On Thu, Oct 10, 2024 at 7:49 PM Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Thu, 2024-10-10 at 14:05 +0100, Will McDonald wrote:
> > Can you use `openssl s_client` to validate the certificate chains in
> > each scenario?
>
> On the one PC, only the timestamps differ...
>
> ================ using working ethernet: =================
>
> [tim@rocky ~]$ openssl s_client -connect ftp.cameratim.com:21 -showcerts
> CONNECTED(00000003)
> 139771870414736:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1728603772
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
>
> ==================== using problematic tethering =================
>
> [tim@rocky ~]$ openssl s_client -connect ftp.cameratim.com:21 -showcerts
> CONNECTED(00000003)
> 140657668994960:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1728603847
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)

That's not going to work in either case.
You have to start the TLS session once the FTP session is started. I believe you need to also use the -starttls option as described at <https://docs.openssl.org/master/man1/openssl-s_client>, but you have to issue interactive commands (like USER and PASS) in between the initial connection and the STARTSSL command.

I would not go down the rabbit hole. Instead, I would look to sftp, which is ftp over SSH.

If you want to debug this further, capture the session under Wireshark. It will parse and display the protocol messages until the TLS session is set up. But that is enough to understand what is going on since the preamble will be plaintext.

Jeff
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
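The exchange the reply above is describing, as an added example that is not part of this thread or of any poster's code: on port 21 an explicit-FTPS server speaks plaintext FTP first (a 220 banner, then the client's AUTH TLS, then a 234 reply) and only after that does a TLS handshake start on the same socket (RFC 4217). Pointing a bare TLS client at port 21 therefore receives the ASCII banner where it expects a ServerHello, which is the "unknown protocol" failure in the pasted output. The script below runs that plaintext preamble itself, then hands the socket to Python's ssl module and returns the verified peer certificate. The test-double server, its banner text and the hostname taken from argv are constructed for illustration and are not the thread's server.

```python
"""Explicit FTPS (RFC 4217) preamble: plaintext FTP, then TLS on the same socket.

Added example, not code from the thread. Host names are assumptions.
"""
import socket
import ssl
import sys
import threading


def _read_line(sock: socket.socket) -> str:
    """Read one CRLF-terminated FTP line, one byte at a time.

    No read-ahead buffer is used, so once the preamble is done the socket can be
    handed to SSLContext.wrap_socket with nothing left buffered in user space.
    """
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed during FTP preamble")
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")


def read_reply(sock: socket.socket):
    """Read one RFC 959 reply, including the multi-line 'ddd-...' form.

    Returns (code, lines); a multi-line reply ends with a 'ddd ' (space) line.
    """
    first = _read_line(sock)
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError(f"not an FTP reply: {first!r}")
    code = first[:3]
    lines = [first]
    if first[3:4] == "-":
        while True:
            line = _read_line(sock)
            lines.append(line)
            if line.startswith(code) and line[3:4] == " ":
                break
    return int(code), lines


def negotiate_auth_tls(sock: socket.socket):
    """Client half of the preamble: expect 220, send AUTH TLS, expect 234.

    Everything here crosses the wire in plaintext, which is why a packet capture
    shows readable FTP replies up to this point and TLS records after it.
    """
    code, banner = read_reply(sock)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {banner}")
    sock.sendall(b"AUTH TLS\r\n")
    code, reply = read_reply(sock)
    if code != 234:
        raise RuntimeError(f"server refused AUTH TLS: {reply}")
    return banner, reply


def fetch_server_cert(host: str, port: int = 21, ctx=None):
    """Connect, run the preamble, start TLS, return (tls_version, peer_cert).

    create_default_context() verifies the chain against the system trust store
    and checks the hostname; a bad chain raises ssl.SSLCertVerificationError.
    """
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=15) as raw:
        negotiate_auth_tls(raw)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def looks_like_plaintext_ftp(first_bytes: bytes) -> bool:
    """True if bytes received where a TLS ServerHello was expected are an FTP reply.

    A TLS record starts with a content-type byte (0x16 handshake, 0x15 alert);
    an FTP greeting starts with ASCII '220'. This is the shape of the 'unknown
    protocol' failure when a TLS client talks to port 21 without the preamble.
    """
    return len(first_bytes) >= 3 and first_bytes[:3].isdigit()


def serve_preamble(conn: socket.socket) -> None:
    """Server half of the preamble (constructed test double, not a real FTP server).

    Sends a two-line banner, answers AUTH TLS with 234 and returns; a real server
    would then wait for a TLS ClientHello on the same socket.
    """
    with conn:
        conn.sendall(b"220-Constructed test server\r\n220 Ready\r\n")
        while True:
            line = _read_line(conn)
            if line.upper() == "AUTH TLS":
                conn.sendall(b"234 AUTH TLS OK.\r\n")
                return
            conn.sendall(b"502 Command not implemented.\r\n")


def demo_preamble_over_socketpair():
    """Run client and test-double server over a socketpair; returns (banner, reply)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_preamble, args=(server,), daemon=True)
    t.start()
    with client:
        result = negotiate_auth_tls(client)
    t.join(5)
    return result


if __name__ == "__main__":
    print(demo_preamble_over_socketpair())
    if len(sys.argv) > 1:  # e.g. python3 ftps_preamble.py ftp.example.org (assumed host)
        print(fetch_server_cert(sys.argv[1]))
```

With OpenSSL itself the equivalent check is `openssl s_client -starttls ftp -connect ftp.cameratim.com:21 -showcerts`: s_client then performs the same 220 / AUTH TLS / 234 preamble before sending its ClientHello, and the certificate chain and verify result become meaningful, so the two network paths can be compared on that output rather than on the pre-TLS error.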