I am trying to connect with LFTP to a server that requires TLS.
I am trying it this way, but when I try to use any command (`ls`, `put`, `pget`, etc.) I get an `sslv3 alert` error.

```
lftp
set ftp:ssl-force true
connect X.X.X.X
X.X.X.X: -> login myuser
Password:
myuser@X.X.X.X:-> pget filename
Fatal error: SSL_Connect: sslv3 alert illegal parameter
```
How can I fix this? Thanks in advance.

Update 1

I have tried `open ftp://X.X.X.X` as below, with the same result. Am I missing some other command before the `open` command?

```
$ lftp
lftp :~> open ftp://X.X.X.X
lftp X.X.X.X:~> login admin
Password:
lftp admin@X.X.X.X:~> ls
`ls' at 0 [Connecting...]
`ls' at 0 [Delaying before reconnect: 16]
```
When I try Filezilla with the option `Use explicit FTP over TLS if available` or `Require explicit FTP over TLS`, it works, and before entering the password a window appears that mentions TLS 1.2.
Finally, once connected to the server, it shows this log.

```
Status: Connecting to X.X.X.X:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful
```
Update 2

This is the log when I try with `lftp -d`:

```
$ lftp -d
lftp :~> open ftp://AAA.BBB.CCC.DDD
---- Resolving host address...
---- IPv6 is not supported or configuredress...]
---- 1 address found: AAA.BBB.CCC.DDD
lftp AAA.BBB.CCC.DDD:~> login admin
Password:
lftp admin@AAA.BBB.CCC.DDD:~> ls
---- Connecting to AAA.BBB.CCC.DDD (AAA.BBB.CCC.DDD) port 21
<--- 220 ftp server ready.
---> FEAT
<--- 500 Sorry, no such command.
---> AUTH TLS
<--- 234 AUTH command ok; starting SSL connection.
---> USER admin
**** SSL_connect: sslv3 alert illegal parameter
---- Closing control socket
---- Connecting to AAA.BBB.CCC.DDD (AAA.BBB.CCC.DDD) port 21
<--- 220 ftp server ready.
---> FEAT
<--- 500 Sorry, no such command.
---> USER admin
<--- 430 Require auth before enter.
---> QUIT
<--- 221 Have a nice day!
---- Closing control socket
`ls' at 0 [Delaying before reconnect: 12]
```
Update 3

I have tried FTP and LFTP from Cygwin on Windows 7 (the same Windows 7 machine where Filezilla works for me).

Cygwin emulator:

```
$ uname -a
CYGWIN_NT-6.1 user 3.1.5(0.340/5/3) 2020-06-01 08:59 x86_64 Cygwin
user@user ~
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
```

I have also tried FTP from a CentOS machine.

CentOS:

```
[root@ServerAbc ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@ServerAbc ~]#
[root@ServerAbc ~]# uname -a
Linux ServerAbc 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@ServerAbc ~]# cat /etc/*-release
CentOS release 6.7 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
```
On both machines I get this error when running `openssl`, with or without `-connect ...`:

```
user@user ~
$ openssl s_client AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
s_client: Use -help for summary.
user@user ~
$ openssl -connect s_client AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
Invalid command '-connect'; type "help" for a list.
user@user ~
$ openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md2
md4 md5 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 rc5 rc5-cbc
rc5-cfb rc5-ecb rc5-ofb seed
seed-cbc seed-cfb seed-ecb seed-ofb
zlib
```
On the Cygwin terminal (Windows 7), the lftp version is as follows:

```
$ lftp -v
LFTP | Version 4.9.1 | Copyright (c) 1996-2020 Alexander V. Lukyanov
.
.
.
Libraries used: Expat 2.2.6, idn2 2.2.0, libiconv 1.14, OpenSSL 1.1.1f 31 Mar 2020, Readline 7.0, zlib 1.2.11
```
Update 4

From Cygwin:

```
User@User ~
$ openssl s_client -connect AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
CONNECTED(00000004)
34359738384:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:ssl/record/rec_layer_s3.c:1543:SSL alert number 47
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 77 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
From CentOS:

```
[root@ServerC ~]# openssl s_client -connect AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
CONNECTED(00000003)
depth=0 C = ZZ, O = Xyz, OU = some text, ZZ = 5900283817720ZZ000123.xyz.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZZ, O = Xyz, OU = some text, ZZ = 5900283817720ZZ000123.xyz.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = ZZ, O = Xyz, OU = some text, ZZ = 5900283817720ZZ000123.xyz.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=ZZ/O=Xyz/OU=some text/ZZ=5900283817720ZZ000123.xyz.net
i:/C=ZZ/O=Xyz/OU=some text/ZZ=Xyz Wireless Network Product CA
---
Server certificate
-----BEGIN CERTIFICATE-----
..
..
gTsopEBALpl89bP3EfsakjncRTT
..
..
-----END CERTIFICATE-----
subject=/C=ZZ/O=Xyz/OU=some text/ZZ=5900283817720ZZ000123.xyz.net
issuer=/C=ZZ/O=Xyz/OU=some text/ZZ=Xyz some text CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1739 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 76BBAC123994626C01C5B8B0B31ADF6EB9EB100C5BF110BD0C90B4C9B96DFC2
Session-ID-ctx:
Master-Key: XXXX....
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1592177053
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 ftp server ready.
DONE
```
Remote server settings:

```
Transport Encrypted mode = SSL Encrypted
FTPS server command port = 21
FTPS server source data port = 20
TSL/SSL = SSL 3.0
= TSL1.0
= TSL1.1
= TSL1.2
```
Update 5

```
$ openssl x509 -noout -text -in cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:00:11:22:...55:21
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ZZ, O = PPKDKD, OU = Some text, ZZ = PPKDKD Some text CA
Validity
Not Before: Dec 1 07:16:13 2017 GMT
Not After : Nov 27 07:16:13 2032 GMT
Subject: C = ZZ, O = PPKDKD, OU = Some text, ZZ = 123456789XX000216.PPKDKD.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
36:14:...:f8:d7:
.
.
.
11:22:...:78:55:
c4:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:00:11:....:F1
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: http://someurl
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://someurl/
X509v3 Subject Alternative Name:
DNS:123456789XX000216.PPKDKD.com
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Subject Key Identifier:
81:23:...23:3A
Signature Algorithm: sha256WithRSAEncryption
4c:22:... :04:57:
.
.
.
41:11:22:00
```
Answer 1

From the man page:

> ftp:ssl-force (boolean)
> if true, refuse to send password in clear when server does not support SSL. Default is false.

So this option will not help you.

You need to tell `lftp` which of its many supported protocols you want to use. When you connect with the `open` command, you give the scheme and host in the form `<scheme>://<hostname>`, for example `ftp://example.org`.

The list of supported schemes is given at the start of the man page.

If you had success with Filezilla's "Use explicit FTP over TLS if available" option, then you should use the `ftp://` scheme.

The `ftps://` scheme is the equivalent of Filezilla's implicit FTP, which requires the server to listen on port 990. This is an older, deprecated way of using TLS.
Answer 2

The `**** SSL_connect: sslv3 alert illegal parameter` message looks like a local message.

The default SSL/TLS settings of `lftp` may contain a reference to SSLv3 (hopefully to disable it!), but the SSL/TLS library `lftp` was compiled with may have removed SSLv3 support entirely, so it no longer recognizes the SSLv3 keyword.

If you start `lftp` and run `set -a`, what is the current value of the `set ssl:priority` setting?

If that value contains `sslv3`, you may need to change the setting so that it does not mention `sslv3` at all.

After further research, the error message does come from the local SSL/TLS library, and the presence of `ssl_connect` indicates that the library in question is OpenSSL. But a Google search for "openssl SSL_connect alert illegal parameter" only turns up references to old OpenSSL bugs related to servers using ciphers and protocol versions the client does not support.

Your FileZilla test shows that the server can definitely do TLS 1.2. Perhaps the problem is that the OpenSSL version your `lftp` was compiled with is too old to support TLS 1.2?

You could try `openssl s_client -connect AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null` to see whether the OpenSSL on that system can negotiate a TLS connection with the FTP server independently of `lftp`. It usually outputs a lot of diagnostic information; but if it fails before the SSL/TLS connection is successfully negotiated, that indicates the OpenSSL version on the system is too old to connect to this FTP/TLS server.

What is the name and version of your operating system?
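One way to carry out the `s_client` check from this answer at a fixed TLS version and read its transcript reliably, as an added example that is not part of either answer (host, port and the sample transcript are constructed placeholders). It checks for a TLS alert before anything else, because in the Cygwin run above `s_client` still printed `Verify return code: 0 (ok)` even though the handshake was cut short by alert 47.

```shell
#!/bin/sh
# Added example (not from the original post): probe an FTP server's explicit TLS
# (AUTH TLS) handshake with openssl s_client and reduce the transcript to one line.

# summarize_sclient: read an s_client transcript on stdin and print one line:
#   alert <n>                             handshake aborted by a TLS alert
#   ok <protocol> <cipher> verify=<code>  handshake completed
#   fail                                  no alert and no session (refused, timeout, ...)
# The alert line is checked first: s_client prints "Verify return code: 0 (ok)"
# even when the handshake died on an alert, so that line alone proves nothing.
summarize_sclient() {
    out=$(cat)
    alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        echo "alert $alert"
        return 1
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        echo "ok $proto $cipher verify=$code"
        return 0
    fi
    echo "fail"
    return 1
}

# probe_version HOST PORT [s_client version flag], e.g. probe_version ftp.example.test 21 -tls1_2
# Run it once per version (-tls1_2, -tls1_1, -tls1) to see which versions the
# server accepts and which one triggers the illegal-parameter alert.
probe_version() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" -starttls ftp "$@" </dev/null 2>&1 | summarize_sclient
}

# Constructed transcript in the shape of the failed Cygwin run, for a stand-alone check.
SAMPLE_ALERT='CONNECTED(00000004)
34359738384:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:ssl/record/rec_layer_s3.c:1543:SSL alert number 47
---
Verify return code: 0 (ok)'
printf '%s\n' "$SAMPLE_ALERT" | summarize_sclient || true   # prints: alert 47
```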