  #1  
9th February 2011, 18:06
ernie49
pure-ftpd tls problem

Hello,

I have installed CentOS 5.5 with the latest updates. After this I installed pure-ftpd 1.0.29-1.el5.1. I configured it with virtual users and TLS=1 in the config. I created a .pem SSL key in /etc/ssl/private with openssl. Pure-ftpd starts without problems. FTP works fine, but if I try FTPES with FileZilla it hangs. FileZilla is at the latest version.

Filezilla connect log:

Connecting to xxx.xxx.x.17:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 16:44. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Error: Could not connect to server


Pure-ftpd log:

pure-ftpd: (?@xxx.xxx.x.159) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please reconnect using SSL/TLS security mechanisms.

Does someone have an idea what kind of problem it could be?

Thanks for the help.

Ernie

update:

I tried vsftpd and ProFTPD. FTP works fine with them, but I have the same problem with TLS (FTPES) with both too.

Last edited by ernie49; 10th February 2011 at 13:29.
  #2  
10th February 2011, 20:50
falko

Can you post your PureFTPd configuration file?
  #3  
11th February 2011, 10:06
ernie49

Here is my conf file:


ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 8
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous yes
SyslogFacility ftp
DontResolve yes
MaxIdleTime 5
PureDB /etc/pure-ftpd/pureftpd.pdb
PAMAuthentication yes
LimitRecursion 10000 8
AnonymousCanCreateDirs no
MaxLoad 4
PassivePortRange 30000 50000
AntiWarez yes
Umask 133:022
MinUID 500
UseFtpUsers no
AllowUserFXP no
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload yes
AltLog clf:/var/log/pureftpd.log
MaxDiskUsage 90
CustomerProof yes
TLS 1
IPV4Only yes


Thank you for helping me.

Kind regards

Ernie
  #4  
12th February 2011, 11:58
falko

I've written a tutorial about how to set up TLS with PureFTPd on CentOS which has not been published yet. This is an excerpt from it which you should try:

Quote:
2 Installing OpenSSL

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

yum install openssl


3 Configuring PureFTPd

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 1
[...]

If you want to accept TLS sessions only (no FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 2
[...]

To not allow TLS at all (only FTP), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 0
[...]


4 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [GB]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Berkshire]: <-- Enter your State or Province Name.
Locality Name (eg, city) [Newbury]: <-- Enter your City.
Organization Name (eg, company) [My Company Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS
  #5  
14th February 2011, 10:54
ernie49

Hello,

1. openssl is installed (latest version from CentOS)
2. TLS = 1
3. I generated cert files with openssl and also with certtool (from gnutls). I placed them in /etc/ssl/private and /etc/pure-ftpd. I tried them one by one.
4. I did a chmod 600 on the files too. And I restarted pure-ftpd after every change.

But nothing has changed. Always the same problem.

Kind regards.

Ernie
  #6  
15th February 2011, 15:24
falko

What's the output of
Code:
getenforce
?
  #7  
15th February 2011, 17:38
ernie49

getenforce= Disabled
I suppose getenforce=SELinux.

The firewall (iptables) is also disabled at the moment because it's a future web and FTP server and I am testing it on my LAN. So there are no firewall problems or passive port problems.

Thank you for trying to help me.

Kind regards

Ernie
  #8  
16th February 2011, 17:29
falko

Is this a physical server or a virtual machine?
  #9  
17th February 2011, 12:05
ernie49

It's a virtual machine. It runs on VMware (vSphere) ESX 4.
  #10  
20th February 2011, 03:47
shellscripter

cp /etc/ssl/private/pure-ftpd.pem /etc/pki/pure-ftpd/pure-ftpd.pem

/etc/init.d/pure-ftpd restart

Last edited by shellscripter; 20th February 2011 at 03:50.
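
A check for the situation in this thread, where AUTH TLS returns 234 but the handshake then fails: it verifies that the PEM file the daemon loads exists, holds both a certificate and its matching private key, is not readable by group or others, and has not expired. This is an added example, not part of any post above; `check_ftpd_pem` is a hypothetical helper name, the default path is the one from post #10, and it assumes an `openssl` binary that provides the `pkey` subcommand (1.0.0 or later).

```shell
#!/bin/sh
# Added example: sanity-check a combined key+certificate PEM for an FTPS daemon.
# check_ftpd_pem is a hypothetical helper; the default path is the one used
# in post #10 of this thread. Pass another path as the first argument.

check_ftpd_pem() {
    pem=${1:-/etc/pki/pure-ftpd/pure-ftpd.pem}

    # 1: without the file at the expected path the TLS handshake cannot start
    [ -r "$pem" ] || { echo "missing or unreadable: $pem"; return 1; }

    # 2: the file must hold both the certificate and its private key
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem"; return 2; }
    grep -q -e '-----BEGIN.*PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem"; return 2; }

    # 3: the private key must not be readable by group or others
    #    (characters 5-10 of the ls mode string are the group/other bits)
    [ "$(ls -ldL "$pem" | cut -c5-10)" = "------" ] ||
        { echo "permissions too open on $pem (expected 600)"; return 3; }

    # 4: key and certificate must belong together: compare their public keys
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "certificate does not parse"; return 4; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
        { echo "private key does not parse"; return 4; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 4; }

    # 5: an expired certificate makes strict clients abort the handshake
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 5; }

    echo "ok: $pem"
}
```

Run it against whichever path your pure-ftpd build reads its certificate from. From a client machine, `openssl s_client -connect host:21 -starttls ftp` then shows whether the handshake itself completes.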
All times are GMT +2.