如何使用 LFTP 连接到带有 TLS 的服务器?

如何使用 LFTP 连接到带有 TLS 的服务器?

我正在尝试使用 LFTP 连接到需要 TLS 的服务器。

我正在尝试这种方式,但是当我尝试使用任何命令、、等时,我收到错误sslv3ls警报。putpget

lftp
set ftp:ssl-force true
connect X.X.X.X
X.X.X.X: -> login myuser
Password:
[email protected]:-> pget filename
Fatal error: SSL_Connect: sslv3 alert illegal parameter

我怎样才能解决这个问题?提前致谢。

更新1

我已经尝试过open ftp://X.X.X.X如下,结果相同。我在open命令之前缺少一些其他命令?

$ lftp
lftp :~> open ftp://X.X.X.X
lftp X.X.X.X:~> login admin
Password:
lftp [email protected]:~> ls
`ls' at 0 [Connecting...]
`ls' at 0 [Delaying before reconnect: 16]

当我尝试使用带有选项的 Filezilla 时Use explicit FTP over TLS if available,或者Require explicit FTP over TLS它可以工作,并且在输入密码之前会出现此窗口,其中提到 TLS 1.2。

在此输入图像描述

最后,当连接到服务器时显示此日志。

Status: Connecting to X.X.X.X:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful

更新2

这是我尝试使用时的日志lftp -d

$ lftp -d
lftp :~> open ftp://AAA.BBB.CCC.DDD
---- Resolving host address...
---- IPv6 is not supported or configuredress...]
---- 1 address found: AAA.BBB.CCC.DDD
lftp AAA.BBB.CCC.DDD:~> login admin
Password:
lftp [email protected]:~> ls
---- Connecting to AAA.BBB.CCC.DDD (AAA.BBB.CCC.DDD) port 21
<--- 220 ftp server ready.
---> FEAT
<--- 500 Sorry, no such command.
---> AUTH TLS
<--- 234 AUTH command ok; starting SSL connection.
---> USER admin
**** SSL_connect: sslv3 alert illegal parameter
---- Closing control socket
---- Connecting to AAA.BBB.CCC.DDD (AAA.BBB.CCC.DDD) port 21
<--- 220 ftp server ready.
---> FEAT
<--- 500 Sorry, no such command.
---> USER admin
<--- 430 Require auth before enter.
---> QUIT
<--- 221 Have a nice day!
---- Closing control socket
`ls' at 0 [Delaying before reconnect: 12]

更新3

我尝试在 Windows7 上使用 Cygwin 中的 FTP 和 LFTP(在 Windows7 中我成功运行 Filezilla)。

Cygwin 模拟器:

$ uname -a
CYGWIN_NT-6.1 user 3.1.5(0.340/5/3) 2020-06-01 08:59 x86_64 Cygwin

user@user ~
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

我尝试过从 CentOS 机器使用 FTP。

CentOS:

[root@ServerAbc ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@ServerAbc ~]#
[root@ServerAbc ~]# uname -a
Linux ServerAbc 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@ServerAbc ~]# cat /etc/*-release
CentOS release 6.7 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch

我在两台机器上发送openssl或不发送时都 遇到此错误。-connect ...

user@user ~
$ openssl s_client AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
s_client: Use -help for summary.

user@user ~
$ openssl -connect s_client AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
Invalid command '-connect'; type "help" for a list.

user@user ~
$ openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md2
md4               md5               rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            rc5               rc5-cbc
rc5-cfb           rc5-ecb           rc5-ofb           seed
seed-cbc          seed-cfb          seed-ecb          seed-ofb
zlib

在 Cygwin 终端(Windows7)上,lftp 版本如下:

$ lftp -v
LFTP | Version 4.9.1 | Copyright (c) 1996-2020 Alexander V. Lukyanov
.
.
.
Libraries used: Expat 2.2.6, idn2 2.2.0, libiconv 1.14, OpenSSL 1.1.1f  31 Mar 2020, Readline 7.0, zlib 1.2.11

更新4

来自 Cygwin

User@User ~
$ openssl s_client -connect AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
CONNECTED(00000004)
34359738384:error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:ssl/record/rec_layer_s3.c:1543:SSL alert number 47
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 77 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

来自 CentOS

[root@ServerC ~]# openssl s_client -connect AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null
CONNECTED(00000003)
depth=0 C = ZZ, O = Xyz, OU = some text, ZZ = 5900283817720ZZ000123.xyz.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ZZ, O = Xyz, OU = some text, ZZ = 5900283817720ZZ000123.xyz.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = ZZ, O = Xyz, OU = some text, ZZ = 5900283817720ZZ000123.xyz.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=ZZ/O=Xyz/OU=some text/ZZ=5900283817720ZZ000123.xyz.net
i:/C=ZZ/O=Xyz/OU=some text/ZZ=Xyz Wireless Network Product CA
---
Server certificate
-----BEGIN CERTIFICATE-----
..
..
gTsopEBALpl89bP3EfsakjncRTT
..
..

