curl / Mailing Lists / curl-library / Single Mail


Re: FTPS: "SSL certificate problem: Invalid certificate chain" error

From: Leo <>
Date: Mon, 10 Apr 2017 03:07:37 -0400

On 4/9/17 5:25 AM, Patrick Monnerat wrote:
> You probably have disabled EPSV: obviously your server is behind a
> NATting firewall: its public address is, but it requires
> you to connect to its private address (192...). There is a well known
> problem with ftp when using PASV + SSL + NAT:
> - The transmitted data connection address is private, thus unreachable
> from outside the server's net,
> - NATting device deep inspection cannot translate it to the
> corresponding public address it because the connection is encrypted.
> The only way to overcome this caveat is to suppress the use of one of
> the PASV/SSL/NAT feature. If the target server supports it, the easier
> would be to use EPSV instead of PASV.
> You probably have a code line in your program such as:
> curl_easy_setopt(handle, CURLOPT_FTP_USE_EPSV, 0L);
> Remove it and the trick should be done :-)

Thanks for the detailed info, Patrick!

That worked indeed!

Now I wonder if there's a way to recognize that a server requires EPSV
before connecting?

This code is in a tool that's been working for years by now. I
especially disabled EPSV because it caused connection issues with many
FTP servers. With EPSV off, there were no problems so far.

But support for FTPS is relatively recent.

So I wonder if you could shed some light on this - or point me to
sources... Is there a way to determine that server requires EPSV instead
of PASV?


Received on 2017-04-10