[Bug 1199383] New: [Tumbleweed][lftp][Build_20220423] Connection via lftp failed due with self signed certificate

https://bugzilla.suse.com/show_bug.cgi?id=1199383

Bug ID: 1199383
Summary: [Tumbleweed][lftp][Build_20220423] Connection via lftp failed due with self signed certificate
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: weixuan.hao@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

## Summary

This test is to test lftp with ssl enabled

## Observation

After setting up vsftpd server and lftp, using lftp to login to ftp server and try to download/upload files, connection will fail with self signed certificate

## Environment

    # uname -m
    x86_64
    # cat /etc/*release
    NAME="openSUSE Tumbleweed"
    # VERSION="20220423"
    ID="opensuse-tumbleweed"
    ID_LIKE="opensuse suse"
    VERSION_ID="20220423"
    PRETTY_NAME="openSUSE Tumbleweed"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:opensuse:tumbleweed:20220423"
    BUG_REPORT_URL="https://bugs.opensuse.org"
    HOME_URL="https://www.opensuse.org/"
    DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
    LOGO="distributor-logo-Tumbleweed"

## Reproducible

Follow steps from https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769978 to set up vsftpd server and https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769945 for lftp testing

## Error

    # lftp -d -u ftpuser -e 'set ftp:ssl-force true' localhost
    Password:
    ---- Resolving host address...
    ---- 2 addresses found: ::1, 127.0.0.1
    lftp ftpuser@localhost:~> ls
    ---- Connecting to localhost (::1) port 21
    **** Socket error (Connection refused) - reconnecting
    ---- Closing control socket
    ---- Connecting to localhost (127.0.0.1) port 21
    <--- 220 Welcome to SUSE FTP service.
    ---> FEAT
    <--- 211-Features:
    <--- AUTH TLS
    <--- EPRT
    <--- EPSV
    <--- MDTM
    <--- PASV
    <--- PBSZ
    <--- PROT
    <--- REST STREAM
    <--- SIZE
    <--- TVFS
    <--- UTF8
    <--- 211 End
    ---> AUTH TLS
    <--- 234 Proceed with negotiation.
    ---> OPTS UTF8 ON
    Certificate depth: 0; subject: /C=CN/ST=Beijing/L=Beijing/O=SUSE/OU=QA/CN=shawn/emailAddress=weixuan.hao@suse.com; issuer: /C=CN/ST=Beijing/L=Beijing/O=SUSE/OU=QA/CN=shawn/emailAddress=weixuan.hao@suse.com
    ERROR: Certificate verification: self signed certificate (31:7B:F2:C5:B6:A1:21:90:A6:61:A3:11:26:42:F7:E3:CE:0E:53:4C)
    **** Certificate verification: self signed certificate (31:7B:F2:C5:B6:A1:21:90:A6:61:A3:11:26:42:F7:E3:CE:0E:53:4C)
    ---- Closing control socket
    ls: Fatal error: Certificate verification: self signed certificate (31:7B:F2:C5:B6:A1:21:90:A6:61:A3:11:26:42:F7:E3:CE:0E:53:4C)
    lftp ftpuser@localhost:~> exit

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1199383
https://bugzilla.suse.com/show_bug.cgi?id=1199383#c1

--- Comment #1 from Weixuan Hao <weixuan.hao@suse.com> ---
Same issue was observed on sle15-sp4 fips mode as well

https://bugzilla.suse.com/show_bug.cgi?id=1199383

Ben Chou <bchou@suse.com> changed:

    What     | Removed                      | Added
    ---------+------------------------------+---------------------------
    CC       |                              | bchou@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1199383

Chenzi Cao <chcao@suse.com> changed:

    What     | Removed                      | Added
    ---------+------------------------------+---------------------------
    Assignee | screening-team-bugs@suse.de  | pmonrealgonzalez@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1199383
https://bugzilla.suse.com/show_bug.cgi?id=1199383#c2

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

    What     | Removed                      | Added
    ---------+------------------------------+---------------------------
    CC       |                              | pmonrealgonzalez@suse.com
    Assignee | pmonrealgonzalez@suse.com    | otto.hollmann@suse.com

--- Comment #2 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
The lftp package is linked against openssl and built with the --without-gnutls flag, I'm assigning the bug to the OpenSSL maintainer.

https://bugzilla.suse.com/show_bug.cgi?id=1199383
https://bugzilla.suse.com/show_bug.cgi?id=1199383#c3

Otto Hollmann <otto.hollmann@suse.com> changed:

    What     | Removed                      | Added
    ---------+------------------------------+---------------------------------
    CC       |                              | weixuan.hao@suse.com
    Flags    |                              | needinfo?(weixuan.hao@suse.com)

--- Comment #3 from Otto Hollmann <otto.hollmann@suse.com> ---
I'm unable to reproduce the reported issue with the latest Tumbleweed or SLE15 SP4. Can you please try the following command on the machine where you are using the lftp client:

    openssl verify <your_vsftpd_cert.pem>

You should receive something like this:

    cert.pem: OK

But I guess you will receive the following error:

    error 18 at 0 depth lookup: self signed certificate
    error cert.pem: verification failed

This means you need to install your certificate into the trust storage. Simply copy your certificate into:

    /usr/share/pki/trust/anchors/

and run

    update-ca-certificates

Then openssl verification should return "OK" and the lftp command should no longer complain.

Anyway, I see your Tumbleweed is quite outdated; I recommend updating your system before reporting an issue. Especially in OpenSSL there was a big change - we changed the default version from 1.1 to 3.0 and all Tumbleweed packages are built against this new version. Please let me know if your problem is resolved.
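
The check described in comment #3, as an added example that is not part of the bug thread: it creates a throwaway self-signed certificate, shows that `openssl verify` rejects it with error 18 while it is not a trust anchor, and accepts it once it is. The subject name, temporary paths and function names are assumptions made for the demo, and `-CAfile` stands in for the system-wide anchors directory so no root access is needed.

```shell
#!/bin/sh
# Added example: constructed throwaway certificate; nothing here touches the
# system trust store. Subject name and temp paths are made up for the demo.

# Create a self-signed certificate and key in directory $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Print "trusted" or "error <n>" for certificate $1. With a second argument,
# that file is used as the trust anchor instead of the system store.
verify_status() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo "trusted" ;;
        # Message wording varies between OpenSSL versions; key on the number.
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" || return 1
    # Not in any trust store: depth-0 self-signed failure (error 18).
    echo "system store:   $(verify_status "$dir/cert.pem")"
    # Same certificate once it is itself a trust anchor, which is what copying
    # it to /usr/share/pki/trust/anchors/ and running update-ca-certificates
    # achieves system-wide.
    echo "own anchor:     $(verify_status "$dir/cert.pem" "$dir/cert.pem")"
    rm -rf "$dir"
}
demo
```

To trust a test certificate for lftp only, rather than for every TLS client on the machine, the same file can be given to lftp through its `ssl:ca-file` setting.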

https://bugzilla.suse.com/show_bug.cgi?id=1199383
https://bugzilla.suse.com/show_bug.cgi?id=1199383#c4

Otto Hollmann <otto.hollmann@suse.com> changed:

    What       | Removed                    | Added
    -----------+----------------------------+---------------------------
    Status     | NEW                        | RESOLVED
    Resolution | ---                        | WORKSFORME

--- Comment #4 from Otto Hollmann <otto.hollmann@suse.com> ---
Closing this bug as WORKSFORME because I'm unable to reproduce it/I described a potential root cause. If the explanation in the above comment doesn't resolve your issue, feel free to reopen this bug.