From: <sim...@be...> - 2010-01-26 14:56:54
Hello Jonathan,

I've tried it with your suggestion but all recent clients still couldn't connect to the server.

For your information: SSLv23 is an official option for TLSProtocol
http://www.castaglia.org/proftpd/modules/mod_tls.html#TLSProtocol

Simon

External mail: Jonathan Kaufman <jka...@fo...>
26.01.2010 13:48
To: pro...@li...
Subject: Re: [Proftpd-user] Problem with FTPES - Recent Clients

While my proftpd (1.3.2a) and OpenSSL (0.9.8k) and OS (AIX) are not the same as yours, I am using FTPES and it does work with recent clients.

I have no great insight into this, but I do wonder about your TLSProtocol selection. I had problems using SSLv23, and switched my config to what it is now. Have you tried something similar?

Here is my config:

    #Configuration Section for mod_TLS (FTP over SSL)
    <IfModule mod_tls.c>
    #TLS Configuration
    TLSEngine on
    TLSProtocol SSLv3 TLSv1
    TLSLog /logs/system/proftpdTLS/tls.log

    # Are clients required to use FTP over TLS when talking to this server?
    #TLSRequired auth+data #Would require auth (but not control) encrypt
    TLSRequired on

    #My Certificates
    TLSRSACertificateFile /sftw/proftpd/etc/server.pem
    TLSRSACertificateKeyFile /sftw/proftpd/etc/server.key

    # CA the server trusts
    TLSCACertificateFile /usr/local/certs/windows_ca_public.cer

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations. Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
    #End TLS Configuration
    </IfModule>

Jonathan Kaufman

From: sim...@be...
To: pro...@li...
Date: 01/26/2010 04:36 AM
Subject: Re: [Proftpd-user] Problem with FTPES - Recent Clients

Hello,

first of all sorry for the doubled post (I did not realize that the old post had already got through, I thought I did some mistake).

The version of openssl which I am using was already posted (openssl 0.9.8g-15+lenny6).

I do not think it is a problem of CA missing because:

1) with older clients (filezilla 3.0.9.3) it works ...

2) we have exactly the same configuration on a productive host which has a truly signed certificate (a "real" CA)

    TLSRSACertificateFile /path/server.pem
    TLSRSACertificateKeyFile /path/server.key
    TLSCACertificateFile /path/pr_TC_Class_3_L1_CA_V.pem

but we have exactly the same problem: with old clients (filezilla) FTPES does work, with new clients (all of them) FTPES does not work.

3) anyway .. I have tried your suggestion on the test host I am playing with ..... I have followed http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28 and now my TLS conf part looks like:

    TLSRSACertificateFile /proftp_pkg/conf/testhost.pem
    TLSRSACertificateKeyFile /proftp_pkg/conf/testhost.key
    TLSCACertificateFile /proftp_pkg/conf/ca.crt

unfortunately I still have the same problem: old clients OK, new clients NOT OK

You are asking something else:

>> How long has this been occurring? What had changed when these explicit
>> SSL/TLS issues appeared?

The clients have changed ... on the server side nothing has changed! The productive host has not been touched at all since long time.

Out of the blue we have realized that there were problems with new filezilla clients. Then we have seen that there were posts about this topic on the net saying that for the proftp version we were running on the prod host (1.3.0-19etch2): SSL/TLS session shutdowns on data connections. So we have thought: ok it is only a filezilla problem, we will solve it by upgrading proftp.

Now we are preparing such upgrade ... that's why we are playing with it around, and we have realized that even with the new proftp (1.3.3rc3) "new filezilla" has the same problem as before, and that even ALL other new clients have the same problem on both the test host (with new proftp) and the productive host (with the old proftp).

What's wrong? Can you help?

Simon

_______________________________________________
ProFTPD Users List <pro...@pr...>
Unsubscribe problems? http://www.proftpd.org/list-unsub.html