How lftp(1) verifies an FTP server's TLS certificate
User installs ca-certificates package.
User (apt post-install-hook?) runs update-ca-certificates(1) which reads /etc/ca-certificates.conf. Based on this config file, certain certificates are copied from /usr/share/ca-certificates to /etc/ssl/certs/ca-certificates.crt.
The user runs lftp(1) which (via GNU TLS [pronounced "Gu-Noodles" haha]) verifies the FTP server's certificate by looking in (among other places) /etc/ssl/certs/ca-certificates.crt and finding e.g. the ValiCert_Class_1_VA root certificate.
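As an added example (not Debian's update-ca-certificates or lftp's code), the following models step 2 above: it reads a ca-certificates.conf-style file, drops the roots marked with a leading "!", and concatenates the rest into a bundle of the kind GnuTLS later searches. The config text, the mozilla/*.crt paths and the PEM bodies are constructed placeholders; the real tool also creates hash symlinks under /etc/ssl/certs and runs /etc/ca-certificates/update.d hooks, which are left out here.

```python
"""Model of how update-ca-certificates(1) builds /etc/ssl/certs/ca-certificates.crt
from /etc/ca-certificates.conf. Added example, not Debian's or lftp's code."""
import os
import tempfile

def pem(tag):  # constructed placeholder PEM block, not a real certificate
    return f"-----BEGIN CERTIFICATE-----\n{tag}\n-----END CERTIFICATE-----\n"

SAMPLE_CONF = """# constructed config: comment lines are ignored; a leading ! distrusts a root
mozilla/Go_Daddy_Class_2_CA.crt
!mozilla/ValiCert_Class_1_VA.crt
mozilla/ValiCert_Class_2_VA.crt
"""
SAMPLE_CERTS = {  # constructed stand-in for /usr/share/ca-certificates
    "mozilla/Go_Daddy_Class_2_CA.crt": pem("GODADDY2"),
    "mozilla/ValiCert_Class_1_VA.crt": pem("VALICERT1"),
    "mozilla/ValiCert_Class_2_VA.crt": pem("VALICERT2"),
}

def parse_conf(text):
    """Return (enabled, disabled) paths relative to /usr/share/ca-certificates."""
    enabled, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        (disabled if line.startswith("!") else enabled).append(line.lstrip("!").strip())
    return enabled, disabled

def build_bundle(conf_text, share_dir, bundle_path):
    """Concatenate every enabled cert, in config order, into the bundle file."""
    enabled, _ = parse_conf(conf_text)
    with open(bundle_path, "w") as out:
        for rel in enabled:
            with open(os.path.join(share_dir, rel)) as src:
                out.write(src.read())
    return enabled

def trust_anchors(bundle_path):
    """Count PEM blocks in the bundle: the roots a server chain may end in."""
    with open(bundle_path) as f:
        return f.read().count("-----BEGIN CERTIFICATE-----")

def demo():
    """Lay the constructed tree out under a temp dir and rebuild the bundle."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "usr", "share", "ca-certificates")
    for rel, body in SAMPLE_CERTS.items():
        os.makedirs(os.path.join(share, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(share, rel), "w") as f:
            f.write(body)
    bundle = os.path.join(root, "ca-certificates.crt")
    return build_bundle(SAMPLE_CONF, share, bundle), trust_anchors(bundle)
```

Prefixing a line with "!" and rerunning update-ca-certificates is how a root such as ValiCert_Class_1_VA is removed from what lftp will trust.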
Failure to attain data encryption
Password encryption worked but data (i.e. "file content") encryption didn't. According to this 4yr-old message, good.net's PureFTPd server doesn't support data encryption: "PureFTPD can not encrypt the data connections" -- #815 (can't use FileZilla with pure-ftpd in TLS/SSL mode) – FileZilla – Trac
In retrospect, this isn't so bad. After all, I'm uploading files to a public server.
lftp(1) failure
tcpdump(1) and strings(1) indicate that the password is encrypted over the wire, but the transferred file is not.
sudo tcpdump -i eth2 -s 9999 -w /tmp/lftp_goodnet4.cap 'host ftp.good.net'
% lftp -e 'put ~/tmp/date.txt;quit' -u 'foo@bar.com' ftp://ftp.good.net
Password:
---- Resolving host address...
---- 1 address found: 69.16.155.157
---- Connecting to ftp.good.net (69.16.155.157) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- 220-You are user number 1 of 1200 allowed.
<--- 220-Local time is now 17:53. Server port: 21.
<--- 220 You will be disconnected after 15 minutes of inactivity.
---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- TVFS
<--- ESTP
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTA
<--- AUTH TLS
<--- PBSZ
<--- PROT
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> OPTS MLST type;size;modify;UNIX.mode;UNIX.uid;UNIX.gid;
Certificate: O=avondale.good.net,CN=avondale.good.net,OU=Domain Control Validated
 Issued by: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
 Checking against: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
 Trusted
Certificate: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
 Issued by: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
 Checking against: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
 Trusted
Certificate: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
 Issued by: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
 Checking against: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
 Trusted
Certificate: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
 Issued by: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
 Trusted
<--- 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
---> USER foo@bar.com
<--- 331 User foo@bar.com OK. Password required
---> PASS XXXX
<--- 230-Your bandwidth usage is restricted
<--- 230-User foo@bar.com has group access to: goodnet
<--- 230-OK. Current restricted directory is /
<--- 230 0 Kbytes used (0%) - authorized: 10485760 Kb
---> PWD
<--- 257 "/" is your current location
---> PBSZ 0
<--- 200 PBSZ=0
---> TYPE I
<--- 200 TYPE is now 8-bit binary
---> PASV
<--- 227 Entering Passive Mode (69,16,155,157,210,61)
---- Connecting data socket to (69.16.155.157) port 53821
---- Data connection established
---> ALLO 29
<--- 200 Zzz...
---> STOR date.txt
<--- 150 Accepted data connection
---- Closing data socket
<--- 226-0 Kbytes used (0%) - authorized: 10485760 Kb
<--- 226-File successfully transferred
<--- 226 0.355 seconds (measured here), 81.64 bytes per second
---> SITE UTIME 20090226230428 date.txt
<--- 500 UTC Only
---> SITE UTIME date.txt 20090226230428 20090226230428 20090226230428 UTC
<--- 250 UTIME OK
29 bytes transferred in 5 seconds (6b/s)
---> QUIT
---- Closing control socket
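The trace above shows AUTH TLS accepted and PBSZ 0 sent, but no PROT P before STOR, so only the control channel (and with it the password) is encrypted, which is what tcpdump(1) showed. The following added example, not code from this page or from lftp, audits a trace in lftp's ---> / <--- format for exactly that condition; the excerpt it runs on is constructed from the session above.

```python
"""Audit an FTP control-channel trace (lftp's ---> / <--- format) for data
transfers that ran without PROT P. Added example; not code from the page or lftp."""

# Constructed excerpt of the lftp session above: TLS on the control channel,
# PBSZ 0 sent, but no PROT P before STOR.
SAMPLE_TRACE = """\
---> AUTH TLS
<--- 234 AUTH TLS OK.
---> USER foo@bar.com
<--- 331 User foo@bar.com OK. Password required
---> PASS XXXX
<--- 230 OK. Current restricted directory is /
---> PBSZ 0
<--- 200 PBSZ=0
---> PASV
<--- 227 Entering Passive Mode (69,16,155,157,210,61)
---> STOR date.txt
<--- 150 Accepted data connection
"""

DATA_COMMANDS = {"STOR", "RETR", "LIST", "NLST", "MLSD", "APPE", "STOU"}

def parse_trace(text):
    """Yield (direction, payload): '>' for client commands, '<' for server replies."""
    for raw in text.splitlines():
        if raw.startswith("---> "):
            yield ">", raw[5:]
        elif raw.startswith("<--- "):
            yield "<", raw[5:]

def audit_data_protection(text):
    """Track AUTH/PROT state and list data transfers started while PROT != P."""
    state = {"control_tls": False, "prot": "C", "unprotected_transfers": []}
    pending = None  # the client command whose reply we are waiting for
    for direction, payload in parse_trace(text):
        if direction == ">":
            pending = payload.split()
            continue
        code = payload[:3]
        if not pending or not code.isdigit():
            continue  # continuation line of a multi-line reply, or noise
        cmd = pending[0].upper()
        if cmd == "AUTH" and code == "234":
            state["control_tls"] = True
        elif cmd == "PROT" and code.startswith("2") and len(pending) > 1:
            state["prot"] = pending[1].upper()  # P = private, C = clear
        elif cmd in DATA_COMMANDS and code.startswith("1") and state["prot"] != "P":
            state["unprotected_transfers"].append(" ".join(pending))
        pending = None
    return state
```

In lftp, whether PROT P is sent at all is governed by the ftp:ssl-protect-data setting; whether the server then accepts it is the server's decision.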
ftp-ssl(1) failure
% ftp-ssl -v -z secure ftp.good.net
Connected to ftp.good.net.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 1200 allowed.
220-Local time is now 18:54. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
Name (ftp.good.net:tz): foo@bar.cc
500 This security scheme is not implemented
234 AUTH TLS OK.
[SSL Cipher AES256-SHA]
200 PBSZ=0
534 Fallback to [C] Data connection security level refused.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
Odd examples of trust/mistrust
Judging by the pathnames of the ValiCert and GoDaddy certs, lftp(1) appears to trust the root certs intended for Mozilla software (esp. Firefox).
FileZilla doesn't trust the above certs.
Misc
'Good.net uses the following SSL Certificates:' - Good.net Forums • View topic - How do I know that my connection to Good.net is secure?
"Response: 550 Premium account status required to download files via FTP." >:]
30KB/s sustained up via filezilla at h-town lib wireless 2010-03-23
30KB/s sustained up via filezilla (ftpes?) at q-pac lib wired 2010-03-24
1.5MB/s sustained up via filezilla (ftp) at q-pac lib wired 2010-03-25
per connection?
800KB/s sustained up via filezilla 2009-03-16 wired @ rit lib
- An alternative: stashbox
I found that FileZilla 3.1.2 is able to resume downloads
ftps with lftp some questions similar to mine
Backup FTP Server: Offsite Backups that You Control - RimuHosting (some notes on transport encryption w/ lftp(1))
"My browser states that your certificate is not from a trusted authority." -- eDecree::FAQ Transcription (some notes on cert signing)

