Situation: a client with an AIX machine can't connect properly to a Windows 2003 Server running FTP server Serv-U FTP Server v10.2. Plain FTP works. SFTP is not working.
It's not clear where the error is, whether this is an issue on the FTP client or server side. They are connecting with an ftp binary that has a -s flag option.
Here's what they see on their side:
$ ftp -s -D 900 ftp.example.com
Connected to XX.XXX.XX.XXX.
220 Serv-U FTP Server v10.2 ready...
234 AUTH command OK. Initializing SSL connection.
TLS Auth Entered.
ERROR Error during the hand shake for the control connection
ERROR Error setting BIO object for the control connection
FTP: Unable to authenticate to Server.
Using a FreeBSD machine, I was trying to see if I could evaluate what might be happening, so what I tried was running curl as below, and also using curl inside PHP, and I get a sense that it's possible there's an issue with SSL certificates on the Windows server. But then other folks have been able to connect from other machines using SFTP without issue, so it's hard to say where the problem is.
Here's a curl command and the output error I get from a FreeBSD machine outside the network:
curl --ftp-ssl ftp://ftp.example.com
The result is:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
What can I do to see where the fault might be? Any guidance on how to debug this and maybe see the certs that are being passed back and forth? Or maybe guidance on what to tell the client to do to give us something more diagnostic than "unable to authenticate." Again, when we open vanilla FTP to them, everything works fine, so it's definitely in the security of the connection.
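One way to get the diagnostic detail the question asks for, as an added example that is not part of the question or of either answer: replay the explicit-FTPS start (AUTH TLS on port 21) with openssl s_client, which reports the real handshake error and dumps the chain, then check the leaf certificate for the failure causes named in curl's message. ftp.example.com is a placeholder; the helpers assume the openssl command-line tool, version 1.1.1 or newer.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the original post). ftp.example.com is a
# placeholder; assumes the openssl CLI, 1.1.1 or newer.

# Step 1: replay the explicit-FTPS start the AIX client fails at. s_client speaks
# plain FTP, sends AUTH TLS once the server says it is ready, then attempts the
# handshake, so a failure shows OpenSSL's own error text instead of "unable to
# authenticate". -showcerts dumps every certificate in the chain as PEM.
fetch_ftps_chain() {   # usage: fetch_ftps_chain host [port] > chain.txt
    host=$1; port=${2:-21}
    printf 'QUIT\r\n' | openssl s_client -starttls ftp -connect "$host:$port" \
        -servername "$host" -showcerts 2>&1
}

# Extract the first (leaf) certificate from s_client output.
leaf_of() {            # usage: leaf_of chain.txt > leaf.pem
    awk '/BEGIN CERTIFICATE/{on=1} on{print} /END CERTIFICATE/{exit}' "$1"
}

# Step 2: check the leaf for the three things that make a verifying client
# (curl, an SSL-capable ftp) refuse the control connection: a self-signed
# issuer, an expired certificate, and a name that does not match the host the
# client connected to. Prints the findings; exit status 1 if there are any.
inspect_leaf() {       # usage: inspect_leaf leaf.pem expected-hostname
    pem=$1; host=$2; rc=0
    subject=$(openssl x509 -in "$pem" -noout -subject)
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    printf '%s\n%s\n' "$subject" "$issuer"
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "FINDING: self-signed certificate; no public CA bundle will accept it"
        rc=1
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "FINDING: certificate has expired"
        rc=1
    fi
    # -checkhost applies the SAN/CN matching rules a TLS client uses
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q ' does match '; then
        echo "FINDING: certificate name does not match $host"
        rc=1
    fi
    return $rc
}
# Typical run:  fetch_ftps_chain ftp.example.com > chain.txt
#               leaf_of chain.txt > leaf.pem && inspect_leaf leaf.pem ftp.example.com
```

If s_client gets the 234 reply but the handshake then stalls or is reset, the certificate is not the first suspect; something on the path handling the control connection is.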
As far as I know, none of the AIX versions up to 7.1 ship with an SSL-capable FTP client (and there's no -s switch as you show in your example), so it sounds like they're using a non-standard client, which could be anything really.
Maybe ask them to switch to LFTP, or Curl from IBM's RPM packages; both have FTP over SSL support.
We have faced a similar problem in our enterprise setup; it was caused by the following line in the configuration of the Cisco ASA on the way between the involved machines:
Removal of the strict did the trick.