
Resolved pleskbackup command - SSL_verify_mode

devlin

New Pleskian
Hello,
I have a question... I'm using pleskbackup command for backing up data to the remote ftps server and this is what I get when I issue backup:

*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************

How can I configure verification of the remote ftps server's SSL certificate? I don't want to accept every certificate...

I'm using Plesk Onyx Version 17.5.3 Update #25 on CentOS

Thank you!!! :)
 
Hi devlin,

unfortunately, you don't provide YOUR current operating system ( CentOS version ??? )

Pls. consider as well to post the output of:
Code:
rpm -q perl
 
Make sure that perl-IO-Socket-SSL package is correctly installed on your server.
 
Thank you for your responses. I have:

CentOS Linux release 7.4.1708
perl-5.16.3-292.el7.x86_64

And I have perl-IO-Socket-SSL-1.94-6.el7.noarch installed...
 
Hi devlin,

At the very first moment, the CentOS 7 standards are different to the ones on Debian/Ubuntu. Pls. note the following at "SSL.pm" ( /usr/share/perl5/vendor_perl/IO/Socket ) of your version "perl-IO-Socket-SSL-1.94-6.el7.noarch"
=item SSL_verify_mode

This option sets the verification mode for the peer certificate.
You may combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT
(fail verification if no peer certificate exists; ignored for clients),
SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients).
See OpenSSL man page for SSL_CTX_set_verify for more information.

The default is SSL_VERIFY_NONE for server (e.g. no check for client
certificate).
For historical reasons the default for client is currently also SSL_VERIFY_NONE,
but this will change to SSL_VERIFY_PEER in the near future. To aid transition a
warning is issued if the client is used with the default SSL_VERIFY_NONE, unless
SSL_verify_mode was explicitly set by the application.
... which leaves you with the current settings:
Code:
# global defaults
my %DEFAULT_SSL_ARGS = (
    SSL_check_crl => 0,
    SSL_version => '',
    SSL_verify_callback => undef,
    SSL_verifycn_scheme => undef,  # don't verify cn
    SSL_verifycn_name => undef,    # use from PeerAddr/PeerHost
    SSL_npn_protocols => undef,    # meaning depends whether on server or client side
    SSL_honor_cipher_order => 0,   # client order gets preference
    SSL_cipher_list => undef,

    # default for SSL_verify_mode should be SSL_VERIFY_PEER for client
    # for now we keep the default of SSL_VERIFY_NONE but complain, if
    # somebody uses this implicit default
    # SSL_verify_mode => undef,  # set to undef to enable secure default
    SSL_verify_mode => SSL_VERIFY_NONE,
);


This is actually strange in my opinion, as ( for your information! ) on Debian/Ubuntu ( package: libio-socket-ssl-perl - version "2.024-1" ) based systems, the standard settings for "DEFAULT_SSL_CLIENT_ARGS" are:
Code:
my %DEFAULT_SSL_CLIENT_ARGS = (
    %DEFAULT_SSL_ARGS,
    SSL_verify_mode => SSL_VERIFY_PEER,


You have two choices here:
  • You could ignore the "not useful" warning on CentOS 7 based systems, as they plan to change the default settings for their package "perl-IO-Socket-SSL".
  • You could manually change it ( as already suggested in the depending documentation ).
 
Great, thanks! The warning has disappeared...

Could I ask you for advice on how to specify the certificate of the FTPS server? I don't want to accept every certificate... Thank you.
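
The options named in the warning (SSL_verify_mode together with SSL_ca_file) can be exercised with a small stand-alone check like the one below. It is an added example, not code from this thread, from Plesk or from pleskbackup, and it does not change how pleskbackup connects. The host name, port, CA file path and the `ftp_reply` helper are assumptions, and it assumes an explicit-FTPS server (AUTH TLS on the control port).

```perl
#!/usr/bin/perl
# Added example: confirm that an explicit-FTPS server's certificate verifies
# against a CA file you chose, with SSL_verify_mode set explicitly.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and SSL_VERIFY_NONE

# Assumed values: your backup server, and the CA certificate (or the server's
# own self-signed certificate) in PEM format.
my $host    = 'ftps.example.com';
my $port    = 21;
my $ca_file = '/etc/pki/tls/certs/backup-ftps-ca.pem';

# Hypothetical helper: read one FTP reply (possibly multi-line) and return
# its three-digit code. "NNN " ends a reply, "NNN-" continues it.
sub ftp_reply {
    my ($sock) = @_;
    while (defined(my $line = <$sock>)) {
        return $1 if $line =~ /^(\d{3}) /;
    }
    die "connection closed while waiting for an FTP reply\n";
}

my $sock = IO::Socket::INET->new(PeerHost => $host, PeerPort => $port, Timeout => 15)
    or die "TCP connect to $host:$port failed: $!\n";

ftp_reply($sock) eq '220' or die "unexpected FTP greeting\n";
print $sock "AUTH TLS\r\n";
ftp_reply($sock) eq '234' or die "server refused AUTH TLS\n";

# Upgrade the plain socket to TLS. Because SSL_verify_mode is given explicitly,
# the deprecation warning is not printed, and a certificate that does not chain
# to $ca_file (or does not match $host) makes the handshake fail.
IO::Socket::SSL->start_SSL($sock,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'http',    # RFC 2818 host-name matching rules
    SSL_verifycn_name   => $host,
) or die "TLS verification failed: $IO::Socket::SSL::SSL_ERROR\n";

printf "verified: subject=%s issuer=%s cipher=%s\n",
    $sock->peer_certificate('subject'),
    $sock->peer_certificate('issuer'),
    $sock->get_cipher;
close $sock;
```

Pointing `$ca_file` at an unrelated CA should make the script die at the `start_SSL` step, which confirms that verification is actually being enforced.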
 