Vsftpd + ssl
Hello,
I am trying, so far in vain, to configure vsftpd for FTPS (yes, SFTP exists, but that is for another time).
I created a certificate with the following commands:
/usr/bin/openssl genrsa -des3 4096 > /etc/vsftpd/ssl.key
/usr/bin/openssl req -new -key ./ssl.key -x509 -out ./server.crt
In vsftpd.conf I set the following values:
ssl_enable=YES
# Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol
# connections. TLS v1 connections are preferred.
ssl_sslv2=YES
# Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol
# connections. TLS v1 connections are preferred.
ssl_sslv3=YES
# Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol
# connections. TLS v1 connections are preferred.
ssl_tlsv1=YES
# This option specifies the location of the RSA certificate to use for SSL encrypted connections.
# Default: /usr/share/ssl/certs/vsftpd.pem
#rsa_cert_file=/etc/vsftpd/server.crt
rsa_cert_file=/etc/vsftpd/ssl.key
# This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL
# connections. See the ciphers man page for further details. Note that restricting ciphers
# can be a useful security precaution as it prevents malicious remote parties forcing a
# cipher which they have found problems with.
ssl_ciphers=des3
# Only applies if ssl_enable is activated. If activated, all non-anonymous
# logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=NO
# Only applies if ssl_enable is activated. If activated, all non-anonymous
# logins are forced to use a secure SSL connection in order to send and
# receive data on data connections.
force_local_data_ssl=NO
Here is what happens when I start the vsftpd daemon:
# /usr/sbin/vsftpd
500 OOPS: SSL: cannot load RSA key
strace output below:
I have found no information on this kind of setup. Has anyone done it before?
Thanks in advance
Martial
###############################################
strace output
###############################################
stat64("/etc/vsftpd.conf", {st_mode=S_IFREG|0644, st_size=24483, ...}) = 0
open("/etc/vsftpd.conf", O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=24483, ...}) = 0
mmap2(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x402c9000
mprotect(0x402d0000, 4096, PROT_NONE) = 0
mprotect(0x402c9000, 4096, PROT_NONE) = 0
read(3, "##################\n## Section Se"..., 24483) = 24483
mprotect(0x402c9000, 4096, PROT_READ) = 0
munmap(0x402c9000, 32768) = 0
close(3) = 0
getuid32() = 0
open("/etc/vsftpd/ssl.key", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3311, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x402c9000
read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 3311
read(3, "", 4096) = 0
getpid() = 26731
getpid() = 26731
getpid() = 26731
getpid() = 26731
close(3) = 0
munmap(0x402c9000, 4096) = 0
fcntl64(0, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fcntl64(0, F_SETFL, O_RDWR|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: ) = 10
write(0, "SSL: cannot load RSA key", 24SSL: cannot load RSA key) = 24
write(0, "\r\n", 2
) = 2
exit_group(1) = ?
###############################################
ldd output
###############################################
# ldd /usr/sbin/vsftpd
libwrap.so.0 => /lib/libwrap.so.0 (0x4001b000)
libnsl.so.1 => /lib/tls/libnsl.so.1 (0x40024000)
libpam.so.0 => /lib/libpam.so.0 (0x4003a000)
libdl.so.2 => /lib/tls/libdl.so.2 (0x40042000)
libresolv.so.2 => /lib/tls/libresolv.so.2 (0x40045000)
libutil.so.1 => /lib/tls/libutil.so.1 (0x40057000)
libcap.so.1 => /lib/libcap.so.1 (0x4005a000)
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x4005e000)
libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x40090000)
libc.so.6 => /lib/tls/libc.so.6 (0x4018d000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
--
Martial Paupe
IT Department
Kudelski Group | Tel direct : +41 21 732 04 55
1033 Cheseaux | E-mail : martial.paupe<AT>nagra.com
Switzerland
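An added example, not code from the original post or from vsftpd: a POSIX shell audit of the TLS block of a vsftpd.conf and the PEM files it points to. It flags the two file-level problems present in the setup above (an rsa_cert_file that holds a key but no certificate, and a DES3 passphrase-protected key that a daemon cannot unlock) as well as ssl_sslv2/ssl_sslv3=YES and force_local_logins_ssl=NO; the conf_get, audit_vsftpd_tls and write_demo_setup names and the PEM fixture are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from vsftpd): audit the TLS
# settings of a vsftpd.conf and the PEM files it references. Prints one
# "WARN:" line per finding and returns the number of findings as exit status.
# Last uncommented value of option $2 in config file $1 (empty if unset).
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}
audit_vsftpd_tls() {
    conf=$1
    n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }
    [ "$(conf_get "$conf" ssl_enable)" = "YES" ] || return 0
    # SSLv2 and SSLv3 are obsolete; leave them at NO.
    for opt in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$conf" $opt)" = "YES" ]; then warn "$opt=YES enables an obsolete protocol"; fi
    done
    # At NO, local users can still log in over plain FTP and send the password in clear.
    if [ "$(conf_get "$conf" force_local_logins_ssl)" = "NO" ]; then
        warn "force_local_logins_ssl=NO lets local logins send passwords unencrypted"
    fi
    cert=$(conf_get "$conf" rsa_cert_file)
    key=$(conf_get "$conf" rsa_private_key_file)
    # With rsa_private_key_file unset, vsftpd reads the key from rsa_cert_file too.
    [ -n "$key" ] || key=$cert
    if [ ! -r "$cert" ]; then
        warn "rsa_cert_file '$cert' is missing or unreadable"
    else
        grep -q 'BEGIN CERTIFICATE' "$cert" || warn "'$cert' holds no CERTIFICATE block"
    fi
    if [ -r "$key" ]; then
        grep -q 'PRIVATE KEY' "$key" || warn "'$key' holds no PRIVATE KEY block"
        # A passphrase-protected key (openssl genrsa -des3) cannot be opened by a
        # daemon that has no way to ask for the passphrase.
        if grep -q 'ENCRYPTED' "$key"; then warn "'$key' is passphrase-protected"; fi
    fi
    return $n
}
# Constructed fixture mirroring the post's setup in directory $1: a key-only PEM
# with DES3 headers (no real key material) and a config whose rsa_cert_file points at it.
write_demo_setup() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '(key material omitted)' \
        '-----END RSA PRIVATE KEY-----' > "$1/ssl.key"
    printf '%s\n' ssl_enable=YES ssl_sslv2=YES ssl_sslv3=YES ssl_tlsv1=YES \
        "rsa_cert_file=$1/ssl.key" ssl_ciphers=des3 force_local_logins_ssl=NO \
        force_local_data_ssl=NO > "$1/vsftpd.conf"
}
```

Run `write_demo_setup /tmp/demo && audit_vsftpd_tls /tmp/demo/vsftpd.conf` to see the five findings for the setup above; a file holding both a CERTIFICATE and an unencrypted PRIVATE KEY block, with the obsolete protocols off and local logins forced onto TLS, produces none.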