Windows命令行中与ssl证书的FTP连接

时间:2017-06-29 12:56:20

标签: ssl curl command-line ftp

这可能听起来很简单,但我无法让它发挥作用。我想用Windows命令行连接到带有ssl证书的ftp。 所以我使用IIS生成我的证书,我将其导出为“cer”格式,经过大量尝试后,我以这个命令行结束:

curl -3 -v --cacert "XX\XX\test_certif.cer" --disable-epsv --ftp-skip-pasv-ip --ftp-ssl ftp://XXXXXXX --user XXXX

输入密码后,我有这个错误:

Enter host password for user 'XXXXXX':
* Rebuilt URL to: ftp://XXXX/
*   Trying XX::XX:XX:XX...
* TCP_NODELAY set
* Connected to XXXXX (XX::XX:XX:XX:XX) port 21 (#0)
< 220 Microsoft FTP Service
> AUTH SSL
< 234 AUTH command ok. Expecting TLS Negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: XX\XX\test_certif.cer
CApath: none
* SSLv3 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to XXX:21
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to XXX:21

我不想让它发挥作用。 当我将ftp的ssl参数从“Needed ssl connexion”更改为“允许的ssl connexion”时,为了更进一步我的ftp工作,所以问题不是这样的。 Windows防火墙已禁用。

更新我仍在使用它,我现在有这个命令行:

curl -v --cacert "XX\XX\test_certif.cer" --ftp-ssl ftp://XXX --user XXX

使用此输出

Enter host password for user 'XXX':
* Rebuilt URL to: ftp://XXX
*   Trying XX::XX:XX:XX:XX...
* TCP_NODELAY set
* Connected to XXX (XX::XX:XX:XX:XX) port 21 (#0)
< 220 Microsoft FTP Service
> AUTH SSL
< 234 AUTH command ok. Expecting TLS Negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: XX\XX\test_certif.cer
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option. 
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

有任何想法吗? 如果需要,请随时提出更多信息,以便更新问题。 Thx提前

1 个答案:

答案 0 :(得分:1)

我解决了我的问题。问题在于IIS的证书générate没有使用curl。

所以我使用OpenSSl来识别密钥:

openssl genrsa -des3 -out key.pem -passout pass:password 1024

然后仍然使用OpenSSL使用密钥输入证书:

req -x509 -new -key key.pem -passin pass:password -days 3650 -out certificat.cer -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"
不需要

-config,它位于openssl安装的文件夹中

现在仍然使用OpenSSL,将key + certificat转换为pfx

pkcs12 -inkey key.pem -in certificat.cer -export -out iis_certificate.pfx

现在,您可以将pfx证书导入IIS并使用它来配置FTP连接。

创建一个pem文件并复制过去他内部的certificat.cer内容,或者只是将文件转换为pem。让我们把它命名为“cacer.pem”

现在使用curl连接:

curl -v ftp://"IP or server name" --user « username » --ftp-ssl --cacert « Path of cacer.pem file »

这是一个小小的奖励,上传文件并在命令行中设置passord的命令行:

curl -upload-file “Path of file to transfert”  ftp://"IP or server name" --user « user »: « password » --ftp-ssl --cacert " Path of cacer.pem file "