Hey guys,
I currently have ProFTPD configured for TLS, however I can't seem to get it working properly. I have tried multiple clients: they can connect and authenticate, but the FTP server drops the connection immediately after the LIST command is sent. In one FTP client I had the option of disabling TLS on the data channel, which actually worked. So my question is, what am I doing wrong? I've spent two days on this with no success.
I've tried just about every TLS related setting in various permutations with little to no success.
Thanks!
DA Version: 1.34.5
CentOS 5.4 64 bit
ProFTPD 1.3.2c
ProFTPD Config:
# Main (default) server: identity, listener and session timeouts.
ServerName "ProFTPd"
ServerType standalone
Port 21
# Passive-mode data port range; the same range is repeated inside <Global> below.
# Any firewall or NAT in front of the server must pass this range as well as port 21.
PassivePorts 35000 35999
UseReverseDNS off
TimesGMT off
# Timeouts are in seconds.
TimeoutLogin 120
TimeoutIdle 600
TimeoutNoTransfer 900
TimeoutStalled 3600
# NOTE(review): the scoreboard path ends in ".pid", which is an unusual name for the scoreboard file;
# presumably this is how the DirectAdmin template ships it — verify it does not collide with the daemon's pid file.
ScoreboardFile /var/run/proftpd/proftpd.pid
TransferLog /var/log/proftpd/xferlog.legacy
# Log formats referenced by the ExtendedLog directives in this file.
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
#DON'T modify this log format. It's used by DirectAdmin to determine user usage
LogFormat userlog "%u %b %m"
