proftpd und SSL/TLS

# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file. 
# To really apply changes reload proftpd after modifications. 
# 
# Includes DSO modules 




Include /etc/proftpd/modules.conf 
# Set off to disable IPv6 support which is annoying on IPv4 only boxes. 




UseIPv6 on 
ServerName "XXX.yourvserver.net FTP Server" 
ServerType standalone 
DeferWelcome off




MultilineRFC2228 on 
DefaultServer on 
ShowSymlinks on 




TimeoutNoTransfer 600 
TimeoutStalled 600 
TimeoutIdle 1200 




DisplayLogin welcome.msg 
DisplayChdir .message true 
ListOptions "-l" 




DenyFilter \*.*/ 




# Use this to jail all users in their homes 
DefaultRoot ~ 




# Users require a valid shell listed in /etc/shells to login. 
# Use this directive to release that constrain. 
RequireValidShell off 




# Port 21 is the standard FTP port. 
Port 21 




# In some cases you have to specify passive ports range to by-pass 
# firewall limitations. Ephemeral ports can be used for that, but 
# feel free to use a more narrow range. 
# PassivePorts 49152 65534 




# If your host was NATted, this option is useful in order to 
# allow passive tranfers to work. You have to use your public 
# address and opening the passive ports used on your firewall as well. 
# MasqueradeAddress 1.2.3.4 




# This is useful for masquerading address with dynamic IPs: 
# refresh any configured MasqueradeAddress directives every 8 hours 




# DynMasqRefresh 28800 




# To prevent DoS attacks, set the maximum number of child processes 
# to 30. If you need to allow more than 30 concurrent connections 
# at once, simply increase this value. Note that this ONLY works 
# in standalone mode, in inetd mode you should use an inetd server 
# that allows you to limit maximum number of processes per service 
# (such as xinetd) 
MaxInstances 30 




# Set the user and group that the server normally runs at. 
User proftpd 
Group nogroup 




# Umask 022 is a good standard umask to prevent new files and dirs 
# (second parm) from being group and world writable. 
Umask 022 022 
# Normally, we want files to be overwriteable. 
AllowOverwrite on 




# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords: 
# PersistentPasswd off 




# This is required to use both PAM-based authentication and local passwords 
# AuthOrder mod_auth_pam.c* mod_auth_unix.c 




# Be warned: use of this directive impacts CPU average load! 
# Uncomment this if you like to see progress and transfer rate with ftpwho 
# in downloads. That is not needed for uploads rates. 
# 
# UseSendFile off 




DebugLevel 9 




TransferLog /var/log/proftpd/xferlog 
SystemLog /var/log/proftpd/proftpd.log 




LogFormat default "%h %l %u %t \"%r\" %s %b" 
ExtendedLog /var/log/proftpd/paranoid_log ALL default 




# Allow up- and downloads to be continued 
AllowRetrieveRestart On 
AllowStoreRestart On 




QuotaEngine on 
Ratios off 




# Delay engine reduces impact of the so-called Timing Attack described in 
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02 
# It is on by default. 
DelayEngine off 




ControlsEngine off 
ControlsMaxClients 2 
ControlsLog /var/log/proftpd/controls.log 
ControlsInterval 5 
ControlsSocket /var/run/proftpd/proftpd.sock 




AdminControlsEngine off 
# 
# Alternative authentication frameworks 
# 
#Include /etc/proftpd/ldap.conf 
Include /etc/proftpd/sql.conf 




# 
# This is used for FTPS connections 
# 
Include /etc/proftpd/tls.conf 




DefaultRoot ~ 
IdentLookups off 
ServerIdent on "FTP Server ready."

