Can you use `openssl s_client` to validate the certificate chains in each scenario?
openssl s_client -connect example.com:21 -starttls ftp -showcerts

On Thu, 10 Oct 2024 at 13:43, Tim via users <users@lists.fedoraproject.org> wrote:

> On Wed, 2024-10-09 at 15:03 +0100, Will McDonald wrote:
> > If it's definitely FTPS (as opposed to SSH-based SFTP) it looks like
> > that needs ports 990 and 989.
> >
> > https://en.wikipedia.org/wiki/FTPS
>
> The Filezilla configuration is FTP protocol, explicit FTP over TLS.
>
> > You've already mostly discounted tethering as a cause. So it's
> > probably either firewall or potential certificate-related. Does the
> > working system have anything additional configured in terms of
> > Certificate Authority? Compare / contrast /etc/pki/ca-trust/ between
> > the systems.
>
> I'm still highly suspicious of the tethering (perhaps there's some
> peculiar NAT in the phone), even if it does work on another PC.
>
> At the moment I'm playing with just one PC. Either plugging its
> ethernet into a router (which does work), or disconnecting and using
> USB tethering (which only partially works).
>
> I'll have a look at the other PC on another email.
>
> > Compare the output of `firewall-cmd --list-all` between the hosts.
> >
> > You haven't said what error Filezilla gives when it fails to work.
>
> Oops, forgot that... Bowdlerised connection addresses used below:
>
> Firstly, a working example of normal ethernet connection on the same PC
> to the remote FTP server:
>
> Upon starting a connection, I'm immediately shown a pop-up window about
> the SSL certificate, about it being unknown, to authorise it now (and
> optionally forever). Since I haven't clicked the remember for the
> future option, I always get prompted.
>
> Status: Resolving address of example.com
> Status: Connecting to 93.184.215.14:21...
> Status: Connection established, waiting for welcome message...
> Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> Response: 220-You are user number 2 of 100 allowed.
> Response: 220-Local time is now 22:08. Server port: 21.
> Response: 220-This is a private system - No anonymous login
> Response: 220-IPv6 connections are also welcome on this server.
> Response: 220 You will be disconnected after 15 minutes of inactivity.
> Command: AUTH TLS
> Response: 234 AUTH TLS OK.
> Status: Initializing TLS...
> Status: Verifying certificate...
> Command: USER example
> Status: TLS/SSL connection established.
> Response: 331 User example OK. Password required
> Command: PASS **************************************
> Response: 230 OK. Current restricted directory is /
> Command: SYST
> Response: 215 UNIX Type: L8
> Command: FEAT
> Response: 211-Extensions supported:
> Response: UTF8
> Response: EPRT
> Response: IDLE
> Response: MDTM
> Response: SIZE
> Response: MFMT
> Response: REST STREAM
> Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
> Response: MLSD
> Response: PRET
> Response: AUTH TLS
> Response: PBSZ
> Response: PROT
> Response: TVFS
> Response: ESTA
> Response: PASV
> Response: EPSV
> Response: ESTP
> Response: 211 End.
> Command: OPTS UTF8 ON
> Response: 504 Unknown command
> Command: PBSZ 0
> Response: 200 PBSZ=0
> Command: PROT P
> Response: 200 Data protection level set to "private"
> Status: Connected
> Status: Retrieving directory listing...
> Command: CWD /www
> Response: 250 OK. Current directory is /public_html
> Command: PWD
> Response: 257 "/public_html" is your current location
> Command: TYPE I
> Response: 200 TYPE is now 8-bit binary
> Command: PASV
> Response: 227 Entering Passive Mode (93,184,215,14,246,146)
> Command: MLSD
> Response: 150 Accepted data connection
> Response: 226 86 matches total
> Status: Directory listing successful
>
>
> ===================================================================
>
>
> Failed example of USB tethered connection. And I get the same if I
> allow ports 990 and 980 through the PC's firewall (which I suspect are
> really ports that the server, the far end, needs to use). Heck knows
> anything about the network configuration (beyond basic IP addresses) of
> the Android phone being used for the tethering. Though I have to say
> that I can't think of anything else that's failed going through it.
>
> No window pops up asking me to check the certificate when I try to
> connect, and this is all that Filezilla logs about it.
>
>
> Status: Resolving address of example.com
> Status: Connecting to 93.184.215.14:21...
> Status: Connection established, waiting for welcome message...
> Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> Response: 220-You are user number 2 of 100 allowed.
> Response: 220-Local time is now 22:06. Server port: 21.
> Response: 220-This is a private system - No anonymous login
> Response: 220-IPv6 connections are also welcome on this server.
> Response: 220 You will be disconnected after 15 minutes of inactivity.
> Command: AUTH TLS
> Response: 504 Command not implemented for that parameter
> Command: AUTH SSL
> Response: 504 Command not implemented for that parameter
> Error: Critical error
> Error: Could not connect to server
>
>
> That's the end of it, it's most odd that the AUTH TLS command is
> rejected.
>
> The server only allows secure connections, so I can't avoid it.
>
> --
>
> uname -rsvp
> Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
>
> Boilerplate: All unexpected mail to my mailbox is automatically deleted.
> I will only get to see the messages that are posted to the mailing list.
>
>
> --
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
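An added example, not part of the original thread: a Python probe that reads the FTP banner, sends `AUTH TLS`, and starts a verified TLS handshake only on a 234 reply, so the same check can be run over each network path and the results compared. The function names, the `demo()` helper and the constructed server bytes (modelled on the failing log quoted above) are assumptions for illustration.

```python
import socket
import ssl

def read_reply(f):
    """Read one FTP reply from a binary file object; return (code, lines).
    A multi-line reply opens with "NNN-" and ends at the first line that
    starts with the same NNN followed by a space (RFC 959 section 4.2)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("control connection closed mid-reply")
        lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
        first, last = lines[0], lines[-1]
        if last[:3] == first[:3] and last[3:4] in (" ", ""):
            return int(first[:3]), lines

def probe_auth_tls(sock, host, context=None):
    """Read the banner, send AUTH TLS, start TLS only on a 234 reply."""
    f = sock.makefile("rb")
    _, banner = read_reply(f)
    sock.sendall(b"AUTH TLS\r\n")
    code, reply = read_reply(f)
    found = {"banner": banner[0], "auth_code": code, "auth_reply": reply[-1],
             "tls_version": None, "peer_subject": None, "tls_error": None}
    if code == 234:
        ctx = context or ssl.create_default_context()  # checks chain and name
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                found["tls_version"] = tls.version()
                found["peer_subject"] = tls.getpeercert().get("subject")
        except ssl.SSLError as exc:  # includes certificate verification failure
            found["tls_error"] = str(exc)
    return found

# Constructed server bytes, modelled on the failing log in the quoted message.
CONSTRUCTED_FAILING = (
    b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    b"220 You will be disconnected after 15 minutes of inactivity.\r\n"
    b"504 Command not implemented for that parameter\r\n")

def demo():
    """Replay the constructed bytes over a local socket pair (no network)."""
    server, client = socket.socketpair()
    with server, client:
        server.sendall(CONSTRUCTED_FAILING)
        return probe_auth_tls(client, "example.com")

if __name__ == "__main__":
    print(demo())
```

Against a real server, call `probe_auth_tls(socket.create_connection((host, 21), timeout=15), host)` once per network path; a certificate the local trust store does not accept shows up in `tls_error` rather than as a traceback.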