ExtendedLog /var/log/proftpd/67.43.168.87.bytes WRITE,READ userlog
# Authentication comes from the flat password file only: AuthOrder limits lookups to mod_auth_file.c
# and the AuthPAM directive below is commented out.
AuthUserFile /etc/proftpd.passwd
DefaultServer on
AuthOrder mod_auth_file.c
#AuthPAM off
# Explicit FTPS (AUTH TLS) settings; only active when mod_tls is compiled in.
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd.tls.log
# NOTE(review): SSLv23 accepts SSLv3 as well as TLSv1 here (the cipher string below also
# enables SSLv3 suites). Once the data-channel problem is resolved, consider restricting to TLSv1.
TLSProtocol SSLv23
# No client certificate is requested; clients authenticate by password only.
TLSVerifyClient off
# TLS is optional: a client may still log in and transfer entirely in the clear.
# Bear in mind that "works with data-channel TLS disabled" means the listing went unencrypted.
# Switching to "TLSRequired on" once TLS works prevents silent plaintext fallback.
TLSRequired off
#Certificates
#TLSRSACertificateFile /etc/exim.cert
#TLSRSACertificateKeyFile /etc/exim.key
# NOTE(review): these are DirectAdmin's CA certificate/key files; assumes cacert.pem and cakey.pem are
# a matching certificate/private-key pair usable as the server certificate — TODO confirm. The key file
# should be readable only by root (ProFTPD reads it before dropping to the ftp user).
TLSRSACertificateFile /usr/local/directadmin/conf/cacert.pem
TLSRSACertificateKeyFile /usr/local/directadmin/conf/cakey.pem
#TLSCACertificateFile /etc/ftpd/root.cert.pem
# MEDIUM-strength suites are enabled; the TLS log below shows RC4-MD5 (128 bits) being negotiated.
# Prefer HIGH only if the clients in use support it.
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
# NOTE(review): the TLS log ends with "client-initiated session renegotiation detected, aborting
# connection" immediately after "starting TLS negotiation on data connection", i.e. the client renegotiates
# on the data channel and this mod_tls build rejects client-initiated renegotiation (presumably as the
# mitigation for the TLS renegotiation weakness). The directive that re-allows it is
# "TLSOptions AllowClientRenegotiations" (verify against the mod_tls documentation for 1.3.2c). Weigh
# re-enabling it against using a client that does not renegotiate on data connections, or client/server
# builds that support the secure-renegotiation extension.
</IfModule>
# Settings applied to every server context, the main server and the virtual hosts alike.
<Global>
PassivePorts 35000 35999
DeferWelcome on
RequireValidShell no
# Confine each user to its own home directory.
DefaultRoot ~
# Show "ftp" as owner and group in listings instead of the real system accounts.
DirFakeUser on ftp
DirFakeGroup on ftp
# Unprivileged identity the daemon runs as.
User ftp
Group ftp
#UserAlias anonymous ftp
# Allow resumed uploads and downloads (REST).
AllowStoreRestart on
AllowRetrieveRestart on
# Dotfiles are included in directory listings.
ListOptions -a
Umask 022
DisplayLogin welcome.msg
DisplayChdir readme
AllowOverwrite yes
IdentLookups off
# Access and authentication logs; the "write" and "auth" formats are defined in the main server section.
ExtendedLog /var/log/proftpd/access.log WRITE,READ write
ExtendedLog /var/log/proftpd/auth.log AUTH auth
#
# Paranoia logging level....
#
#ExtendedLog /var/log/proftpd/paranoid.log ALL default
</Global>
# Per-domain virtual hosts, presumably generated by DirectAdmin; the <Global> settings above apply to them too.
Include /etc/proftpd.vhosts.conf
proftpd.tls.log snippet:
Feb 03 15:44:51 mod_tls/2.2.2[25972]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Feb 03 15:44:55 mod_tls/2.2.2[25972]: TLS/TLS-C requested, starting TLS handshake
Feb 03 15:44:55 mod_tls/2.2.2[25972]: TLSv1/SSLv3 connection accepted, using cipher RC4-MD5 (128 bits)
Feb 03 23:44:55 mod_tls/2.2.2[25972]: Protection set to Private
Feb 03 23:44:58 mod_tls/2.2.2[25972]: starting TLS negotiation on data connection
Feb 03 23:44:58 mod_tls/2.2.2[25972]: warning: client-initiated session renegotiation detected, aborting connection
I currently have ProFTPD configured for TLS, however I can't seem to get it working properly. I have tried multiple clients: they can connect and authenticate, but the FTP server drops the connection immediately after the LIST command is sent. In one FTP client I had the option of disabling TLS on the data channel, which actually worked. So my question is, what am I doing wrong? I've spent two days on this with no success.
I've tried just about every TLS related setting in various permutations with little to no success.
Thanks!
DA Version: 1.34.5
CentOS 5.4 64 bit
ProFTPD 1.3.2c
ProFTPD Config:
# Main (default) server: identity, listener and session timeouts.
ServerName "ProFTPd"
ServerType standalone
Port 21
# Passive-mode data port range; the same range is repeated inside <Global> below.
# Any firewall or NAT in front of the server must pass this range as well as port 21.
PassivePorts 35000 35999
UseReverseDNS off
TimesGMT off
# Timeouts are in seconds.
TimeoutLogin 120
TimeoutIdle 600
TimeoutNoTransfer 900
TimeoutStalled 3600
# NOTE(review): the scoreboard path ends in ".pid", which is an unusual name for the scoreboard file;
# presumably this is how the DirectAdmin template ships it — verify it does not collide with the daemon's pid file.
ScoreboardFile /var/run/proftpd/proftpd.pid
TransferLog /var/log/proftpd/xferlog.legacy
# Log formats referenced by the ExtendedLog directives in this file.
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
#DON'T modify this log format. It's used by DirectAdmin to determine user usage
LogFormat userlog "%u %b %m"
