Reputation: 23
It may sound very simple but I can't get it to work. I want to connect to an FTP server with an SSL certificate on Windows from the command line. So I generate my certificate with IIS, export it to "cer" format, and after a lot of tries I end up with this command line:
curl -3 -v --cacert "XX\XX\test_certif.cer" --disable-epsv --ftp-skip-pasv-ip --ftp-ssl ftp://XXXXXXX --user XXXX
and after entering my password, I get this error:
Enter host password for user 'XXXXXX':
* Rebuilt URL to: ftp://XXXX/
* Trying XX::XX:XX:XX...
* TCP_NODELAY set
* Connected to XXXXX (XX::XX:XX:XX:XX) port 21 (#0)
< 220 Microsoft FTP Service
> AUTH SSL
< 234 AUTH command ok. Expecting TLS Negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: XX\XX\test_certif.cer
CApath: none
* SSLv3 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to XXX:21
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to XXX:21
And I am out of ideas to make it work. To go a little further, my FTP works when I change the SSL parameter of the FTP from "Needed ssl connexion" to "allowed ssl connexion", so the problem is not there. And the Windows firewall is disabled.
Update: I am still working on it and now have this command line:
curl -v --cacert "XX\XX\test_certif.cer" --ftp-ssl ftp://XXX --user XXX
with this output:
Enter host password for user 'XXX':
* Rebuilt URL to: ftp://XXX
* Trying XX::XX:XX:XX:XX...
* TCP_NODELAY set
* Connected to XXX (XX::XX:XX:XX:XX) port 21 (#0)
< 220 Microsoft FTP Service
> AUTH SSL
< 234 AUTH command ok. Expecting TLS Negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: XX\XX\test_certif.cer
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Got any idea? Feel free to ask for more info if needed; I'll update the question. Thanks in advance.
Upvotes: 0
Views: 8375
Reputation: 23
I solved my issue. The problem was that the certificate generated by IIS does not work with curl.
So I use OpenSSL to generate a key:
openssl genrsa -des3 -out key.pem -passout pass:password 1024
Then, still using OpenSSL, generate a certificate with the key:
openssl req -x509 -new -key key.pem -passin pass:password -days 3650 -out certificat.cer -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"
-config is not necessarily needed; the file is located in the folder of your OpenSSL install.
Now, still with OpenSSL, convert key + certificate to PFX:
openssl pkcs12 -inkey key.pem -in certificat.cer -export -out iis_certificate.pfx
Now you can import the PFX certificate into IIS and use it to configure your FTP connection.
Create a PEM file and copy-paste the content of certificat.cer into it, or just convert the file to PEM. Let's name it "cacer.pem".
Now use curl to connect:
curl -v ftp://<IP or server name> --user "<username>" --ftp-ssl --cacert "<path of cacer.pem file>"
Here is a little bonus, the command line to upload a file and set the password on the command line:
curl --upload-file "<path of file to transfer>" ftp://<IP or server name> --user "<user>:<password>" --ftp-ssl --cacert "<path of cacer.pem file>"
Upvotes: 1
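The OpenSSL workflow from the answer, together with the two checks behind the question's "unable to get local issuer certificate" error, as an added example that is not part of the question or answer. It is written for a POSIX shell (Git Bash or WSL on Windows) and assumes openssl is on the PATH; the host names, file names and the PFX password are constructed placeholders, and it departs from the answer by using a 2048-bit key with no passphrase so it runs unattended. The verification step is the same check curl performs against the --cacert file before it lets the TLS handshake complete.

```shell
#!/bin/sh
# Added example (not the asker's commands): the answer's OpenSSL steps, plus the
# checks that explain why curl rejected the IIS export. Assumes openssl on PATH.
# Host names, file names and the PFX password are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Steps 1-2 of the answer: private key + self-signed certificate.
# Differences from the answer: 2048-bit RSA instead of 1024 and no -des3
# passphrase so the script runs unattended; -subj replaces the interactive
# prompts that -config would otherwise drive.
make_selfsigned_cert() {
  host="$1"; key="$2"; cert="$3"
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -x509 -new -key "$key" -days 3650 -subj "/CN=$host" -out "$cert" 2>/dev/null
}

# Step 3 of the answer: bundle key + certificate as PKCS#12 for the IIS import.
make_pfx() {
  key="$1"; cert="$2"; pfx="$3"
  openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$pfx" -passout pass:changeit 2>/dev/null
}

# Report whether a certificate file is PEM (text, "-----BEGIN") or DER (binary).
# curl --cacert expects PEM; a binary DER export from IIS is not accepted.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Step 4 of the answer: produce the PEM file handed to curl --cacert.
to_pem() {
  in="$1"; out="$2"
  if [ "$(cert_format "$in")" = DER ]; then
    openssl x509 -inform DER -in "$in" -out "$out"
  else
    cp "$in" "$out"
  fi
}

# What curl checks during the handshake: does the server certificate chain to
# the --cacert file? Returns 0 on success, non-zero otherwise (curl error 60).
verify_server_cert() {
  server_cert="$1"; cafile="$2"
  openssl verify -CAfile "$cafile" "$server_cert" >/dev/null 2>&1
}

# Build the curl invocation from the answer for the verified PEM file.
curl_command() {
  printf 'curl -v --ftp-ssl --cacert "%s" --user "%s" ftp://%s/\n' "$3" "$2" "$1"
}

# Demo: run the workflow, then reproduce the question's failure mode.
run_demo() {
  make_selfsigned_cert ftp.example.test "$WORK/key.pem" "$WORK/certificat.cer"
  make_pfx "$WORK/key.pem" "$WORK/certificat.cer" "$WORK/iis_certificate.pfx"
  # Simulate an IIS "export to .cer" in binary DER form.
  openssl x509 -in "$WORK/certificat.cer" -outform DER -out "$WORK/iis_export.cer"
  echo "IIS-style export is $(cert_format "$WORK/iis_export.cer"); curl needs PEM"
  to_pem "$WORK/iis_export.cer" "$WORK/cacer.pem"
  if verify_server_cert "$WORK/certificat.cer" "$WORK/cacer.pem"; then
    echo "server certificate verifies against cacer.pem"
    curl_command ftp.example.test ftpuser "$WORK/cacer.pem"
  fi
  # A CA file that did not issue the server certificate reproduces the error.
  make_selfsigned_cert other.example.test "$WORK/other.key" "$WORK/other.pem"
  if ! verify_server_cert "$WORK/certificat.cer" "$WORK/other.pem"; then
    echo "wrong CA file: verification fails (curl reports error 60)"
  fi
}

run_demo
```

Run it as `sh ftps_cert_check.sh`; the `verify_server_cert` line is the one to rerun by hand whenever curl reports error 60, since it tells you whether the --cacert file really is the issuer of what the server presents before you touch any IIS setting. Using -k/--insecure, as curl's own message suggests, only hides that mismatch.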