== Configure VSFTPD For FTP/SSL ==

NOTES:

* Support for intermediate certificates was added in VSFTPD version 2.0.5

http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=307498

* Version 2.0.7 fixed the TLS disconnect problems experienced by !FileZilla users

http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688 \\ http://forum.filezilla-project.org/viewtopic.php?t=7580&f=2 \\ http://forums.proftpd.org/smf/index.php?topic=3501.0

* VSFTPD 2.2.x requires OpenSSL 0.9.8

=== Configure FTP/SSL server ===

1. Update the default configuration.

{{{
# rpm -q vsftpd openssl
vsftpd-2.2.2-8.el4
openssl-0.9.8n-1.el4
#
# cd /etc/vsftpd
# cp -a vsftpd.conf vsftpd.conf.orig
# vi vsftpd.conf
#
# diff vsftpd.conf.orig vsftpd.conf
110a111,120
>
> ssl_enable=YES
> ssl_sslv2=NO
> ssl_sslv3=YES
> ssl_tlsv1=YES
> ssl_ciphers=HIGH:!MD5:!ADH
> rsa_cert_file=/etc/vsftpd/server.pem
> force_local_logins_ssl=YES
> force_local_data_ssl=YES
> require_ssl_reuse=NO
#
}}}

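An added check, not part of the original page: a small Python audit that parses the settings above and reports every TLS option whose effective value is weaker than the hardened one. It flags the page's ssl_sslv3=YES, since SSLv3 has since been deprecated (RFC 7568); the defaults assumed for absent options are those documented in vsftpd.conf(5), and the sample configuration is constructed from the diff above.

```python
from typing import Dict, List

# Constructed sample: the settings the page's diff appends to vsftpd.conf.
SAMPLE_CONF = """\
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=YES
ssl_tlsv1=YES
ssl_ciphers=HIGH:!MD5:!ADH
rsa_cert_file=/etc/vsftpd/server.pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
require_ssl_reuse=NO
"""

# (option, default when absent per vsftpd.conf(5), hardened value, why it matters)
CHECKS = [
    ("ssl_enable", "NO", "YES", "TLS is off; logins and data cross the wire in clear text"),
    ("ssl_sslv2", "NO", "NO", "SSLv2 is broken and must stay disabled"),
    ("ssl_sslv3", "NO", "NO", "SSLv3 is deprecated (RFC 7568); allow only TLS"),
    ("force_local_logins_ssl", "YES", "YES", "local users could still log in over plain FTP"),
    ("force_local_data_ssl", "YES", "YES", "data transfers could still bypass TLS"),
]


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf holds one 'option=value' per line; lines starting with '#' are comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        option, _, value = line.partition("=")
        settings[option.strip()] = value.strip()
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per option whose effective value is not the hardened value."""
    findings = []
    for option, default, wanted, why in CHECKS:
        effective = settings.get(option, default).upper()
        if effective != wanted:
            findings.append(f"{option}={effective}: {why}")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_vsftpd_conf(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against /etc/vsftpd/vsftpd.conf after step 1; an empty result means every checked option has its hardened value.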
2. Combine the private key and the public SSL certificate that were created for the Apache web server into a single PEM file.

{{{
# ls -lg /etc/httpd/conf/ssl.???/server.???
-rw-r--r-- 1 root 1151 Oct 16 2009 /etc/httpd/conf/ssl.crt/server.crt
-rw------- 1 root 887 Oct 16 2009 /etc/httpd/conf/ssl.key/server.key
#
# cat /etc/httpd/conf/ssl.key/server.key \
/etc/httpd/conf/ssl.crt/server.crt > /etc/vsftpd/server.pem
# chmod 400 /etc/vsftpd/server.pem
# ls -lg /etc/vsftpd/server.pem
-r-------- 1 root 2038 Jun 10 2010 /etc/vsftpd/server.pem
#
}}}

NOTE:

* If an intermediate (chain) certificate is involved, it must be added to the {{{server.pem}}} file as well.

3. Start the service.

{{{
# chkconfig vsftpd on
# service vsftpd start
Starting vsftpd for vsftpd: [ OK ]
#
}}}

=== Test from a client ===

{{{
$ openssl s_client -connect punkts.org:ftp -starttls ftp -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
verify return:1
---
Certificate chain
0 s:/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDJjCCAo+gAwIBAgIDDW7zMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkxMDE2MDczMzMxWhcNMTAxMDE3MTgyNDQ3
WjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAoTCnB1bmt0cy5vcmcxEzARBgNVBAsT
CkdUOTY1NzkwODIxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291
cmNlcy9jcHMgKGMpMDkxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRl
ZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDEwpwdW5rdHMub3JnMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDVTLBP4XpLQWbKhSr/7m4IgQNf9EdYYMvTtwGHIoGA
I76H71PbQJJTXTvcgJS4ypVQJdfsU7dIEr9vgHn11KxFP7qzxeEiGmcKZWLoaDEm
3orhFT3+bVgL8XEH4/6shPqB2+fhK12jrqxVwZL4dGzoi2c7qyiVzvEMRNM5+1tp
8wIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUn0DBj7z9DbuM
Z5whzEVPLqg9bTMwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVz
dC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3
DQEBBQUAA4GBAKxpvZglrhYCYWasqWLKdYmb2Ir7Vtt4HQCGAa7Vv57QRY+PpuDj
iI62ld9KBz31P7jxVoKwwU+6BfbVEpQdLQkWmHgHkk/4EhhQSdk/CtnIdwI3HeYH
NScmKfiFZFRnesnzCXCpcJE28riv2QqtO4acPPZF75YYHvW5iYhmLx93
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 6C9C5C8D9C8339C4AE44E59F9B10AE977858F9D02B87C6C9E9F9F425B33C1CFB
Session-ID-ctx:
Master-Key: ADEF2203EC51D84E6F023AF7C958C17F4D0953109618BB9D2970F9CC26452AE5A581324A63106DE481D811DBF7EA497A
Key-Arg : None
Krb5 Principal: None
Start Time: 1276197181
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
QUIT
DONE
$
}}}