
Re: FTP from UNIX client (C-Kermit) to Gene6 w/SSL

 
Andre Stewart
Frequent Advisor

Re: FTP from UNIX client (C-Kermit) to Gene6 w/SSL

No, I don't have the -- BEGIN RSA CERTIFICATE - part. Maybe the .der file isn't what I really need.

I'm still not clear on how to evaluate the .der file to determine what it really is and if I need to re-request it with specific qualities.

The one thing I do know is that my combined .pem file seems to be x509, at least, openssl doesn't give me an error with that query. It actually gives me the contents of the .pem file.

The contents are similar to this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: L=REMOTE LOCATION, ST=XX, C=US, CN=HOST.FOOBAR.NET/emailAddress=ISSUER@FOOBAR.NET, O=BIG A CORPORATION, OU=Montana Operations
        Validity
            Not Before: Jan 24 15:02:54 2007 GMT
            Not After : Jan 24 15:02:54 2017 GMT
        Subject: L=REMOTE LOCATION, ST=XX, C=US, CN=HOST.FOOBAR.NET/emailAddress=patriciaISSUER@FOOBAR.NET, O=BIG A CORPORATION, OU=Montana Operations
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                    00:00:00:00:00:00:00:00:00
                Exponent: 3 (0x3)
    Signature Algorithm: md5WithRSAEncryption
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00

-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
Michael Stringer
New Member
Solution

Re: FTP from UNIX client (C-Kermit) to Gene6 w/SSL

I work with Andre, and here's how we fixed the issue...

C-Kermit will act as an SSL/TLS client when compiled with OpenSSL installed. The caveat to compiling is making sure you have curses installed - Kermit has a special file transfer status window that needs those libraries.

Once compiled, here are the commands to make an SSL/TLS connection to an FTP server:

# ./kermit
C-Kermit 8.0.211, 10 Apr 2004, for HP-UX 11.00
Copyright (C) 1985, 2004,
Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/root/) C-Kermit> set ftp authtype tls
(/root/) C-Kermit> ftp

At this point, Kermit will attempt the SSL connection, and if the SSL certificate provided by the server is self signed, out-of-date, or has some other issue, you will get the details of the cert and a prompt to continue. There's a command to turn that off:

(/root/) C-Kermit> set authentication tls verify no

..this allows Kermit to just "trust" the certificate handed to it - requiring a high level of trust in the connection to the SFTP site.

From there, Kermit will give you details on the SSL cert's encryption, and show that the connection is secured.

Then it's a login prompt.

While not as secure as SSH, it's very usable when you do not have control of the ftp server and Security is breathing down your neck to not send passwords in the clear.
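
Two points raised in this thread, how to tell what a certificate file actually contains (DER or PEM) and what to compare before accepting a self-signed server certificate, both come down to the certificate's DER bytes and their fingerprint. The following is an added example, not code from the posters, C-Kermit or OpenSSL; the function names are hypothetical and the sample input is a constructed DER stand-in, not a real certificate.

```python
import base64, hashlib, hmac, re

# PEM armor may follow an openssl text dump, as in the combined .pem shown above.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) filling the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def load_cert(data: bytes):
    """Return (encoding, der_bytes) with encoding 'PEM' or 'DER'; else ValueError."""
    m = PEM_RE.search(data)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        if der_length_ok(der):
            return "PEM", der
        raise ValueError("PEM armor present but body is not a DER SEQUENCE")
    if der_length_ok(data):
        return "DER", data
    raise ValueError("neither a PEM nor a DER certificate")

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes, so PEM and DER copies of one cert match."""
    return hashlib.sha256(load_cert(data)[1]).hexdigest()

def matches_pin(data: bytes, pinned_hex: str) -> bool:
    """Compare against a fingerprint obtained out of band from the server owner."""
    want = pinned_hex.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(data), want)

# Constructed stand-in: a DER SEQUENCE wrapping 300 filler bytes, NOT a real cert.
SAMPLE_DER = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)
SAMPLE_PEM = (b"Certificate:\n    Data: ...\n-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("sample.der", SAMPLE_DER), ("sample.pem", SAMPLE_PEM)):
        print(name, load_cert(blob)[0], fingerprint(blob))
```

The check only validates the outer DER framing; it does not parse X.509 fields or verify a signature chain.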
Andre Stewart
Frequent Advisor

Re: FTP from UNIX client (C-Kermit) to Gene6 w/SSL

Yes, Michael is correct. As a matter of fact, he should be fully credited with the solution.

To give more detail:

I somehow got misdirected early on with the idea that I needed to have a certificate local to the client in order to connect to the Gene6 server. I was beating my head against the wall trying to get my C-Kermit/OpenSSL implementation to recognize the certificate in the form of an actual file. Although that may ultimately be possible, it was unnecessary.

Michael properly understood that, upon connecting to the Gene6 server, the server would send the C-Kermit FTP client a public certificate which, upon acceptance by the client, would be used to encrypt the FTP session from that point forward.

Now that he's figured that out, I've been able to use the robust scripting features of Kermit to finish my project.
Andre Stewart
Frequent Advisor

Re: FTP from UNIX client (C-Kermit) to Gene6 w/SSL

See post just previous to this one.