Tips on Using LFTP as FTPS Client

LFTP is a sophisticated client for various protocols (FTP, FTPS, HTTP, …, and even BitTorrent).

Tip 1 – Basic usage

Installation

On Scientific Linux 6, you can easily install it from the SL repo.

yum install lftp

Connection

Connect to an FTPS server on a specific port with a username and password.

lftp -p PORT -u USERNAME,PASSWORD ftps://FTP.ADDRESS

Or start lftp first, then connect.

lftp
open -p PORT -u USERNAME,PASSWORD ftps://FTP.ADDRESS

Note that it won’t actually connect until you run another command such as ls.

Transfer

get blah-blah.file

Here is a handy cheat sheet.

Tip 2 – Solutions for cert refusal

On some OSes, lftp is pre-installed and configured with stricter security settings. Self-signed certs may then be rejected with the following prompt:

Fatal error: Certificate verification: Not trusted

Solution (1) – Disable cert verification

Use any of the following:

  • For current process:
    set ssl:verify-certificate no
    
  • For the current user: Append the above command to ~/.lftp/rc. If it doesn’t exist, create it.
  • For all users: Append the above command to /etc/lftp.conf.

Solution (2) – Use a CA-signed cert

If you own the FTP server, you can fix this on the server side instead.

  • Get a publicly trusted cert (e.g. from StartSSL), with the Common Name field set to your FTP domain/IP.
  • Put the cert, CA bundle and key in one file.
    cat YOUR-DOMAIN.crt > /etc/pki/tls/private/YOUR-DOMAIN.pem
    cat YOUR-CA-BUNDLE.crt >> /etc/pki/tls/private/YOUR-DOMAIN.pem
    cat YOUR-DOMAIN.key >> /etc/pki/tls/private/YOUR-DOMAIN.pem
    
  • Configure your FTP server to use this cert. For example, for vsftpd:
    vim /etc/vsftpd/vsftpd.conf
    
    Append the following line:
    rsa_cert_file=/etc/pki/tls/private/YOUR-DOMAIN.pem
    
  • Restart your FTP server.

Tip 3 – Solutions for slow resolving

lftp tries IPv6 first by default. So if you connect using a domain name (with an AAAA record) but IPv6 doesn’t actually work (e.g. the FTP server isn’t listening on IPv6, or the client has no IPv6 connectivity), it will wait until the timeout before connecting over IPv4.

Solution (1) – Map the hostname to its IPv4 address in /etc/hosts.

Solution (2) – Modify LFTP settings

Append the following line to /etc/lftp.conf or ~/.lftp/rc.

set dns:order "inet inet6"

You can verify it from within lftp:

lftp :~> set -a|grep dns:order
set dns:order "inet inet6"

Read the lftp man page for more info.
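Solution (1) above turns verification off, so lftp would also accept a substituted certificate; keeping verification on and pinning the server’s chain through lftp’s ssl:ca-file setting avoids that. The following shell script is an added example (not from the original post or the lftp project) that fetches and pins the chain, renders the rc lines including the dns:order setting from Tip 3, and assembles the vsftpd PEM file from Solution (2) with a check on each piece. It assumes openssl and lftp are installed, an implicit-FTPS (ftps://) server as in the connection examples, and HOST/PORT placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Keeps lftp certificate
# verification ON for a self-signed or private-CA FTPS server by pinning the
# server's chain via ssl:ca-file, instead of "set ssl:verify-certificate no".
# Assumes openssl and lftp on PATH and an implicit-FTPS server (ftps://, TLS
# from the first byte), as in the post's connection examples.
set -eu

# Count the certificates in a PEM file (sanity check for chains and bundles).
count_pem_certs() {                    # usage: count_pem_certs FILE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch the server's certificate chain over TLS and keep only the PEM blocks.
# This is trust-on-first-use: compare the fingerprint in OUT
# (openssl x509 -in OUT -noout -fingerprint) with the server admin before use.
fetch_server_chain() {                 # usage: fetch_server_chain HOST PORT OUT
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
    [ "$(count_pem_certs "$3")" -gt 0 ]
}

# Render ~/.lftp/rc lines: verification stays on, the pinned chain is the
# trust anchor, and IPv4 is resolved first (Tip 3).
render_lftp_rc() {                     # usage: render_lftp_rc CAFILE
    printf 'set ssl:verify-certificate yes\n'
    printf 'set ssl:ca-file "%s"\n' "$1"
    printf 'set dns:order "inet inet6"\n'
}

# Server side (Tip 2, solution 2): build the single PEM vsftpd reads through
# rsa_cert_file, in the order cert, CA bundle, key, refusing any piece that
# lacks its PEM marker. The result is created owner-readable only.
build_server_pem() {                   # usage: build_server_pem CERT BUNDLE KEY OUT
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "not a PEM cert: $1" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$2" || { echo "not a PEM bundle: $2" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$3"           || { echo "not a PEM key: $3" >&2; return 1; }
    ( umask 077; cat "$1" "$2" "$3" > "$4" )
}

# Client usage: ./pin-ftps.sh HOST PORT (placeholders); nothing runs without args.
if [ $# -ge 2 ]; then
    mkdir -p "$HOME/.lftp"
    fetch_server_chain "$1" "$2" "$HOME/.lftp/$1.pem"
    render_lftp_rc "$HOME/.lftp/$1.pem" >> "$HOME/.lftp/rc"
    echo "pinned $(count_pem_certs "$HOME/.lftp/$1.pem") cert(s) for $1; review before use"
fi
```

After running it, check the fingerprint lftp will now trust with openssl x509 before the first real transfer; the rc lines can be moved to /etc/lftp.conf for all users.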
