How do I get lftp to use SSL/TLS security mechanism from the command line?

深忆病人 2021-02-15 13:11

I'm trying to log into an ftps site. I've tried giving the login creds at the command line (and putting set parameters in ~/.lftprc, the

8 answers
  • 2021-02-15 13:44

    What worked for me step by step with lftp:

    1. Get the certificate of the host with openssl s_client -connect <ftp_hostname>:21 -starttls ftp; at the beginning of the result I got something like -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE-----
    2. Copy that -----BEGIN CERTIFICATE----- MIIEQzCCAyu.....XjMO -----END CERTIFICATE----- into /etc/ssl/certs/ca-certificates.crt
    3. In the lftp configuration, reference this certificate file by adding set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt" to /etc/lftp.conf (system-wide)
    4. Then do your sync or whatever with lftp; in my case it is lftp -u "${FTP_USER},${FTP_PWD}" ${FTP_HOST} -e "set net:timeout 10;mirror ${EXCLUDES} -R ${LOCAL_SOURCE_PATH} ${REMOTE_DEST_PATH} ; quit"
  • 2021-02-15 13:46

    It seems like lftp is not configured correctly on many systems, which makes it unable to verify server certificates (producing Fatal error: Certificate verification: Not trusted).

    The web (and answers in this post) is full of suggestions to fix this by disabling certificate verification or encryption altogether. This is insecure as it allows man-in-the-middle attacks to pass unnoticed.

    The better solution is to configure certificate verification correctly, which is easy, fortunately. To do so, add the following line to /etc/lftp.conf (or alternatively ~/.lftp/rc, or ~/.config/lftp/rc):

    set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
    

    ca-certificates.crt is a file that contains all CA certificates of the system. The location used above is the one from Ubuntu and may vary on different systems. To generate or update the file, run update-ca-certificates:

    sudo update-ca-certificates
    

    If your system does not have this command, you can create one manually like this:

    cat /etc/ssl/certs/*.pem | sudo tee /etc/ssl/certs/ca-certificates.crt > /dev/null
    
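Added example, not part of any answer on this page: a POSIX shell check that scans lftp rc files for the settings discussed in this thread that switch off certificate verification or TLS, and for an ssl:ca-file that points at an unreadable bundle. The function names, the host ftp.example.test and the sample file are constructed for illustration, and the check assumes one set command per line.

```shell
#!/bin/sh
# Added example: audit lftp rc files for settings that weaken TLS.
# Assumes one "set" command per line; function names are this example's own.

# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_lftp_rc() {
  awk '
    function falsy(v) { return tolower(v) ~ /^(no|false|off|0)$/ }
    $1 == "set" && NF >= 3 {
      name = $2; sub(/\/.*/, "", name)     # drop a /host closure
      val = $3; gsub(/[";]/, "", val)      # drop quotes and a trailing ;
      where = FILENAME ":" FNR ": " $2
      if (name == "ssl:verify-certificate" && falsy(val)) {
        print where " disables certificate verification"; bad++
      } else if (name == "ssl:check-hostname" && falsy(val)) {
        print where " disables hostname checking"; bad++
      } else if (name == "ftp:ssl-allow" && falsy(val)) {
        print where " disables TLS negotiation for FTP"; bad++
      } else if (name == "ssl:ca-file") {
        if ((getline probe < val) < 0) {
          print where " points to an unreadable file: " val; bad++
        } else close(val)
      }
    }
    END { exit (bad > 0) }
  ' "$@"
}

# Constructed sample rc (hypothetical host); echoes the temp file path.
make_sample_rc() {
  _f=$(mktemp)
  cat > "$_f" <<'EOF'
set ftp:ssl-allow true
set ftp:ssl-allow/ftp.example.test no
set ssl:verify-certificate no
set ssl:ca-file "/nonexistent/constructed/ca.crt"
set net:timeout 10
EOF
  echo "$_f"
}

sample=$(make_sample_rc)
audit_lftp_rc "$sample" || true   # three findings: lines 2, 3 and 4
rm -f "$sample"
```

Pass it only rc files that exist on the system, for example /etc/lftp.conf and ~/.lftp/rc; a non-zero return means at least one line was flagged.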
  • 2021-02-15 13:52

    You might also need to

    set ssl:verify-certificate no
    
  • 2021-02-15 13:52

    This worked for me for an FTPS server connection (with port 990, but not necessary to specify) using lftp.

    code: lftp ftps://USER:PASSWORD@server.com -c "set ssl:verify-certificate false;"

    then: do stuff

    more info at: how-to-avoid-lftp-certificate-verification-error

  • 2021-02-15 13:54

    lftp :~> set ssl-allow false

    You've explicitly set ssl-allow to false. But this must be true if lftp should attempt to use SSL.

  • 2021-02-15 13:59

    Setting ftp:ssl-allow true didn't work for me.

    By typing set:

    lftp :~> set
    

    I noticed this:

    set ftp:ssl-allow true
    set ftp:ssl-allow/XXX.XXX.XXX.XXX no
    

    with XXX.XXX.XXX.XXX being the server I was logging into.

    So the final set of commands I needed was:

    lftp :~> set ftp:ssl-allow true
    lftp :~> set ftp:ssl-allow/XXX.XXX.XXX.XXX true
    lftp :~> set ssl:verify-certificate no
    