curl / Mailing Lists / curl-library / Single Mail


Re: FTPS: "SSL certificate problem: Invalid certificate chain" error

From: Patrick Monnerat <>
Date: Mon, 10 Apr 2017 10:56:11 +0100

On 04/10/2017 08:07 AM, Leo wrote:
> This code is in a tool that's been working for years by now. I
> especially disabled EPSV because it caused connection issues with many
> FTP servers. With EPSV off, there were no problems so far.
Because so far, you were'nt in a NAT+SSL+PASV condition...
> But support for FTPS is relatively recent.
Not really; libcurl supports it for more than 8 years, AFAICR !
> So I wonder if you could shed some light on this - or point me to
> sources... Is there a way to determine that server requires EPSV
> instead of PASV?
libcurl tries EPSV first (if not disabled); if it fails, it then reverts
to PASV, thus it is generally safe to leave EPSV enabled.

A server itself will never require EPSV: it might support it or not.
What makes it required is the NAT+SSL condition.

This is not a rule of thumb, but most FTP servers tell you whether they
support EPSV upon receiving the "HELP" command. The HELP reply format is
unfortunately not structured and may differ from one server to another.

The difference is: PASV reply tells the client the port number and the
IP address to use for a data connection, while EPSV only tells the port
number and the client should use the same IP address as for the control

For FTP protocol details, you can have a look at and for the EPSV extension,

Code issuing the PASV or EPSV command in libcurl is in function
ftp_state_use_pasv(), while EPSV failure is handled in function

Received on 2017-04-10