Hallo,
ich versuche gerade, ftp über SSL oder TLS zum Laufen zu bekommen. Irgendwie schaffe ich es nicht. Ich durchwühle seit Stunden Foren und Tutorial, um den Knackpunkt zu finden, aber gebracht hat es nichts. Vllt. kann mir ja hier einer helfen. Der Server ist ein vServer mit Debian 6.
ftp geht problemlos. Ich kann bei proftpd auch einstellen, was ich will, er loggt nie irgendwas mit.
Das auth.log sagt auch, dass der User sich eingeloggt hat.
proftpd ist wie folgt eingerichtet:
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
ServerName "XXX.yourvserver.net FTP Server"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534
# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4
# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
# DynMasqRefresh 28800
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# AuthOrder mod_auth_pam.c* mod_auth_unix.c
# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off
DebugLevel 9
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
LogFormat default "%h %l %u %t \"%r\" %s %b"
ExtendedLog /var/log/proftpd/paranoid_log ALL default
# Allow up- and downloads to be continued
AllowRetrieveRestart On
AllowStoreRestart On
QuotaEngine on
Ratios off
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
DelayEngine off
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
AdminControlsEngine off
#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
Alles anzeigen
Die tls.conf sieht so aus:
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#TLSProtocol TLSv1
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
TLSRenegotiate none
Das Zertifikat ist selbst erstellt mittels folgendem Befehl:
openssl req -new -x509 -days 36500 -nodes -out /etc/ssl/certs/proftpd.cert.pem -keyout /etc/ssl/certs/proftpd.key.pem
openssl bringt auf der Konsole
openssl s_client -connect 127.0.0.1:21 -starttls ftp
CONNECTED(00000003)
depth=0 /C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
i:/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEEjCCA3ugAwIBAgIJANsCSmOHHkrhMA0GCSqGSIb3DQEBBQUAMIG3MQswCQYD
VQQGEwJERTEfMB0GA1UECBMWTWVja2xlbmJ1cmctVm9ycG9tbWVybjESMBAGA1UE
BxMJU3RyYWxzdW5kMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
KjAoBgNVBAMTIXYyMjAxMjA0MTIyMTE3OTIxLnlvdXJ2c2VydmVyLm5ldDEkMCIG
CSqGSIb3DQEJARYVZnJhbmsuc2NobGljaHRAZ214LmRlMCAXDTEyMDQxNjA4NTA1
MVoYDzIxMTIwMzIzMDg1MDUxWjCBtzELMAkGA1UEBhMCREUxHzAdBgNVBAgTFk1l
Y2tsZW5idXJnLVZvcnBvbW1lcm4xEjAQBgNVBAcTCVN0cmFsc3VuZDEhMB8GA1UE
ChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMSowKAYDVQQDEyF2MjIwMTIwNDEy
MjExNzkyMS55b3VydnNlcnZlci5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyYW5rLnNj
aGxpY2h0QGdteC5kZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw/0OwUxL
eTKyTC8kbEZR7ctptGjnHf6FOSVpLWmoD61AQWLvs0NBIgGTwd+uKK6lsArFC96p
MEJ/WRc947Sr/Rlnb2ZpOxHwzTJYG1m/WamJGeg6gOxc9pY+vQvOmhVNd+t6rlRs
DoI26no9hMXgGCsAzWoXxbVq61BcTQPii6kCAwEAAaOCASAwggEcMB0GA1UdDgQW
BBSXm6YIvS1ehmhlDWcJ/6TzpdjvhTCB7AYDVR0jBIHkMIHhgBSXm6YIvS1ehmhl
DWcJ/6TzpdjvhaGBvaSBujCBtzELMAkGA1UEBhMCREUxHzAdBgNVBAgTFk1lY2ts
ZW5idXJnLVZvcnBvbW1lcm4xEjAQBgNVBAcTCVN0cmFsc3VuZDEhMB8GA1UEChMY
SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMSowKAYDVQQDEyF2MjIwMTIwNDEyMjEx
