what?

The only common name checking I know of is the client-side checks, and you
disable them with -k.

> 1) Is it possible that common name checking is causing this SSL handshake to
> fail (common name: DEUTSCHEEXT (does not match 'sslserver.us.com') )

No, unless there's a bug of course.

> 2) Do we have any command line option to turn off the common name checking
> since it will not be possible to generate a new certificate with common name
> as sslserver.us.com

-k

> 3) If not is it possible to get some patch wherein this option is turned
> off.

-k is in the main sources

> This is a bit urgent

Isn't it always?

I would recommend you get the latest curl version, build a version with debug
symbols and you fire up your favourite debugger and start checking out what
the lower level code in libcurl thinks of the SSL handshake for the data
connection.

Do note that the CVS code has changed slightly in this aspect, so you could
try that as well and it would be nice if you used that as a base should you
consider making a patch.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html

Received on 2005-08-24

This message: [ Message body ]
Next message: Bud P. Bruegger: "Re: download of binary objects?"
Previous message: ankur marwah: "Common name check error during SSL FTP"
In reply to: ankur marwah: "Common name check error during SSL FTP"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]