curl-library
Re: FTPS: "SSL certificate problem: Invalid certificate chain" error
Date: Mon, 10 Apr 2017 03:07:37 -0400
On 4/9/17 5:25 AM, Patrick Monnerat wrote:
> You probably have disabled EPSV: obviously your server is behind a
> NATting firewall: its public address is 125.142.62.86, but it requires
> you to connect to its private address (192...). There is a well known
> problem with ftp when using PASV + SSL + NAT:
> - The transmitted data connection address is private, thus unreachable
> from outside the server's net,
> - NATting device deep inspection cannot translate it to the
> corresponding public address it because the connection is encrypted.
>
> The only way to overcome this caveat is to suppress the use of one of
> the PASV/SSL/NAT feature. If the target server supports it, the easier
> would be to use EPSV instead of PASV.
>
> You probably have a code line in your program such as:
> curl_easy_setopt(handle, CURLOPT_FTP_USE_EPSV, 0L);
>
> Remove it and the trick should be done :-)
Thanks for the detailed info, Patrick!
That worked indeed!
Now I wonder if there's a way to recognize that a server requires EPSV
before connecting?
This code is in a tool that's been working for years by now. I
especially disabled EPSV because it caused connection issues with many
FTP servers. With EPSV off, there were no problems so far.
But support for FTPS is relatively recent.
So I wonder if you could shed some light on this - or point me to
sources... Is there a way to determine that server requires EPSV instead
of PASV?
Thanks,
Leo
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-04-10