NEED HELP WITH SSL AND PROFTPD!!


yO ..

Mar 27, 2004, 9:01:40 PM
Ok simple question(s).
What exactly do I need for ssl to work..
What I know...
I first have to create a private key on my server. (Should I use an RSA or
DSA key?)
Then I have to create a certificate using that private key. (For test
purposes)
Should I use a passphrase for what I'm trying to do?
Do I have to produce a public key? if so .. how?

Do I have to place any of this manually within my ftp/ssl client (I'm using
wsftp pro win)
Asking this because within wsftp pro there is a section I can make
certificates import and everything.
Why do these options exist if the server passes everything back and forth
between the ftp client.

Question concerning proftpd..
Below is what I placed in my proftpdconf

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd_ssl.log
TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off

# Server's certificate
TLSRSACertificateFile /etc/ssl/certs/cacert.pem <-- My cert
TLSRSACertificateKeyFile /etc/ssl/private/privkey.pem <--- My Private

# CA the server trusts
TLSCACertificateFile /etc/ftpd/root.cert.pem <-- What should I target
here?


# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>

For all I know the mod_tls setting I have above is completely wrong.
As we speak the client gets disconnected immediately.
Maybe there is something else I have to do to have the ssl connection
accept?

I've read so much shit online and find it stupidly hard to figure this out
for the first time..
Maybe someone can answer my questions ..
Or at least point towards a website .. anything..

Thanks in Advance...
Menno will probably respond to this .. I hope.

Menno Duursma

Mar 28, 2004, 7:47:51 AM
On Sat, 27 Mar 2004 21:01:40 -0500, yO .. wrote:

> Ok simple quesiton(s).
> What exactly do I need for ssl to work..

OpenSSL installed and configured. An ftpd with support enabled.

> What I know...
> I first have to create a private key on my server. (Should I use an RSA or
> DSA key?)

I'd go with RSA, as it is more widely supported. And I have no idea if
ProFTPd would work with DSA even.

> Then I have to create a certificate using that private key. (For test
> purposes)

Yes.

> Should I use a passphrase for what Im trying to do?

Dunno, I didn't set any though.

> Do I have to produce a public key?

Yes.

> if so .. how?

Well, here is what I did:

mkdir /etc/proftpd; cd /etc/proftpd
openssl genrsa 1024 >host.key
openssl req -new -x509 -nodes -sha1 -days 365 -key host.key >host.cert
cat host.cert host.key > host.pem
chmod 0400 host.key host.pem

> Do I have to place any of this manually within my ftp/ssl client (Im using
> wsftp pro win)

No.

> Asking this becuase within wsftp pro there is a section I can make
> certificates import and everything.

That is /probably/ for mutual authentication (so the server would be able
to verify the client as well), and/or so you don't really need a CA, as you
can import the server's public cert onto the client.

> Why do these options exist if the server passes everything back and forth
> between the ftp client.

Not sure, but I think you can send the server's public cert to your
users, via e-mail (or some such). They'd import that, and would get an
error, should certs not match upon connect?

> Question concenring proftpd..
> Below is what I placed in my proftpdconf

[ Snip. the relevant parts. ]
Here is what I have, working (with "lftp", at least):

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd_ssl.log
TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off

# Server's certificate
TLSRSACertificateFile /etc/proftpd/host.cert

# Key to the server certificate
TLSRSACertificateKeyFile /etc/proftpd/host.key

# CA the server trusts

TLSCACertificateFile /etc/proftpd/host.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>

> For all I know the above mod_tls setting I have above is completly wrong.

Try the above.

> As we speak the client gets disconected immediatly.

Well, increase the debug-level, and have a look at the logs maybe...
Here is what my /etc/inetd.conf line looks like:

ftp stream tcp nowait root /usr/sbin/tcpd proftpd -d9

What I normally do is separate log dirs per service, like so:

mkdir /var/log/proftpd; cd /var/log/proftpd
touch xferlog proftpd.log proftpd_ssl.log

And modify /etc/proftpd.conf to log there, ie:

SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog

> Maybe there is something else I have to do to have the ssl connection
> accept?

I dunno. I'm not using WS_FTP as a client, and don't feel like testing that
out ATM (but it _is_ reported to run in Wine, so I might). With "lftp" you
need one of the following:

set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-auth TLS

[ ... ]

> Menno will probably respond to this .. I hope.

I guess so... In your last query Sybren made a good point though. Try
looking at the traffic with a sniffer (such as SSLdump):
http://www.rtfm.com/ssldump/

But maybe Ethereal gathers info enough. Also, make sure you're not
firewalling anything, while testing...

Have fun.

[ Oh, and BTW, what are the capital-letters and ``!'' marks in subject-
line all about? It's weekend dude, chill out... ]

--
-Menno.

yO ..

Mar 28, 2004, 2:14:03 PM
"Menno Duursma" <me...@desktop.lan> wrote in message
news:pan.2004.03.28....@desktop.lan...

> On Sat, 27 Mar 2004 21:01:40 -0500, yO .. wrote:
>
> > Ok simple quesiton(s).
> > What exactly do I need for ssl to work..
>
> OpenSSL installed, and configured. A ftpd with support enabled.

I'm sure OpenSSL is installed .. but I have not modified the conf.
Should I be modifying it to target my new /etc/proftpd/ directory?

> mkdir /etc/proftpd; cd /etc/proftpd
> openssl genrsa 1024 >host.key
> openssl req -new -x509 -nodes -sha1 -days 365 -key host.key >host.cert
> cat host.cert host.key > host.pem
> chmod 0400 host.key host.pem

I've done the above .. now have 3 new files.
host.cert
host.key
host.pem (which is a combination of .cert and key)

Stupid question .. which of these would be considered the public key?

I'm using your example below. Which I just dumped into my /etc/proftpd.conf
I noticed even with failures a proftpd_ssl.log is not even created.

> <IfModule mod_tls.c>
> TLSEngine on
> TLSLog /var/log/proftpd_ssl.log
> TLSProtocol TLSv1
>
> # Are clients required to use FTP over TLS when talking to this server?
> TLSRequired off
>
> # Server's certificate
> TLSRSACertificateFile /etc/proftpd/host.cert
>
> # Key to the server certificate
> TLSRSACertificateKeyFile /etc/proftpd/host.key
>
> # CA the server trusts
> TLSCACertificateFile /etc/proftpd/host.pem
>
> # Authenticate clients that want to use FTP over TLS?
> TLSVerifyClient off
> </IfModule>

> Well, increase the debug-level, and have a look at the logs maybe...


> Here is what my /etc/inetd.conf line looks like:

debug level .. hmm .. and I do that how.
I did notice the following errors within my syslog.log and daemon.log

Mar 28 14:56:41 cheetah proftpd[1307]: connect from 21x.19x.14x.x <---
my IP was stated properly minus the x's
Mar 28 14:56:41 cheetah proftpd[1307]: No certificate files found!
Mar 28 14:56:41 cheetah proftpd[1307]: Fatal: unknown configuration
directive '<IfModule>' on line 33 of '/etc/proftpd.conf'.

This above error is probably going to make you laugh, since I'm probably
missing something huge

> ftp stream tcp nowait root /usr/sbin/tcpd proftpd -d9

I have the same minus the -d9 .. what's that switch do?

> [ Oh, and BTW, what are the capital-letters and ``!'' marks in subject-
> line all about? It's weekend dude, chill out... ]

Sorry .. I know it's pathetic.

Thanks again Menno .. you've answered a lot more questions than me surfing for
hours.

Menno Duursma

Mar 29, 2004, 6:50:50 AM
On Sun, 28 Mar 2004 14:14:03 -0500, yO .. wrote:
> "Menno Duursma" <me...@desktop.lan> wrote:
>> On Sat, 27 Mar 2004 21:01:40 -0500, yO .. wrote:
>>
>> > Ok simple quesiton(s).
>> > What exactly do I need for ssl to work..
>>
>> OpenSSL installed, and configured. A ftpd with support enabled.
>
> Im sure OpenSSL is installed .. but I have not modified the conf.

Neither did I. However, I use Slackware instead.

> Should I be modifying it to target my new /etc/proftpd/ directory?

Nope. Only the hostname, domainname, and contact info, if anything.

>> mkdir /etc/proftpd; cd /etc/proftpd
>> openssl genrsa 1024 >host.key
>> openssl req -new -x509 -nodes -sha1 -days 365 -key host.key >host.cert
>> cat host.cert host.key > host.pem
>> chmod 0400 host.key host.pem
>
> Ive done the above .. now have 3 new files.
> host.cert
> host.key
> host.pem (which is a combination of .cert and key)
>
> Stupid question .. which of these would be considerd the public key?

None of them (or the host.cert, depending on who you ask). If you need an
_actual_ public "key" for anything, try:

openssl rsa -in host.key -pubout -out pub.pem

> Im using your example below. Which I just dumped into my /etc/proftpd.conf

Well, that worksforme.

> I noticed even with failures a proftpd_ssl.log is not even created.

I wouldn't know if that was to be expected or not, as I created it like:

mkdir /var/log/proftpd
touch /var/log/proftpd/proftpd_ssl.log

...

>> <IfModule mod_tls.c>
>> TLSEngine on
>> TLSLog /var/log/proftpd_ssl.log

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is not the stuff I posted. If you're looking for proftpd_ssl.log
with /this/ config, look in /var/log ...

[ Snip, rest of config. ]

>> Well, increase the debug-level, and have a look at the logs maybe...
>> Here is what my /etc/inetd.conf line looks like:
>
> debug level .. hmm .. and I do that how.

Feed "proftpd" either "-d" or "--debug" with an integer between 0 and 8.

man proftpd

> I did notice the following errors withing my syslog.log and daemon.log
>
> Mar 28 14:56:41 cheetah proftpd[1307]: connect from 21x.19x.14x.x <---
> my IP was stated properly minus the x's

Ok, so it connects.

> Mar 28 14:56:41 cheetah proftpd[1307]: No certificate files found!

How can this be?
Did you "chmod" to 0400?
Specify the correct path?

> Mar 28 14:56:41 cheetah proftpd[1307]: Fatal: unknown configuration
> directive '<IfModule>' on line 33 of '/etc/proftpd.conf'.
>
> This above error is probably going to make you laugh, since Im probably
> missing something huge

Well, it looks like your ProFTPd either lacks SSL/TLS support, or you made
a syntax error in /etc/proftpd.conf

The latter you can test for using: proftpd -t
Maybe you specified the "<IfModule>" twice, or some such?

>> ftp stream tcp nowait root /usr/sbin/tcpd proftpd -d9
>
> I have the same minus the -d9 .. whats that switch do?

Uuh, it cranks up the DEBUG level, maybe?
Again, read "man proftpd" please!

> youve answerd alot more questions then me surfing for hours.

Well, if you (after this) still have a hard time getting it to work, you
may want to try posting to the proftpd mailing list. The address of which
is to be found in the manpage...

FWIW, I _am_ quite sure it can be made to work with Debian/ProFTPd-TLS
server and MS-Windows/WS_FTP-SSL client. As I know an installation being
used as such (the admin of which would have complained to me, should it
have been much of a pain configuring). Although they were/are familiar
with SSLified HTTP, ie: "https".

--
-Menno.
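The checks Menno lists above (does the path exist, is the key 0400, is the block syntactically clean so `proftpd -t` would pass) as a small lint script for the `<IfModule mod_tls.c>` section; this is an added example, not code from the thread or from the ProFTPD project. It assumes proftpd's rules that `#` starts a comment and that each TLS* directive takes exactly one argument, and it builds its own constructed cert and key files in a temp directory so it runs offline.

```python
import pathlib
import stat
import tempfile

def parse_tls_block(text):
    """Collect TLS* directives inside <IfModule mod_tls.c>; report malformed lines and tags."""
    directives, problems, depth = {}, [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # proftpd.conf comments start with '#'
        if line.lower().startswith("<ifmodule"):
            depth += 1
        elif line.lower() == "</ifmodule>":
            depth -= 1
        elif depth and line.startswith("TLS"):
            name, *args = line.split()
            if len(args) != 1:  # "host.cert <-- My cert" is not a comment: three stray words
                problems.append(f"line {lineno}: {name} takes one argument, got {args}")
            directives[name] = args[0] if args else ""
    if depth:
        problems.append("<IfModule> and </IfModule> are not balanced")
    return directives, problems

def check_files(directives):
    """The two things behind 'No certificate files found!': the path, and the key's permissions."""
    problems = []
    for name in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile", "TLSCACertificateFile"):
        if name not in directives:
            continue
        path = pathlib.Path(directives[name])
        if not path.is_file():
            problems.append(f"{name}: {path} does not exist")
        elif name.endswith("KeyFile"):
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # key should be 0400, readable by root only
                problems.append(f"{name}: {path} is mode {mode:04o}, expected 0400")
    return problems

def lint(conf_text):
    directives, problems = parse_tls_block(conf_text)
    return problems + check_files(directives)

def demo():
    # Constructed cert/key in a temp dir: the thread's working config vs. the annotated one.
    d = pathlib.Path(tempfile.mkdtemp())
    cert, key = d / "host.cert", d / "host.key"
    cert.write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n")
    key.chmod(0o400)
    good = f"<IfModule mod_tls.c>\nTLSEngine on\nTLSRSACertificateFile {cert}\nTLSRSACertificateKeyFile {key}\n</IfModule>\n"
    bad = good.replace(f"TLSRSACertificateFile {cert}", f"TLSRSACertificateFile {cert} <-- My cert")
    return lint(good), lint(bad)
```

`demo()` returns an empty problem list for the clean config and one complaint for the annotated line; point `lint()` at the text of a real proftpd.conf to run the same checks there.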

Menno Duursma

Mar 29, 2004, 8:11:18 AM
On Mon, 29 Mar 2004 11:50:50 +0000, Menno Duursma wrote:
> On Sun, 28 Mar 2004 14:14:03 -0500, yO .. wrote:

[ Big o' SNIP'n time. ]

>> Mar 28 14:56:41 cheetah proftpd[1307]: Fatal: unknown configuration
>> directive '<IfModule>' on line 33 of '/etc/proftpd.conf'.
>>
>> This above error is probably going to make you laugh, since Im probably
>> missing something huge
>
> Well, it looks like your ProFTPd either laks SSL/TLS support, or you made
> a syntax-error in: /etc/proftpd.conf
>
> The latter you can test for useing: proftpd -t

If directly editing the proftpd.conf file is giving you a hard time, have
a look at the "gproftpd" wizard/frontend for it:
http://mange.dynup.net/linux.html

Now, you might think, what do I need an X on some HTTP/FTP box for?
Well, you don't. Just start an X-server on your desktop machine -
ssh -X -C -l root ftp.server.com - and fire up "gproftpd" on the server box.

If you run Windows NT on the client, you can use Putty.exe to connect via
SSH and forward port 6000 (for the X session). And WeirdX as the X-server.
Or, have a look at the Cygwin package, and use OpenSSH and XFree86.

Putty - multi terminal emulator:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

WeirdX - Java X Window System server:
http://www.jcraft.com/weirdx/

Cygwin - POSIX2 layer on win32:
http://www.cygwin.com/

HTH.

--
-Menno.

yO ..

Mar 29, 2004, 11:44:39 AM
"Menno Duursma" <me...@desktop.lan> wrote in message
news:pan.2004.03.29....@desktop.lan...

> On Sun, 28 Mar 2004 14:14:03 -0500, yO .. wrote:
> > "Menno Duursma" <me...@desktop.lan> wrote:
> >> On Sat, 27 Mar 2004 21:01:40 -0500, yO .. wrote:
> > I did notice the following errors withing my syslog.log and daemon.log
> >
> > Mar 28 14:56:41 cheetah proftpd[1307]: connect from 21x.19x.14x.x <---
> > my IP was stated properly minus the x's
>
> Ok, so it connects.
>
> > Mar 28 14:56:41 cheetah proftpd[1307]: No certificate files found!
>
> How can this be?
> Did you "chmod" to 0400?
> Specify the correct path?

A snip from my actual /etc/proftpd.conf
Maybe it's where I placed the IfModule section
--------- Minus this line ----------------------------------
# Port 21 is the standard FTP port.
Port 21


<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd_ssl.log

TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off

# Server's certificate
TLSRSACertificateFile /etc/proftpd/host.cert

# Key to the server certificate
TLSRSACertificateKeyFile /etc/proftpd/host.key

# CA the server trusts
TLSCACertificateFile /etc/proftpd/host.pem

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
--------- Minus this line -------------------------------

>
> > Mar 28 14:56:41 cheetah proftpd[1307]: Fatal: unknown configuration
> > directive '<IfModule>' on line 33 of '/etc/proftpd.conf'.
> >
> > This above error is probably going to make you laugh, since Im probably
> > missing something huge
>
> Well, it looks like your ProFTPd either laks SSL/TLS support, or you made
> a syntax-error in: /etc/proftpd.conf

cheetah:/etc/proftpd# /usr/sbin/proftpd -l
Compiled-in modules:
mod_core.c
mod_auth.c
mod_xfer.c
mod_site.c
mod_ls.c
mod_unixpw.c
mod_log.c
mod_tls.c
mod_ratio.c
mod_quota.c
mod_pam.c
mod_readme.c

> The latter you can test for useing: proftpd -t
> Maybe you specifyed the "<IfModule>" twice, or some such?
>
> >> ftp stream tcp nowait root /usr/sbin/tcpd proftpd -d9
> >
> > I have the same minus the -d9 .. whats that switch do?
>
> Uuh, it cranks up the DEBUG level, maybe?
> Again, read "man proftpd" please!

After applying -d5 (5 being the highest according to my man) I get the
following in syslog

Mar 29 12:35:53 cheetah proftpd[1579]: connect from 216.191.145.6
Mar 29 12:35:53 cheetah proftpd[1579]: No certificate files found!
Mar 29 12:35:53 cheetah proftpd[1579]: Compiling deny regex '\*.*/'.
Mar 29 12:35:53 cheetah proftpd[1579]: Allocated deny regex at location
0x808f648.
Mar 29 12:35:53 cheetah proftpd[1579]: Fatal: unknown configuration
directive '<IfModule>' on line 32 of '/etc/proftpd.conf'

>
> > youve answerd alot more questions then me surfing for hours.
>
> Well, if you (after this) still have a hard time getting it to work, you
> may want to try posting to the proftpd mailing list. The adress of which
> is to be found in the manpage...
>

I'm sure this is driving you nuts also .. Your assistance was much
appreciated.
I'm sure I'll figure this out eventually.

Thanks again ..
