Need help establishing a secure ftp connection from Linux to a z/OS FTPS server

I need help establishing a secure ftp connection from a Linux client to a z/OS host running an FTPS server.

I received the following information from the FTPS server administrator: the host IP address, the port, and a CA certificate file with the .der extension. The FTPS server supports TLS v1.1 and v1.2.

I am trying to use the lftp client on the Linux side. (Is this the right choice?) Having no experience with security protocols, I tried to guess from the lftp man page which parameters I could use to supply the server information I have.

With lftp's maximum debug level of 9, I get the following:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp [email protected]:~> set ssl:ca-file "/home/leonid/CERT/carootcert.der"
lftp [email protected]:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
gnutls_x509_crt_list_import: No certificate was found.
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp [email protected]:~> quit

Any advice on what went wrong in the attempt above and how to resolve this connection problem would be greatly appreciated.


Meanwhile, I read more about certificates and realized that I may not have handled the .der certificate I received from the administrator correctly. Following instructions on how to add a CA certificate on Linux (I use Ubuntu 16.04), I performed the following steps:

  1. Convert the certificate from .der to .pem

     openssl x509 -inform der -in carootcert.der -out carootcert.pem
    
  2. Copy it to /usr/local/share/ca-certificates with the .crt extension

     sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt
    
  3. Run

     sudo update-ca-certificates
    

Now repeating my attempt:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp [email protected]:~> 
lftp [email protected]:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp [email protected]:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp [email protected]:~> quit

Now I get one error message fewer. There is no longer a message about the certificate not being found, but the unexpected TLS packet is still there...
Any suggestions on how to troubleshoot further?


Just found out that raising the debug level further gives more debug information. Hope this helps.

lftp -u us15030,******* -p 990 ftps://9.17.211.10
closed FD 5
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: 9.17.211.10
lftp [email protected]:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp [email protected]:~> ls
FileCopy(0x2197970) enters state INITIAL
FileCopy(0x2197970) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
GNUTLS: REC[0x259e240]: Allocating epoch #0
GNUTLS: REC[0x259e240]: Allocating epoch #1
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x259e240]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SERVER NAME (16 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x259e240]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x259e240]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x259e240]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x259e240]: CLIENT HELLO was queued [247 bytes]
GNUTLS: REC[0x259e240]: Preparing Packet Handshake(22) with length: 247 and min pad: 0
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x259e240]: Start of epoch cleanup
GNUTLS: REC[0x259e240]: End of epoch cleanup
GNUTLS: REC[0x259e240]: Epoch #0 freed
GNUTLS: REC[0x259e240]: Epoch #1 freed
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
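The GnuTLS record-layer lines in the debug output above carry enough information to see what the server actually sent back. GnuTLS logs a rejected record as `SSL <major>.<minor> <type-name> ... length: <n>` and then `Received record packet of unknown type <t>`, where `t`, `major`, `minor` and the 16-bit `length` are the five bytes of the TLS record header it tried to parse. The following script is an added diagnostic (not part of the original post, and not an lftp or GnuTLS tool); it rebuilds those five bytes from a log snippet constructed from the lines above and checks whether they look like a TLS record or like the start of a plaintext FTP reply.

```python
import re

# Constructed sample: the relevant GnuTLS lines copied from the lftp debug session above.
SAMPLE_LOG = """\
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
"""

# TLS record content types a client expects from a TLS server (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

HEADER_RE = re.compile(r"SSL (\d+)\.(\d+) Unknown Packet packet received\. Epoch \d+, length: (\d+)")
TYPE_RE = re.compile(r"Received record packet of unknown type (\d+)")


def recover_record_header(log):
    """Rebuild the 5-byte TLS record header GnuTLS rejected, or None if the log has no such record."""
    h = HEADER_RE.search(log)
    t = TYPE_RE.search(log)
    if not h or not t:
        return None
    content_type = int(t.group(1))
    major, minor, length = (int(x) for x in h.groups())
    # Record header layout: type (1) | version major (1) | version minor (1) | length (2, big-endian).
    return bytes([content_type, major, minor]) + length.to_bytes(2, "big")


def classify(header):
    """Describe the header: a genuine TLS record, a plaintext FTP reply, or something else."""
    if header is None:
        return "no rejected record in log"
    if header[0] in TLS_CONTENT_TYPES:
        return f"TLS {TLS_CONTENT_TYPES[header[0]]} record"
    text = header.decode("ascii", errors="replace")
    # An FTP reply starts with a three-digit code such as '220' followed by ' ' or '-'.
    if re.fullmatch(r"[1-5]\d\d[ -].", text):
        return f"plaintext FTP reply {text[:3]!r} (server did not start TLS): {text!r}"
    return f"non-TLS bytes: {header.hex()}"


def diagnose(log):
    """One-line verdict for a GnuTLS debug log."""
    return classify(recover_record_header(log))


if __name__ == "__main__":
    print(recover_record_header(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG))
```

For the snippet above the recovered bytes are `b"220-F"`: type 50 is ASCII `2`, version 50.48 is `20`, and length 11590 is `-F`. In other words, the server on port 990 answered the TLS ClientHello with a plaintext FTP greeting, which is what a client sees when it assumes implicit TLS on a port that is actually serving explicit (AUTH TLS) FTP.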

Answer 1

I found the answer. The FTPS server administrator gave me some additional information: the server is configured for explicit AT-TLS.

So the following commands did the job for me:

lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com

set ftp:ssl-force true

set ftp:ssl-protect-data true

set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"

get /tmp/ttt.txt.gz

FYI: I noticed one strange thing. If I use the numeric IP address instead of the symbolic one, the script above does not work.

lftp -u us15030,******** ftp://9.17.211.10

Certificate verification fails:

Fatal error: Certificate verification: certificate common name doesn't match requested host name '9.17.211.10'
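The same explicit-FTPS session (plain connection on port 21, `AUTH TLS`, then `PROT P` for the data channel, with the server chain verified against a CA bundle and the certificate name checked against the host), written against Python's standard `ftplib`. This is an added example for readers who want the answer's lftp settings in code; it is not part of the original post. `HOST`, `CA_FILE` and the credentials are placeholders to be replaced. It also shows why the numeric-IP attempt fails: hostname verification compares the name the client connected to with the certificate, and an IP literal only matches a certificate that carries that IP, not a DNS name.

```python
import ipaddress
import ssl
from ftplib import FTP_TLS

# Assumed placeholders (not values from the original post): replace before use.
HOST = "ftps.example.invalid"
CA_FILE = "/etc/ssl/certs/ca-certificates.crt"  # the bundle update-ca-certificates writes on Ubuntu


def make_ssl_context(ca_file=None):
    """Client context equivalent to lftp's ssl:ca-file with verification left on.

    create_default_context() enables CERT_REQUIRED and check_hostname; a None
    ca_file falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # The server offers TLS 1.1 and 1.2; 1.1 is deprecated, so accept only 1.2 and newer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx):
    """True when the context will reject an unverifiable chain or a name mismatch."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def minimum_tls_version_name(ctx):
    return ctx.minimum_version.name


def host_is_dns_name(host):
    """False for an IP literal: the client then matches the IP, not a DNS name, against the
    certificate, which is the 'common name doesn't match requested host name' failure above."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def fetch_explicit_ftps(host, user, password, remote_path, local_path, ca_file=CA_FILE, port=21):
    """Explicit FTPS download: connect in the clear, upgrade with AUTH TLS, protect data with PROT P."""
    if not host_is_dns_name(host):
        raise ValueError(f"connect by DNS name, not IP literal {host!r}, so the certificate name can match")
    ctx = make_ssl_context(ca_file)
    with FTP_TLS(context=ctx) as ftp:
        ftp.connect(host, port)
        ftp.login(user, password)  # FTP_TLS.login sends AUTH TLS before USER/PASS (ftp:ssl-force)
        ftp.prot_p()               # encrypt data connections as well (ftp:ssl-protect-data)
        with open(local_path, "wb") as out:
            ftp.retrbinary(f"RETR {remote_path}", out.write)


if __name__ == "__main__":
    # Network call; only runs when the placeholders above point at a real server.
    fetch_explicit_ftps(HOST, "user", "password", "/tmp/ttt.txt.gz", "ttt.txt.gz")
```

Port 990 is not used here at all: on that port a client would wrap the socket in TLS before sending anything, which is the implicit mode the server in the question does not speak.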
