cURL / Mailing Lists / curl-users / Single Mail


ftps and certs

From: Maury Markowitz <>
Date: Mon, 3 Dec 2007 11:29:12 -0500

Ok well after the initial confusion over sftp vs ftps, I have managed
to log into the server in question and retrieve files. But looking
over my command line, it's obvious I'm doing this without any
security. I'd like to try to address this.

To start with, I was given a file by the remote site that starts off like:

RSA Commercial CA / Verisign - exp. Jan 7, 2010

Several other listings follow, for Thwate, RSA, different Verisign
versions, etc.

Is this the sort of file that is being referred to in the
documentation? The reason I ask is that when I use this command

curl --ftp-ssl -E o:\trusted.crt -u foo:bar

I get...

curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

I have no idea what the "key" or "pass phrase" are, and neither of
these terms appear in the documentation that I read (the term "key"
appears once, but it's for OpenSSL and appears to be unrelated).

When I simply remove the -E from the command line, changing the
command line to...

curl --ftp-ssl -u foo:bar

I get...

curl: (60) SSL certificate problem, verify that the CA cert is OK.

Reading over "Details on Server SSL Certificates - Peer SSL
Certificate", it appears that I need to have a "CA cert bundle", but I
have no idea what that is, and as I didn't use make install I don't
know if I have one. I'm assuming I don't, and that's what's causing
the problem.

But when I read option (2) in the same document, I see something that
appears to be what I am trying to do - I think. But this uses the
--cacert switch instead of -E, which is contrary to all of the
examples in the manual (not man page). Regardless, when I try this...

curl --ftp-ssl -cacert o:\trusted.crt -u foo:bar

I get the same (60) error. Reading between the lines in the same
document, it seems that ssl can be set up without a cert at all, at
the risk of the remote site being an impostor. That sounds fine, so I

curl --ftp-ssl --insecure -u foo:bar

and that ran without any errors - but nothing was downloaded either.
This might not be an issue, there may no longer be any files in the
directory. To test this I used...

curl -u foo:bar

and that returned the extremely confusing...

Total number of batches listed: 0

... which as far as I can see using Google, doesn't appear in the
documentation anywhere. However I recall that using...

curl -u foo:bar*.*

... did return the "hello world" file on Friday, but now it returns...

curl: (19) RETR response: 550

Confusing, but I'm thinking this really means "no such file".

Try as I might this security stuff is simply over my head. Can an
expert on this give me a hand here?

1) is the file that I was given what the documentation is referring
to? if so, is this a PEM file? How can I find out?

2) do I even need this? I was under the (likely mistaken) impression
that ssl was something that was set up entirely between the client and
the server with keys that were generated on the fly. Is this correct?
If so, am I correct in thinking that --insecure is still using ssl?

3) should I just give up? I mean it seemed to be working with plain
FTP, but the files are semi-sensitive...

Received on 2007-12-03