
Very hpux11.31 specific question. As an FTPS client on an HP-UX computer, I need to connect to an FTPS server using intrinsic SSL/TLS. People may say to use FileZilla or curl. I am not looking for that. I am looking for the steps and openssl commands a person would run to set up the client connection from HP.

I have seen lots and lots of pages that talk about loading software and running specific commands. But I cannot find one site that spells it out.

I will now guess poorly and you can tell how wrong it is. I make a CA certificate. I somehow get the remote ftp site's certificate. I do some magic with their certificate. Sign it? Trust it? Convert to PEM format? I make some RSA keys. I run ftps -z with lots of variables filled in. I would magically get a login prompt. But for me? I get "WARNING! SSL/TLS initialization failed."

clonea

2 Answers


Client certificates or just a server certificate? I think CAfile also works for the server CA, although the documentation does not make that explicit.

If upping the debug levels on the client does not help, also consider doing a packet capture of the session. Analysis of this will show any TLS conversation.

A full example is documented in the article HP-UX - FTPS: How to Setup FTPS on a FTP Client, part of which follows.

The full reference for ftp cited from that is the WU-FTPD 2.6.1 release notes (HP-UX 11i v1, HP-UX 11i v2, HP-UX 11i v3). Good luck deciphering the server CA from it; it seems mixed up with the examples providing client certs.


Connect using the command line:

# ftp -z CAfile=/etc/ftp/security/cacert.pem <server> 

# ftp -z CAfile=/etc/ftp/security/cacert.pem \ 
-z cert=/home/user1/client-cert.pem \ 
-z key=/home/user1/client-key.pem <server> 

Connect using a Configuration File:

# vi /home/user1/.tls.conf 
CAfile=/etc/ftp/security/cacert.pem 
rsacert=/home/user1/certs/client-cert.pem 
rsakey=/home/user1/certs/client-key.pem 
# ftp -z config=/home/user1/.tls.conf <server> 

Connect using Environment Variables: The following are the minimum required variables for a basic FTPS connection. Be sure to add the additional appropriate variables if a client certificate for authentication is needed. See the WU_FTPD Release Notes for details. It is important to use the `.` (dot) command to source in a file of environment variables, to keep them in the existing shell.

# vi /home/user1/.ftps_envar.sh 
#The following are the minimum options for ftps: 
export FTP_USESSL=1 
export FTP_SSL_CA_FILE=/etc/ftp/security/cacert.pem #CACert 

# cd /home/user1/ 
# . /home/user1/.ftps_envar.sh 
# ftp <server> 

FTPS session:

# ftp -z CAfile=/etc/ftp/security/cacert.pem MyFTPServerHostName.hp.com 

Connected to MyFTPServerHostName.hp.com. 
220 MyFTPServerHostName.hp.com FTP server (Revision 1.1 Version wuftpd-2.6.1(PHNE_38578) Fri Sep 5 12:10:54 GMT 2008) ready. 
234 AUTH TLS OK. ? TLS/SSL Authentication passed 
[TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA, 256 bits] 
Name (0:root): 
331 Password required for root. 
Password: 
230 User root logged in. 
Remote system type is UNIX. 
Using binary mode to transfer files. 

ftp>status 
… 
TLS/SSL protection of control connection: on. 
TLS/SSL protection of data connections: off. 

FTPS troubleshooting

Verify the OS, WU-FTPD and SSL versions. Review the ftpd and ftp CLI options. Review the configuration files and/or environment variables contents. Review the certificate file paths and file permissions. Review the server syslog file. Review the certificate files themselves:

ftpd-rsa-ca.pem/cacert.pem #CAPubKey 
ftpd-rsa-cert.pem/newcert.pem #CAPubKey 
ftpd-rsa-key.pem/newkey.pem #SvrPriKey 
# openssl x509 -text -noout -in /etc/ftpd/security/cacert.pem |more 

Debug with:

# ftpd -v -l -z debug=2 -z logalldata 
# ftp -z debug=2 -z secure -z logfile=/tmp/ssl.log -z
John Mahowald
  • The CAfile option is supposed to point to the certificate authority of the ftps client computer. But, the HP documentation says to grab the CAfile provided by the server instead of the CAfile created on the client? This makes no sense. I bet I have to do some openssl to tell my client trusted database (buried somewhere in hpux) that this remote ftp server's certificate is A.O.K. Too bad I don't know that command or have confirmation of my theory. (ok guess). – clonea May 09 '17 at 11:31
  • Maybe, I don't have an HP-UX box in my lab. Added the wu-ftpd reference cited by the article. But I was not able to extract for sure from documentation how to use a server CA, or how to use system wide trusted root certificates. If the network traffic is not the proper TLS, try another option, or switch to different software. – John Mahowald May 09 '17 at 12:06
  • I got on support with HP about this. It might be that I just have busted versions of the software. I have verified I can hook to the ftps site from my PC by hand via FileZilla. But FileZilla's process is filling in some blanks and clicking go. It is not explaining anything. I hope to fill in the gaps when I get this solved. – clonea May 09 '17 at 23:21
  • So far I have carefully, methodically gotten nowhere. I run lots of commands to set up ftps client. I put in new software. I run the setup via release notes. I can ftps into anything. I have to assume that ftps for hp is legitimate. Or the title of the software would not be called ftps. – clonea May 11 '17 at 12:42
  • I see I cannot edit my comment. I can NOT ftps into ANYTHING from HPUX. FLAT OUT. – clonea May 11 '17 at 12:51
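Added example, not part of the answer or the HP article it quotes: a small POSIX shell script that checks the one thing CAfile= controls, namely whether the CA file you hand to ftp -z actually certifies the server's certificate. This is the question raised in the comments about whose CA the option names. It assumes the OpenSSL command-line tool is installed; the host name and file paths are placeholders, and the certificates it builds for the offline demo are constructed on the spot.

```shell
#!/bin/sh
# Added example (not HP's or the answer's code). Checks whether a CAfile
# certifies an FTPS server certificate. Assumes the OpenSSL CLI is on PATH;
# host names and paths are placeholders.

# Pull the server certificate over the same AUTH TLS handshake the ftp client
# performs (explicit FTPS on port 21). Needs network access; not run here.
fetch_server_cert() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:21" -starttls ftp -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Return 0 when the CA file signs the server certificate, non-zero otherwise.
# A non-zero result here is one reason for "SSL/TLS initialization failed".
verify_against_cafile() {
    cafile="$1"; servercert="$2"
    openssl verify -CAfile "$cafile" "$servercert" >/dev/null 2>&1
}

# Constructed test material: a CA, a server cert it signs, and an unrelated CA.
make_test_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example FTPS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ftps.example.org" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.pem" 2>/dev/null
}

# Offline demo: the right CA file passes, the wrong one fails, before any ftp -z run.
demo() {
    dir=$(mktemp -d)
    make_test_certs "$dir"
    verify_against_cafile "$dir/ca.pem" "$dir/srv.pem" && echo "ca.pem: trusts server cert"
    verify_against_cafile "$dir/other-ca.pem" "$dir/srv.pem" || echo "other-ca.pem: rejected"
    rm -rf "$dir"
}

demo
```

For a live server, run fetch_server_cert first and then pass the saved PEM and your cacert.pem to verify_against_cafile; the same mismatch is what a packet capture of the AUTH TLS exchange would show.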

You say you are not after curl, but you haven't had luck with ftp, and there indeed are curl builds for HP-UX. You could build your own, but I suggest an existing repository like the HP-UX Porting and Archive Centre.

Why reconsider a different tool like curl? It is a fully featured client with documentation. Forcing a given CA certificate with TLS is straightforward with explicit options:

 curl --cacert ca.pem --ssl-reqd --dump-header ftp-log.txt  ftp://ftp.example.org/file.txt

Regarding assumptions: try not to assume things work as advertised, test them against other tools. Unfortunately, even enterprise software is prone to bugs or poor user interfaces. This applies to sysadmin sometimes just as much as to quality assurance.

John Mahowald
  • I did consider curl. I have gone to the HP Software and Porting Archive before. I was shocked at the massive dependencies required for it to run. So I stopped. In the meantime I found my problem: FTPS with intrinsic SSL is not supported by HP. Their solution is what you said, namely, get curl. [link](http://h20562.www2.hpe.com/hpsc/doc/public/display?docId=emr na-c01757887&lang=en-us&cc=us) We used Wireshark and compared the network streams for HP's ftps command to doing the same thing via PC FileZilla with EXTRINSIC FTPS. We found the ftp client was waiting for the server's welcome. – clonea May 15 '17 at 16:59