== Configure VSFTPD For FTP/SSL ==

NOTES:
 * Support for intermediate certificates was added in VSFTPD version 2.0.5: http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=307498
 * Version 2.0.7 solved the TLS disconnect problems experienced by !FileZilla users: http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688 \\ http://forum.filezilla-project.org/viewtopic.php?t=7580&f=2 \\ http://forums.proftpd.org/smf/index.php?topic=3501.0
 * VSFTPD 2.2.x requires OpenSSL 0.9.8

=== Configure FTP/SSL server ===

 1. Update the default configuration.
{{{
# rpm -q vsftpd openssl
vsftpd-2.2.2-8.el4
openssl-0.9.8n-1.el4
#
# cd /etc/vsftpd
# cp -a vsftpd.conf vsftpd.conf.orig
# vi vsftpd.conf
#
# diff vsftpd.conf.orig vsftpd.conf
110a111,120
>
> ssl_enable=YES
> ssl_sslv2=NO
> ssl_sslv3=YES
> ssl_tlsv1=YES
> ssl_ciphers=HIGH:!MD5:!ADH
> rsa_cert_file=/etc/vsftpd/server.pem
> force_local_logins_ssl=YES
> force_local_data_ssl=YES
> require_ssl_reuse=NO
#
}}}
 2. Combine the private key and the public SSL certificate that were created for the Apache web server into one PEM file.
{{{
# ls -lg /etc/httpd/conf/ssl.???/server.???
-rw-r--r--  1 root 1151 Oct 16  2009 /etc/httpd/conf/ssl.crt/server.crt
-rw-------  1 root  887 Oct 16  2009 /etc/httpd/conf/ssl.key/server.key
#
# cat /etc/httpd/conf/ssl.key/server.key \
      /etc/httpd/conf/ssl.crt/server.crt > /etc/vsftpd/server.pem
# chmod 400 /etc/vsftpd/server.pem
# ls -lg /etc/vsftpd/server.pem
-r--------  1 root 2038 Jun 10  2010 /etc/vsftpd/server.pem
#
}}}
NOTE:
 * If an intermediate (chain) certificate is involved, append it to the {{{server.pem}}} file as well.
 3. Start the service.
{{{
# chkconfig vsftpd on
# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
#
}}}

=== Test from a client ===

{{{
$ openssl s_client -connect punkts.org:ftp -starttls ftp -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDJjCCAo+gAwIBAgIDDW7zMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkxMDE2MDczMzMxWhcNMTAxMDE3MTgyNDQ3
WjCBsDELMAkGA1UEBhMCVVMxEzARBgNVBAoTCnB1bmt0cy5vcmcxEzARBgNVBAsT
CkdUOTY1NzkwODIxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291
cmNlcy9jcHMgKGMpMDkxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRl
ZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDEwpwdW5rdHMub3JnMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDVTLBP4XpLQWbKhSr/7m4IgQNf9EdYYMvTtwGHIoGA
I76H71PbQJJTXTvcgJS4ypVQJdfsU7dIEr9vgHn11KxFP7qzxeEiGmcKZWLoaDEm
3orhFT3+bVgL8XEH4/6shPqB2+fhK12jrqxVwZL4dGzoi2c7qyiVzvEMRNM5+1tp
8wIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUn0DBj7z9DbuM
Z5whzEVPLqg9bTMwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVz
dC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3
DQEBBQUAA4GBAKxpvZglrhYCYWasqWLKdYmb2Ir7Vtt4HQCGAa7Vv57QRY+PpuDj
iI62ld9KBz31P7jxVoKwwU+6BfbVEpQdLQkWmHgHkk/4EhhQSdk/CtnIdwI3HeYH
NScmKfiFZFRnesnzCXCpcJE28riv2QqtO4acPPZF75YYHvW5iYhmLx93
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 6C9C5C8D9C8339C4AE44E59F9B10AE977858F9D02B87C6C9E9F9F425B33C1CFB
    Session-ID-ctx:
    Master-Key: ADEF2203EC51D84E6F023AF7C958C17F4D0953109618BB9D2970F9CC26452AE5A581324A63106DE481D811DBF7EA497A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1276197181
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
QUIT
DONE
$
}}}
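The three server-side steps (add the TLS directives, assemble {{{server.pem}}}, start the service) can be checked after the fact with the audit script below. It is an added example, not code from this wiki page or from the vsftpd project; the expected values it enforces are its own assumptions drawn from the vsftpd.conf(5) man page, and the sample configuration and PEM texts are constructed. It goes beyond the page's own settings in two places: it flags {{{ssl_sslv3=YES}}}, since SSLv3 has since been deprecated (RFC 7568), and it flags {{{require_ssl_reuse=NO}}}, which the page disables for client compatibility but which is the setting that makes vsftpd verify that each data connection resumes the control channel's TLS session.

```python
"""Audit the TLS directives of a vsftpd.conf and the combined server.pem.

Added illustration; not code from the wiki page or from vsftpd. EXPECTED and
the PEM layout rules are this example's own assumptions (vsftpd.conf(5)).
"""
import os
import re
import stat
import sys

# Constructed sample: the directives the page's diff adds, plus two unrelated ones.
SAMPLE_CONF = """\
listen=YES
local_enable=YES
# TLS settings as on the wiki page
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=YES
ssl_tlsv1=YES
ssl_ciphers=HIGH:!MD5:!ADH
rsa_cert_file=/etc/vsftpd/server.pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
require_ssl_reuse=NO
"""

# Constructed sample of the step-2 file: key first, then the server certificate.
# The bodies are placeholders, not real key material.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydCBib2R5
-----END CERTIFICATE-----
"""

# Values a hardened setup should show (this example's assumption).
EXPECTED = {
    "ssl_enable": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",           # SSLv3 is obsolete (RFC 7568); the page still enables it
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "require_ssl_reuse": "YES",  # data connections must resume the control-channel session
}


def parse_conf(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_conf(conf):
    """Return {directive: problem} for every TLS directive that deviates from EXPECTED."""
    findings = {}
    for key, want in EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings[key] = f"not set explicitly; expected {want}"
        elif got.upper() != want:
            findings[key] = f"is {got}; expected {want}"
    suites = set(conf.get("ssl_ciphers", "").split(":"))
    if not suites & {"!ADH", "!aNULL"}:
        findings["ssl_ciphers"] = "anonymous Diffie-Hellman suites are not excluded"
    elif "!MD5" not in suites:
        findings["ssl_ciphers"] = "MD5-MAC suites are not excluded"
    if not conf.get("rsa_cert_file"):
        findings["rsa_cert_file"] = "no key/certificate file configured"
    return findings


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(text):
    """Labels of the PEM blocks in a file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def audit_pem(text, chain_expected=False):
    """Check that server.pem holds one private key and the certificate(s) vsftpd needs."""
    kinds = pem_block_types(text)
    problems = []
    if sum(k.endswith("PRIVATE KEY") for k in kinds) != 1:
        problems.append("expected exactly one private key block")
    if "CERTIFICATE" not in kinds:
        problems.append("no certificate block")
    if chain_expected and kinds.count("CERTIFICATE") < 2:
        problems.append("intermediate certificate missing (only one CERTIFICATE block)")
    return problems


def pem_mode_ok(mode):
    """The file holds the private key: no group/other bits allowed (the page uses 0400)."""
    return stat.S_IMODE(mode) & 0o077 == 0


if __name__ == "__main__":
    # With a path argument audit that vsftpd.conf and its rsa_cert_file; otherwise the samples.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    conf = parse_conf(open(path).read() if path else SAMPLE_CONF)
    for key, msg in audit_conf(conf).items():
        print(f"{key}: {msg}")
    pem_path = conf.get("rsa_cert_file")
    if path and pem_path and os.path.exists(pem_path):
        print("pem:", audit_pem(open(pem_path).read(), chain_expected=True) or "ok")
        print("mode ok:", pem_mode_ok(os.stat(pem_path).st_mode))
    else:
        print("sample pem:", audit_pem(SAMPLE_PEM) or "ok")
```

Run with the path to {{{vsftpd.conf}}} as the only argument to audit a live server (it then also inspects the file named by {{{rsa_cert_file}}}, expecting a chain); without arguments it audits the embedded samples and reports the two deviations described above.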
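The {{{openssl s_client}}} transcript above verifies the handshake by hand. The ftplib client below repeats that check from Python and adds the two things {{{s_client}}} does not exercise: a {{{PROT P}}} data transfer and a confirmation that a plaintext login is refused, which is what {{{force_local_logins_ssl=YES}}} is for. It is an added example, not code from this page or from vsftpd; {{{HOST}}}, {{{USER}}} and {{{PASSWORD}}} are placeholders. It sets a TLS 1.2 floor, which the page's 2010 server (only {{{ssl_tlsv1=YES}}}) cannot meet; newer vsftpd releases add {{{ssl_tlsv1_1}}} and {{{ssl_tlsv1_2}}} directives, so the remedy is to upgrade the server rather than to lower the client's floor.

```python
"""Explicit FTP-over-TLS client check: the ftplib counterpart of `openssl s_client
-starttls ftp`. Added illustration, not code from the wiki page or vsftpd; the
connection details are placeholders."""
import ftplib
import ssl

HOST, USER, PASSWORD = "ftp.example.test", "someuser", "placeholder"  # placeholders


def make_client_context(cafile=None, minimum=ssl.TLSVersion.TLSv1_2):
    """Strict client context: verify the chain and the hostname, and set a protocol floor.

    cafile=None uses the system trust store; pass the CA/intermediate bundle
    for a private CA. The page's server only speaks TLS 1.0, which this floor rejects.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname
    ctx.minimum_version = minimum
    return ctx


def describe_context(ctx):
    """The settings that matter for this check, as plain values."""
    return {
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum": ctx.minimum_version.name,
    }


def tls_session_report(host, user, password, port=21, cafile=None):
    """AUTH TLS, log in, PROT P, then report what was negotiated (like the s_client summary)."""
    ftps = ftplib.FTP_TLS(context=make_client_context(cafile))
    ftps.connect(host, port, timeout=10)
    ftps.auth()                   # AUTH TLS: upgrade the control channel before USER/PASS
    ftps.login(user, password)    # credentials now travel inside the TLS session
    ftps.prot_p()                 # PROT P: data connections are encrypted as well
    name, proto, bits = ftps.sock.cipher()
    subject = dict(rdn[0] for rdn in ftps.sock.getpeercert()["subject"])
    listing = ftps.nlst()         # exercises a protected data connection
    ftps.quit()
    return {"protocol": proto, "cipher": name, "bits": bits,
            "peer_cn": subject.get("commonName"), "entries": len(listing)}


def plaintext_login_refused(host, user, password, port=21):
    """With force_local_logins_ssl=YES vsftpd answers a plain USER/PASS with a 530 reply."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=10)
    try:
        ftp.login(user, password)
    except ftplib.error_perm as exc:
        return str(exc).startswith("530")
    else:
        return False                # the server accepted an unencrypted login
    finally:
        ftp.close()


if __name__ == "__main__":
    print(tls_session_report(HOST, USER, PASSWORD))
    print("plaintext login refused:", plaintext_login_refused(HOST, USER, PASSWORD))
```

{{{tls_session_report}}} fails with an {{{ssl.SSLError}}} if the chain does not validate or the hostname does not match, which is the behaviour wanted from a monitoring probe; {{{plaintext_login_refused}}} returning False means the server still accepts credentials in the clear.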