vsftpd + SSL not working

Redd Vinylene reddvinylene at gmail.com
Thu Dec 9 13:46:13 UTC 2010


On Thu, Dec 9, 2010 at 1:16 PM, Odhiambo Washington <odhiambo at gmail.com> wrote:

>
>
> On Thu, Dec 9, 2010 at 3:10 PM, Redd Vinylene <reddvinylene at gmail.com> wrote:
>
>> I'm trying to set up a virtual vsftpd-ssl-2.3.2 server (FreeBSD
>> 8.2-PRERELEASE) so my band can share new tracks, production material and
>> what not, but my SSL certificate keeps messing it up:
>> http://pastie.org/1358536 - anybody know why? It works just fine when I
>> disable the SSL. I have no firewalls running.
>>
>> I hope this is not too off-topic. I just don't know where else to ask.
>>
>>
> Would it not be better if you posted your configuration and debug logs for
> those willing to help you out to see?
>

It's all in http://pastie.org/1358536, but in case you don't want to click the link:

## /var/log/vsftpd.conf (FTPRush)

Wed Dec  8 11:21:07 2010 [pid 38781] CONNECT: Client "161.149.221.220"
Wed Dec  8 11:21:07 2010 [pid 38781] DEBUG: Client "161.149.221.220", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Wed Dec  8 11:21:08 2010 [pid 38780] [bruner] OK LOGIN: Client "161.149.221.220"
Wed Dec  8 11:21:08 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Wed Dec  8 11:21:08 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: NONE"
Wed Dec  8 11:21:08 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"

And then the directory listing after 3 minutes:

Wed Dec  8 11:24:29 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: 3"

## /var/log/vsftpd.conf (FlashFXP)

Wed Dec  8 11:33:50 2010 [pid 56557] [bruner] OK LOGIN: Client "161.149.221.220"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, reused, no cert"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: NONE"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL ret: 18446744073709551615, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 22"
Wed Dec  8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/track_1.mp3"
Wed Dec  8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/tracks.sfv"
Wed Dec  8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/tracks.txt"
Wed Dec  8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/tracks.m3u"

And in FlashFXP:

[R] 200 PORT command successful. Consider using PASV.
[R] STOR tracks.m3u
[R] Transfer Failed!
[R] Connection lost: bruner

I tried installing OpenSSL 1.0.0b from ports over 0.9.8p that came with
FreeBSD - and then recompiling vsftpd (commenting out the .if ${OSVERSION} <
700000 and the .endif below it in the Makefile to force it to link to the
port) - but it made no difference.

## openssl s_client -state -connect <my_ip>:800 (remote box)

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
3280:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:567:

## openssl s_client -tls1 -state -connect <my_ip>:800 (remote box)

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read server hello A
3392:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:284:

## openssl s_server -cert vsftpd.pem -key vsftpd.pem -accept 4443 (localhost)

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
Shared
ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported

## openssl s_client -tls1 -state -connect <my_ip>:4443 (remote box)

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
   i:/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
---
Server certificate
subject=/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
issuer=/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
---
No client certificate CA names sent
---
SSL handshake has read 1180 bytes and written 232 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
30043B9BAFAA5C5C448D31AA00DC221E7A6DB870E447EE79C6D6E6CC086D1C3C
    Session-ID-ctx:
    Master-Key:
B1752D150E2CB06547C27D42B9199220AD060582F3C3701555F8A7DC18B6DD3D32CD0C426FC4BB3301D499BBBAAB82B5
    Key-Arg   : None
    Start Time: 1291826659
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---


## /usr/local/etc/vsftpd.conf

# portinstall pam_pwdfile

# gem install htauth

# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

# htpasswd-ruby -c -b /usr/home/bruner/users.db <username> <password>

anonymous_enable=NO

listen=YES

listen_port=800

connect_from_port_20=YES

background=YES

write_enable=YES

local_enable=YES

local_root=/usr/home/bruner/content

virtual_use_local_privs=YES

ftpd_banner=Welcome to the Bruner Brothers FTP: http://www.youtube.com/watch?v=6xQyOR7WBIo

ssl_enable=YES

force_local_data_ssl=YES

force_local_logins_ssl=YES

require_ssl_reuse=NO

rsa_cert_file=/usr/local/etc/vsftpd.pem

pam_service_name=vsftpd

pasv_promiscuous=YES

port_promiscuous=YES

xferlog_enable=YES

xferlog_file=/usr/home/bruner/transfers.log

debug_ssl=YES

## /etc/pam.d/vsftpd

auth required /usr/local/lib/pam_pwdfile.so pwdfile /usr/home/bruner/users.db

account required /usr/lib/pam_permit.so

## dmesg

Copyright (c) 1992-2010 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.2-PRERELEASE #0: Mon Nov 29 12:32:44 CET 2010
    bruner at bruner:/usr/obj/usr/src/sys/GENERIC amd64

Many thanks!
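An added helper (my code, not part of this thread) for reading the debug_ssl output above: it re-joins records that a mail client wrapped mid-line, then summarises each vsftpd child process by pid (cipher, TLS session reuse, last shutdown state, SSL errors) so the FTPRush and FlashFXP sessions can be compared side by side. The sample records are constructed to match the format above, with a documentation IP address in place of the real one.

```python
import re
from collections import defaultdict
# Constructed sample in the format vsftpd writes with debug_ssl=YES (IP is a
# documentation address); records 2 and 4 are wrapped the way mail clients do it.
SAMPLE = """\
Wed Dec  8 11:33:50 2010 [pid 56557] [bruner] OK LOGIN: Client "192.0.2.10"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "192.0.2.10", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA,
reused, no cert"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "192.0.2.10", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "192.0.2.10", "SSL ret: 18446744073709551615, SSL error:
error:00000000:lib(0):func(0):reason(0), errno: 22"
"""

# Timestamp is a fixed 24 columns; the [user] field is absent before login.
RECORD = re.compile(r'^(?P<ts>.{24}) \[pid (?P<pid>\d+)\](?: \[(?P<user>[^\]]+)\])?'
                    r' (?P<kind>[A-Z ]+?): Client "(?P<ip>[^"]+)"(?:, "(?P<msg>.*)")?$')

def unwrap(text):
    """Re-join wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for raw in text.splitlines():
        if re.match(r"[A-Z][a-z]{2} [A-Z][a-z]{2} ", raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw.strip()
    return records

def summarise(records):
    """Per child pid: cipher, TLS session reuse, last shutdown state and SSL errors.
    'SSL ret: 18446744073709551615' is 2**64-1 (-1 printed unsigned); errno 22 is EINVAL."""
    per_pid = defaultdict(lambda: {"cipher": None, "reused": None, "shutdown": None, "errors": []})
    for m in filter(None, map(RECORD.match, records)):
        rec, msg = per_pid[m["pid"]], m["msg"] or ""
        if msg.startswith("SSL version:"):
            rec["cipher"] = re.search(r"SSL cipher: ([^,]+)", msg).group(1)
            rec["reused"] = "not reused" not in msg
        elif msg.startswith("SSL shutdown state is: "):
            rec["shutdown"] = msg.split(": ", 1)[1]
        elif msg.startswith("SSL ret:"):
            rec["errors"].append(msg)
    return dict(per_pid)

def findings(summary):
    out = []  # what a log reviewer would flag: failed TLS channels and 3DES ciphers
    for pid, s in sorted(summary.items()):
        if s["errors"]:
            out.append(f"pid {pid}: TLS channel failed: {s['errors'][-1]}")
        if s["cipher"] and "DES-CBC3" in s["cipher"]:
            out.append(f"pid {pid}: 3DES negotiated ({s['cipher']}); restrict ssl_ciphers")
    return out
```

Feed it the whole of /var/log/vsftpd.log (or the text pasted into a mail) and compare the pid that handled the control connection with the one that handled the data connection.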

