curl-users

Problem with FTPS and curl

From: Baktor Silvanti <baktor_at_hotmail.com>
Date: Mon, 26 Sep 2005 19:04:40 -0400

Hello,

   This is the first time I've had to use curl, so please bear with me. I am
trying to set up a script that will grab 2 files from a remote FTPS server
and then place 2 files on the same server. When I attempt to connect, I
seem to halt on the data port SSL/TLS handshake. Any advice on how to
configure/patch/fix curl so that it can connect would be greatly appreciated!
I am almost certain it has something to do with their server and not
the client, but as it's a bank, I doubt I can even suggest changes on their
end.

Relevant information:

HOST:
============================================================
Client OS: AIX 5.2.0.6

curl --version
curl 7.14.1 (powerpc-ibm-aix5.2.0.0) libcurl/7.14.1 OpenSSL/0.9.8 zlib/1.1.4
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz

I Received their certificate via email and converted it to pem format and
appended to a custom CA Bundle file called cacert.pem.

Attempted command line:
curl -v --trace-time --show-error --ftp-ssl -3 --data-ascii --ftp-pasv \
     --connect-timeout 360 --disable-epsv --cacert ./cacert.pem \
     --capath /usr/local/share/curl -u XXXX:XXXX \
     ftp://ftpst.usbank.com:20021//cf214401/cps0.genp3046.x330

Remote FTPS Server:
=============================================================
...requires login port 20021
...requires data port range: 21000-21400
...requires Passive mode transfers
...requires 128 bit SSL encryption

Copy of verbose timestamped curl output when attempting this connection:
==================================================================
18:11:43.935210 * About to connect() to ftpst.usbank.com port 20021
18:11:43.935455 * Trying 170.135.72.80... connected
18:11:43.936139 * Connected to ftpst.usbank.com (170.135.72.80) port 20021
18:11:44.424898 < 220 <<<Connect:Enterprise UNIX 2.2.00 Secure FTP>>> at
cewebb1u FTP server ready. Time = 17:11:43
18:11:44.425104 > AUTH SSL
18:11:44.494582 < 234 AUTH TLS-P/SSL OK.
18:11:44.544757 * successfully set certificate verify locations:
18:11:44.544953 * CAfile: ./cacert.pem
  CApath: /usr/local/share/curl
18:11:44.545518 * SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using DES-CBC3-SHA
18:11:45.074546 * Server certificate:
18:11:45.074740 * subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S.
Bank/OU=Data Distribution Services cewebb1u/OU=Terms of use at
www.verisign.com/rpa (c)00/CN=ftpst.usbank.com
18:11:45.074928 * start date: 2005-07-20 00:00:00 GMT
18:11:45.075110 * expire date: 2006-07-20 23:59:59 GMT
18:11:45.075304 * common name: ftpst.usbank.com (matched)
18:11:45.075492 * issuer: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
18:11:45.075675 * SSL certificate verify ok.
18:11:45.075883 > USER XXXXX
18:11:45.267747 < 331 Password required for cf214400.
18:11:45.267966 > PASS XXXX
18:11:45.525231 < 230 Connect:Enterprise UNIX login ok, access restrictions
apply.
18:11:45.525439 > PBSZ 0
18:11:45.594905 < 200 PBSZ 0 OK.
18:11:45.595110 > PROT P
18:11:45.665210 < 200 PROT P OK, data channel will be secured.
18:11:45.665429 > PWD
18:11:45.737581 < 257 "/cf214400" is current directory.
18:11:45.737780 * Entry path is '/cf214400'
18:11:45.737993 > CWD /cf214401
18:11:45.807158 < 250 CWD command successful.
18:11:45.807364 > EPSV
18:11:45.807541 * Connect data stream passively
18:11:45.877752 < 500 'EPSV': command not understood.
18:11:45.877938 * disabling EPSV usage
18:11:45.878131 > PASV
18:11:45.955520 < 227 Entering Passive Mode (170,135,72,80,82,8)
18:11:45.955782 * Trying 170.135.72.80... connected
18:11:46.030316 * Connecting to 170.135.72.80 (170.135.72.80) port 21000
18:11:46.030494 * Doing the SSL/TLS handshake on the data stream
18:11:46.070338 * successfully set certificate verify locations:
18:11:46.070536 * CAfile: ./cacert.pem
  CApath: /usr/local/share/curl
18:11:46.070724 * SSL re-using session ID
18:11:46.071016 * SSLv3, TLS handshake, Client hello (1):
SSL connection timeout      <---- ~3 minutes elapse before this error ---->
18:17:43.933368 * Remembering we are in dir /cf214401/
18:17:43.933561 * Connection #0 to host ftpst.usbank.com left intact
18:17:43.933769 * Closing connection #0
18:17:43.934023 * SSLv3, TLS alert, Client hello (1):
=================================================================

I've tried --ftp-ssl, I've tried ftps://, and I've tried both together
(redundant?) with no luck.
I've tried -1, -2, -3 and --anyauth to no avail.

Oh, if I try just ftps:// it gives:
==================================================================
19:02:11.207810 * About to connect() to ftpst.usbank.com port 20021
19:02:11.208049 * Trying 170.135.72.80... connected
19:02:11.209036 * Connected to ftpst.usbank.com (170.135.72.80) port 20021
19:02:11.263998 * successfully set certificate verify locations:
19:02:11.264196 * CAfile: ./cacert.pem
  CApath: /usr/local/share/curl
19:02:11.268623 * SSLv2, Client hello (1):
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
19:02:11.570872 * Closing connection #0
==================================================================
Received on 2005-09-27
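The control-channel sequence visible in the trace above (AUTH, USER/PASS, PBSZ 0, PROT P, EPSV falling back to PASV, and the 227 reply that yields port 21000), as an added Python example that is not part of the original post or of curl. The server side is a scripted fake whose replies are copied from the trace (the client sends AUTH TLS where curl 7.14.1 sent the older AUTH SSL form). Two checks are the editor's additions, not something the poster's curl did: the data connection is opened to the control-connection peer rather than the address advertised in the 227 reply (what curl's --ftp-skip-pasv-ip option does), and the data port is checked against the bank's stated range of 21000-21400. The example stops at the point where a real client would start the TLS handshake on the data socket, which is where the poster's transfer hangs; the session-ID reuse on the data channel shown in the trace is a behaviour of curl/OpenSSL and is not modelled here.

```python
"""Explicit-FTPS control-channel exchange against a scripted fake server.

Constructed example: the fake replies below are the ones in the posted
curl trace; the fake never opens sockets, so this runs offline.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  ->  host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply, control_host, port_range=None, trust_pasv_ip=False):
    """Return (host, port, advertised_host) from a 227 reply.

    By default the address the server advertises is ignored and the
    control-connection peer is used (curl: --ftp-skip-pasv-ip).  A server
    behind NAT, or a tampered reply, otherwise redirects the data
    connection to a host we never authenticated.  An optional inclusive
    port_range rejects endpoints outside the range the site documents.
    """
    if not reply.startswith("227"):
        raise ValueError(f"expected 227, got {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    port = p1 * 256 + p2
    if port_range and not (port_range[0] <= port <= port_range[1]):
        raise ValueError(f"data port {port} outside allowed range {port_range}")
    advertised = f"{h1}.{h2}.{h3}.{h4}"
    return (advertised if trust_pasv_ip else control_host), port, advertised


class ScriptedServer:
    """Fake Connect:Enterprise-style server (constructed for this example).

    Each command maps to the reply seen in the trace; anything else gets
    the same 500 the real server gave for EPSV.
    """
    REPLIES = {
        "AUTH TLS": "234 AUTH TLS-P/SSL OK.",
        "USER": "331 Password required for cf214400.",
        "PASS": "230 Connect:Enterprise UNIX login ok, access restrictions apply.",
        "PBSZ 0": "200 PBSZ 0 OK.",
        "PROT P": "200 PROT P OK, data channel will be secured.",
        "PASV": "227 Entering Passive Mode (170,135,72,80,82,8)",
    }

    def __init__(self):
        self.log = []

    def send(self, cmd):
        self.log.append(cmd)
        key = cmd.split(" ", 1)[0] if cmd.startswith(("USER ", "PASS ")) else cmd
        return self.REPLIES.get(key, f"500 '{cmd}': command not understood.")


def explicit_ftps_login(server, user, password, control_host, data_port_range):
    """Drive AUTH TLS, login, PBSZ 0, PROT P, then EPSV with PASV fallback.

    Every step is checked so the client never silently continues with an
    unprotected control or data channel.  Returns (host, port) of the data
    endpoint a real client would now connect to and TLS-handshake on.
    """
    if not server.send("AUTH TLS").startswith("234"):
        raise RuntimeError("server refused AUTH TLS; not sending credentials in cleartext")
    # A real client wraps the control socket in TLS here and verifies the
    # server certificate (curl: --cacert / --capath) before sending USER.
    if not server.send(f"USER {user}").startswith("331"):
        raise RuntimeError("unexpected reply to USER")
    if not server.send(f"PASS {password}").startswith("230"):
        raise RuntimeError("login failed")
    if not server.send("PBSZ 0").startswith("200"):
        raise RuntimeError("PBSZ 0 rejected; cannot negotiate data protection")
    if not server.send("PROT P").startswith("200"):
        raise RuntimeError("PROT P rejected; data channel would be cleartext")

    reply = server.send("EPSV")
    m = EPSV_RE.search(reply) if reply.startswith("229") else None
    if m:
        port = int(m.group(1))
        if not (data_port_range[0] <= port <= data_port_range[1]):
            raise ValueError(f"EPSV port {port} outside {data_port_range}")
        return control_host, port
    # 500 'EPSV': command not understood  ->  fall back to PASV, as curl did
    host, port, _advertised = parse_pasv(server.send("PASV"), control_host, data_port_range)
    return host, port


if __name__ == "__main__":
    srv = ScriptedServer()
    print(explicit_ftps_login(srv, "XXXX", "XXXX", "170.135.72.80", (21000, 21400)))
    print(srv.log)
```

Running it reproduces the trace's outcome: EPSV is refused, PASV yields 170.135.72.80 port 21000 (82*256 + 8), which is the first port of the documented 21000-21400 range. The PBSZ 0 / PROT P pair is what makes the data connection TLS-protected at all; a client that treats a non-200 reply to PROT P as merely informational ends up moving files in cleartext.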