From: Jonathan K. <jka...@fo...> - 2010-01-26 14:12:51
While my proftpd (1.3.2a) and OpenSSL (0.9.8k) and OS (AIX) are not the
same as yours, I am using FTPES and it does work with recent clients.
I have no great insight into this, but I do wonder about your TLSProtocol
selection. I had problems using SSLv23, and switched my config to what it
is now. Have you tried something similar?
Here is my config:
#Configuration Section for mod_TLS (FTP over SSL)
<IfModule mod_tls.c >
#TLS Configuration
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSLog /logs/system/proftpdTLS/tls.log
# Are clients required to use FTP over TLS when talking to this server?
#TLSRequired auth+data #Would require auth (but not control) encrypt
TLSRequired on
#My Certificates
TLSRSACertificateFile /sftw/proftpd/etc/server.pem
TLSRSACertificateKeyFile /sftw/proftpd/etc/server.key
# CA the server trusts
TLSCACertificateFile /usr/local/certs/windows_ca_public.cer
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
#End TLS Configuration
</IfModule>
Jonathan Kaufman
From: sim...@be...
To: pro...@li...
Date: 01/26/2010 04:36 AM
Subject: Re: [Proftpd-user] Problem with FTPES - Recent Clients
Hello,
first of all, sorry for the double post (I did not realize that the old
post had already got through; I thought I had made some mistake).
The version of openssl which I am using was already posted (openssl
0.9.8g-15+lenny6).
I do not think it is a problem of a missing CA because:
1) with older clients (filezilla 3.0.9.3) it works ...
2) we have exactly the same configuration on a productive host which has a
truly signed certificate (a "real" CA)
TLSRSACertificateFile /path/server.pem
TLSRSACertificateKeyFile /path/server.key
TLSCACertificateFile /path/pr_TC_Class_3_L1_CA_V.pem
but we have exactly the same problem: with old clients (filezilla) FTPES
does work, with new clients (all of them) FTPES does not work.
3) anyway .. I have tried your suggestion on the test host I am playing
with .....
I have followed http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
and now my TLS conf part looks like:
TLSRSACertificateFile /proftp_pkg/conf/testhost.pem
TLSRSACertificateKeyFile /proftp_pkg/conf/testhost.key
TLSCACertificateFile /proftp_pkg/conf/ca.crt
Unfortunately I still have the same problem: old clients OK, new clients
NOT OK
You are asking something else:
>> How long has this been occurring? What had changed when these explicit
>> SSL/TLS issues appeared?
The clients have changed ... on the server side nothing has changed!
The productive host has not been touched at all for a long time. Out of
the blue we realized that there were problems with new filezilla
clients. Then we saw that there were posts about this topic on the
net saying that for the proftp version we were running on the prod host
(1.3.0-19etch2): SSL/TLS session shutdowns on data connections. So we
thought: ok, it is only a filezilla problem, we will solve it by upgrading
proftp.
Now we are preparing such an upgrade ... that's why we are playing around
with it, and we have realized that even with the new proftp (1.3.3rc3) "new
filezilla" has the same problem as before, and that even ALL other new
clients have the same problem on both the test host (with new proftp) and
the productive host (with the old proftp).
What's wrong? Can you help?
Simon