ლ(ಠ益ಠლ)

Debian: Lftp - Gnutls_handshake - a TLS Fatal Alert Has Been Received

The Debian 7 default lftp package (from the repository) refused to establish a secure TLS connection.

The lftp binary was not compiled with OpenSSL support in Debian 7 (likely due to licensing reasons). The tool ldd (list dynamic dependencies) is useful in this situation to confirm the shared library dependencies of a specific binary.

Confirm a lack of OpenSSL support in lftp:

$ ldd $(which lftp) | grep ssl
$

No results returned, as expected. Let’s compile our own instead.

We’ll need a few things to pull this off:

$ sudo apt-get install build-essential libreadline-dev libreadline6-dev libtinfo-dev zlib1g-dev libssl-dev libncurses5-dev

Download lftp:

$ wget http://lftp.yar.ru/ftp/lftp-4.6.1.tar.gz
$ tar xvfz lftp-4.6.1.tar.gz
$ cd lftp-4.6.1

Where is OpenSSL?

$ which openssl
/usr/bin/openssl

Configure:

$ ./configure --with-openssl=/usr/bin/openssl --prefix=/home/user/lftp
# configure: creating ./config.status
# config.status: creating Makefile
# config.status: creating src/Makefile
# config.status: creating lib/Makefile
# config.status: creating doc/Makefile
# config.status: creating po/Makefile.in
# config.status: creating m4/Makefile
# config.status: creating trio/Makefile
# config.status: creating lib/config.h
# config.status: executing depfiles commands
# config.status: executing po-directories commands
# config.status: creating po/POTFILES
# config.status: creating po/Makefile
# config.status: executing libtool commands

Next step is to issue a ‘make’:

Note, -jN determines the number of jobs to run simultaneously (can significantly speed up the make process), where “N” is an integer value. Usually you’ll want to align this value with the number of vCPUs you have available on the server in question.

Warning, do not pick an absurd integer value.

# make -jN
$ make -j2

Install to the prefix you specified earlier, during configuration:

Warning, do not proceed with a make install, unless you specified a --prefix target during the ./configure step (above).

$ make install

Check for OpenSSL support in the new custom lftp build (location was specified by the --prefix target):

$ ldd /home/user/lftp/bin/lftp | grep ssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007ffe6d27b000)

OpenSSL has been successfully added.

Configure secure options in the lftp user profile (.lftp).

Note, the last step (EOF) will require keying [Enter] to push the configuration options to /home/user/.lftp/rc:

$ mkdir -p /home/user/.lftp/
$ cd /home/user/.lftp/
$ touch rc
$ cat <<EOF >> rc
set ftp:ssl-allow true
set ftp:ssl-allow-anonymous no
set ftp:ssl-auth TLS
set ftp:ssl-force yes
set ssl:verify-certificate no
EOF

You should now be able to connect securely to the target FTP service, using the new binary:

$ /home/user/lftp/bin/lftp --help
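
The rc written above enables ftp:ssl-force but sets ssl:verify-certificate no, so the session is encrypted while the server certificate goes unchecked. As an added example (not part of the original post), this shell audit reads an lftp rc file and flags that setting and related ones. The function names, the policy of requiring ftp:ssl-force and ftp:ssl-protect-data explicitly, and the sample file are assumptions of the example.

```shell
# Added example, not from the original post; the audit policy is an assumption.
# Effective (last) value of setting $2 in rc file $1; closures are not handled.
lftp_setting() {
    awk -v key="$2" '$1 == "set" && $2 == key { val = tolower($3) }
                     END { print val }' "$1"
}

# Map lftp boolean spellings to true/false; anything else is "unset".
lftp_bool() {
    case "$1" in
        yes|true|on|1)  echo true ;;
        no|false|off|0) echo false ;;
        *)              echo unset ;;
    esac
}

# Print one line per finding; return 0 if the file is clean, 1 otherwise.
audit_lftp_rc() {
    rc=$1 weak=0
    # Must not be switched off: either one off leaves server identity unverified.
    for name in ssl:verify-certificate ssl:check-hostname; do
        if [ "$(lftp_bool "$(lftp_setting "$rc" "$name")")" = false ]; then
            echo "WEAK $name: disabled, server identity is not verified"; weak=1
        fi
    done
    # Policy of this audit: these must be enabled explicitly in the file.
    for name in ftp:ssl-force ftp:ssl-protect-data; do
        if [ "$(lftp_bool "$(lftp_setting "$rc" "$name")")" != true ]; then
            echo "WEAK $name: not enabled, credentials or data may go in clear"; weak=1
        fi
    done
    return "$weak"
}

# Constructed sample: the five settings the post writes to rc.
write_post_rc() {
    printf 'set %s\n' 'ftp:ssl-allow true' 'ftp:ssl-allow-anonymous no' \
        'ftp:ssl-auth TLS' 'ftp:ssl-force yes' \
        'ssl:verify-certificate no' > "$1"
}

demo=$(mktemp) && write_post_rc "$demo"
audit_lftp_rc "$demo" || echo "rc from the post: findings above"
# Later "set" lines override earlier ones, so stricter values can be appended.
printf 'set %s\n' 'ssl:verify-certificate yes' 'ftp:ssl-protect-data yes' \
    'ssl:ca-file /etc/ssl/certs/ca-certificates.crt' >> "$demo"
audit_lftp_rc "$demo" && echo "after overrides: clean"
rm -f "$demo"
```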
