
Need help establishing a secure FTP connection from Linux to a z/OS FTPS server

Server Fault user
Asked on 2019-01-15 07:58:49
1 answer, 5.8K views, 0 followers, 1 vote

I need help establishing a secure FTP connection from a Linux client to a z/OS host running an FTPS server.

From the FTPS server administrator I received the following information: the host IP address, the port, and a CA certificate file with a .der extension. The FTPS server supports TLS v1.1 and v1.2.

I am trying to use the lftp client on the Linux side. (Is that the right choice?) Having no experience with the security protocols, I tried to guess from the lftp man page which parameters I could use to supply the server information I have.

With lftp at the maximum debug level of 9, I get the following:

```text
lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/home/leonid/CERT/carootcert.der"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
gnutls_x509_crt_list_import: No certificate was found.
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit
```

I would appreciate any advice about mistakes in the attempt above and about how to troubleshoot this connection.

Meanwhile I read more about certificates and realized that I was probably handling the .der certificate I got from the administrator incorrectly. Following instructions on how to add a CA certificate on Linux (I use Ubuntu 16.04), I did the following:

  1. Converted the .der certificate to .pem: `openssl x509 -inform der -in carootcert.der -out carootcert.pem`
  2. Copied it to /usr/local/share/ca-certificates with a .crt extension: `sudo cp carootcert.pem /usr/local/share/ca-certificates/carootcert.crt`
  3. Ran `sudo update-ca-certificates`

Now I repeated my attempt:

```text
lftp -u us15030,******** -p 990 ftps://9.17.211.10
---- Resolving host address...
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> 
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
**** gnutls_handshake: An unexpected TLS packet was received.
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
lftp us15030@9.17.211.10:~> quit
```

Now I have one error message fewer: there is no more message about the certificate not being found, but the unexpected TLS packet remains. Any suggestions on how to troubleshoot further?

I just found that raising the debug level further yields more debug information. Hopefully this helps.

```text
lftp -u us15030,******* -p 990 ftps://9.17.211.10
closed FD 5
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: 9.17.211.10
lftp us15030@9.17.211.10:~> set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
lftp us15030@9.17.211.10:~> ls
FileCopy(0x2197970) enters state INITIAL
FileCopy(0x2197970) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to 9.17.211.10 (9.17.211.10) port 990
GNUTLS: REC[0x259e240]: Allocating epoch #0
GNUTLS: REC[0x259e240]: Allocating epoch #1
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x259e240]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x259e240]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SERVER NAME (16 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x259e240]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x259e240]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x259e240]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x259e240]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x259e240]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x259e240]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x259e240]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x259e240]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x259e240]: CLIENT HELLO was queued [247 bytes]
GNUTLS: REC[0x259e240]: Preparing Packet Handshake(22) with length: 247 and min pad: 0
GNUTLS: REC[0x259e240]: Sent Packet[1] Handshake(22) in epoch 0 and length: 252
GNUTLS: REC[0x259e240]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590
GNUTLS: Received record packet of unknown type 50
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x259e240]: Start of epoch cleanup
GNUTLS: REC[0x259e240]: End of epoch cleanup
GNUTLS: REC[0x259e240]: Epoch #0 freed
GNUTLS: REC[0x259e240]: Epoch #1 freed
---- Closing control socket
ls: Fatal error: gnutls_handshake: An unexpected TLS packet was received.
```

1 Answer

Server Fault user

Accepted answer

Posted on 2019-01-16 07:53:00

I found the answer. The FTPS server administrator updated me with additional information: the server is configured for explicit AT-TLS.

So the following commands did the job for me:

```text
lftp -u us15030,* ftp://bldbmsa.boulder.ibm.com
set ftp:ssl-force true
set ftp:ssl-protect-data true
set ssl:ca-file "/etc/ssl/certs/ca-certificates.crt"
get /tmp/ttt.txt.gz
```

Just FYI: I noticed a strange thing. If I use the numeric IP address instead of the symbolic name, the script above does not work:

```text
lftp -u us15030,* ftp://9.17.211.10
Certificate verification failed:
Fatal error: Certificate verification: certificate common name doesn't match requested host name '9.17.211.10'
```

3 votes
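The thread above contains three things worth seeing in code: the level-9 debug log in the question, where GnuTLS parsed the server's reply as a TLS record with type 50, version 50.48 and length 11590; the question's DER-to-PEM conversion of the administrator's CA file; and the accepted answer's switch from implicit FTPS on port 990 to explicit FTPS (plain FTP, then AUTH TLS, then PROT P) with CA and hostname verification. The following Python is an added example, not code from the Server Fault post, from lftp, or from IBM: it reinterprets those five header bytes as ASCII, converts a DER certificate to PEM with the standard library, and opens an explicit FTPS session with `ftplib.FTP_TLS`. Host, user, password and CA path are the caller's values and are placeholders here; the claim that the decoded bytes are the start of an FTP greeting banner is an interpretation of the numbers in the log.

```python
"""Added example (not from the Server Fault post, lftp or IBM): decode the
GnuTLS record header from the question's log, convert a DER CA file to PEM,
and open an explicit FTPS session the way the accepted answer's lftp settings do.
"""
import ftplib
import ssl
from pathlib import Path


def decode_tls_record_header(rec_type: int, ver_major: int, ver_minor: int, length: int) -> str:
    """Turn the five header bytes GnuTLS reported back into ASCII.

    GnuTLS reads byte 0 as the record type, bytes 1-2 as the protocol version
    and bytes 3-4 as the big-endian record length. The question's log shows
    type 50, version 50.48 and length 11590; reassembled, those bytes are the
    first characters of a plaintext FTP reply, not of a TLS record.
    """
    raw = bytes([rec_type, ver_major, ver_minor]) + length.to_bytes(2, "big")
    return raw.decode("ascii", errors="replace")


def looks_like_plaintext_ftp(rec_type: int, ver_major: int, ver_minor: int, length: int) -> bool:
    """True when the supposed record header is really a 3-digit FTP reply code.

    That pattern means the server sent a plain FTP greeting and expected
    AUTH TLS afterwards (explicit FTPS), so an implicit-TLS connection
    (ftps:// on port 990) is the wrong mode for it.
    """
    text = decode_tls_record_header(rec_type, ver_major, ver_minor, length)
    return text[:3].isdigit() and text[3] in "- "


def ca_bytes_to_pem(data: bytes) -> str:
    """Return the CA certificate as PEM text, converting from DER when needed.

    lftp's ssl:ca-file (GnuTLS) expects PEM; pointing it at the raw .der file
    is what produced 'gnutls_x509_crt_list_import: No certificate was found'.
    This does in Python what 'openssl x509 -inform der -in ... -out ...' did.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def build_client_context(ca_pem: str) -> ssl.SSLContext:
    """Client context that trusts only the supplied CA and checks the server name."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the server offers 1.1 and 1.2; insist on 1.2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Keep hostname checking on and connect by DNS name: the answer's final note
    # shows the certificate's name does not match the bare IP address.
    ctx.check_hostname = True
    return ctx


def explicit_ftps_session(host: str, user: str, password: str, ca_path: str,
                          port: int = 21) -> ftplib.FTP_TLS:
    """Explicit FTPS: plain FTP greeting, AUTH TLS, login, PROT P.

    Equivalent to the answer's lftp ftp:// URL with ftp:ssl-force true and
    ftp:ssl-protect-data true. All arguments are caller-supplied placeholders.
    """
    ctx = build_client_context(ca_bytes_to_pem(Path(ca_path).read_bytes()))
    ftps = ftplib.FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()      # upgrade the control connection with AUTH TLS
    ftps.login(user, password)
    ftps.prot_p()    # encrypt the data channel too (PROT P)
    return ftps


if __name__ == "__main__":
    # Numbers copied from the question's log line:
    # "SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11590"
    print(repr(decode_tls_record_header(50, 50, 48, 11590)))
    print(looks_like_plaintext_ftp(50, 50, 48, 11590))
```

Run stand-alone, the module only decodes the header from the log; `explicit_ftps_session` needs a reachable server and is there to show the order of operations (connect, AUTH TLS, login, PROT P) that `ftp:ssl-force` and `ftp:ssl-protect-data` produce in lftp. The decoded header is a quick triage check for "unexpected TLS packet" errors in general: a reply that reads as a three-digit code followed by a space or hyphen means the far end is speaking plaintext FTP and the client should use explicit mode, whereas a genuine TLS record starts with a byte such as 22 (handshake) or 21 (alert).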
Page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/949105