Оцените любой совет по проблеме ниже:
У меня проблема с подключением к FTPS-серверу z / OS при выборе протокола TLS1.2:
leonidt@zdsdeveng03:/gsa/pokgsa/home/l/e/leonidt/20190114_Switch2lftp> ~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-allow true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-force true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-data true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-list true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:priority NORMAL:+VERS-TLS1.2
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp us15030@bldbmsa.boulder.ibm.com:~> ls
**ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received.**
lftp us15030@bldbmsa.boulder.ibm.com:~> quit
Пока нормально работает с TLS 1.1
leonidt@zdsdeveng03:/gsa/pokgsa/home/l/e/leonidt/20190114_Switch2lftp> ~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-allow true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-force true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-data true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-list true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:priority NORMAL:+VERS-TLS1.1
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp us15030@bldbmsa.boulder.ibm.com:~> ls
Volume Unit Referred Ext Used Recfm Lrecl BlkSz Dsorg Dsname
Migrated BMSB.SPFTEMP0.CNTL
Migrated BMSB.SPFTEMP1.CNTL
PRR3Q4 3390 2019/01/17 1 1 FB 80 8000 PO CISF.JCL
PRR3P4 3390 2019/01/17 1 2 FB 80 8000 PO CISF.PROC
PRR612 3390 2019/01/22 122500 VB 1000 10000 PS CISF.TEST.CSV
PRR3S0 3390 2019/01/22 1 2 FB 80 8000 PO CISF.UTIL
Migrated CSSLIB
Я использую lftp версии 4.8.4 с хоста SuSe linux:
uname -a
Linux zdsdeveng03 3.0.101-108.84-default #1 SMP Fri Nov 30 15:57:27 UTC 2018 (7a72692) s390x s390x s390x GNU/Linux
Это не похоже на проблему со стороны хоста FTPS, потому что curl отлично работает с TLS 1.2:
curl --ftp-ssl --tlsv1.2 --cacert /etc/ssl/private/vsftpd.pem --use-ascii -v -T unzip1.jcl ftp://us15030:********@bldbmsa.boulder.ibm.com//tmp/
* Hostname was NOT found in DNS cache
* Trying 9.17.211.10...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to bldbmsa.boulder.ibm.com (9.17.211.10) port 21 (#0)
< 220-FTPDA1 IBM FTP CS V2R2 at BLDBMSA.BOULDER.IBM.COM, 15:02:51 on 2019-01-23.
< 220 Connection will close if idle for more than 5 minutes.
> AUTH SSL
< 234 Security environment established - ready for negotiation
* successfully set certificate verify locations:
* CAfile: /etc/ssl/private/vsftpd.pem
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
*** SSL connection using TLSv1.2 / AES256-SHA256**
* Server certificate:
* subject: C=US; ST=Boulder, CO; L=Boulder, CO; O=ibm.com; OU=IZUDFLT; CN=bldbmsa.boulder.ibm.com; UID=111618631; mail=marpas@br.ibm.com
* start date: 2017-01-27 05:00:00 GMT
* expire date: 2020-01-27 04:59:59 GMT
* common name: bldbmsa.boulder.ibm.com (matched)
* issuer: C=US; O=International Business Machines Corporation; CN=IBM INTERNAL INTERMEDIATE CA
* SSL certificate verify ok.
> USER us15030
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< 331 Send password please.
> PASS ********
< 230 US15030 is logged on. Working directory is "US15030.".
> PBSZ 0
< 200 Protection buffer size accepted
> PROT P
< 200 Data connection protection set to private
> PWD
< 257 "'US15030.'" is working directory.
> SYST
* Entry path is ''US15030.''
< 215 MVS is the operating system of this server. FTP Server is running on z/OS.
> CWD /
* ftp_perform ends with SECONDARY: 0
< 250 HFS directory / is the current working directory
> CWD tmp
< 250 HFS directory /tmp is the current working directory
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||35858|)
* Hostname was NOT found in DNS cache
* Trying 9.17.211.10...
* Connecting to 9.17.211.10 (9.17.211.10) port 35858
* Connected to bldbmsa.boulder.ibm.com (9.17.211.10) port 21 (#0)
> TYPE A
< 200 Representation type is Ascii NonPrint
> STOR unzip1.jcl
< 125 Storing data set /tmp/unzip1.jcl
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /etc/ssl/private/vsftpd.pem
CApath: /etc/ssl/certs/
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
*** SSL connection using TLSv1.2 / AES256-SHA256**
* Server certificate:
* subject: C=US; ST=Boulder, CO; L=Boulder, CO; O=ibm.com; OU=IZUDFLT; CN=bldbmsa.boulder.ibm.com; UID=111618631; mail=marpas@br.ibm.com
* start date: 2017-01-27 05:00:00 GMT
* expire date: 2020-01-27 04:59:59 GMT
* common name: bldbmsa.boulder.ibm.com (matched)
* issuer: C=US; O=International Business Machines Corporation; CN=IBM INTERNAL INTERMEDIATE CA
* SSL certificate verify ok.
} [data not shown]
* We are completely uploaded and fine
* Remembering we are in dir "/tmp/"
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
< 250 Transfer completed successfully.
101 1245 0 0 101 1264 0 3721 --:--:-- --:--:-- --:--:-- 3739
* Connection #0 to host bldbmsa.boulder.ibm.com left intact
Следуя совету Александра Лукьянова, я скомпилировал lftp с последней версией gnutls, и теперь он отлично работает с TLS 1.2 в моей домашней папке:
leonidt> ~/local/bin/lftp -v
LFTP | Version 4.8.4 | Copyright (c) 1996-2017 Alexander V. Lukyanov
LFTP is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with LFTP. If not, see <http://www.gnu.org/licenses/>.
Send bug reports and questions to the mailing list <lftp@uniyar.ac.ru>.
**Libraries used: GnuTLS 3.6.6, Readline 5.2, zlib 1.2.7**
leonidt>~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-allow true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-force true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-data true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-list true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:priority NORMAL:+VERS-TLS1.2
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp us15030@bldbmsa.boulder.ibm.com:~> ls
Volume Unit Referred Ext Used Recfm Lrecl BlkSz Dsorg Dsname
Migrated BMSB.SPFTEMP0.CNTL
Migrated BMSB.SPFTEMP1.CNTL
PRR3Q4 3390 2019/01/17 1 1 FB 80 8000 PO CISF.JCL
PRR3P4 3390 2019/01/17 1 2 FB 80 8000 PO CISF.PROC
Migrated CISF.TEST.CSV