From: Matus U. - f. <uh...@fa...> - 2009-11-20 16:53:48
Hello,

we have one certificate for our servers signed by DigiCert CA, which is in addition signed by Entrust CA.

I installed the certificate and key file and I'm able to connect using SSL and the certificate.

DigiCertCA provided us a file with the certification chain (two certificates there) and we are able to use it within apache httpd and courier MTA; the certification chain works there.

However, when I configured ProFTPD with

  TLSCertificateChainFile /etc/proftpd/<Chain>
  TLSRSACertificateFile /etc/proftpd/<cert>
  TLSRSACertificateKeyFile /etc/proftpd/<key>

the chain file seems to be ignored; openssl s_client only reports our certificate found, not the others.

I have tried to reorder the certificates in /etc/proftpd/<Chain> and to add our certificate to them (in nearly any order).

Does anyone use ProFTPD with a certification chain and have this working?

This is proftpd-1.3.3rc2 on intel/64bit Gentoo linux, openssl 0.9.8k.

-- 
Matus UHLAR - fantomas, uh...@fa... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original: "Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu."): I do NOT want to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
From: Matus U. - f. <uh...@fa...> - 2009-12-10 14:33:59
Hello, sorry for the delay, much work...

> > However when I configured ProFTPD with
> >
> >   TLSCertificateChainFile /etc/proftpd/<Chain>
> >   TLSRSACertificateFile /etc/proftpd/<cert>
> >   TLSRSACertificateKeyFile /etc/proftpd/<key>
> >
> > the chain file seems to be ignored, openssl s_client only reports our
> > certificate found, not others.

On 20.11.09 10:29, TJ Saunders wrote:
> What does `openssl s_client -connect <addr:port> -starttls ftp` show?
>
> http://www.proftpd.org/docs/howto/TLS.html#TLSDebugging

  % openssl s_client -connect home5.gts.sk:21 -starttls ftp
  CONNECTED(00000003)
  depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
  verify error:num=21:unable to verify the first certificate
  verify return:1
  ---
  Certificate chain
   0 s:/C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
     i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
  ---
  Server certificate
  -----BEGIN CERTIFICATE-----
  ...

Only the key in TLSRSACertificateFile is seen there.

The file mentioned in TLSCertificateChainFile contains the DigiCert chain.

stracing proftpd showed that the chain file was not opened at all:

  # grep -e etc/proftpd /tmp/proftpd.debug
  22750 getcwd("/etc/proftpd"..., 4096) = 13
  22750 lstat("/etc/proftpd", {st_mode=S_IFDIR|S_ISGID|0750, st_size=4096, ...}) = 0
  22750 open("/etc/proftpd/proftpd.conf", O_RDONLY) = 4
  22750 lstat("/etc/proftpd/DigiCertCA.crt", {st_mode=S_IFREG|0644, st_size=3793, ...}) = 0
  22750 lstat("/etc/proftpd/star_gts_sk.crt", {st_mode=S_IFREG|0644, st_size=2366, ...}) = 0
  22750 lstat("/etc/proftpd/server-gts.pem", {st_mode=S_IFREG|0600, st_size=1675, ...}) = 0
  22750 lstat("/etc/proftpd/DigiCertCA.crt", {st_mode=S_IFREG|0644, st_size=3793, ...}) = 0
  22750 lstat("/etc/proftpd/star_gts_sk.crt", {st_mode=S_IFREG|0644, st_size=2366, ...}) = 0
  22750 lstat("/etc/proftpd/server-gts.pem", {st_mode=S_IFREG|0600, st_size=1675, ...}) = 0
  22750 open("/etc/proftpd/server-gts.pem", O_RDONLY) = 4
  22750 open("/etc/proftpd/server-gts.pem", O_RDONLY) = 4
  22750 open("/etc/proftpd/server-gts.pem", O_RDONLY) = 4
  22750 open("/etc/proftpd/server-gts.pem", O_RDONLY) = 4
  22750 open("/etc/proftpd/server-gts.pem", O_RDONLY) = 4
  22751 open("/etc/proftpd/star_gts_sk.crt", O_RDONLY) = 9
  22751 open("/etc/proftpd/server-gts.pem", O_RDONLY) = 9

-- 
Matus UHLAR - fantomas, uh...@fa... ; http://www.fantomas.sk/
It's now safe to throw off your computer.
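The debugging in the message above has two halves: checking what the server actually sends (`openssl s_client -starttls ftp` showed a chain of depth 0, i.e. only the leaf) and checking the chain file itself (the poster tried "nearly any order"). The script below is an added example, not code from this thread or from the ProFTPD project. It verifies that a PEM chain file really chains upward from the server certificate (leaf issuer == first chain cert subject, that cert's issuer == next cert's subject, and so on), which is the order TLSCertificateChainFile expects, and it wraps the `s_client -showcerts` count from the thread. It assumes the `openssl` CLI is in PATH; the root/intermediate/leaf certificates used by `make_test_pki` are generated on the fly as constructed test data, and the script file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example; not code from this thread or from the ProFTPD project.
# Verifies that a PEM chain file chains upward from the server (leaf) certificate:
# leaf.issuer == chain[1].subject, chain[1].issuer == chain[2].subject, ...
# This catches two common mistakes: a reversed chain, and a chain that contains
# the leaf itself.  Assumes the openssl CLI is in PATH; the certificates used by
# make_test_pki are generated on the fly (constructed data, not real CAs).

# Split a PEM bundle into OUTDIR/cert-1.pem, cert-2.pem, ...; prints how many.
split_pem() {   # split_pem FILE OUTDIR
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# Subject or issuer in RFC 2253 form with the "subject="/"issuer=" prefix removed,
# so names print identically across OpenSSL versions and compare as plain strings.
name_of() {   # name_of FILE -subject|-issuer
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_chain LEAF CHAINFILE: returns 0 if every link matches, 1 with a reason otherwise.
check_chain() {
    tmp=$(mktemp -d) || return 1
    n=$(split_pem "$2" "$tmp")
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $2" >&2; rm -rf "$tmp"; return 1
    fi
    expect=$(name_of "$1" -issuer)          # who must have signed the leaf
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(name_of "$tmp/cert-$i.pem" -subject)
        if [ "$subj" != "$expect" ]; then
            echo "chain cert $i is '$subj' but the certificate below it was issued by '$expect'" >&2
            rm -rf "$tmp"; return 1
        fi
        expect=$(name_of "$tmp/cert-$i.pem" -issuer)
        i=$((i + 1))
    done
    echo "chain order ok: $n certificate(s), topmost issuer '$expect'"
    rm -rf "$tmp"
}

# How many certificates a STARTTLS-FTP server actually sends (needs network).
# A server that ignores its chain file, as in the thread, reports 1 here.
server_cert_count() {   # server_cert_count HOST PORT
    openssl s_client -connect "$1:$2" -starttls ftp -showcerts </dev/null 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Build a throw-away root -> intermediate -> leaf PKI plus one correct and two
# broken chain files; prints the directory.  Constructed test data only.
make_test_pki() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=ftp.example.invalid" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem"  "$d/root.pem"               > "$d/chain-good.pem"
    cat "$d/root.pem" "$d/int.pem"                > "$d/chain-reversed.pem"
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem"  > "$d/chain-with-leaf.pem"
    echo "$d"
}

# Usage (file name hypothetical): sh chaincheck.sh /etc/proftpd/<cert> /etc/proftpd/<Chain>
if [ $# -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

Run it against the real files first; if `check_chain` passes but `server_cert_count` still reports 1, the chain file is in order and the problem is the server not loading it, which is what the strace above showed for this thread.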
From: Matus U. - f. <uh...@fa...> - 2009-12-11 10:26:15
> > On 20.11.09 10:29, TJ Saunders wrote:
> > > What does `openssl s_client -connect <addr:port> -starttls ftp` show?
> > >
> > > http://www.proftpd.org/docs/howto/TLS.html#TLSDebugging
> >
> > % openssl s_client -connect home5.gts.sk:21 -starttls ftp
> > CONNECTED(00000003)
> > depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=SK/ST=Slovakia/L=Bratislava/O=GTS Slovakia, a.s./CN=*.gts.sk
> >    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > ...
> >
> > only the key in TLSRSACertificateFile is seen there.
> >
> > the file mentioned in TLSCertificateChainFile contains the DigiCert chain.
> > stracing proftpd showed that the chain file was not opened at all:

On 10.12.09 18:33, TJ Saunders wrote:
> What does the TLSLog file show, for that login/session?

  Dec 10 15:29:49 mod_tls/2.4[22751]: TLS/TLS-C requested, starting TLS handshake
  Dec 10 15:29:49 mod_tls/2.4[22751]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)

if there was anything useful in the log :-(

-- 
Matus UHLAR - fantomas, uh...@fa... ; http://www.fantomas.sk/
I wonder how much deeper the ocean would be without sponges.
From: TJ S. <tj...@ca...> - 2010-02-04 04:12:10
> we have one certificate for our servers signed by DigiCert CA, which is in
> addition signed by Entrust CA.
>
> I installed the certificate and key file and I'm able to connect using SSL
> and the certificate.
>
> DigiCertCA provided us a file with the certification chain (two certificates
> there) and we are able to use it within apache httpd and courier MTA,
> certification chain works there.
>
> However when I configured ProFTPD with
>
>   TLSCertificateChainFile /etc/proftpd/<Chain>
>   TLSRSACertificateFile /etc/proftpd/<cert>
>   TLSRSACertificateKeyFile /etc/proftpd/<key>
>
> the chain file seems to be ignored, openssl s_client only reports our
> certificate found, not others.
>
> I have tried to reorder certificates in /etc/proftpd/<Chain> and add our
> certificate to them (in nearly any order).
>
> Does anyone use ProFTPD with certification chain and has this working?

For anyone else on the list interested in this issue, the causes have been determined and are described in this bug report:

  http://bugs.proftpd.org/show_bug.cgi?id=3365

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
He who has never hoped can never despair.
-George Bernard Shaw
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~