Thavian n00b
Joined: 20 Jul 2006 Posts: 13
Posted: Thu Apr 19, 2007 9:49 pm Post subject: Vsftpd + ssl
Hey guys, I have VSFTPD up and running with local accounts and all is working correctly without any SSL. I'm now trying to add in SSL support (it is already compiled in; I'm just enabling it in the config).
Code: | root:ldd /usr/sbin/vsftpd
linux-gate.so.1 => (0xffffe000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb7f48000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb7f33000)
libpam.so.0 => /lib/libpam.so.0 (0xb7f2b000)
libdl.so.2 => /lib/libdl.so.2 (0xb7f27000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7f14000)
libutil.so.1 => /lib/libutil.so.1 (0xb7f10000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7edf000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7dda000)
libc.so.6 => /lib/libc.so.6 (0xb7cbc000)
/lib/ld-linux.so.2 (0xb7f55000)
|
I have followed the howto on the gentoo-wiki http://gentoo-wiki.com/HOWTO_vsftpd#Using_SSL_to_Secure_FTP
The problem I get is when I put in the SSL config
Code: |
#this is important
ssl_enable=YES
#choose what you like, if you accept anon-connections
# you may want to enable this
# allow_anon_ssl=NO
#choose what you like,
# it's a matter of performance i guess
# force_local_data_ssl=NO
#choose what you like
force_local_logins_ssl=YES
#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
|
The init script fails to start at that point. openssl says the pem file is fine. I have tried taking out all the ssl config data and leaving only ssl_enable=YES and it still fails. I see nothing in my /var/log/vsftpd.log
Any ideas on why this might be failing or why I see nothing in the log?
Here is the config file as well.
Code: |
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=FTP server
chroot_local_user=YES
ls_recurse_enable=YES
chmod_enable=NO
# FAILS TO START WHEN THIS CONFIG BLOCK IS UNCOMMENTED
#ssl_enable=YES
#allow_anon_ssl=NO
## force_local_data_ssl=NO
#force_local_logins_ssl=YES
#ssl_tlsv1=YES
#ssl_sslv2=YES
#ssl_sslv3=YES
#rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
|
Thanks for any help!
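An added example, not part of the original post: the howto's comments leave ssl_sslv2 and ssl_sslv3 "to taste", but vsftpd's documented defaults are ssl_sslv2=NO, ssl_sslv3=NO and ssl_tlsv1=YES, so the posted block switches on two obsolete protocol versions that the defaults already exclude. The script below audits a vsftpd.conf for those settings, for the force_local_*_ssl options that keep passwords and file data off the wire in clear, and for a certificate file the daemon cannot read. It uses two constructed configs: the posted SSL block with force_local_data_ssl=NO uncommented (as the howto invites) and a hardened version. The temporary paths and the empty placeholder .pem are assumptions made for the example; no real key is involved.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a vsftpd.conf's SSL options
# next to a hardened version of the same block. Both configs are constructed
# here; the .pem paths are stand-ins created for the example, not real keys.

WORK=${TMPDIR:-/tmp}/vsftpd-ssl-check.$$
mkdir -p "$WORK"
WEAK_CONF=$WORK/weak.conf
HARDENED_CONF=$WORK/hardened.conf
PLACEHOLDER_PEM=$WORK/vsftpd.pem      # empty stand-in so the readability check can pass
: > "$PLACEHOLDER_PEM"

cat > "$WEAK_CONF" <<EOF
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=$WORK/missing.pem
rsa_private_key_file=$WORK/missing.pem
EOF

cat > "$HARDENED_CONF" <<EOF
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=$PLACEHOLDER_PEM
rsa_private_key_file=$PLACEHOLDER_PEM
EOF

# is_yes VALUE: the spellings vsftpd accepts for a boolean "on"
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# get_opt FILE KEY DEFAULT: value of the last uncommented KEY= line, else DEFAULT.
# Callers pass vsftpd's documented default, so unset options are judged as vsftpd sees them.
get_opt() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# check_vsftpd_ssl FILE: one finding per line on stdout; returns the number of findings.
# File readability is tested as the user running this script, not as the vsftpd user.
check_vsftpd_ssl() {
    f=$1
    n=0
    if ! is_yes "$(get_opt "$f" ssl_enable NO)"; then
        echo "ssl_enable is not YES: no TLS at all, logins cross the wire in clear"
        return 1
    fi
    for proto in ssl_sslv2 ssl_sslv3; do
        if is_yes "$(get_opt "$f" "$proto" NO)"; then
            echo "$proto=YES: obsolete protocol version enabled (vsftpd's default is NO)"
            n=$((n + 1))
        fi
    done
    if ! is_yes "$(get_opt "$f" ssl_tlsv1 YES)"; then
        echo "ssl_tlsv1 is not YES: with SSLv2/SSLv3 off nothing is left to negotiate"
        n=$((n + 1))
    fi
    if ! is_yes "$(get_opt "$f" force_local_logins_ssl YES)"; then
        echo "force_local_logins_ssl is not YES: local users can log in with a cleartext password"
        n=$((n + 1))
    fi
    if ! is_yes "$(get_opt "$f" force_local_data_ssl YES)"; then
        echo "force_local_data_ssl is not YES: file contents can be transferred in clear"
        n=$((n + 1))
    fi
    cert=$(get_opt "$f" rsa_cert_file /usr/share/ssl/certs/vsftpd.pem)
    key=$(get_opt "$f" rsa_private_key_file "$cert")   # unset: key is expected in the cert file
    if [ ! -r "$cert" ]; then
        echo "rsa_cert_file '$cert' is not readable: vsftpd cannot load its certificate"
        n=$((n + 1))
    fi
    if [ "$key" != "$cert" ] && [ ! -r "$key" ]; then
        echo "rsa_private_key_file '$key' is not readable: vsftpd cannot load its key"
        n=$((n + 1))
    fi
    return $n
}

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $conf"
    if check_vsftpd_ssl "$conf"; then
        echo "no findings"
    fi
done
```

On the silent failure described in the post: vsftpd reports fatal startup and configuration errors as a `500 OOPS:` line on its standard output rather than in vsftpd.log, so running the daemon in the foreground with the config path as its argument (on Gentoo assumed to be `/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf`) shows the reason the init script hides.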
meka Tux's lil' helper
Joined: 16 Dec 2003 Posts: 85 Location: Novi Sad / Vojvodina / Srbija
Posted: Thu Aug 23, 2007 5:52 am
Same HOWTO used but different problem. Gftp says:
Code: | Error 18:self signed certificate | It sounds crazy but is vsftpd supposed to work only with certificates signed by thawte and similar?
baeksu l33t
Joined: 26 Sep 2004 Posts: 609 Location: Seoul, Korea
Posted: Thu Aug 23, 2007 7:07 am
http://www.brennan.id.au/14-FTP_Server.html has a walkthrough towards the end of the page to enabling and creating an ssl certificate for vsftpd.
Since it's a self-signed certificate, connection will be iffy, as the client should support not only ssl, but also accept self-signed certificates.
According to the same page, gftp should have an option to disable "Verify SSL Peer", which would make it accept self-signed certificates.
_________________
Gnome:
1. A legendary being.
2. A never ending quest to make unix friendly to people who don't want unix and excruciating for those that do.
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Aug 23, 2007 7:12 am
meka wrote: | Same HOWTO used but different problem. Gftp says:
Code: | Error 18:self signed certificate | It sounds crazy but is vsftpd supposed to work only with certificates signed by thawte and similar? |
No it just tells you that gftp isn't able to verify the certificate of the server because it doesn't know the CA who signed it.
Import the CA certificate on your box and it should work (if gftp supports this).
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
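An added example, not from the thread, from gftp or from vsftpd: error 18 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, raised when the certificate presented is self-signed and is not itself in the client's trust store. The script reproduces that error with `openssl verify`, clears it by supplying the certificate as the trusted CA file (which is what "import the CA certificate" amounts to for a self-signed cert), and then checks that a combined key+cert .pem, the single-file layout the posted config uses for rsa_cert_file and rsa_private_key_file, actually pairs its key with its certificate. It needs the openssl command line; the certificate is generated on the fly and ftp.example.test is a made-up name.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce gftp's "error 18: self
# signed certificate" with openssl and clear it by trusting the certificate,
# not by turning verification off. The certificate is generated here for the
# example; ftp.example.test is a made-up host name.

WORK=$(mktemp -d)

# make_selfsigned DIR CN: self-signed cert + RSA key, concatenated into DIR/vsftpd.pem
# (the one-file layout the posted config points both rsa_* options at)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    cat "$1/key.pem" "$1/cert.pem" > "$1/vsftpd.pem"
    chmod 600 "$1/key.pem" "$1/vsftpd.pem"   # both files hold the private key
}

# verify_cert CERT [CAFILE]: the chain check a client performs. Without CAFILE a
# self-signed cert chains to nothing the verifier trusts, which is error 18.
verify_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        openssl verify "$1" 2>&1
    fi
}

# verify_error_code CERT [CAFILE]: OpenSSL's numeric verify error, or 0 when the cert verifies
verify_error_code() {
    code=$(verify_cert "$1" "$2" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

# pem_has_matching_key PEM: the certificate's RSA modulus equals the key's, i.e.
# the combined file really contains the key for that certificate
pem_has_matching_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

make_selfsigned "$WORK" ftp.example.test
echo "--- unverified (the client knows no CA that signed it):"
verify_cert "$WORK/cert.pem" || true
echo "--- same certificate, supplied to the client as its trusted CA file:"
verify_cert "$WORK/cert.pem" "$WORK/cert.pem"
if pem_has_matching_key "$WORK/vsftpd.pem"; then
    echo "vsftpd.pem: private key matches the certificate"
fi
```

Unticking gftp's "Verify SSL Peer" removes the error by skipping the check entirely, so any server presenting any certificate is accepted; trusting that one certificate on the client keeps verification on. Only cert.pem goes to clients: vsftpd.pem also carries the private key, which is why the example leaves it readable by its owner alone.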