[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Vsftpd + ssl



Bonjour,

Je tente veinement de configurer vsftpd pour faire du ftps (il est vrai 
qu'il existe sftp mais c'est pour un autre moment).

j'ai créé un certificat avec les commandes suivantes : 

/usr/bin/openssl genrsa -des3 4096 > /etc/vsftpd/ssl.key

/usr/bin/openssl req -new -key ./ssl.key -x509 -out ./server.crt

Dans la config de vsftpd.conf

j'ai initialisé les valeurs suivantes : 

ssl_enable=YES

# Only applies if ssl_enable is activated. If enabled, this option will 
permit SSL v2 protocol
# connections. TLS v1 connections are preferred.
ssl_sslv2=YES

# Only applies if ssl_enable is activated. If enabled, this option will 
permit SSL v3 protocol
# connections. TLS v1 connections are preferred.
ssl_sslv3=YES

# Only applies if ssl_enable is activated. If enabled, this option will 
permit TLS v1 protocol
# connections. TLS v1 connections are preferred.
ssl_tlsv1=YES

# This option specifies the location of the RSA certificate to use for 
SSL encrypted connections.
# Default: /usr/share/ssl/certs/vsftpd.pem
#rsa_cert_file=/etc/vsftpd/server.crt
rsa_cert_file=/etc/vsftpd/ssl.key

# This option can be used to select which SSL ciphers vsftpd will allow 
for encrpyted SSL
# connections. See the ciphers man page for further details. Note that 
restricting ciphers
# can be a useful security precaution as it prevents malicious remote 
parties forcing a
# cipher which they have found problems with.
ssl_ciphers=des3

# Only applies if ssl_enable is activated. If activated, all 
non-anonymous
# logins are forced to use a secure SSL connection in order to send the 
password.
force_local_logins_ssl=NO

# Only applies if ssl_enable is activated. If activated, all 
non-anonymous
# logins are forced to use a secure SSL connection in order to send and
# receive data on data connections.
force_local_data_ssl=NO

Le résultat est le suivant quand je démarre le daemon vsftp : 

# /usr/sbin/vsftpd
500 OOPS: SSL: cannot load RSA key

résultat du strace ci-dessous :

Je n'ai point trouvé d'info sur ce genre de config. Y a-t-il quelqu'un 
qui aurais déjà fait la manip.

D'avance merci 
Martial

###############################################
résultat du strace
###############################################

stat64("/etc/vsftpd.conf", {st_mode=S_IFREG|0644, st_size=24483, ...}) = 
0
open("/etc/vsftpd.conf", O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=24483, ...}) = 0
mmap2(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0x402c9000
mprotect(0x402d0000, 4096, PROT_NONE)   = 0
mprotect(0x402c9000, 4096, PROT_NONE)   = 0
read(3, "##################\n## Section Se"..., 24483) = 24483
mprotect(0x402c9000, 4096, PROT_READ)   = 0
munmap(0x402c9000, 32768)               = 0
close(3)                                = 0
getuid32()                              = 0
open("/etc/vsftpd/ssl.key", O_RDONLY)   = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3311, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0x402c9000
read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 3311
read(3, "", 4096)                       = 0
getpid()                                = 26731
getpid()                                = 26731
getpid()                                = 26731
getpid()                                = 26731
close(3)                                = 0
munmap(0x402c9000, 4096)                = 0
fcntl64(0, F_GETFL)                     = 0x8002 (flags O_RDWR|
O_LARGEFILE)
fcntl64(0, F_SETFL, O_RDWR|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: )              = 10
write(0, "SSL: cannot load RSA key", 24SSL: cannot load RSA key) = 24
write(0, "\r\n", 2
)                     = 2
exit_group(1)                           = ?

###############################################
résultat du ldd
###############################################

# ldd /usr/sbin/vsftpd
                libwrap.so.0 => /lib/libwrap.so.0 (0x4001b000)
        libnsl.so.1 => /lib/tls/libnsl.so.1 (0x40024000)
        libpam.so.0 => /lib/libpam.so.0 (0x4003a000)
        libdl.so.2 => /lib/tls/libdl.so.2 (0x40042000)
        libresolv.so.2 => /lib/tls/libresolv.so.2 (0x40045000)
        libutil.so.1 => /lib/tls/libutil.so.1 (0x40057000)
        libcap.so.1 => /lib/libcap.so.1 (0x4005a000)
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 
(0x4005e000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 
(0x40090000)
        libc.so.6 => /lib/tls/libc.so.6 (0x4018d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

-- 
Martial Paupe
IT Department

Kudelski Group    |   Tel direct : +41 21 732 04 55
1033 Cheseaux     |   E-mail : martial.paupe<AT>nagra.com
Switzerland



Reply to: