Can you use `openssl s_client` to validate the certificate chains in each scenario?
openssl s_client -connect example.com:21 -starttls ftp -showcerts
On Thu, 10 Oct 2024 at 13:43, Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Wed, 2024-10-09 at 15:03 +0100, Will McDonald wrote:
> If it's definitely FTPS (as opposed to SSH-based SFTP) it looks like
> that needs ports 990 and 989.
>
> https://en.wikipedia.org/wiki/FTPS
The Filezilla configuration is FTP protocol, explicit FTP over TLS.
> You've already mostly discounted tethering as a cause. So it's
> probably either firewall or potential certificate-related. Does the
> working system have anything additional configured in terms of
> Certificate Authority? Compare / contrast /etc/pki/ca-trust/ between
> the systems.
I'm still highly suspicious of the tethering (perhaps there's some
peculiar NAT in the phone), even if it does work on another PC.
At the moment I'm playing with just one PC. Either plugging its
ethernet into a router (which does work), or disconnecting and using
USB tethering (which only partially works).
I'll have a look at the other PC on another email.
> Compare the output of `firewall-cmd --list-all` between the hosts.
>
> You haven't said what error Filezilla gives when it fails to work.
Ooops, forgot that... Bowdlerised connection addresses used below:
Firstly, a working example of normal ethernet connection on the same PC
to the remote FTP server:
Upon starting a connection, I'm immediately shown a pop-up window about
the SSL certificate, about it being unknown, to authorise it now (and
optionally forever). Since I haven't clicked the remember for the
future option, I always get prompted.
Status: Resolving address of example.com
Status: Connecting to 93.184.215.14:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 2 of 100 allowed.
Response: 220-Local time is now 22:08. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER example
Status: TLS/SSL connection established.
Response: 331 User example OK. Password required
Command: PASS **************************************
Response: 230 OK. Current restricted directory is /
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response: UTF8
Response: EPRT
Response: IDLE
Response: MDTM
Response: SIZE
Response: MFMT
Response: REST STREAM
Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response: MLSD
Response: PRET
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: TVFS
Response: ESTA
Response: PASV
Response: EPSV
Response: ESTP
Response: 211 End.
Command: OPTS UTF8 ON
Response: 504 Unknown command
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 200 Data protection level set to "private"
Status: Connected
Status: Retrieving directory listing...
Command: CWD /www
Response: 250 OK. Current directory is /public_html
Command: PWD
Response: 257 "/public_html" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (93,184,215,14,246,146)
Command: MLSD
Response: 150 Accepted data connection
Response: 226 86 matches total
Status: Directory listing successful
===================================================================
Failed example of USB tethered connection. And I get the same if I
allow ports 990 and 980 through the PC's firewall (which I suspect are
really ports that the server, the far end, needs to use). Heck knows
anything about the network configuration (beyond basic IP addresses) of
the Android phone being used for the tethering. Though I have to say
that I can't think of anything else that's failed going through it.
No window pops up asking me to check the certificate when I try to
connect, and this is all that Filezilla logs about it.
Status: Resolving address of example.com
Status: Connecting to 93.184.215.14:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 2 of 100 allowed.
Response: 220-Local time is now 22:06. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 504 Command not implemented for that parameter
Command: AUTH SSL
Response: 504 Command not implemented for that parameter
Error: Critical error
Error: Could not connect to server
That's the end of it, it's most odd that the AUTH TLS command is
rejected.
The server only allows secure connections, so I can't avoid it.
--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
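A small probe that replays the control-channel exchange shown in the two FileZilla logs (220 banner, AUTH TLS, then 234 versus 504) and, against a live host, completes the TLS handshake with the system trust store, which is the check the openssl s_client suggestion makes by hand. This is an added example, not code from the thread, FileZilla or Pure-FTPd; the two transcripts in it are constructed from the logged lines, and probe_host assumes the server speaks explicit FTPS on port 21.

```python
# Added example, not from the thread: replay FileZilla's explicit FTPS start
# (220 banner -> AUTH TLS -> 234) and classify the server's answer.
import io
import socket
import ssl
def _line(rfile):
    raw = rfile.readline()
    if not raw:
        raise ConnectionError("peer closed the control connection")
    return raw.decode("utf-8", "replace").rstrip("\r\n")

def read_reply(rfile):
    # One RFC 959 reply; a '220-' first line runs until a '220 ' line.
    first = _line(rfile)
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError(f"malformed FTP reply: {first!r}")
    code, lines = first[:3], [first]
    while first[3:4] == "-" and not lines[-1].startswith(code + " "):
        lines.append(_line(rfile))
    return int(code), lines

def probe_auth_tls(rfile, send):
    # Returns (verdict, reply code); 504 is what the tethered session got.
    banner_code, _ = read_reply(rfile)
    if banner_code != 220:
        return "no-banner", banner_code
    send(b"AUTH TLS\r\n")
    code, _ = read_reply(rfile)
    verdict = {234: "tls-offered", 502: "tls-refused", 504: "tls-refused"}
    return verdict.get(code, "unexpected"), code

def probe_host(host, port=21, timeout=10):
    # Live probe: on 234, verify chain + hostname with the system trust store.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        verdict, code = probe_auth_tls(sock.makefile("rb"), sock.sendall)
        if verdict != "tls-offered":
            return {"verdict": verdict, "code": code}
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"verdict": verdict, "code": code, "peer": tls.getpeercert()}

# Constructed transcripts mirroring the working and the tethered sessions.
GOOD = (b"220-Welcome to Pure-FTPd [privsep] [TLS]\r\n"
        b"220 You will be disconnected after 15 minutes of inactivity.\r\n"
        b"234 AUTH TLS OK.\r\n")
BAD = GOOD.replace(b"234 AUTH TLS OK.\r\n",
                   b"504 Command not implemented for that parameter\r\n")
def probe_transcript(transcript):
    # Offline check of the classifier over a canned control-channel transcript.
    return probe_auth_tls(io.BytesIO(transcript), lambda _: None)
```

A "tls-refused" verdict on the tethered path but "tls-offered" on ethernet points at something between the client and the server rewriting or filtering the control channel, whereas a certificate problem would only surface after a 234.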