curl-library
Re: FTPS: "SSL certificate problem: Invalid certificate chain" error
Date: Sat, 8 Apr 2017 14:08:06 -0400
On 4/7/2017 7:09 PM, Leo wrote:
> macOS Sierra
> libcurl/7.51.0
>
> Here's the details of the problem:
>
> -I'm trying to connect to an FTPS server
> -CURLOPT_FTP_SSL, CURLFTPSSL_ALL
> -CURLOPT_SSL_VERIFYHOST: false
> -CURLOPT_SSL_VERIFYPEER: false
> -I'm getting generic error (Server denied you to change to the given
> directory)
> -If I set CURLOPT_VERIFYPEER to true, I get this error: "SSL
> certificate problem: Invalid certificate chain"
>
> -When I use Cyberduck and FileZilla, I get an "invalid certificate"
> warning which lets me either view certificate OR connect ignoring
> certificate
>
> I don't have issues connecting to other FTPS servers with curl.
>
> What am I missing?
>
> How can I connect to this server with an option to bypass the
> certificate warning?
Those things don't have anything to do with one another. What is the
full curl_version()? You can set CURLOPT_VERBOSE to 1L to figure out
what's happening:
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
The verbose output should show the PWD after login. Either make your
path relative to that or if it's an absolute path add another / before
the path like ftps://host//foo/bar.
To disable the certificate warning you set both the verify options to 0L:
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
Disabling verification makes the transfer insecure, and it opens you up
to MITM attacks. The safe thing to do is obtain the certificate from the
server, verify the CA signer through other means and then pass that to
libcurl using CURLOPT_CAINFO [1] so that it can verify the certificate
is what you expect.
[1]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-04-08