PureFTP TLS problem - sucked for 2 days.

Discussion in 'Installation/Configuration' started by pavljiks, Jan 25, 2011.

  1. pavljiks

    pavljiks New Member

    Ubuntu 10.10, ISPConfig 3.0.3.2.
    Installed following http://www.howtoforge.com/perfect-server-ubuntu-10.10-maverick-meerkat-ispconfig-3-p4
    and
    http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

    Double-checked using http://www.howtoforge.com/how-to-configure-pureftpd-to-accept-tls-sessions-on-debian-lenny
    Tried dozens of self-signed and GoDaddy certificates.
    But I still can't log in using FTPES (explicit TLS/SSL).
    Usual plain FTP works fine.

    Switching on FTP+TLS:
    Code:
    [email protected]:/home/user# echo 1 > /etc/pure-ftpd/conf/TLS
    Illustrating the full certificate generation process:
    Code:
    [email protected]:/home/user# /etc/init.d/pure-ftpd-mysql restart
    Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -D -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -u 1000 -H -E -8 UTF-8 -b -A -d -B
    [email protected]:/home/user# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
    Generating a 2048 bit RSA private key
    ..............+++
    ...............................................+++
    writing new private key to '/etc/ssl/private/pure-ftpd.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:LV
    State or Province Name (full name) [Some-State]:LV
    Locality Name (eg, city) []:LV
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:LV
    Organizational Unit Name (eg, section) []:LV
    Common Name (eg, YOUR name) []:server1.mydomain.me
    Email Address []:[email protected]
    
    Restarting pure-ftpd-mysql
    Code:
    [email protected]:/home/user# /etc/init.d/pure-ftpd-mysql restart
    Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -D -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -u 1000 -H -E -8 UTF-8 -b -A -d -B
    
    Got a normal-looking certificate and key.
    Code:
    cat pure-ftpd.pem
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAuFOxcX9pBvt9qBR8rLQ0q222y3rCtnZUJNTxZxLHKxt9gfVD
    30WOqf7dX4JuNbZU9WkRC9iVBV/GfH4Pddh/XpHtvUUMfI/CX7uUqJkAoCPiRPlE
    ......
    faAs69cSo9UrkCg6+9wRWfi24tOkzqbiOqoC0yceIWxoYYErbwfpG5fJ6Ybzzsko
    0MHXwckPaBirJd4gFVVOTaHLYgGVJvyQQFu+gO/NFysGcRvQKU9A0w==
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEVzCCAz+gAwIBAgIJAPGR8PXLd+qXMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
    .........
    JATs50UFqxej5QWWDn+ozsfcYH1px8CDR1LJiBF68D6eh0KPC9HnIvqfR+4WNJFJ
    Oibz9buSPbZ3CpcF2ci2PRdzC6tss0BE+g/ziNFXWObE0/pvOQB02z/Jzzf0o1/M
    RPCIR87dvbpEQ/E=
    -----END CERTIFICATE-----
    

    And when I try to connect using FileZilla with the explicit TLS method as described, I get:

    Code:
    Status:	Resolving address of server1.mydomain.at
    Status:	Connecting to 1.1.1.1:21...
    Status:	Connection established, waiting for welcome message...
    Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:	220-You are user number 1 of 50 allowed.
    Response:	220-Local time is now 15:25. Server port: 21.
    Response:	220-This is a private system - No anonymous login
    Response:	220-IPv6 connections are also welcome on this server.
    Response:	220 You will be disconnected after 15 minutes of inactivity.
    Command:	AUTH TLS
    Response:	234 AUTH TLS OK.
    Status:	Initializing TLS...
    Error:	GnuTLS error -73: ASN1 parser: Error in TAG.
    Error:	Could not connect to server
    Status:	Waiting to retry...
    Status:	Resolving address of server1.mydomain.at
    Status:	Connecting to 1.1.1.1:21...
    Status:	Connection established, waiting for welcome message...
    Response:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:	220-You are user number 1 of 50 allowed.
    Response:	220-Local time is now 15:25. Server port: 21.
    Response:	220-This is a private system - No anonymous login
    Response:	220-IPv6 connections are also welcome on this server.
    Response:	220 You will be disconnected after 15 minutes of inactivity.
    Command:	AUTH TLS
    Response:	234 AUTH TLS OK.
    Status:	Initializing TLS...
    Error:	GnuTLS error -73: ASN1 parser: Error in TAG.
    Error:	Could not connect to server
    Debug log from server:
    Code:
    Jan 25 15:25:33 server1 pure-ftpd: ([email protected]) [INFO] New connection from 1.1.1.1
    Jan 25 15:25:33 server1 pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS]
    Jan 25 15:25:33 server1 pure-ftpd: ([email protected]) [WARNING] Sorry, cleartext sessions are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.
    Have tried a different FTP client, SmartFTP (which also supports Pure-FTPd TLS).

    Its output:
    Code:
    [15:30:28] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    [15:30:28] 220-You are user number 2 of 50 allowed.
    [15:30:28] 220-Local time is now 15:30. Server port: 21.
    [15:30:28] 220-This is a private system - No anonymous login
    [15:30:28] 220-IPv6 connections are also welcome on this server.
    [15:30:28] 220 You will be disconnected after 15 minutes of inactivity.
    [15:30:28] AUTH TLS
    [15:30:28] 234 AUTH TLS OK.
    [15:30:28] SSL: Error (Error=0x80090308).
    [15:30:28] The token supplied to the function is invalid
    [15:30:28] Client closed the connection.
    [15:30:28] Connect failed. Waiting to retry (30s)...
    Maybe someone has found a solution. I am so confused.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Have you tried to accept the default values (by just pressing ENTER) when you generated the certificate?
     
  3. pavljiks

    pavljiks New Member

    Yes, also the default values, including the correct CN and excluding it.
     
  4. pavljiks

    pavljiks New Member

    Is it possible for you to paste a correct working certificate here (self-tested)? I know it sounds stupid, but I just can't imagine what else I could try to test.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you install the pure-ftpd package from Ubuntu or did you compile it yourself or got it from any other source?
     
  6. pavljiks

    pavljiks New Member

  7. till

    till Super Moderator Staff Member ISPConfig Developer

    It seems as if Ubuntu compiles pure-ftpd with the GnuTLS library for SSL instead of OpenSSL. I've read on the internet that certs created with OpenSSL sometimes cause parsing errors with GnuTLS. So you might want to try to create a new self-signed certificate with the cert tool that comes with GnuTLS instead of the OpenSSL tool and try to use that with pure-ftpd. Here is a tutorial to create a key and certificate with GnuTLS:

    http://ubuntuforums.org/showthread.php?t=1241136
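    As an added example (not from this thread), a small stdlib-only Python check that a combined pure-ftpd.pem actually contains a private key block and a certificate block, and that each block base64-decodes to DER whose outer tag is a SEQUENCE with a length consistent with the body, which is the kind of defect a client reports as an ASN.1 tag error before the TLS handshake even starts. The sample PEM bodies below are constructed placeholders (tiny hand-built DER), not real key material.

```python
import base64
import binascii
import re

# Constructed sample bodies: 30 03 02 01 05 is DER for SEQUENCE { INTEGER 5 }.
GOOD_DER = bytes.fromhex("3003020105")
# Same bytes with the outer tag corrupted (0x31 = SET, not SEQUENCE).
BAD_DER = bytes.fromhex("3103020105")

def pem_block(label, der):
    body = base64.encodebytes(der).decode().replace("\n", "")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins for a combined pure-ftpd.pem (key block, then cert block).
SAMPLE_OK = pem_block("RSA PRIVATE KEY", GOOD_DER) + pem_block("CERTIFICATE", GOOD_DER)
SAMPLE_BAD = pem_block("RSA PRIVATE KEY", GOOD_DER) + pem_block("CERTIFICATE", BAD_DER)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_outer_length(der):
    """Total length claimed by the outer DER header, or None when the tag is
    not SEQUENCE (0x30) or the length octets are malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n following octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text):
    """Inspect every PEM block in the file; return (labels, problems)."""
    labels, problems = [], []
    for label, b64 in PEM_RE.findall(text):
        labels.append(label)
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        expected = der_outer_length(der)
        if expected is None:
            problems.append(f"{label}: outer tag is not a DER SEQUENCE")
        elif expected != len(der):
            problems.append(f"{label}: DER length {expected} != {len(der)} bytes")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("no PRIVATE KEY block found")
    return labels, problems
```

    Run it against the real file with check_pem(open("/etc/ssl/private/pure-ftpd.pem").read()); an empty problem list means the file is at least structurally sound, so a remaining client-side ASN.1 error points at the library mismatch described above rather than at a corrupt file.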
     
  8. pavljiks

    pavljiks New Member

    GnuTLS certificates help. But I can't find any how-to on compiling pure-ftpd with the OpenSSL library, because I need to use a legitimate OpenSSL certificate from GoDaddy.
     