Нужна помощь в установлении безопасного ftp-соединения от linux к FTPS-серверу z / OS

Мне нужна помощь в установке безопасного ftp-соединения от клиента linux к хосту z / OS, на котором запущен FTPS-сервер.

От администратора сервера FTPS я получил следующую информацию: IP-адрес хоста, порт, файл сертификата CA с расширением .der. Сервер FTPS поддерживает TLS v1.1 и v1.2

Я пытаюсь использовать клиент lftp на стороне Linux. (Это правильный выбор?). Не имея опыта работы с безопасными протоколами, я пытаюсь угадать на страницах руководства lftp, какие параметры я могу использовать для предоставления информации о сервере, которая у меня есть.

С максимальным уровнем отладки 9 для lftp я получаю следующее:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/home/leonid/CERT/carootcert.der"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
gnutls_x509_crt_list_import: No certificate was found.
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit

Благодарим вас за любой совет о том, что не так в приведенной выше попытке и как устранить эту проблему с подключением.

Тем временем я прочитал больше о сертификатах и ​​понял, что, вероятно, лечил .der сертификат, который я получил от админа, неверно. Следуя инструкциям о том, как добавить сертификат CA в Linux (я использую Ubuntu 16.04), делали следующие шаги:

1. Преобразованный .der свидетельство .pem

    openssl x509 -inform der -in carootcert.der -out carootcert.pem
   

2. Скопировал на /usr/local/share/ca-certificates под crt расширение

    sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt
   

3. Бегать

    sudo update-ca-certificates
   

Теперь повторил мою попытку:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> 
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-
certificates.crt"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit

Теперь у меня на одно сообщение об ошибке меньше. Нет сообщения о том, что сертификат не найден, но есть неожиданный пакет TLS ...
Есть какие-нибудь советы по дальнейшему устранению неполадок?

Только что выяснил, что можно получить больше отладочной информации, повышая уровень отладки. Надеюсь, поможет.

lftp -u us15030,******* -p 990 ftps://9.17.211.10
closed FD 5
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
FileCopy(0x2197970) enters state INITIAL
FileCopy(0x2197970) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
GNUTLS: REC[0x259e240]: Allocating epoch #0
GNUTLS: REC[0x259e240]: Allocating epoch #1
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x259e240]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SERVER NAME (16 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x259e240]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x259e240]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x259e240]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x259e240]: CLIENT HELLO was queued [247 bytes]
GNUTLS: REC[0x259e240]: Preparing Packet Handshake(22) with length: 247 and min pad: 0
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x259e240]: Start of epoch cleanup
GNUTLS: REC[0x259e240]: End of epoch cleanup
GNUTLS: REC[0x259e240]: Epoch #0 freed
GNUTLS: REC[0x259e240]: Epoch #1 freed
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.