openssl s_client -connect 127.0.0.1:21 -starttls ftp
CONNECTED(00000003)
depth=0 /C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
   i:/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEEjCCA3ugAwIBAgIJANsCSmOHHkrhMA0GCSqGSIb3DQEBBQUAMIG3MQswCQYD
VQQGEwJERTEfMB0GA1UECBMWTWVja2xlbmJ1cmctVm9ycG9tbWVybjESMBAGA1UE
BxMJU3RyYWxzdW5kMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
KjAoBgNVBAMTIXYyMjAxMjA0MTIyMTE3OTIxLnlvdXJ2c2VydmVyLm5ldDEkMCIG
CSqGSIb3DQEJARYVZnJhbmsuc2NobGljaHRAZ214LmRlMCAXDTEyMDQxNjA4NTA1
MVoYDzIxMTIwMzIzMDg1MDUxWjCBtzELMAkGA1UEBhMCREUxHzAdBgNVBAgTFk1l
Y2tsZW5idXJnLVZvcnBvbW1lcm4xEjAQBgNVBAcTCVN0cmFsc3VuZDEhMB8GA1UE
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMSowKAYDVQQDEyF2MjIwMTIwNDEy
MjExNzkyMS55b3VydnNlcnZlci5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyYW5rLnNj
aGxpY2h0QGdteC5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw/0OwUxL
eTKyTC8kbEZR7ctptGjnHf6FOSVpLWmoD61AQWLvs0NBIgGTwd+uKK6lsArFC96p
MEJ/WRc947Sr/Rlnb2ZpOxHwzTJYG1m/WamJGeg6gOxc9pY+vQvOmhVNd+t6rlRs
DoI26no9hMXgGCsAzWoXxbVq61BcTQPii6kCAwEAAaOCASAwggEcMB0GA1UdDgQW
BBSXm6YIvS1ehmhlDWcJ/6TzpdjvhTCB7AYDVR0jBIHkMIHhgBSXm6YIvS1ehmhl
DWcJ/6TzpdjvhaGBvaSBujCBtzELMAkGA1UEBhMCREUxHzAdBgNVBAgTFk1lY2ts
ZW5idXJnLVZvcnBvbW1lcm4xEjAQBgNVBAcTCVN0cmFsc3VuZDEhMB8GA1UEChMY
SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMSowKAYDVQQDEyF2MjIwMTIwNDEyMjEx
NzkyMS55b3VydnNlcnZlci5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyYW5rLnNjaGxp
Y2h0QGdteC5kZYIJANsCSmOHHkrhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAnxGmYyOrMXWWn6OPkv0PaThWl1jeNAekrkRzK7BVODufJ+My+yxC8RSt
yoWmFWNeXaYOMaESa+ZGK5T6oCX7hB43FUM8B6IVRVuZstjfJqr4x5/8uvMcJ8cR
sdGjMF3pyIhA8Um/vXFVw1+LHOzi96mi3zXOVwsQiJnsA4xhrj0=
-----END CERTIFICATE-----
subject=/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
issuer=/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
---
No client certificate CA names sent
---
SSL handshake has read 1665 bytes and written 329 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D5E8DAAB610574D4508A5AC479C293BD2D1CF908E6E0784EEF3F20D98BFE5CA2
    Session-ID-ctx: 
    Master-Key: 66C03B7F288C7E0BF723BC999AAE8C81C15BE859DF89B35925CAF3D47FC00D5C08EF7CAFBEC136E21507BB6493F52DE4
    Key-Arg   : None
    Start Time: 1334571205
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 FTP Server ready.
quit
221 Goodbye.
read:errno=0

2:00:17 Status:	Verbinde mit usr004.XXX.yourvserver.net...
12:00:17 Trace:	Going to execute /Applications/FileZilla.app/Contents/MacOS/fzsftp
12:00:17 Antwort:	fzSftp started
12:00:17 Trace:	CSftpControlSocket::ConnectParseResponse(fzSftp started)
12:00:17 Trace:	CSftpControlSocket::SendNextCommand()
12:00:17 Trace:	CSftpControlSocket::ConnectSend()
12:00:17 Befehl:	open "usr004@usr004.XXX.yourvserver.net" 22
12:00:17 Trace:	Server version: SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
12:00:17 Trace:	Using SSH protocol version 2
12:00:17 Trace:	We claim version: SSH-2.0-PuTTY_Local:_Jan__8_2012_14:35:51
12:00:17 Trace:	Doing Diffie-Hellman group exchange
12:00:17 Trace:	Doing Diffie-Hellman key exchange with hash SHA-256
12:00:17 Befehl:	Neuem Serverschlüssel vertrauen: Einmal
12:00:17 Trace:	Host key fingerprint is:
12:00:17 Trace:	ssh-rsa 2048 e5:6a:4c:5d:54:93:e0:68:8f:d5:fd:9a:da:5b:02:2c
12:00:17 Trace:	Initialised AES-256 SDCTR client->server encryption
12:00:17 Trace:	Initialised HMAC-SHA1 client->server MAC algorithm
12:00:17 Trace:	Initialised AES-256 SDCTR server->client encryption
12:00:17 Trace:	Initialised HMAC-SHA1 server->client MAC algorithm
12:00:17 Trace:	Pageant is running. Requesting keys.
12:00:17 Trace:	Pageant has 1 SSH-2 keys
12:00:17 Trace:	Trying Pageant key #0
12:00:18 Trace:	Server refused public key
12:00:18 Befehl:	Pass: ********
12:00:18 Trace:	Sent password
12:00:18 Trace:	Access granted
12:00:18 Trace:	Opened channel for session
12:00:18 Trace:	Started a shell/command
12:00:18 Status:	Connected to usr004.XXX.yourvserver.net
12:00:18 Trace:	Server sent command exit status 1
12:00:18 Fehler:	Connection closed by server with exitcode 1
12:00:18 Trace:	CControlSocket::DoClose(64)
12:00:18 Trace:	CSftpControlSocket::ResetOperation(66)
12:00:18 Trace:	CControlSocket::ResetOperation(66)
12:00:18 Fehler:	Herstellen der Verbindung zum Server fehlgeschlagen
12:00:18 Trace:	CFileZillaEnginePrivate::ResetOperation(66)

