How to compile lftp with openssl?
Does the packaged lftp have OpenSSL support?
Regarding compilation with SSL support:
http://linux.overshoot.tv/wiki/networking/lftp#Compile_with_SSL_support
The default lftp installed with Kubuntu (Debian, ubuntu...) does not seem to be compiled with SSL support:
ldd /usr/bin/lftp
linux-vdso.so.1 => (0x00007ffff4720000)
libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007fc68cf20000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc68cd18000)
libreadline.so.6 => /lib/libreadline.so.6 (0x00007fc68cad5000)
libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007fc68c8d2000)
libncurses.so.5 => /lib/libncurses.so.5 (0x00007fc68c68e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc68c489000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fc68c273000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc68bedf000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc68d1f6000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc68bcc0000)
libtasn1.so.3 => /usr/lib/x86_64-linux-gnu/libtasn1.so.3 (0x00007fc68baaf000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc68b897000)
libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007fc68b61c000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fc68b418000)
I compiled from source using:
./configure --with-openssl=/usr/lib
and I get:
$ ldd /usr/local/bin/lftp
linux-vdso.so.1 => (0x00007fff195ff000)
libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007f96070e9000)
libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f9606e96000)
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f9606b06000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f96068fe000)
libreadline.so.6 => /lib/libreadline.so.6 (0x00007f96066bc000)
libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f96064b8000)
libncurses.so.5 => /lib/libncurses.so.5 (0x00007f9606274000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9606070000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f9605e59000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9605ac5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f9607348000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f96058a7000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f960568e000)
The second is linked against libssl while the former is not.
However, even though in my .lftprc I have set ftp:ssl-force on, it allowed me to connect with a remote server.
So two questions:
1) Is the distro's packaged version of lftp really not compiled with SSL support? Are we obligated to re-compile from source to use lftp with SSL encryption?
2) If it is not, why did it let me connect to the remote server without SSL encryption??
Comments
#1
#2
I set debug = 5, and made a diff of the output of /usr/bin/lftp (the version packaged by the distro) and /usr/local/bin/lftp (the version I compiled with SSL support) and here is what I got:
-/usr/bin/lftp bookmark
+$ /usr/local/bin/lftp bookmark
---- Resolving host address...
---- 1 address found: xxx.36.166.xxx
---- Connecting to ftp.xxx.net (xxx.36.166.xxx) port 21
@@ -10,6 +10,8 @@
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> USER admin
+Certificate depth: 1; subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supportatcacertorg; issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supportatcacertorg
+Certificate depth: 0; subject: /CN=*.ocsa-data.net; issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supportatcacertorg
<--- 331 User admin OK. Password required
---> PASS XXXX
<--- 230-User admin has group access to: clients
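Review bot: the two added `Certificate depth` lines after `---> USER admin` are the only change in this hunk, and they are extra certificate-chain logging from the second build, not a sign that the first build skipped TLS: `---> AUTH TLS` and `<--- 234 AUTH TLS OK.` are unchanged context, so both builds had TLS accepted by the server before `USER` and `PASS` were sent. Suggest labelling each side with the TLS library its binary is linked against (per the two `ldd` listings) so it is clear what the diff compares.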
The only difference in output is the following which is only found in the second version:
Certificate depth: 1; subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supportatcacertorg; issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supportatcacertorg
Certificate depth: 0; subject: /CN=*.ocsa-data.net; issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supportatcacertorg
However, both have:
---> AUTH TLS
<--- 234 AUTH TLS OK.
What does it all mean?
Does it mean the connection is secured with the packaged version?
Why doesn't the ssl linkage show with ldd with it?
What is the significance of the extra output with the self-compiled version??
#3
Ok, here is my mistake:
OpenSSL is an implementation of the SSL and TLS protocols.
http://en.wikipedia.org/wiki/OpenSSL
http://en.wikipedia.org/wiki/Transport_Layer_Security
GnuTLS is another implementation of the same protocol:
http://en.wikipedia.org/wiki/GnuTLS
Because of the licensing issues discussed in the OpenSSL Wikipedia article, Linux distros prefer to use GnuTLS instead of OpenSSL.
So, the packaged lftp versions are secure in the way that they do implement the SSL and TLS protocols.
I attach a patch showing the differences in debug output between lftp compiled with OpenSSL and one compiled with GnuTLS.
Todo: improve the documentation.
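The check made by eye in comments #2 and #3, as an added example that is not part of the original thread: a shell function that reads an lftp debug transcript and reports whether USER/PASS were sent only after the server answered AUTH with 234. The function name and the sample transcripts (host, user, replies) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an lftp debug transcript on stdin
# ("--->" = command sent, "<---" = server reply) and prints:
#   protected  USER/PASS were sent only after the server answered AUTH with 234
#   cleartext  USER or PASS was sent with no accepted AUTH before it
#   no-login   no USER/PASS in the transcript
# 234 only shows the server agreed to start TLS; certificate checks are separate.
ftp_login_protection() {
    awk '
    {
        s = index($0, "---> "); r = index($0, "<--- ")   # tolerate diff/indent prefixes
        if (s) {
            split(substr($0, s + 5), w, " "); verb = toupper(w[1])
            if (verb == "AUTH") pending = 1
            else if (verb == "USER" || verb == "PASS") { seen = 1; if (!tls) clear = 1 }
        } else if (r && pending) {
            if (substr($0, r + 5, 3) == "234") tls = 1
            pending = 0
        }
    }
    END { print (!seen ? "no-login" : (clear ? "cleartext" : "protected")) }'
}

# Constructed transcripts (placeholder host and user), in the format shown above.
sample_tls() { cat <<'EOF'
---- Connecting to ftp.example.net (192.0.2.10) port 21
<--- 220 FTP server ready
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> USER admin
<--- 331 User admin OK. Password required
---> PASS XXXX
<--- 230 Login OK
EOF
}
sample_plain() { cat <<'EOF'
<--- 220 FTP server ready
---> AUTH TLS
<--- 500 Unknown command
---> USER admin
<--- 331 Password required
---> PASS XXXX
<--- 230 Login OK
EOF
}

printf 'TLS-capable server: %s\n' "$(sample_tls | ftp_login_protection)"
printf 'Server without TLS: %s\n' "$(sample_plain | ftp_login_protection)"
```

The same function can be fed a saved debug log from either build, whichever TLS library it is linked against, because the FTP control-channel lines are identical in both.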
#4
Hi, I found the following description at http://linux.about.com/od/commands/l/blcmdl1_lftp.htm.
ftp:ssl-force (bool)
If true, refuse to send password in clear when server does not support SSL. Default is false. This setting is only available if lftp was compiled with openssl.
It seems "set ftp:ssl-force on" does not work.
How does lftp connect to the server using the SSL protocol if it is not compiled with openssl?
#5
I have installed the lftp and libreadline_devel packages, and lftp works OK.
linux-os:~>ldd /usr/bin/lftp
linux-vdso.so.1 => (0x00007fff9932b000)
liblftp-jobs.so.0 => /usr/lib64/liblftp-jobs.so.0 (0x00007f82f50e2000)
liblftp-tasks.so.0 => /usr/lib64/liblftp-tasks.so.0 (0x00007f82f4e4d000)
libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x00007f82f4c0a000)
libc.so.6 => /lib64/libc.so.6 (0x00007f82f48ac000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f82f46a8000)
librt.so.1 => /lib64/librt.so.1 (0x00007f82f449f000)
libncurses.so.5 => /lib64/libncurses.so.5 (0x00007f82f4257000)
/lib64/ld-linux-x86-64.so.2 (0x00007f82f532b000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f82f4040000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f82f3e23000)
I want to compile lftp with openssl, and downloaded the lftp-4.3.8 source code,
but its check for the readline-devel package failed, as follows:
linux-os:~>./configure --with-openssl=/usr/lib64
...............
checking for library containing tigetstr... no
checking for library containing tgetstr... no
configure: WARNING: No terminfo
checking for readline... configure: error: need installed readline-devel package
Can you tell me why it happened, and how to solve it?
Thanks