vsftpd + SSL/TLS

5 replies to this topic

#1
koni2007

    Member

  • Group: Members
  • Posts: 273
  • Joined: 07.09.2006

Hello,

I have a vsFTPd server on which I also want to have SSL/TLS.

I ran the command:

# openssl req -x509 --nodes -days 365 -newkey rsa:2048  -keyout /etc/ssl/private/domain.key  -out /etc/ssl/certs/domain.csr

which, as I understand it, creates a self-signed certificate, that is, a private key and certificate signing requests (CSRs), if I'm not talking nonsense.


If I want to check from the CLI

# curl -v --ftp-ssl --cacert /etc/ssl/certs/domain.csr --user popescu:popescu ftp://localhost:990


it returns

# curl -v --ftp-ssl --cacert /etc/ssl/certs/domain.csr --user popescu:popescu ftp://localhost:990

* Rebuilt URL to: ftp://localhost:990/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 990 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 990 (#0)
< 220 WELCOME TO FTP SERVICE
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/domain.csr
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: C=RO; ST=XYZ; L=XYZ; O=Hunting Dreams SA; [email protected]
*  start date: Aug 20 16:52:08 2017 GMT
*  expire date: Aug 20 16:52:08 2018 GMT
* SSL: unable to obtain common name from peer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: unable to obtain common name from peer certificate



My question is what these errors refer to:

* SSL: unable to obtain common name from peer certificate
curl: (51) SSL: unable to obtain common name from peer certificate


I searched the net but did not understand anything from the explanations.


Maybe someone can clear this up for me.

Edited by koni2007, 20 August 2017 - 19:46.


#2
georgica

    Active Member

  • Group: Members
  • Posts: 1,483
  • Joined: 30.01.2003

When the certificate is created it asks you for some details; you probably skipped "Common Name" there. Create the certificate again and fill in all the requested fields.

#3
koni2007

    Member

  • Group: Members
  • Posts: 273
  • Joined: 07.09.2006

I recreated the certificate and put something in "Common Name" as well.

# openssl req -x509 --nodes -days 365 -newkey rsa:2048  -keyout /etc/ssl/private/domain.key  -out /etc/ssl/certs/domain.csr
Generating a 2048 bit RSA private key
..................................................................+++
..................+++
writing new private key to '/etc/ssl/private/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:RO
State or Province Name (full name) [Some-State]:Bucuresti
Locality Name (eg, city) []:Bucuresti
Organization Name (eg, company) [Internet Widgits Pty Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (e.g. server FQDN or YOUR name) []:www.bla-bla-bla.ro
Email Address []:[email protected]

On verification:

# curl -v --ftp-ssl --cacert /etc/ssl/certs/domain.csr --user popescu:popescu ftp://localhost:990

* Rebuilt URL to: ftp://localhost:990/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 990 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 990 (#0)
< 220 WELCOME TO FTP SERVICE
> AUTH SSL
< 234 Proceed with negotiation.
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/domain.csr
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se...s/sslcerts.html

Now the error is, as you can see, related to the self-signed certificate.
Could it be that the certificate is not self-signed?


With

#certtool -i < /etc/ssl/certs/domain.csr > domain.csr.view

Attached File  domain.csr.view.txt   4.34K   1 downloads

Edited by koni2007, 21 August 2017 - 21:34.


#4
koni2007

    Member

  • Group: Members
  • Posts: 273
  • Joined: 07.09.2006

I dug a bit more and came to the conclusion that I need to generate a self-signed certificate from the private key or the certificate request or the public key.

Something like:

# openssl x509 -req -days 365 -in /etc/ssl/certs/certif-request.pem -signkey /etc/ssl/private/private-key-vsftpd.pem -out /etc/ssl/certs/certificate-signed.crt

I generated the self-signed certificate from the certificate request, but it returns the error:

140669839299840:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE REQUEST

The self-signed certificate should contain something, but in my case, because of the error, it is empty.


How can I fix this last error?

Edited by koni2007, 23 August 2017 - 20:05.
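
Added example, not part of the original thread: a shell sketch showing that `openssl req -x509` writes a certificate rather than a CSR, and that `openssl x509 -req` only accepts a file that starts with `-----BEGIN CERTIFICATE REQUEST-----`, which is what the "Expecting: CERTIFICATE REQUEST" message above refers to. The helper names, the file names and the CN `ftp.example.test` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration; file names and the CN used below are constructed, not from the thread.

# Print what a PEM file contains, judged by its first "-----BEGIN ...-----" line.
pem_kind() {
    local header
    header=$(grep -m1 -- '^-----BEGIN ' "$1") || { echo "not-pem"; return 1; }
    case "$header" in
        *"CERTIFICATE REQUEST"*) echo "csr" ;;
        *"CERTIFICATE"*)         echo "certificate" ;;
        *"PRIVATE KEY"*)         echo "private-key" ;;
        *)                       echo "other" ;;
    esac
}

# One step: key + self-signed certificate (what `req -x509` writes is a certificate).
make_selfsigned() {   # usage: make_selfsigned DIR CN
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Two steps: create a CSR first, then sign it with the same key.
make_via_csr() {      # usage: make_via_csr DIR CN
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/req.key" -out "$1/req.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/req.csr" -signkey "$1/req.key" \
        -out "$1/signed.crt" 2>/dev/null
}

# Self-signed means the subject and the issuer are the same name.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" ]
}

demo() {
    local d; d=$(mktemp -d)
    make_selfsigned "$d" ftp.example.test && make_via_csr "$d" ftp.example.test || return 1
    for f in server.key server.crt req.csr signed.crt; do
        printf '%-12s %s\n' "$f" "$(pem_kind "$d/$f")"
    done
    # Feeding a certificate to `x509 -req` fails: it expects a CERTIFICATE REQUEST.
    openssl x509 -req -in "$d/server.crt" -signkey "$d/server.key" -out "$d/bad.crt" \
        2>/dev/null || echo "x509 -req rejected server.crt (not a CSR)"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to generate the files in a temporary directory and print the kind of each one.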


#5
LensFlare

    Tin Foil Mask Society

  • Group: Senior Members
  • Posts: 14,761
  • Joined: 09.05.2005

Why don't you use a Let's Encrypt certificate?

Edited by LensFlare, 25 August 2017 - 10:51.


#6
koni2007

    Member

  • Group: Members
  • Posts: 273
  • Joined: 07.09.2006

I think I found the solution:

Attached File  vsftpd-SSL-TLS.txt   4.37K   6 downloads

In Filezilla Attached File  filezilla-ssl.png   172.67K   12 downloads
