lftp 4.8.4 refuses to communicate over TLS 1.2 with a z/OS FTPS host

Any suggestions for the following problem are welcome:

When I select the TLS 1.2 protocol, I run into a problem connecting to the z/OS FTPS server:

leonidt@zdsdeveng03:/gsa/pokgsa/home/l/e/leonidt/20190114_Switch2lftp> ~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp [email protected]:~> set ftp:ssl-allow true
lftp [email protected]:~> set ftp:ssl-force true
lftp [email protected]:~> set ftp:ssl-protect-data true
lftp [email protected]:~> set ftp:ssl-protect-list true
lftp [email protected]:~> set ssl:priority NORMAL:+VERS-TLS1.2
lftp [email protected]:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp [email protected]:~> ls
**ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received.**
lftp [email protected]:~> quit

Although it works fine with TLS 1.1:

leonidt@zdsdeveng03:/gsa/pokgsa/home/l/e/leonidt/20190114_Switch2lftp> ~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp [email protected]:~> set ftp:ssl-allow true
lftp [email protected]:~> set ftp:ssl-force true
lftp [email protected]:~> set ftp:ssl-protect-data true
lftp [email protected]:~> set ftp:ssl-protect-list true
lftp [email protected]:~> set ssl:priority NORMAL:+VERS-TLS1.1
lftp [email protected]:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp [email protected]:~> ls
Volume Unit    Referred Ext Used Recfm Lrecl BlkSz Dsorg Dsname
Migrated                                                BMSB.SPFTEMP0.CNTL
Migrated                                                BMSB.SPFTEMP1.CNTL
PRR3Q4 3390   2019/01/17  1    1  FB      80  8000  PO  CISF.JCL
PRR3P4 3390   2019/01/17  1    2  FB      80  8000  PO  CISF.PROC
PRR612 3390   2019/01/22  122500  VB    1000 10000  PS  CISF.TEST.CSV
PRR3S0 3390   2019/01/22  1    2  FB      80  8000  PO  CISF.UTIL
Migrated                                                CSSLIB

I am using lftp version 4.8.4 from a SuSE Linux host:

uname -a
Linux zdsdeveng03 3.0.101-108.84-default #1 SMP Fri Nov 30 15:57:27 UTC 2018 (7a72692) s390x s390x s390x GNU/Linux

It does not look like a problem on the FTPS host side, since curl handles it fine with TLS 1.2:

curl --ftp-ssl --tlsv1.2 --cacert /etc/ssl/private/vsftpd.pem --use-ascii -v -T unzip1.jcl ftp://us15030:********@bldbmsa.boulder.ibm.com//tmp/                     
* Hostname was NOT found in DNS cache
*   Trying 9.17.211.10...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to bldbmsa.boulder.ibm.com (9.17.211.10) port 21 (#0)
< 220-FTPDA1 IBM FTP CS V2R2 at BLDBMSA.BOULDER.IBM.COM, 15:02:51 on 2019-01-23.
< 220 Connection will close if idle for more than 5 minutes.
> AUTH SSL
< 234 Security environment established - ready for negotiation
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/private/vsftpd.pem
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* **SSL connection using TLSv1.2 / AES256-SHA256**
* Server certificate:
*      subject: C=US; ST=Boulder, CO; L=Boulder, CO; O=ibm.com; OU=IZUDFLT; CN=bldbmsa.boulder.ibm.com; UID=111618631; [email protected]
*      start date: 2017-01-27 05:00:00 GMT
*      expire date: 2020-01-27 04:59:59 GMT
*      common name: bldbmsa.boulder.ibm.com (matched)
*      issuer: C=US; O=International Business Machines Corporation; CN=IBM INTERNAL INTERMEDIATE CA
*      SSL certificate verify ok.
> USER us15030
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< 331 Send password please.
> PASS ********
< 230 US15030 is logged on.  Working directory is "US15030.".
> PBSZ 0
< 200 Protection buffer size accepted
> PROT P
< 200 Data connection protection set to private
> PWD
< 257 "'US15030.'" is working directory.
> SYST
* Entry path is ''US15030.''
< 215 MVS is the operating system of this server. FTP Server is running on z/OS.
> CWD /
* ftp_perform ends with SECONDARY: 0
< 250 HFS directory / is the current working directory
> CWD tmp
< 250 HFS directory /tmp is the current working directory
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||35858|)
* Hostname was NOT found in DNS cache
*   Trying 9.17.211.10...
* Connecting to 9.17.211.10 (9.17.211.10) port 35858
* Connected to bldbmsa.boulder.ibm.com (9.17.211.10) port 21 (#0)
> TYPE A
< 200 Representation type is Ascii NonPrint
> STOR unzip1.jcl
< 125 Storing data set /tmp/unzip1.jcl
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/private/vsftpd.pem
  CApath: /etc/ssl/certs/
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* **SSL connection using TLSv1.2 / AES256-SHA256**
* Server certificate:
*      subject: C=US; ST=Boulder, CO; L=Boulder, CO; O=ibm.com; OU=IZUDFLT; CN=bldbmsa.boulder.ibm.com; UID=111618631; [email protected]
*      start date: 2017-01-27 05:00:00 GMT
*      expire date: 2020-01-27 04:59:59 GMT
*      common name: bldbmsa.boulder.ibm.com (matched)
*      issuer: C=US; O=International Business Machines Corporation; CN=IBM INTERNAL INTERMEDIATE CA
*      SSL certificate verify ok.
} [data not shown]
* We are completely uploaded and fine
* Remembering we are in dir "/tmp/"
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
< 250 Transfer completed successfully.
101  1245    0     0  101  1264      0   3721 --:--:-- --:--:-- --:--:--  3739
* Connection #0 to host bldbmsa.boulder.ibm.com left intact
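The explicit-FTPS exchange that curl performs above (AUTH, PBSZ 0, PROT P, then a protected data transfer), written as an added Python probe that pins the client to TLS 1.2 so a handshake failure can be attributed to the client's TLS library rather than to the z/OS server. This is example code, not part of the question or of lftp; the host and credentials are placeholders, the CA bundle path is the one from the question, and ftplib sends AUTH TLS where curl sent AUTH SSL.

```python
import ssl
from ftplib import FTP_TLS

# Placeholders (constructed for this example, not values from the question).
HOST = "ftps.example.invalid"
CA_FILE = "/etc/ssl/private/vsftpd.pem"   # the CA bundle lftp and curl were given above


def make_tls12_context(cafile=None):
    """Verifying SSLContext that negotiates TLS 1.2 and nothing else.

    cafile=None falls back to the system trust store; for the IBM internal CA
    pass the same bundle the question used.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx):
    """Client settings worth confirming before blaming the server for a failed handshake."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def probe_tls12(host, user, password, cafile=None, timeout=30):
    """Explicit FTPS over TLS 1.2 only; returns (tls_version, cipher, first LIST line).

    A fatal alert like the one lftp reported surfaces here as ssl.SSLError; a clean
    return shows the server negotiates TLS 1.2 on both control and data channels.
    """
    ctx = make_tls12_context(cafile)
    with FTP_TLS(context=ctx, timeout=timeout) as ftp:
        ftp.connect(host, 21)
        ftp.auth()                    # AUTH TLS (curl sent AUTH SSL): control channel now TLS
        ftp.login(user, password)
        ftp.prot_p()                  # PBSZ 0 + PROT P, as in the curl trace
        lines = []
        # Data connection reuses the control session (curl: "SSL re-using session ID");
        # this LIST is the step at which lftp 4.8.4 failed.
        ftp.retrlines("LIST", lines.append)
        version, cipher = ftp.sock.version(), ftp.sock.cipher()[0]
    return version, cipher, lines[0] if lines else ""


if __name__ == "__main__":
    print(context_summary(make_tls12_context(CA_FILE)))
    print(probe_tls12(HOST, "user", "password", CA_FILE))
```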

Answer 1

Following Alexander Lukyanov's advice, I compiled lftp with the latest gnutls, and now it works fine with TLS 1.2 in my home folder:

leonidt> ~/local/bin/lftp -v 
LFTP | Version 4.8.4 | Copyright (c) 1996-2017 Alexander V. Lukyanov

LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LFTP.  If not, see <http://www.gnu.org/licenses/>.

Send bug reports and questions to the mailing list <[email protected]>.

**Libraries used: GnuTLS 3.6.6, Readline 5.2, zlib 1.2.7**


leonidt>~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp [email protected]:~> set ftp:ssl-allow true
lftp [email protected]:~> set ftp:ssl-force true
lftp [email protected]:~> set ftp:ssl-protect-data true
lftp [email protected]:~> set ftp:ssl-protect-list true
lftp [email protected]:~> set ssl:priority NORMAL:+VERS-TLS1.2
lftp [email protected]:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp [email protected]:~> ls
Volume Unit    Referred Ext Used Recfm Lrecl BlkSz Dsorg Dsname
Migrated                                                BMSB.SPFTEMP0.CNTL
Migrated                                                BMSB.SPFTEMP1.CNTL
PRR3Q4 3390   2019/01/17  1    1  FB      80  8000  PO  CISF.JCL
PRR3P4 3390   2019/01/17  1    2  FB      80  8000  PO  CISF.PROC
Migrated                                                CISF.TEST.CSV