16:05:22 Trace:	CControlSocket::DoClose(64)
16:05:22 Trace:	CControlSocket::DoClose(64)
16:05:22 Status:	Auflösen der IP-Adresse für XXX.yourvserver.net
16:05:22 Status:	Verbinde mit 78.46.202.4:21...
16:05:22 Status:	Verbindung hergestellt, warte auf Willkommensnachricht...
16:05:22 Trace:	CFtpControlSocket::OnReceive()
16:05:22 Antwort:	220 FTP Server ready.
16:05:22 Trace:	CFtpControlSocket::SendNextCommand()
16:05:22 Befehl:	AUTH TLS
16:05:22 Trace:	CFtpControlSocket::OnReceive()
16:05:22 Antwort:	234 AUTH TLS successful
16:05:22 Status:	Initialisiere TLS...
16:05:22 Trace:	CTlsSocket::Handshake()
16:05:22 Trace:	CTlsSocket::ContinueHandshake()
16:05:22 Trace:	CTlsSocket::OnSend()

lftp -d  usr002@XXX.yourvserver.net
Password: 
lftp usr002@XXX.yourvserver.net:~> ls       
---- Connecting to XXX.yourvserver.net (127.127.127.127) port 21
<--- 220 FTP Server ready.       
---> FEAT
<--- 211-Features:
<---  MDTM
<---  MFMT
<---  TVFS
<---  AUTH TLS
<---  UTF8
<---  MFF modify;UNIX.group;UNIX.mode;
<---  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<---  PBSZ
<---  PROT
<---  LANG en-US*
<---  REST STREAM
<---  SIZE
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful
---> LANG
Certificate: C=DE,ST=Mecklenburg-Vorpommern,L=Stralsund,O=Max Mustermann,CN=XXX.yourvserver.net,EMAIL=xxx@xx.de
 Issued by: C=DE,ST=Mecklenburg-Vorpommern,L=Stralsund,O=Max Mustermann,CN=XXX.yourvserver.net,EMAIL=xxx@xx.de
WARNING: Certificate verification: Not trusted
<--- 200 Using default language en_US
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER usr002
<--- 331 Password required for usr002
---> PASS XXXX
<--- 230 User usr002 logged in   
---> PWD
<--- 257 "/" is the current directory
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (78,46,202,4,78,32).
---- Connecting data socket to (127.127.127.127) port 20000
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
Certificate: C=DE,ST=Mecklenburg-Vorpommern,L=Stralsund,O=Max Mustermann,CN=XXX.yourvserver.net,EMAIL=xxx@xx.de
 Issued by: C=DE,ST=Mecklenburg-Vorpommern,L=Stralsund,O=Max Mustermann,CN=XXX.yourvserver.net,EMAIL=xxx@xx.de
WARNING: Certificate verification: Not trusted
---- Got EOF on data connection 
---- Closing data socket

lftp -d usr002@XXX.yourvserver.net
Passwort: 
lftp usr002@XXX.yourvserver.net:~> ls          
---- Verbinde mit XXX.yourvserver.net (127.127.127.127) Port 21
<--- 220 FTP Server ready.  
---> FEAT
<--- 211-Features:                        
<---  MDTM
<---  MFMT
<---  TVFS
<---  AUTH TLS
<---  UTF8
<---  MFF modify;UNIX.group;UNIX.mode;
<---  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
<---  PBSZ
<---  PROT
<---  LANG en-US*
<---  REST STREAM
<---  SIZE
<--- 211 End
---> AUTH TLS
<--- 234 AUTH TLS successful             
---> LANG
»ls« bei 0 [Logge ein...]