
Sorry, I deleted the message...



Hello,

Attached is a file I found that explains the proftpd-tls patch.

I hope it helps,

    Pedro

-- 
Pedro Martinez Juliá
\  yoros@terra.es
)|    yoros@wanadoo.es
/        http://yoros.cjb.net
Socio HispaLinux #311
Usuario Linux #275438 - http://counter.li.org
GnuPG public information:  pub  1024D/74F1D3AC
Key fingerprint = 8431 7B47 D2B4 5A46 5F8E  534F 588B E285 74F1 D3AC

TLS patch for proftpd-1.2.0 together with OpenSSL >= 0.9.4, based on the
"draft-murray-auth-ftp-ssl-05.txt" IETF draft.
Copyright (c) 2000 Peter 'Luna' Runestig <peter@runestig.com>
The verify_crl() function by Ralf S. Engelschall <rse@engelschall.com>
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)

Patching:
	$ tar xzf proftpd-1.2.0.tar.gz
	$ cd proftpd-1.2.0
	$ patch -p1 < ../proftpd-tls.current.patch

	Or just use the prepatched tarball.

Configuring:
	$ ./configure [--with-openssl-dir=DIR]
	
Building:
	$ make

Installation:
	$ make install

By default, proftpd looks for a single configuration file as
/usr/local/etc/proftpd.conf.  Copy sample-configurations/basic.conf to
/usr/local/etc/proftpd.conf and modify to suit your needs.  More advanced
configuration examples are also included.

The proftpd server tries to use these TLS related files by default:
ftpd-rsa.pem		RSA certificate, may include private key
ftpd-rsa-key.pem	RSA private key
ftpd-dsa.pem		DSA certificate, may include private key
ftpd-dsa-key.pem	DSA private key
ftpd-crl.pem		Certificate Revocation List
ftpd-dhparam.pem	DH Parameters (a set of DH params is compiled in)

These files are searched for in the following directories (in this order):
* Current working directory of the process.
* The directory named by the environment variable returned by
  `X509_get_default_cert_dir_env()` (usually $SSL_CERT_DIR).
* `X509_get_default_cert_dir()`, usually (openssl-dir)/certs.
* `X509_get_default_private_dir()`, usually (openssl-dir)/private.

Default CRL directory for the proftpd server is (openssl-dir)/crl.

If you don't have any "proper" certificate files (signed by some CA), you might
create a self-signed one using the ``openssl'' command:
$ openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem
This creates a cert which is valid 365 days; you might want to adjust that.
Because of -nodes the private key in ftpd-rsa-key.pem is stored unencrypted, so
make it readable only by the user the server runs as (e.g. chmod 600). Note that
clients have no CA to check a self-signed cert against, so they can only accept
it by fingerprint or by configuring it explicitly as trusted.

X509 client authentication
--------------------------
User authentication by client certificate is possible through the site-specific
function int x509_to_user(X509 *peer_cert, char *userid, int len) in the file
src/x509_to_user.c, and through a .tlslogin file in the user's home directory.

o  tls_userid_from_client_cert() is called and returns a user id or NULL.
   tls_userid_from_client_cert() calls the site specific function
   x509_to_user().

o  If the user name set by the USER command equals the user id mapped from the
   client cert, the user is logged right in.

o  If "USER" differs from the user id mapped from the client cert, the function
   tls_is_user_valid() is called to check "USER"'s ~/.tlslogin file.
   That file, if it exists, contains one or more X509 certificates in PEM
   format. If the client cert is present in the file, the user is logged right in.

o  If tls_userid_from_client_cert() can't map a user id from the client cert,
   tls_is_user_valid() is called to check "USER"'s ~/.tlslogin file. If the
   client cert is present in the file, the user is logged right in.

Since any certificate listed in ~/.tlslogin grants a login as that user, treat
the file like ~/.ssh/authorized_keys: it must be writable by the user only.

OpenSSL looks up CA certificates and CRLs in a directory by subject-name hash,
so each file needs a hash-named symlink:
Hash symlinks for certs: ln -s cert.pem `openssl x509 -hash -noout -in cert.pem`.0
Hash symlinks for CRLs:  ln -s crl.pem `openssl crl -hash -noout -in crl.pem`.r0

Default cipher list is "ALL:!EXP". Note that "ALL" includes the anonymous
Diffie-Hellman (ADH) suites, which encrypt but do not authenticate the server;
add ":!ADH" (as in the first example below) if you want to rule them out.

How to put together a  'cipher list string':
  Key Exchange Algorithms:
    "kRSA"      RSA key exchange
    "kDHr"      Diffie-Hellman key exchange (key from RSA cert)
    "kDHd"      Diffie-Hellman key exchange (key from DSA cert)
    "kEDH"      Ephemeral Diffie-Hellman key exchange (temporary key)

  Authentication Algorithm:
    "aNULL"     No authentication
    "aRSA"      RSA authentication
    "aDSS"      DSS authentication
    "aDH"       Diffie-Hellman authentication

  Cipher Encoding Algorithm:
    "eNULL"     No encoding
    "DES"       DES encoding
    "3DES"      Triple DES encoding
    "RC4"       RC4 encoding
    "RC2"       RC2 encoding
    "IDEA"      IDEA encoding

  MAC Digest Algorithm:
    "MD5"       MD5 hash function
    "SHA1"      SHA1 hash function
    "SHA"       SHA hash function (should not be used)

  Aliases:
    "ALL"       all ciphers
    "SSLv2"     all SSL version 2.0 ciphers (should not be used)
    "SSLv3"     all SSL version 3.0 ciphers
    "EXP"       all export ciphers (40-bit)
    "EXPORT56"  all export ciphers (56-bit)
    "LOW"       all low strength ciphers (no export)
    "MEDIUM"    all ciphers with 128-bit encryption
    "HIGH"      all ciphers using greater than 128-bit encryption
    "RSA"       all ciphers using RSA key exchange
    "DH"        all ciphers using Diffie-Hellman key exchange
    "EDH"       all ciphers using Ephemeral Diffie-Hellman key exchange
    "ADH"       all ciphers using Anonymous Diffie-Hellman key exchange
    "DSS"       all ciphers using DSS authentication
    "NULL"      all ciphers using no encryption

Each item in the list may include a prefix modifier:

    "+"         move cipher(s) to the current location in the list
    "-"         remove cipher(s) from the list (may be added again by
                a subsequent list entry)
    "!"         kill cipher from the list (it may not be added again
                by a subsequent list entry)

If no modifier is specified the entry is added to the list at the current
position.  "+" may also be used to combine tags within one entry: for example
"RSA+RC4" describes all ciphers that use both RSA and RC4.

For example, all available ciphers not including ADH key exchange:

  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

All algorithms including ADH and export but excluding patented algorithms: 

  HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA

The OpenSSL command 

  openssl ciphers -v <list of ciphers> 

may be used to list all of the ciphers and the order described by a specific
<list of ciphers>.
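To make the modifier and alias rules above concrete, here is an added Python evaluator for cipher list strings (example code for this page, not part of the patch or of OpenSSL). It works over a constructed table of a few SSLv3 suites with hand-assigned tags; the tag names follow the keywords listed above, the ordering inside an alias is simply table order (real OpenSSL applies its own sort), and unknown keywords raise an error rather than being ignored as OpenSSL does. The `__main__` block evaluates the patch's default "ALL:!EXP" and the first example list.

```python
"""Evaluator for OpenSSL-style cipher list strings (ALL:!EXP, RC4+RSA, +HIGH ...).

Added example, not the patch's or OpenSSL's code. The suite table is a
constructed subset with hand-written attribute tags.
"""
from collections import namedtuple

Suite = namedtuple("Suite", "name tags")


def _s(name, *tags):
    return Suite(name, frozenset(tags))


# Constructed subset of SSLv3 suites. Tags: key exchange (k*), authentication
# (a*), cipher, MAC, protocol, and one strength class (EXP/LOW/MEDIUM/HIGH).
SUITES = [
    _s("RC4-MD5",              "kRSA", "aRSA",  "RC4",   "MD5",  "SSLv3", "MEDIUM"),
    _s("DES-CBC3-SHA",         "kRSA", "aRSA",  "3DES",  "SHA1", "SSLv3", "HIGH"),
    _s("EXP-RC4-MD5",          "kRSA", "aRSA",  "RC4",   "MD5",  "SSLv3", "EXP"),
    _s("ADH-RC4-MD5",          "kEDH", "aNULL", "RC4",   "MD5",  "SSLv3", "MEDIUM"),
    _s("EDH-RSA-DES-CBC3-SHA", "kEDH", "aRSA",  "3DES",  "SHA1", "SSLv3", "HIGH"),
    _s("EDH-DSS-DES-CBC3-SHA", "kEDH", "aDSS",  "3DES",  "SHA1", "SSLv3", "HIGH"),
    _s("NULL-MD5",             "kRSA", "aRSA",  "eNULL", "MD5",  "SSLv3"),
    _s("DES-CBC-SHA",          "kRSA", "aRSA",  "DES",   "SHA1", "SSLv3", "LOW"),
    _s("IDEA-CBC-SHA",         "kRSA", "aRSA",  "IDEA",  "SHA1", "SSLv3", "MEDIUM"),
    _s("EXP-DES-CBC-SHA",      "kRSA", "aRSA",  "DES",   "SHA1", "SSLv3", "EXP"),
]

KNOWN_TAGS = {"kRSA", "kDHr", "kDHd", "kEDH", "aNULL", "aRSA", "aDSS", "aDH",
              "eNULL", "DES", "3DES", "RC4", "RC2", "IDEA", "MD5", "SHA1", "SHA",
              "SSLv2", "SSLv3", "EXP", "EXPORT56", "LOW", "MEDIUM", "HIGH"}


def matches(word, suite):
    """True if a single keyword (no modifier, no '+') selects this suite."""
    t = suite.tags
    if word == suite.name:
        return True
    if word == "ALL":            # everything except eNULL; aNULL (ADH) IS included
        return "eNULL" not in t
    if word == "NULL":
        return "eNULL" in t
    if word == "RSA":
        return "kRSA" in t
    if word == "DH":
        return bool(t & {"kDHr", "kDHd", "kEDH"})
    if word == "EDH":            # authenticated ephemeral DH only
        return "kEDH" in t and "aNULL" not in t
    if word == "ADH":
        return "kEDH" in t and "aNULL" in t
    if word == "DSS":
        return "aDSS" in t
    if word == "EXPORT":
        word = "EXP"
    if word not in KNOWN_TAGS:
        raise ValueError("unknown cipher keyword: %r" % word)
    return word in t


def evaluate(spec, suites=SUITES):
    """Return the ordered list of suite names selected by a cipher list string."""
    active = []        # current ordered selection
    killed = set()     # '!'-removed suites, which later entries cannot re-add
    for entry in spec.split(":"):
        if not entry:
            continue
        mod = ""
        if entry[0] in "+-!":
            mod, entry = entry[0], entry[1:]
        words = entry.split("+")         # "RC4+RSA": suite must match every word
        names = [s.name for s in suites if all(matches(w, s) for w in words)]
        if mod == "":                    # append new matches at the current end
            active += [n for n in names if n not in active and n not in killed]
        elif mod == "+":                 # move already-selected matches to the end
            moved = [n for n in active if n in names]
            active = [n for n in active if n not in names] + moved
        elif mod == "-":                 # remove, but a later entry may re-add
            active = [n for n in active if n not in names]
        else:                            # "!": remove permanently
            killed.update(names)
            active = [n for n in active if n not in names]
    return active


if __name__ == "__main__":
    for spec in ("ALL:!EXP", "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"):
        print(spec, "->", evaluate(spec))
```

On this table the default "ALL:!EXP" keeps ADH-RC4-MD5, which is why the note above recommends adding "!ADH"; the first example list ends up with the HIGH suites first and the export suites last, and the "no patented algorithms" list leaves only EDH-DSS-DES-CBC3-SHA. Compare with `openssl ciphers -v` on a real OpenSSL build to see the full ordering.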
