
I'm trying to implement mutual authentication on an FTPS connection using the ftplib module.

Here is my code:

import ssl
import ftplib

Context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
Context.load_verify_locations(cafile="trusted.txt", capath=path)
Context.load_cert_chain(certfile="mycert.txt", keyfile="mikey.txt", password="xxxx")
Context.verify_mode = ssl.CERT_REQUIRED   # verify_mode takes an ssl.CERT_* constant, not True

Ftp = ftplib.FTP_TLS(context=Context)     # the keyword argument is lowercase `context`
Ftp.connect(host, port)
Ftp.auth()
Ftp.prot_p()
Ftp.set_pasv(True)
Ftp.cwd(dest_dir)
Ftp.storlines(xx, xx)                     # placeholder arguments as in the original post
Ftp.close()

However, the above works fine only with client authentication set to no on the FTPS server side. When we try with client auth set to yes, the error is as below.

Ssl.SSLError: [SSL:SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:777)

I have the server's cert chain defined in the CA file. I have my trusted ones defined on the server side. Still the connection doesn't work, and it works if client auth is disabled on the server side.

Any suggestions on what could be wrong? Could it be ciphers? I tried setting up ciphers but don't know how the exchange happens in real time. Or could it be that ftplib does not fully support mutual authentication at all?

Peaceful James
Sy-py

1 Answer


Ssl.SSLError: [SSL:SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:777)

If you get this error in the client then the server failed to validate the client certificate, i.e. your mycert.txt and mikey.txt.

Since validation of the client certificate is done by the server, you have to look at the server configuration and logs for more information on why your client certificate was not accepted. Typical problems are that the client certificate is a self-signed certificate, that the CA which issued the client certificate is not trusted by the server, or that intermediate certificates are required to verify the certificate but the client is not sending them.

Steffen Ullrich
  • Thanks Steffen, I checked the server config, which suggests the client certificate is not trusted, while the trusted ones are present on the server. – Sy-py Jul 26 '20 at 18:51
  • be because of ciphers not matching? Is there a way to get more debugging logs on the client side, or anything I can do to figure it out? Can I include the private key and cert both in mycert and try? Could this be because of the key format? Because it works with one of the self-signed certs. This self-signed cert does look to have a different format for the key, i.e. there is no newline character after BEGINNING CERT and END CERTIFICATE. – Sy-py Jul 26 '20 at 18:58
  • @Sy-py: Certificate validation has nothing to do with the ciphers. It also has nothing to do with the format of the certificate, which is only relevant to whether the client can use the certificate in the first place (which it can) or not (which would result in other errors). Make sure that the server trusts the CA which issued the client certificate and that all necessary intermediate certificates are sent by the client. – Steffen Ullrich Jul 26 '20 at 19:15
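The diagnosis in the answer and its last comment (the server, not the client, rejects the client certificate, typically because the issuing CA is not in the server's trust store or because the intermediates are not being sent) can be reproduced offline. The following is an added example, not code from the question or the answer: it mints a throw-away root -> intermediate -> client chain with the openssl CLI (assumed to be on PATH; the config, names, serials and greeting string are all constructed for this example), runs a standard-library ssl server on localhost with client authentication required and only the root trusted, and connects twice, once with a certfile holding only the leaf and once with leaf plus intermediate. Note that the server records the actual X.509 verification failure while the client only sees a TLS alert; which alert name the client sees depends on the server implementation and on which check failed, so it will not necessarily read `certificate unknown` as in the question.

```python
"""Reproduce the FTPS server's client-certificate rejection on localhost.
Added example, not code from the question or the answer.  Assumes the ``openssl``
CLI is on PATH (used only to mint a throw-away PKI); handshakes use stdlib ``ssl``."""
import socket
import ssl
import subprocess
import tempfile
import threading
from pathlib import Path

# Self-contained OpenSSL config (constructed here); SKID/AKID satisfy strict verifiers.
REQ_CNF = """
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
"""

def _openssl(wd, *args):
    subprocess.run(["openssl", *args], cwd=wd, check=True, capture_output=True)

def _issue(wd, name, issuer, serial, section):
    """Key + CSR for `name`, signed by `issuer` with the extensions in `section`."""
    _openssl(wd, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", "req.cnf",
             "-subj", f"/CN=Demo {name}", "-keyout", f"{name}.key", "-out", f"{name}.csr")
    _openssl(wd, "x509", "-req", "-in", f"{name}.csr", "-CA", f"{issuer}.pem", "-CAkey",
             f"{issuer}.key", "-set_serial", str(serial), "-days", "2", "-extfile", "req.cnf",
             "-extensions", section, "-out", f"{name}.pem")

def build_pki(wd):
    """root -> intermediate -> client leaf, plus root -> server leaf."""
    (wd / "req.cnf").write_text(REQ_CNF)
    _openssl(wd, "req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-config", "req.cnf",
             "-extensions", "v3_ca", "-subj", "/CN=Demo root", "-days", "2",
             "-keyout", "root.key", "-out", "root.pem")
    _issue(wd, "intermediate", "root", 2, "v3_ca")
    _issue(wd, "client", "intermediate", 3, "v3_client")
    _issue(wd, "server", "root", 4, "v3_server")
    # A correct certfile for load_cert_chain(): the leaf first, then its intermediate(s).
    (wd / "client_chain.pem").write_text(
        (wd / "client.pem").read_text() + (wd / "intermediate.pem").read_text())

def _serve(listener, srv_ctx, count, log):
    """Accept `count` connections; log the verified client CN or why verification failed."""
    for _ in range(count):
        raw, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(raw, server_side=True) as tls:
                cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
                tls.sendall(b"220 mutual TLS ok\r\n")
                log.append(("accepted", cn))
        except OSError as e:  # the real reason is only visible here; the client gets an alert
            log.append(("rejected", getattr(e, "verify_message", None) or str(e)))

def connect_with(port, certfile, keyfile, cafile):
    """Client: verify the server against `cafile` and present `certfile` as our identity."""
    ctx = ssl.create_default_context(cafile=str(cafile))
    ctx.load_cert_chain(certfile=str(certfile), keyfile=str(keyfile))
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            # Under TLS 1.3 the client handshake returns before the server has checked
            # our certificate, so a rejection surfaces as an alert on the first read.
            greeting = tls.recv(64).decode().strip()
        return ("ok", greeting) if greeting else ("failed", "EOF")
    except OSError as e:  # ssl.SSLError is an OSError; so is a reset by the server
        return ("failed", getattr(e, "reason", None) or str(e))

def run_demo():
    wd = Path(tempfile.mkdtemp())
    build_pki(wd)
    # "Client auth = yes" on the server side, trusting the demo root ONLY.
    srv_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=str(wd / "root.pem"))
    srv_ctx.verify_mode = ssl.CERT_REQUIRED
    srv_ctx.load_cert_chain(str(wd / "server.pem"), str(wd / "server.key"))
    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(10)
    port = listener.getsockname()[1]
    server_log = []
    t = threading.Thread(target=_serve, args=(listener, srv_ctx, 2, server_log), daemon=True)
    t.start()
    # 1) certfile holds only the leaf: the server cannot build a path to its trusted root.
    leaf_only = connect_with(port, wd / "client.pem", wd / "client.key", wd / "root.pem")
    # 2) certfile holds leaf + intermediate: the path builds and mutual auth succeeds.
    with_chain = connect_with(port, wd / "client_chain.pem", wd / "client.key", wd / "root.pem")
    t.join(10)
    listener.close()
    return {"leaf_only": leaf_only, "with_chain": with_chain, "server": server_log}
```

Calling `run_demo()` returns the two client outcomes and the server's log; the server log is where "unable to get local issuer certificate" style reasons show up, which is why the answer points at the server side. For the question's setup the fix is the second certfile: concatenate the client certificate and its intermediate(s), leaf first, into the file passed as `certfile` to `load_cert_chain`, and confirm the FTPS server's trust store contains the issuing CA. When the server is not under your control, `openssl s_client -connect host:port -starttls ftp -cert mycert.txt -key mikey.txt` prints the CA names the server advertises in its CertificateRequest (if it sends any), which shows directly which issuer it expects.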