ExtendedLog /var/log/proftpd/67.43.168.87.bytes WRITE,READ userlog
# Authentication comes from the flat password file only: AuthOrder limits lookups to mod_auth_file.c
# and the AuthPAM directive below is commented out.
AuthUserFile /etc/proftpd.passwd
DefaultServer on
AuthOrder mod_auth_file.c
#AuthPAM off
# Explicit FTPS (AUTH TLS) settings; only active when mod_tls is compiled in.
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd.tls.log
# NOTE(review): SSLv23 accepts SSLv3 as well as TLSv1 here (the cipher string below also
# enables SSLv3 suites). Once the data-channel problem is resolved, consider restricting to TLSv1.
TLSProtocol SSLv23
# No client certificate is requested; clients authenticate by password only.
TLSVerifyClient off
# TLS is optional: a client may still log in and transfer entirely in the clear.
# Bear in mind that "works with data-channel TLS disabled" means the listing went unencrypted.
# Switching to "TLSRequired on" once TLS works prevents silent plaintext fallback.
TLSRequired off
#Certificates
#TLSRSACertificateFile /etc/exim.cert
#TLSRSACertificateKeyFile /etc/exim.key
# NOTE(review): these are DirectAdmin's CA certificate/key files; assumes cacert.pem and cakey.pem are
# a matching certificate/private-key pair usable as the server certificate — TODO confirm. The key file
# should be readable only by root (ProFTPD reads it before dropping to the ftp user).
TLSRSACertificateFile /usr/local/directadmin/conf/cacert.pem
TLSRSACertificateKeyFile /usr/local/directadmin/conf/cakey.pem
#TLSCACertificateFile /etc/ftpd/root.cert.pem
# MEDIUM-strength suites are enabled; the TLS log below shows RC4-MD5 (128 bits) being negotiated.
# Prefer HIGH only if the clients in use support it.
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
# NOTE(review): the TLS log ends with "client-initiated session renegotiation detected, aborting
# connection" immediately after "starting TLS negotiation on data connection", i.e. the client renegotiates
# on the data channel and this mod_tls build rejects client-initiated renegotiation (presumably as the
# mitigation for the TLS renegotiation weakness). The directive that re-allows it is
# "TLSOptions AllowClientRenegotiations" (verify against the mod_tls documentation for 1.3.2c). Weigh
# re-enabling it against using a client that does not renegotiate on data connections, or client/server
# builds that support the secure-renegotiation extension.
</IfModule>
# Settings applied to every server context, the main server and the virtual hosts alike.
<Global>
PassivePorts 35000 35999
DeferWelcome on
RequireValidShell no
# Confine each user to its own home directory.
DefaultRoot ~
# Show "ftp" as owner and group in listings instead of the real system accounts.
DirFakeUser on ftp
DirFakeGroup on ftp
# Unprivileged identity the daemon runs as.
User ftp
Group ftp
#UserAlias anonymous ftp
# Allow resumed uploads and downloads (REST).
AllowStoreRestart on
AllowRetrieveRestart on
# Dotfiles are included in directory listings.
ListOptions -a
Umask 022
DisplayLogin welcome.msg
DisplayChdir readme
AllowOverwrite yes
IdentLookups off
# Access and authentication logs; the "write" and "auth" formats are defined in the main server section.
ExtendedLog /var/log/proftpd/access.log WRITE,READ write
ExtendedLog /var/log/proftpd/auth.log AUTH auth
#
# Paranoia logging level....
#
#ExtendedLog /var/log/proftpd/paranoid.log ALL default
</Global>
# Per-domain virtual hosts, presumably generated by DirectAdmin; the <Global> settings above apply to them too.
Include /etc/proftpd.vhosts.conf
proftpd.tls.log snippet:
Feb 03 15:44:51 mod_tls/2.2.2[25972]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Feb 03 15:44:55 mod_tls/2.2.2[25972]: TLS/TLS-C requested, starting TLS handshake
Feb 03 15:44:55 mod_tls/2.2.2[25972]: TLSv1/SSLv3 connection accepted, using cipher RC4-MD5 (128 bits)
Feb 03 23:44:55 mod_tls/2.2.2[25972]: Protection set to Private
Feb 03 23:44:58 mod_tls/2.2.2[25972]: starting TLS negotiation on data connection
Feb 03 23:44:58 mod_tls/2.2.2[25972]: warning: client-initiated session renegotiation detected, aborting connection