Hi, I am providing an ftp+ssl service for my customers and one uses mercator solutions with an ftp adapter.
This customer is able to connect to other ftp+ssl sites, but when it tries to connect to mine the only way is to remove the CA file from mercator's ftp adapter.
I've tested using a unix ftps and windows (cute-ftp) with the same cert, key and CA file with success.
The CA file I used to create the cert is not a "valid" one, i.e. it's not from thawte, verisign etc. Is this a problem?
The cert, key and CA were generated using openssl's tools.
So far from my server's tls.log I saw a few differences. First, a success using either the unix or the windows client:
Jun 18 10:00:05 mod_tls/2.0.6[13838]: TLS/TLS-C requested, starting TLS handshake
Jun 18 10:00:06 mod_tls/2.0.6[13838]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Jun 18 10:00:06 mod_tls/2.0.6[13838]: set RSA blinding on
Jun 18 10:00:56 mod_tls/2.0.6[13861]: TLS/TLS-C requested, starting TLS handshake
Jun 18 10:00:57 mod_tls/2.0.6[13861]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Jun 18 10:00:57 mod_tls/2.0.6[13861]: set RSA blinding on
Jun 18 10:01:06 mod_tls/2.0.6[13861]: Protection set to Private
Jun 18 10:01:14 mod_tls/2.0.6[13861]: starting TLS negotiation on data connection
Next, a successful connection from mercator (without the CA file):
Jun 18 10:02:02 mod_tls/2.0.6[13880]: SSL/TLS-P requested, starting TLS handshake
Jun 18 10:02:04 mod_tls/2.0.6[13880]: TLSv1/SSLv3 connection accepted, using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
Jun 18 10:02:04 mod_tls/2.0.6[13880]: set RSA blinding on
Even though they are using the same cert/key, the cipher and "mode" (TLS-P/TLS-C) are different.
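The differences the post points at (TLS-C vs TLS-P mode, AES256 vs 3DES cipher, and whether PROT P was issued before the data channel) pulled out of the mod_tls lines per session, as an added example that is not part of the original post. The sample log is built from the post's own lines; the list of cipher-name fragments treated as weak is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the proftpd mod_tls sessions quoted in the post above (blinding lines dropped).
SAMPLE_LOG = """\
Jun 18 10:00:05 mod_tls/2.0.6[13838]: TLS/TLS-C requested, starting TLS handshake
Jun 18 10:00:06 mod_tls/2.0.6[13838]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Jun 18 10:00:56 mod_tls/2.0.6[13861]: TLS/TLS-C requested, starting TLS handshake
Jun 18 10:00:57 mod_tls/2.0.6[13861]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
Jun 18 10:01:06 mod_tls/2.0.6[13861]: Protection set to Private
Jun 18 10:01:14 mod_tls/2.0.6[13861]: starting TLS negotiation on data connection
Jun 18 10:02:02 mod_tls/2.0.6[13880]: SSL/TLS-P requested, starting TLS handshake
Jun 18 10:02:04 mod_tls/2.0.6[13880]: TLSv1/SSLv3 connection accepted, using cipher EDH-RSA-DES-CBC3-SHA (168 bits)
"""

LINE_RE = re.compile(r"^\w{3} \d{2} [\d:]{8} mod_tls/[\d.]+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MODE_RE = re.compile(r"^(?P<mode>(?:TLS|SSL)/TLS-[CP]) requested")
CIPHER_RE = re.compile(r"using cipher (?P<cipher>\S+) \((?P<bits>\d+) bits\)")
WEAK_FRAGMENTS = ("DES", "RC4", "NULL", "EXP")  # assumption: cipher-name fragments treated as weak

def parse_sessions(log_text):
    """Group mod_tls lines by server PID and pull out mode, cipher and data-channel state."""
    sessions = defaultdict(lambda: {"mode": None, "cipher": None, "bits": 0, "prot_p": False, "data_tls": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        mm = MODE_RE.match(msg)
        if mm:
            s["mode"] = mm["mode"]
        cm = CIPHER_RE.search(msg)
        if cm:
            s["cipher"], s["bits"] = cm["cipher"], int(cm["bits"])
        if msg == "Protection set to Private":
            s["prot_p"] = True
        if msg.startswith("starting TLS negotiation on data connection"):
            s["data_tls"] = True
    return dict(sessions)

def assess(session):
    """Return the findings a server operator would want flagged for one session."""
    findings = []
    if session["cipher"] and any(f in session["cipher"] for f in WEAK_FRAGMENTS):
        findings.append("weak cipher %s (%d bits)" % (session["cipher"], session["bits"]))
    # TLS-P implies a protected data channel; TLS-C needs an explicit PROT P before transfers.
    implicit = session["mode"] is not None and session["mode"].endswith("TLS-P")
    if not implicit and not session["prot_p"]:
        findings.append("data channel not protected (no PROT P seen)")
    return findings
```

Run against a real tls.log, the output shows per PID which sessions negotiated 3DES and which never protected the data channel.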