SSL – Debugging curl FTPS connection, using Client Authentication certificates (OpenSSL)

curl, ftp, ftps, openssl, ssl

(Moved from StackOverflow) I've been asked to set up an FTPS connection, using a Client Authentication certificate. I'm the client, connecting to the server. I'm on a Windows 7 workstation, behind a firewall, although this connection will eventually be used on a dedicated CentOS VM. Some other info:

  • TLS 1.2 only
  • Passive mode only
  • My WAN IP is whitelisted
  • I'm connecting to a test URL, for now
  • There is no outbound firewall (only inbound rules)
  • Key should be sent in PEM format

I bought the certificate from Comodo, and generated the certificate with IE10. I exported the complete certificate from IE, with private key and extended properties, in the .pfx format.

I wrote a little batch file to extract the necessary parts from the .pfx, using OpenSSL:

::Extract the (passphrase-protected) private key from the PFX
openssl pkcs12 -in comodo.pfx -nocerts -out encrypted.key
::Extract unencrypted private key (curl's --key needs this, or --pass with the passphrase)
openssl rsa -in encrypted.key -out decrypted.key
::Extract the public cert in Base64 from the PFX (only the leaf certificate)
openssl pkcs12 -in comodo.pfx -clcerts -nokeys | openssl x509 -out comodo.cer
::Extract the chain bundle from the PFX
::Written with -out directly: piping through "openssl x509" keeps only the first certificate of the chain
openssl pkcs12 -in comodo.pfx -nokeys -cacerts -out comodo.crt

Using the extracted key parts, I have been trying various curl (v7.46.0) commands to connect to the FTPS server. The connection keeps failing. My latest attempt is below. The error is almost always the same.

:: -3 (force SSLv3) dropped from this line: it contradicts --tlsv1.2 and the TLS 1.2-only requirement
curl -k -v --ftp-ssl --tlsv1.2 --ftp-ssl-reqd --ftp-pasv --key decrypted.key --cacert comodo.crt --cert comodo.cer --user REMOVED:REMOVED ftp://ftps.REMOVED/

An example of the output is:

> curl -3 -v -k --user REMOVED:REMOVED --ftp-ssl --tlsv1.2 --ftp-ssl-reqd --ftp-skip-pasv-ip --cert comodo.cer --key priv.pem ftp://ftps.REMOVED/
*   Trying REMOVED_IP.
* Connected to ftps.REMOVED (REMOVED_IP) port 21 (#0)
< 220 Service ready for new user.
> AUTH SSL
< 234 Command AUTH okay; starting SSL connection.
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to ftps.REMOVED:21
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to ftps.REMOVED:21
>pause
Press any key to continue . . .

Strangely, if I connect with FileZilla, I seem to get past the TLS handshake, but then I get different errors when I try to upload a file. As this connection will ultimately be made with curl, I've concentrated on this approach.

I've been trying this for over a week. The server admin has bought a certificate from my provider, and can connect without issue. I'm stumped on this one. Any help would be greatly appreciated. General curl / ftps debugging tips would also be appreciated.
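As an added example (not from the original post or its answer): a POSIX shell script that extracts the key, leaf certificate and CA chain from a PKCS#12 file, checks the results for the usual mistakes (an encrypted key handed to --key, an empty leaf file, a chain truncated to nothing) and then runs curl with server verification left on instead of -k. It assumes the openssl and curl CLIs; the file names, the hypothetical helper names and the sample PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: split a PKCS#12 file into the parts
# curl needs, sanity-check them, then connect. Assumes the openssl and curl CLIs;
# client.pfx, client.key, client.cer, chain.crt, server-ca.pem are placeholders.
# Writing the CA certs with -out keeps the whole chain; piping them through
# `openssl x509` (as in the question) would keep only the first certificate.
extract_pfx() {  # pfx-file
  openssl pkcs12 -in "$1" -nocerts -nodes -out client.key   # unencrypted PEM key
  openssl pkcs12 -in "$1" -clcerts -nokeys -out client.cer  # leaf certificate only
  openssl pkcs12 -in "$1" -cacerts -nokeys -out chain.crt   # every CA certificate
}
# Classify a PEM file by its headers: encrypted-key, key, cert or none.
# curl needs --pass for an encrypted key, so --key should get a plain "key".
pem_kind() {  # file
  if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-key
  elif grep -q 'BEGIN .*PRIVATE KEY' "$1"; then echo key
  elif grep -q 'BEGIN CERTIFICATE' "$1"; then echo cert
  else echo none; fi
}
# Number of PEM certificate blocks in a file (prints 0 when there are none).
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }
# Fail fast on the usual mistakes: encrypted key, empty leaf file, truncated chain.
precheck() {  # key cer chain
  [ "$(pem_kind "$1")" = key ] || { echo "key: expected an unencrypted PEM key, got $(pem_kind "$1")"; return 1; }
  [ "$(count_certs "$2")" -eq 1 ] || { echo "cert: expected exactly one leaf certificate"; return 1; }
  [ "$(count_certs "$3")" -ge 1 ] || { echo "chain: no CA certificates found"; return 1; }
}
# Constructed sample files for the demo; the base64 bodies are not real key material.
make_samples() {  # dir
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$1/good.key"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1/leaf.cer"
  cat "$1/leaf.cer" "$1/leaf.cer" > "$1/chain.crt"   # a two-certificate chain
  : > "$1/empty.crt"
}
# Connect with the server verified against its own CA (no -k) and TLS required.
ftps_list() {  # user:pass host
  curl -v --ssl-reqd --tlsv1.2 --ftp-pasv --cert client.cer --key client.key \
       --cacert server-ca.pem --user "$1" "ftp://$2/"
}
demo() {
  d=$(mktemp -d); make_samples "$d"
  precheck "$d/good.key" "$d/leaf.cer" "$d/chain.crt" && echo "good set: ok"
  precheck "$d/enc.key" "$d/leaf.cer" "$d/chain.crt" || echo "encrypted key rejected"
  rm -rf "$d"
}
demo
```

Run `extract_pfx client.pfx` and `precheck client.key client.cer chain.crt` before `ftps_list user:pass host`; --cacert must point at the CA that signed the server's certificate, which is not the same file as the client's chain.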

Best Answer

This ended up being a non-FTP issue. The client system only allowed one CA certificate to be associated with one user, so some of our dummy users were preventing the CA key from being accepted. Thanks for everyone's help though.