Changes between Initial Version and Version 1 of FTPSConfigVSFTPD

Timestamp: 06/16/10 22:09:15 (9 years ago)
Author: iva
== Configure VSFTPD For FTP/SSL ==

NOTES:

* Support for intermediate certificates was added in VSFTPD version 2.0.5

  http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=307498

* Version 2.0.7 fixed the TLS disconnect problems that !FileZilla users experienced

  http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688 \\ http://forum.filezilla-project.org/viewtopic.php?t=7580&f=2 \\ http://forums.proftpd.org/smf/index.php?topic=3501.0

* VSFTPD 2.2.x requires OpenSSL 0.9.8

=== Configure FTP/SSL server ===

1. Update the default configuration.

{{{
# rpm -q vsftpd openssl
vsftpd-2.2.2-8.el4
openssl-0.9.8n-1.el4
#
# cd /etc/vsftpd
# cp -a vsftpd.conf vsftpd.conf.orig
# vi vsftpd.conf
#
# diff vsftpd.conf.orig vsftpd.conf
110a111,120
> 
> ssl_enable=YES
> ssl_sslv2=NO
> ssl_sslv3=YES
> ssl_tlsv1=YES
> ssl_ciphers=HIGH:!MD5:!ADH
> rsa_cert_file=/etc/vsftpd/server.pem
> force_local_logins_ssl=YES
> force_local_data_ssl=YES
> require_ssl_reuse=NO
#
}}}
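Review bot: {{{ssl_sslv3=YES}}} in the added lines keeps SSLv3 enabled while SSLv2 is switched off; SSLv3 is deprecated (RFC 7568), so set {{{ssl_sslv3=NO}}} and rely on {{{ssl_tlsv1=YES}}} alone. {{{require_ssl_reuse=NO}}} also relaxes vsftpd's check that every data connection reuses the control connection's SSL session, the check that ties a data connection to the authenticated session; the page does not say why it is disabled, so if a particular client needs it, record that reason in a comment next to the setting.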
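As an added example that is not part of the original page, the shell script below audits a vsftpd.conf for the settings step 1 introduces. The two configs it checks are constructed inside the script: {{{page.conf}}} holds the ten lines added above, and {{{hardened.conf}}} is the same file with {{{ssl_sslv3}}} turned off. The function names {{{conf_get}}}, {{{check_vsftpd_ssl_conf}}} and {{{write_sample_configs}}} are chosen here. Because SSLv3 has since been deprecated (RFC 7568), the audit treats {{{ssl_sslv3=YES}}} as a finding, so the page's own settings fail and the hardened copy passes.

```shell
#!/bin/sh
# Added example (not from the page): audit a vsftpd.conf for the FTP/SSL
# settings this step adds.  The two sample configs are constructed here:
# "page.conf" carries the page's ten lines, "hardened.conf" turns SSLv3 off.

# conf_get FILE KEY: print the last value assigned to KEY (vsftpd uses
# key=value lines with no spaces; '#' starts a comment).
conf_get() {
    awk -F= -v key="$2" '
        /^#/          { next }
        $1 == key     { val = $2 }
        END           { print val }' "$1"
}

# check_vsftpd_ssl_conf FILE: print one line per finding; return 0 only if
# TLS is enforced for logins and data and no legacy protocol is enabled.
check_vsftpd_ssl_conf() {
    conf="$1"; rc=0
    for want in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES; do
        key=${want%%=*}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL: $key=${got:-<unset>} (want ${want#*=})"; rc=1
        fi
    done
    # SSLv2 and SSLv3 are both prohibited today (RFC 6176, RFC 7568).
    for legacy in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$conf" "$legacy")" = "YES" ]; then
            echo "FAIL: $legacy=YES (legacy protocol enabled)"; rc=1
        fi
    done
    # The cipher list must rule out anonymous (unauthenticated) suites.
    ciphers=$(conf_get "$conf" ssl_ciphers)
    case "$ciphers" in
        *'!ADH'*|*'!aNULL'*) ;;
        *) echo "FAIL: ssl_ciphers '$ciphers' does not exclude anonymous suites"; rc=1 ;;
    esac
    [ -n "$(conf_get "$conf" rsa_cert_file)" ] || { echo "FAIL: rsa_cert_file is not set"; rc=1; }
    return "$rc"
}

# write_sample_configs: create the constructed configs in a temp dir, print its path.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/page.conf" <<'EOF'
# constructed sample: the ten lines the page adds to vsftpd.conf
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=YES
ssl_tlsv1=YES
ssl_ciphers=HIGH:!MD5:!ADH
rsa_cert_file=/etc/vsftpd/server.pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
require_ssl_reuse=NO
EOF
    sed 's/^ssl_sslv3=YES$/ssl_sslv3=NO/' "$dir/page.conf" > "$dir/hardened.conf"
    echo "$dir"
}

# Demo run: the page's settings fail on ssl_sslv3, the hardened copy passes.
demo_dir=$(write_sample_configs)
for f in page.conf hardened.conf; do
    echo "== $f =="
    check_vsftpd_ssl_conf "$demo_dir/$f" && echo "PASS"
done
rm -rf "$demo_dir"
```

Against a live system, call {{{check_vsftpd_ssl_conf /etc/vsftpd/vsftpd.conf}}}; the exit status makes it usable as a pre-restart hook in configuration management.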

2. Combine the private key and the SSL certificate that were created for the Apache web server into a single PEM file.

{{{
# ls -lg /etc/httpd/conf/ssl.???/server.???
-rw-r--r--  1 root 1151 Oct 16  2009 /etc/httpd/conf/ssl.crt/server.crt
-rw-------  1 root  887 Oct 16  2009 /etc/httpd/conf/ssl.key/server.key
#
# cat /etc/httpd/conf/ssl.key/server.key \
      /etc/httpd/conf/ssl.crt/server.crt > /etc/vsftpd/server.pem
# chmod 400 /etc/vsftpd/server.pem
# ls -lg /etc/vsftpd/server.pem
-r--------  1 root 2038 Jun 10  2010 /etc/vsftpd/server.pem
#
}}}

NOTE:

* If an intermediate (chain) certificate is involved, it should be appended to the {{{server.pem}}} file as well.

3. Start the service.

{{{
# chkconfig vsftpd on
# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
#
}}}
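The shell script below is added here and is not taken from the page; it wraps step 2 and the NOTE on chain certificates in reusable functions. {{{build_server_pem}}} concatenates key, server certificate and any intermediates in the order OpenSSL expects and creates the file with mode 0400 from the start, {{{verify_server_pem}}} checks the assembled file before vsftpd is pointed at it, and {{{key_matches_cert}}} shows the {{{openssl}}} modulus comparison that catches a key/certificate mismatch on real material. All function names are chosen here, and the PEM files written by {{{write_sample_inputs}}} are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example (not from the page): build /etc/vsftpd/server.pem from the key
# and certificate the page takes from Apache, optionally appending an
# intermediate chain, and check the result before vsftpd uses it.  All paths
# are parameters; the files written by write_sample_inputs are constructed
# placeholders, not real key material.

# require_pem_block FILE LABEL-ERE: fail unless FILE has a matching BEGIN line.
require_pem_block() {
    grep -Eq "^-----BEGIN $2-----" "$1" ||
        { echo "ERROR: $1 has no '$2' PEM block" >&2; return 1; }
}

# count_pem_blocks FILE LABEL-ERE: number of matching PEM blocks (0 if none).
count_pem_blocks() {
    grep -Ec "^-----BEGIN $2-----" "$1" 2>/dev/null || true
}

# build_server_pem OUT KEY CERT [CHAIN...]
# Order is what OpenSSL expects: private key, server certificate, then the
# intermediate(s) towards the root.  The file is created under umask 077 and
# then set to 0400, so the key is never readable by others, not even briefly.
build_server_pem() {
    out="$1"; key="$2"; cert="$3"; shift 3
    require_pem_block "$key" '(RSA |EC )?PRIVATE KEY' || return 1
    require_pem_block "$cert" 'CERTIFICATE' || return 1
    for chain in "$@"; do
        require_pem_block "$chain" 'CERTIFICATE' || return 1
    done
    ( umask 077 && cat "$key" "$cert" "$@" > "$out" ) || return 1
    chmod 400 "$out"
}

# verify_server_pem FILE: exactly one private key, placed first, at least one
# certificate, and owner-read-only permissions.
verify_server_pem() {
    f="$1"
    [ "$(count_pem_blocks "$f" '(RSA |EC )?PRIVATE KEY')" = 1 ] ||
        { echo "FAIL: $f must contain exactly one private key"; return 1; }
    [ "$(count_pem_blocks "$f" 'CERTIFICATE')" -ge 1 ] ||
        { echo "FAIL: $f contains no certificate"; return 1; }
    case "$(head -n 1 "$f")" in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "FAIL: the private key must be the first block in $f"; return 1 ;;
    esac
    case "$(ls -ld "$f")" in
        -r--------*) ;;
        *) echo "FAIL: $f is not mode 0400"; return 1 ;;
    esac
    echo "OK: $f ($(count_pem_blocks "$f" CERTIFICATE) certificate(s))"
}

# key_matches_cert KEY CERT: compare RSA moduli with openssl.  Only meaningful
# on real key material, so it is not run on the placeholders below.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# write_sample_inputs DIR: constructed placeholder PEM files (not real keys).
write_sample_inputs() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERKEYDATA==' \
        '-----END RSA PRIVATE KEY-----' > "$1/server.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERLEAFCERT==' \
        '-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERCHAINCERT==' \
        '-----END CERTIFICATE-----' > "$1/chain.crt"
}

# Demo: key + leaf + intermediate, as the NOTE on chain certificates requires.
demo=$(mktemp -d)
write_sample_inputs "$demo"
build_server_pem "$demo/server.pem" "$demo/server.key" "$demo/server.crt" "$demo/chain.crt" &&
    verify_server_pem "$demo/server.pem"
rm -rf "$demo"
```

On the real host the call is {{{build_server_pem /etc/vsftpd/server.pem /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt}}} plus the intermediate file when there is one, followed by {{{key_matches_cert}}} on the two Apache files; a mismatch there is the usual cause of a server that starts but fails every handshake.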

=== Test from a client ===

{{{
$ openssl s_client -connect punkts.org:ftp -starttls ftp -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDJjCCAo+gAwIBAgIDDW7zMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkxMDE2MDczMzMxWhcNMTAxMDE3MTgyNDQ3
WjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAoTCnB1bmt0cy5vcmcxEzARBgNVBAsT
CkdUOTY1NzkwODIxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291
cmNlcy9jcHMgKGMpMDkxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRl
ZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDEwpwdW5rdHMub3JnMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDVTLBP4XpLQWbKhSr/7m4IgQNf9EdYYMvTtwGHIoGA
I76H71PbQJJTXTvcgJS4ypVQJdfsU7dIEr9vgHn11KxFP7qzxeEiGmcKZWLoaDEm
3orhFT3+bVgL8XEH4/6shPqB2+fhK12jrqxVwZL4dGzoi2c7qyiVzvEMRNM5+1tp
8wIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUn0DBj7z9DbuM
Z5whzEVPLqg9bTMwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVz
dC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3
DQEBBQUAA4GBAKxpvZglrhYCYWasqWLKdYmb2Ir7Vtt4HQCGAa7Vv57QRY+PpuDj
iI62ld9KBz31P7jxVoKwwU+6BfbVEpQdLQkWmHgHkk/4EhhQSdk/CtnIdwI3HeYH
NScmKfiFZFRnesnzCXCpcJE28riv2QqtO4acPPZF75YYHvW5iYhmLx93
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 6C9C5C8D9C8339C4AE44E59F9B10AE977858F9D02B87C6C9E9F9F425B33C1CFB
    Session-ID-ctx: 
    Master-Key: ADEF2203EC51D84E6F023AF7C958C17F4D0953109618BB9D2970F9CC26452AE5A581324A63106DE481D811DBF7EA497A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1276197181
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
QUIT
DONE
$
}}}
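As an added example, not part of the original page, the shell script below scores an {{{openssl s_client -starttls ftp}}} transcript like the one above instead of reading it by eye: it pulls the verify return code, protocol, cipher and server key size out of the output and fails on anything below current expectations. The three transcripts it checks are constructed in the script in s_client's format ({{{page.txt}}} mirrors the session above, {{{modern.txt}}} a TLS 1.2 session with a 2048-bit key, and {{{nochain.txt}}} the verify code OpenSSL reports when the intermediate is missing from {{{server.pem}}}). The function names are chosen here. The thresholds are today's, so the page's own 2010 session is expected to fail on protocol version and key size.

```shell
#!/bin/sh
# Added example (not from the page): turn an `openssl s_client -starttls ftp`
# transcript into a pass/fail verdict.  The transcripts below are constructed
# excerpts in s_client's output format; the thresholds reflect current guidance.

# tls_field FILE KEY: value of the "KEY : value" line in the SSL-Session block.
tls_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*: *\(.*\)$/\1/p" "$1" | head -n 1
}

# server_key_bits FILE: the "Server public key is N bit" figure, empty if absent.
server_key_bits() {
    sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' "$1" | head -n 1
}

# assess_handshake FILE: one line per check; return 0 only if every check passes.
assess_handshake() {
    f="$1"; rc=0
    code=$(tls_field "$f" 'Verify return code')
    case "$code" in
        "0 "*) echo "ok:   chain verified ($code)" ;;
        *)     echo "FAIL: verify return code '$code' (chain incomplete or untrusted?)"; rc=1 ;;
    esac
    proto=$(tls_field "$f" Protocol)
    case "$proto" in
        TLSv1.2|TLSv1.3) echo "ok:   protocol $proto" ;;
        *) echo "FAIL: legacy protocol '$proto' (SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996)"; rc=1 ;;
    esac
    bits=$(server_key_bits "$f")
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok:   ${bits}-bit server key"
    else echo "FAIL: ${bits:-unknown}-bit server key (below 2048)"; rc=1; fi
    cipher=$(tls_field "$f" Cipher)
    case "$cipher" in
        ''|*NULL*|*RC4*|*DES*|*MD5*|*ADH*|*AECDH*) echo "FAIL: weak or missing cipher '$cipher'"; rc=1 ;;
        *) echo "ok:   cipher $cipher" ;;
    esac
    return "$rc"
}

# write_sample_transcripts DIR: constructed SSL-Session excerpts in s_client format.
write_sample_transcripts() {
    cat > "$1/page.txt" <<'EOF'
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
EOF
    cat > "$1/modern.txt" <<'EOF'
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
    # what a missing intermediate in server.pem looks like to the client
    cat > "$1/nochain.txt" <<'EOF'
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Demo run over the three constructed transcripts.
demo=$(mktemp -d)
write_sample_transcripts "$demo"
for t in page modern nochain; do
    echo "== $t =="
    assess_handshake "$demo/$t.txt" && echo "PASS"
done
rm -rf "$demo"
```

For a live check, capture the client output once ({{{openssl s_client -connect host:ftp -starttls ftp </dev/null > session.txt 2>&1}}}) and run {{{assess_handshake session.txt}}}; a non-zero verify code right after deploying a new {{{server.pem}}} almost always means the intermediate certificate from the NOTE above was left out.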