I can confirm this problem with the same error message when I enable encryption. I compiled this URL for easier testing: ftps://w34695_test:jGJWNgQ8@34695.w95.wedos.net
This is the communication as captured with Wireshark:
* About to connect() to 34695.w95.wedos.net port 21 (#0)
* Trying 46.28.105.76... connected
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Jan Rysavy wrote: Another test with an SSL-enabled build of cURL
cURL does not come with any trusted certificates by default (and does not use Windows cert repository). In this case, the certificate chain is WEDOS -> StartCom Class 2 Primary Intermediate Server CA -> StartCom Certification Authority. You need to supply the last two certificates to cURL. I have created the needed bundle: ftp://w34695_test:jGJWNgQ8@34695.w95.we ... bundle.crt. If you run curl with this file in curl's directory (or maybe working directory), it will work:
D:\Downloads\curl-7.28.1>curl -u w34695_test:jGJWNgQ8 --ssl-reqd ftp://34695.w95.wedos.net/textfile.txt
test text file
test text file
test text file
test text file
Or just skip certificate verification altogether using the -k option. I do not think the problem concerns verifying the certificate - if I understand correctly, the Salamander FTP plugin simply asks whether to accept an unknown certificate (like FileZilla does). It works correctly with my local FileZilla server with a self-signed certificate.
The Salamander FTP plugin uses the Windows API to validate the certificate. When the certificate doesn't pass validation, a confirmation dialog is displayed.
(Address: ftp.secureftp-test.com, Login: test, Password: test)
[attachment: server_identity_problem.png]
You can test SSL connection to kmlinux.fjfi.cvut.cz - you should not receive any certificate confirmation.
IMO the problem is in the ClientHello and ServerHello parts of TLS negotiation, which comes before any certificate validation. When I tried passing different protocol options to openssl s_client -showcerts -connect 34695.w95.wedos.net:21 -starttls ftp -debug, it seemed that -ssl3 and -ssl2 cause the same error, while -tls1 (possibly the default) connects successfully.
Unfortunately, I don't know what API options those parameters translate into. It can probably be determined by reading the source code or debug-stepping or API hooking. I haven't had success with the latter (my openssl.exe is apparently statically linked, FileZilla too) and don't have much time at this moment to do any of the first two. If there's a tool to dissect the TLS negotiation data (see my hex dumps above), it could help, too.
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
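As an added example (not from the thread, nor Altap's or OpenSSL's code), here is a small Python dissector for the two ClientHello formats discussed above, with constructed sample hellos standing in for the hex dumps: it tells an SSLv2-format hello apart from an SSLv3/TLS record-layer hello and extracts the version and cipher list that a server such as vsftpd decides on before any certificate is sent. Cipher values and the 32-byte random are made-up sample data.

```python
import struct

# Constructed sample data (not a capture from the thread's server).
VERSION_NAMES = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2 (or TLS 1.3 legacy_version)"}

def version_name(v):
    return VERSION_NAMES.get(tuple(v), "unknown %r" % (v,))

def build_client_hello(version=(3, 1), suites=(0x002F, 0x000A)):
    """Build an SSLv3/TLS record-layer ClientHello (the shape OpenSSL -tls1 or -ssl3 sends)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"           # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def build_sslv2_client_hello(specs=(0x010080, 0x0700C0)):
    """Build an SSLv2-format ClientHello (the shape OpenSSL -ssl2 sends): 2-byte header, MSB set."""
    cs = b"".join(s.to_bytes(3, "big") for s in specs)       # SSLv2 cipher specs are 3 bytes each
    body = b"\x01\x00\x02" + struct.pack("!HHH", len(cs), 0, 16) + cs + b"\x22" * 16
    return struct.pack("!H", 0x8000 | len(body)) + body

def dissect_client_hello(data):
    """Identify the hello format and pull out the fields a server uses to accept or reject it."""
    if data[0] & 0x80 and data[2] == 0x01:                   # SSLv2 header: MSB set, msg type 1
        cs_len = struct.unpack("!H", data[5:7])[0]
        specs = data[11:11 + cs_len]
        return {"format": "SSLv2", "client_version": (data[3], data[4]),
                "ciphers": [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]}
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    p = 11 + 32                                              # skip the 32-byte random
    sid_len = data[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + data[p]                                         # skip compression methods
    return {"format": "SSLv3/TLS record", "record_version": (data[1], data[2]),
            "client_version": (data[9], data[10]), "ciphers": suites,
            "has_extensions": p < 5 + rec_len}

if __name__ == "__main__":
    for hello in (build_client_hello(), build_client_hello((3, 0)), build_sslv2_client_hello()):
        info = dissect_client_hello(hello)
        print(info["format"], version_name(info["client_version"]), [hex(c) for c in info["ciphers"]])
```

Feeding a real capture's bytes to dissect_client_hello shows which of the three variants a client offered; a server that refuses SSL 2.0/3.0 will answer the first two kinds with the handshake_failure alert seen in the -ssl3 run above.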
The problem seems to be fixed. The SSL 2.0 protocol has security flaws and we will disable it.
Unfortunately there is another problem with this WEDOS server:
Unable to read the whole list of files and directories from server. The list displayed in panel can be incomplete.
Server reply: 522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page