

Re: FTPS: "SSL certificate problem: Invalid certificate chain" error

From: Leo <>
Date: Thu, 13 Apr 2017 02:35:32 -0400

On 4/10/17 5:56 AM, Patrick Monnerat wrote:
> On 04/10/2017 08:07 AM, Leo wrote:
>> This code is in a tool that's been working for years by now. I
>> especially disabled EPSV because it caused connection issues with
>> many FTP servers. With EPSV off, there were no problems so far.
> Because so far, you weren't in a NAT+SSL+PASV condition...
>> But support for FTPS is relatively recent.
> Not really; libcurl supports it for more than 8 years, AFAICR !
>> So I wonder if you could shed some light on this - or point me to
>> sources... Is there a way to determine that server requires EPSV
>> instead of PASV?
> libcurl tries EPSV first (if not disabled); if it fails, it then
> reverts to PASV, thus it is generally safe to leave EPSV enabled.
> A server itself will never require EPSV: it might support it or not.
> What makes it required is the NAT+SSL condition.
> This is not a rule of thumb, but most FTP servers tell you whether
> they support EPSV upon receiving the "HELP" command. The HELP reply
> format is unfortunately not structured and may differ from one server
> to another.
> Code issuing the PASV or EPSV command in libcurl is in
> function
> ftp_state_use_pasv(), while EPSV failure is handled in function
> ftp_state_pasv_resp().
> Patrick

Thanks again for the detailed info - which was very helpful.

And yeah, I meant that my tool, not libcurl, has only supported FTPS
recently - sorry!

Like I mentioned, I wrote a comment in the code years ago that I had to
disable EPSV as it caused issues with many FTP servers.

Now, I looked at the history of the ftp.c file you mentioned - and I
noticed there were a couple of changes in the exact area we discuss,
that is handling EPSV failure and switching to PASV. The changes were
made in 2013 - that is well after I wrote the aforementioned comment and
disabled EPSV.

So maybe things changed since then and I can now safely enable EPSV
without running into the same problems. I should give it a try.

Checking the HELP response, as you suggested, is also an option.
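As an added illustration of the EPSV-first, PASV-fallback strategy Patrick describes (and of why PASV breaks behind NAT once the control channel is TLS protected), here is a small stand-alone C example. It is not code from libcurl or from Leo's tool: it parses the two reply formats the server sends, prefers the EPSV result, and, when falling back to PASV, compares the advertised address against the address the control connection actually reached. A mismatch is the typical NAT symptom (the NAT cannot rewrite an encrypted PASV reply), so the example reuses the control peer address, which is what libcurl's CURLOPT_FTP_SKIP_PASV_IP option does. The reply strings, the peer address 203.0.113.10 and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Where the data connection should go. port == 0 means "no endpoint". */
typedef struct {
    char host[64];
    unsigned port;
} data_endpoint;

/* Parse "229 Entering Extended Passive Mode (|||51000|)" into a port.
 * EPSV never carries an address: the client reuses the control peer.
 * Returns 1 on success, 0 on any other reply (e.g. a 5xx refusal). */
int parse_epsv_reply(const char *reply, data_endpoint *out)
{
    const char *p;
    char *end;
    char delim;
    unsigned long port;

    memset(out, 0, sizeof *out);
    if (strncmp(reply, "229", 3) != 0)
        return 0;
    p = strchr(reply, '(');
    if (!p)
        return 0;
    delim = p[1];                      /* RFC 2428 allows any delimiter, usually '|' */
    if (!delim || p[2] != delim || p[3] != delim)
        return 0;
    p += 4;
    if (!isdigit((unsigned char)*p))
        return 0;
    port = strtoul(p, &end, 10);
    if (*end != delim || port == 0 || port > 65535)
        return 0;
    out->port = (unsigned)port;
    return 1;
}

/* Parse "227 Entering Passive Mode (10,0,0,5,195,80)" into host and port.
 * The wording before the numbers varies between servers, so only the
 * six comma-separated byte values are relied upon. */
int parse_pasv_reply(const char *reply, data_endpoint *out)
{
    unsigned long v[6];
    const char *p;
    int i;

    memset(out, 0, sizeof *out);
    if (strncmp(reply, "227", 3) != 0)
        return 0;
    p = reply + 3;
    while (*p && !isdigit((unsigned char)*p))
        p++;
    for (i = 0; i < 6; i++) {
        char *end;
        if (!isdigit((unsigned char)*p))
            return 0;
        v[i] = strtoul(p, &end, 10);
        if (v[i] > 255)
            return 0;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return 0;
            p++;
        }
    }
    snprintf(out->host, sizeof out->host, "%lu.%lu.%lu.%lu", v[0], v[1], v[2], v[3]);
    out->port = (unsigned)(v[4] * 256 + v[5]);
    return out->port != 0;
}

/* Try EPSV first; if the server refused it, fall back to PASV.
 * control_peer is the address the control connection was made to.
 * If the PASV reply names a different address, the server is most
 * likely behind NAT and the reply could not be rewritten (TLS), so the
 * control peer address is used instead and nat_suspected is set.
 * Returns 1 when a data endpoint was chosen, 0 otherwise. */
int choose_data_endpoint(const char *epsv_reply, const char *pasv_reply,
                         const char *control_peer, data_endpoint *out,
                         int *nat_suspected)
{
    *nat_suspected = 0;
    if (parse_epsv_reply(epsv_reply, out)) {
        snprintf(out->host, sizeof out->host, "%s", control_peer);
        return 1;
    }
    if (!parse_pasv_reply(pasv_reply, out))
        return 0;
    if (strcmp(out->host, control_peer) != 0) {
        *nat_suspected = 1;
        snprintf(out->host, sizeof out->host, "%s", control_peer);
    }
    return 1;
}

int main(void)
{
    /* Constructed replies from a server that does not understand EPSV
     * and sits behind NAT, advertising its private address in PASV. */
    data_endpoint ep;
    int nat;
    if (choose_data_endpoint("500 'EPSV': command not understood",
                             "227 Entering Passive Mode (10,0,0,5,195,80)",
                             "203.0.113.10", &ep, &nat))
        printf("data connection -> %s:%u (NAT suspected: %d)\n", ep.host, ep.port, nat);
    return 0;
}
```

In libcurl itself the equivalent knobs are CURLOPT_FTP_USE_EPSV (on by default, which is what makes leaving it enabled safe given the automatic PASV fallback) and CURLOPT_FTP_SKIP_PASV_IP for the NAT case.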


Received on 2017-04-13