-----END CERTIFICATE-----
subject=/C=ZZ/O=Xyz/OU=some text/ZZ=5900283817720ZZ000123.xyz.net
issuer=/C=ZZ/O=Xyz/OU=some text/ZZ=Xyz some text CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1739 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 76BBAC123994626C01C5B8B0B31ADF6EB9EB100C5BF110BD0C90B4C9B96DFC2
    Session-ID-ctx:
    Master-Key: XXXX....
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1592177053
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 ftp server ready.
DONE

远程服务器设置

Transport Encrypted mode = SSL Encrypted
FTPS server command port = 21
FTPS server source data port = 20
TSL/SSL = SSL 3.0
        = TSL1.0
        = TSL1.1
        = TSL1.2

更新5

$ openssl x509 -noout -text -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:00:11:22:...55:21
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ZZ, O = PPKDKD, OU = Some text, ZZ = PPKDKD Some text CA
        Validity
            Not Before: Dec  1 07:16:13 2017 GMT
            Not After : Nov 27 07:16:13 2032 GMT
        Subject: C = ZZ, O = PPKDKD, OU = Some text, ZZ = 123456789XX000216.PPKDKD.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    36:14:...:f8:d7:
                    .
                    .
                    .
                    11:22:...:78:55:
                    c4:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:00:11:....:F1

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://someurl

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://someurl/

            X509v3 Subject Alternative Name:
                DNS:123456789XX000216.PPKDKD.com
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Subject Key Identifier:
                81:23:...23:3A
    Signature Algorithm: sha256WithRSAEncryption
         4c:22:...                                      :04:57:
         .
         .
         .
         41:11:22:00

答案1

来自man

ftp:ssl 强制(boolean)
如果为 true,则当服务器不支持 SSL 时拒绝以明文形式发送密码。默认为 false。

所以这个选项不会对你有帮助。

您需要知道lftp您希望使用众多受支持的协议中的哪一个。当您使用命令连接时,open您以格式提供方案和主机<scheme>://<hostname>。例如:ftp://example.org

页面开头给出了支持的方案列表man

如果您在使用 Filezilla 时取得了成功如果可用,请使用基于 TLS 的显式 FTP选项,那么你应该使用该ftp://方案。

ftps://方案相当于Filezilla的隐式FTP这要求服务器侦听端口 990。这是一种较旧的、已弃用的使用 TLS 的方法。

答案2

**** SSL_connect: sslv3 alert illegal parameter消息看起来像是本地消息。

lftp的默认 SSL/TLS 设置可能包含对 SSLv3 的引用(希望禁用它!),但lftp编译使用的 SSL/TLS 库可能已经完全删除了 SSLv3 支持,因此它不再识别 SSLv3 关键字。

如果启动lftp并运行set -a,设置的当前值是多少set ssl:priority

如果该值包含sslv3,您可能需要更改设置以使其sslv3根本不提及。

经过进一步研究,错误消息确实来自本地 SSL/TLS 库,并且 的存在ssl_connect表明有问题的库是 OpenSSL。但谷歌搜索“openssl SSL_connect 警报非法参数”仅显示对旧 OpenSSL 错误的引用,这些错误与使用客户端不支持的密码和协议版本的服务器有关。

您的 FileZilla 测试表明服务器绝对可以执行 TLS 1.2。也许问题是您lftp编译的OpenSSL 版本太旧,无法支持 TLS 1.2?

您可以尝试openssl s_client -connect AAA.BBB.CCC.DDD:21 -starttls ftp </dev/null查看该系统上的 OpenSSL 是否可以成功与 FTP 服务器协商 TLS 连接,而不受lftp.它通常会输出大量诊断信息;但如果在成功协商 SSL/TLS 连接之前失败,则表明系统上的 OpenSSL 版本太旧,无法成功连接到此 FTP/TLS 服务器。

您的操作系统的名称和版本是什么?

相关内容