Linux

Need help establishing a secure FTP connection from Linux to a z/OS FTPS server

  • June 11, 2020

I need help establishing a secure FTP connection from a Linux client to a z/OS host running an FTPS server.

From the FTPS server administrator I received the following information: the host IP address, the port, and a CA certificate file with a .der extension. The FTPS server supports TLS v1.1 and v1.2.

I am trying to use the lftp client on the Linux side. (Is this a correct choice?) Having no experience with security protocols, I tried to guess from the lftp man page which parameters I could use to supply the server information I have.
</gre_replace>
<gr_replace lines="13" cat="clarify" orig="lftp 的最大">
With lftp's maximum debug level of 9, I get the following:

lftp 的最大調試級別為 9,我得到以下資訊:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/home/leonid/CERT/carootcert.der"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
gnutls_x509_crt_list_import: No certificate was found.
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit

Any advice on what is wrong in the attempt above and on how to resolve this connection problem would be appreciated.


Meanwhile, I read more about certificates and realized that I may have handled the .der certificate I got from the administrator incorrectly. Following instructions on how to add a CA certificate on Linux (I use Ubuntu 16.04), I performed these steps:

  1. Convert the .der certificate to .pem
openssl x509 -inform der -in carootcert.der -out carootcert.pem
  2. Copy it into /usr/local/share/ca-certificates with a .crt extension
sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt
sudo update-ca-certificates

Now repeating my attempt:

lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> 
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit

Now I get one error message fewer. There is no message about a certificate not being found, but still the unexpected TLS packet...

Any suggestions on how to troubleshoot further?


Just found out that more debugging information can be obtained by raising the debug level further. Hopefully this helps.

lftp -u us15030,******* -p 990 ftps://9.17.211.10
closed FD 5
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
FileCopy(0x2197970) enters state INITIAL
FileCopy(0x2197970) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
GNUTLS: REC[0x259e240]: Allocating epoch #0
GNUTLS: REC[0x259e240]: Allocating epoch #1
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x259e240]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SERVER NAME (16 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x259e240]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x259e240]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x259e240]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x259e240]: CLIENT HELLO was queued [247 bytes]
GNUTLS: REC[0x259e240]: Preparing Packet Handshake(22) with length: 247 and min pad: 0
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x259e240]: Start of epoch cleanup
GNUTLS: REC[0x259e240]: End of epoch cleanup
GNUTLS: REC[0x259e240]: Epoch #0 freed
GNUTLS: REC[0x259e240]: Epoch #1 freed
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.

I found the answer. The FTPS server administrator gave me additional information: the server is configured for explicit AT-TLS.

So the following commands did the job for me:

lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
set ftp:ssl-force true
set ftp:ssl-protect-data true
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
get /tmp/ttt.txt.gz

FYI: I noticed one odd thing. If I use the numeric IP address instead of the symbolic host name, the script above does not work.

lftp -u us15030,******** ftp://9.17.211.10

Certificate verification fails:

Fatal error: Certificate verification: certificate common name doesn't match requested host name '9.17.211.10'

Quoted from: https://serverfault.com/questions/949105
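The gnutls trace in the question already shows what went wrong: lftp was told to speak TLS from the first byte (port 990, implicit FTPS), but the z/OS server, configured for explicit AT-TLS, answered with a plaintext FTP banner and waits for AUTH TLS, so gnutls saw record type 50 (ASCII '2') instead of 0x16. The following is an added example, not code from the original thread: it decodes the gnutls "unknown packet" fields back into those banner bytes and shows the explicit-FTPS client setup in Python's ftplib that corresponds to the lftp settings in the answer. The two log lines are copied from the trace above; the host, user, password and CA path arguments of explicit_ftps_session are placeholders.

```python
import re
import ssl
from ftplib import FTP_TLS

# Constructed sample: the two gnutls lines from the debug log in the question.
SAMPLE_LOG_LINES = [
    "GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. "
    "Epoch 0, length: 11590",
    "GNUTLS: Received record packet of unknown type 50",
]

def recover_record_header(lines):
    """Rebuild the 5 bytes gnutls tried to parse as a TLS record header.
    gnutls logs them in decimal: type (byte 0), 'SSL major.minor'
    (bytes 1-2) and length (bytes 3-4, big-endian)."""
    rec_type = version = length = None
    for line in lines:
        m = re.search(r"unknown type (\d+)", line)
        if m:
            rec_type = int(m.group(1))
        m = re.search(r"SSL (\d+)\.(\d+) Unknown Packet.*length: (\d+)", line)
        if m:
            version = (int(m.group(1)), int(m.group(2)))
            length = int(m.group(3))
    if None in (rec_type, version, length):
        raise ValueError("incomplete gnutls record trace")
    return bytes([rec_type, *version]) + length.to_bytes(2, "big")

def classify_server_greeting(first):
    """Decide what the server spoke first on the control connection."""
    if first[:2] == b"\x16\x03":
        return "tls-handshake"        # implicit FTPS: TLS from byte 0
    if first[:3].isdigit():
        return "plaintext-ftp-reply"  # explicit FTPS: '220 ...' banner, AUTH TLS needed
    return "unknown"

def explicit_ftps_session(host, user, password, ca_file, port=21):
    """Explicit FTPS with a verified CA and host name and a TLS-protected
    data channel; the ftplib counterpart of lftp's ftp:ssl-force and
    ftp:ssl-protect-data. Hypothetical call; opens a real connection."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True  # host must be the DNS name in the cert, not an IP
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port)
    ftp.auth()     # AUTH TLS on the plaintext control connection
    ftp.login(user, password)
    ftp.prot_p()   # PROT P: encrypt data connections too
    return ftp
```

The recovered bytes are "220-F", the start of the server's FTP greeting; that is the quickest way to tell an explicit-FTPS server apart from one that really speaks TLS on port 990.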