Need help establishing a secure FTP connection from Linux to a z/OS FTPS server
I need help establishing a secure FTP connection from a Linux client to a z/OS host running an FTPS server.
From the FTPS server administrator I received the following information: the host IP address, the port, and a CA certificate file with a .der extension. The FTPS server supports TLS v1.1 and v1.2.
On the Linux side I am trying to use the lftp client. (Is that a correct choice?) Having no experience with security protocols, I tried to guess from the lftp man page which parameters I can use to supply the server information I have.
With lftp's maximum debug level of 9 I get the following:
```text
lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/home/leonid/CERT/carootcert.der"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
gnutls_x509_crt_list_import: No certificate was found.
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit
```
Any advice on what is wrong with the attempt above and how to solve this connection problem would be appreciated.
Meanwhile, I read more about certificates and realised that I may have handled the .der certificate I got from the administrator incorrectly. Following instructions on how to add a CA certificate on Linux (I use Ubuntu 16.04), I did the following:
- Convert the .der certificate to .pem:
  `openssl x509 -inform der -in carootcert.der -out carootcert.pem`
- Copy it into /usr/local/share/ca-certificates under a name with the .crt extension:
  `sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt`
- Run:
  `sudo update-ca-certificates`
Now repeating my attempt:
```text
lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit
```
Now I have one error message less. There is no longer a message about a certificate not being found, but the unexpected TLS packet is still there...
Any suggestions on how to troubleshoot this further?
Just found that more debug information can be obtained by raising the debug level further. Hope this helps.
```text
lftp -u us15030,******* -p 990 ftps://9.17.211.10
closed FD 5
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
FileCopy(0x2197970) enters state INITIAL
FileCopy(0x2197970) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
GNUTLS: REC[0x259e240]: Allocating epoch #0
GNUTLS: REC[0x259e240]: Allocating epoch #1
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x259e240]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SERVER NAME (16 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x259e240]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x259e240]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x259e240]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x259e240]: CLIENT HELLO was queued [247 bytes]
GNUTLS: REC[0x259e240]: Preparing Packet Handshake(22) with length: 247 and min pad: 0
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x259e240]: Start of epoch cleanup
GNUTLS: REC[0x259e240]: End of epoch cleanup
GNUTLS: REC[0x259e240]: Epoch #0 freed
GNUTLS: REC[0x259e240]: Epoch #1 freed
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
```
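The trace above ends with "Received record packet of unknown type 50" right after the ClientHello goes out. The script below is an added example (not part of the original question) that shows what that line means: it classifies the first bytes a server sends as either a TLS record (implicit FTPS, TLS from the first byte) or a plaintext FTP greeting (plain FTP or explicit FTPS, which upgrades with AUTH TLS only after the greeting), and it rebuilds the bytes behind the GnuTLS "Unknown Packet" line from the numbers the trace prints. The sample greetings are constructed; `probe()` is a live helper that needs network access.

```python
"""Why GnuTLS reports an "unexpected TLS packet" on port 990.

Added example, not code from the original question. Implicit FTPS speaks
TLS from the first byte; explicit FTPS (and plain FTP) starts with a
plaintext "220" greeting and only upgrades after AUTH TLS. A client that
expects TLS on a port where the server sends a greeting parses the ASCII
digits of that greeting as a TLS record header. The sample greetings used
here are constructed; probe() is a live helper that needs network access.
"""
import socket
from typing import Tuple

TLS_HANDSHAKE = 0x16  # content type of a TLS handshake record (ServerHello)
TLS_ALERT = 0x15      # content type of a TLS alert record


def classify_greeting(first_bytes: bytes) -> Tuple[str, str]:
    """Classify the first bytes a server sends right after connect."""
    if not first_bytes:
        return ("empty", "server closed without sending anything")
    kind = first_bytes[0]
    if kind in (TLS_HANDSHAKE, TLS_ALERT) and len(first_bytes) >= 3:
        major, minor = first_bytes[1], first_bytes[2]
        return ("tls", f"TLS record type {kind}, version {major}.{minor}: "
                       "server speaks TLS from the first byte (implicit FTPS)")
    try:
        text = first_bytes.decode("ascii")
    except UnicodeDecodeError:
        return ("unknown", f"first byte {kind} is neither TLS nor ASCII")
    if len(text) >= 3 and text[:3].isdigit():
        return ("ftp-banner", f"plaintext FTP reply {text[:3]}: plain FTP or "
                              "explicit FTPS, upgrade with AUTH TLS after the greeting")
    return ("unknown", f"first byte {kind}, starts {text[:16]!r}")


def reconstruct_prefix(record_type: int, major: int, minor: int, length: int) -> str:
    """Rebuild the five bytes behind a GnuTLS "Unknown Packet" trace line.

    GnuTLS prints byte 0 as the record type, bytes 1-2 as "major.minor" and
    bytes 3-4 as the big-endian record length. The trace in the question
    reports type 50, version 50.48 and length 11590, i.e. the bytes
    0x32 0x32 0x30 0x2D 0x46 = "220-F": the start of a multi-line FTP banner.
    """
    raw = bytes([record_type, major, minor]) + length.to_bytes(2, "big")
    return raw.decode("ascii", errors="replace")


def probe(host: str, port: int, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect, read the first bytes without sending anything, classify them.

    Live helper (needs network). Nothing is written to the socket, so a TLS
    server that waits for a ClientHello will just time out: treat a timeout
    on port 990 as "probably implicit FTPS" and confirm with a real client.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(64)
        except socket.timeout:
            return ("silent", "no greeting within timeout; server likely waits for ClientHello")
    return classify_greeting(data)


if __name__ == "__main__":
    print(reconstruct_prefix(50, 50, 48, 11590))
    # constructed greeting in the style of a z/OS FTP banner
    print(classify_greeting(b"220-FTPD1 IBM FTP CS V2R2 ready\r\n"))
```

The reconstruction is the quickest way to read such a trace: if the "type", "version" and "length" numbers decode to printable ASCII, the server is talking plaintext on that port and the fix is a protocol choice (explicit FTPS on the FTP port) rather than anything to do with the CA file.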
I found the answer. The FTPS server administrator gave me additional information: the server is configured for explicit AT-TLS.
So the following commands did the job for me:
```text
lftp -u us15030,******** <ftp://bldbmsa.boulder.ibm.com>
set ftp:ssl-force true
set ftp:ssl-protect-data true
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
get /tmp/ttt.txt.gz
```
FYI: I noticed one odd thing. If I use the numeric IP address instead of the symbolic one, the script above does not work.
```text
lftp -u us15030,******** <ftp://9.17.211.10>
```
The certificate verification fails:
```text
Fatal error: Certificate verification: certificate common name doesn't match requested host name '9.17.211.10'
```
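The lftp settings in the answer map onto a few concrete TLS decisions: force TLS on the control connection before any credentials are sent (ftp:ssl-force), protect the data connection too (ftp:ssl-protect-data), verify the server's chain against a CA bundle (ssl:ca-file), and connect by the name the certificate was issued for rather than the IP. The script below is an added example, not the author's or lftp's code, that does the same with Python's `ftplib.FTP_TLS`. Host, user, password and file names are placeholders; the CA bundle path is the one used in the answer; `fetch_file()` needs a reachable server, while `build_context()` and `name_check_note()` run offline.

```python
"""Explicit FTPS (plaintext greeting, then AUTH TLS) with chain and
hostname verification, mirroring the lftp settings in the answer.

Added example, not from the original answer. Host, user, password and
paths are placeholders; the CA bundle path is the one the answer uses.
"""
import ipaddress
import ssl
from ftplib import FTP_TLS
from typing import Optional


def build_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires a trusted chain and a matching name.

    cafile=None uses the system trust store (what update-ca-certificates
    populates on Ubuntu); pass a bundle path to pin verification to that
    file, as ssl:ca-file does in lftp.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                      # reject CN/SAN mismatch
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject untrusted chains
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # server offers 1.1 and 1.2; take 1.2
    return ctx


def name_check_note(target: str) -> str:
    """Explain up front why connecting to an IP literal may fail verification.

    Hostname matching compares the name you connected to with the
    certificate's SAN entries (or the legacy CN). A certificate issued for
    bldbmsa.boulder.ibm.com carries no iPAddress SAN for 9.17.211.10, which
    is exactly the "common name doesn't match requested host name" error in
    the answer. Connecting by DNS name fixes it without weakening checks.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return f"{target}: DNS name, matched against dNSName SAN / CN"
    return (f"{target}: IP literal, only matches an iPAddress SAN; "
            "use the DNS name from the certificate instead of disabling verification")


def fetch_file(host: str, user: str, password: str, remote_path: str,
               local_path: str, cafile: Optional[str] = None) -> int:
    """Download remote_path over explicit FTPS; returns the bytes written."""
    ctx = build_context(cafile)
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21)        # plaintext "220" greeting first ...
    ftps.auth()                   # ... then AUTH TLS (lftp: ftp:ssl-force true)
    ftps.login(user, password)    # credentials only travel after the handshake
    ftps.prot_p()                 # encrypt the data channel (ftp:ssl-protect-data true)
    written = 0
    with open(local_path, "wb") as fh:
        def sink(chunk: bytes) -> None:
            nonlocal written
            written += len(chunk)
            fh.write(chunk)
        ftps.retrbinary(f"RETR {remote_path}", sink)
    ftps.quit()
    return written


if __name__ == "__main__":
    print(name_check_note("9.17.211.10"))
    print(name_check_note("bldbmsa.boulder.ibm.com"))
    # Placeholder credentials; uncomment against a reachable server:
    # fetch_file("bldbmsa.boulder.ibm.com", "USER", "PASSWORD", "/tmp/ttt.txt.gz",
    #            "ttt.txt.gz", cafile="/etc/ssl/certs/ca-certificates.crt")
```

Two design choices worth noting: the context pins TLS 1.2 as the floor because the server advertises 1.1 and 1.2 and there is no reason to accept the older one, and the IP-versus-hostname failure is handled by connecting to the name on the certificate, never by turning `check_hostname` off, since that would also accept a certificate from any other host the CA has signed.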