NzkyMS55b3VydnNlcnZlci5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyYW5rLnNjaGxp
Y2h0QGdteC5kZYIJANsCSmOHHkrhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAnxGmYyOrMXWWn6OPkv0PaThWl1jeNAekrkRzK7BVODufJ+My+yxC8RSt
yoWmFWNeXaYOMaESa+ZGK5T6oCX7hB43FUM8B6IVRVuZstjfJqr4x5/8uvMcJ8cR
sdGjMF3pyIhA8Um/vXFVw1+LHOzi96mi3zXOVwsQiJnsA4xhrj0=
-----END CERTIFICATE-----
subject=/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
issuer=/C=DE/ST=Mecklenburg-Vorpommern/L=Stralsund/O=Internet Widgits Pty Ltd/CN=XXX.yourvserver.net/emailAddress=xxx@xxx.de
---
No client certificate CA names sent
---
SSL handshake has read 1665 bytes and written 329 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: D5E8DAAB610574D4508A5AC479C293BD2D1CF908E6E0784EEF3F20D98BFE5CA2
Session-ID-ctx:
Master-Key: 66C03B7F288C7E0BF723BC999AAE8C81C15BE859DF89B35925CAF3D47FC00D5C08EF7CAFBEC136E21507BB6493F52DE4
Key-Arg : None
Start Time: 1334571205
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 FTP Server ready.
quit
221 Goodbye.
read:errno=0
Alles anzeigen
Filezilla kann aber keine Verbindung herstellen, obwohl der Nutzer offensichtlich eingeloggt ist:
2:00:17 Status: Verbinde mit usr004.XXX.yourvserver.net...
12:00:17 Trace: Going to execute /Applications/FileZilla.app/Contents/MacOS/fzsftp
12:00:17 Antwort: fzSftp started
12:00:17 Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started)
12:00:17 Trace: CSftpControlSocket::SendNextCommand()
12:00:17 Trace: CSftpControlSocket::ConnectSend()
12:00:17 Befehl: open "usr004@usr004.XXX.yourvserver.net" 22
12:00:17 Trace: Server version: SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
12:00:17 Trace: Using SSH protocol version 2
12:00:17 Trace: We claim version: SSH-2.0-PuTTY_Local:_Jan__8_2012_14:35:51
12:00:17 Trace: Doing Diffie-Hellman group exchange
12:00:17 Trace: Doing Diffie-Hellman key exchange with hash SHA-256
12:00:17 Befehl: Neuem Serverschlüssel vertrauen: Einmal
12:00:17 Trace: Host key fingerprint is:
12:00:17 Trace: ssh-rsa 2048 e5:6a:4c:5d:54:93:e0:68:8f:d5:fd:9a:da:5b:02:2c
12:00:17 Trace: Initialised AES-256 SDCTR client->server encryption
12:00:17 Trace: Initialised HMAC-SHA1 client->server MAC algorithm
12:00:17 Trace: Initialised AES-256 SDCTR server->client encryption
12:00:17 Trace: Initialised HMAC-SHA1 server->client MAC algorithm
12:00:17 Trace: Pageant is running. Requesting keys.
12:00:17 Trace: Pageant has 1 SSH-2 keys
12:00:17 Trace: Trying Pageant key #0
12:00:18 Trace: Server refused public key
12:00:18 Befehl: Pass: ********
12:00:18 Trace: Sent password
12:00:18 Trace: Access granted
12:00:18 Trace: Opened channel for session
12:00:18 Trace: Started a shell/command
12:00:18 Status: Connected to usr004.XXX.yourvserver.net
12:00:18 Trace: Server sent command exit status 1
12:00:18 Fehler: Connection closed by server with exitcode 1
12:00:18 Trace: CControlSocket::DoClose(64)
12:00:18 Trace: CSftpControlSocket::ResetOperation(66)
12:00:18 Trace: CControlSocket::ResetOperation(66)
12:00:18 Fehler: Herstellen der Verbindung zum Server fehlgeschlagen
12:00:18 Trace: CFileZillaEnginePrivate::ResetOperation(66)
Alles anzeigen
Danke für die Hilfe und Viele Grüße
Frank
