Gentoo Forums
GLFTPD 2.0.1 TLS - Failed TLS negotiation [UNSOLVED/ONGOING]
Gentoo Forums Forum Index > Networking & Security
HeXiLeD
l33t

Joined: 20 Aug 2005
Posts: 858
Location: online

PostPosted: Mon Jun 05, 2006 9:41 pm    Post subject: GLFTPD 2.0.1 TLS - Failed TLS negotiation [UNSOLVED/ONGOING]

I am having a SERIOUS issue with glftpd and the use of TLS.
Everything seems to be working, but when I set it up to use TLS in the main conf, the client hangs and fails to complete the connection.

Details:

GLFTPD was installed manually and not using emerge.

dev-tcltk/tls - 1.4.1 - installed
net-libs/gnutls - 1.2.10 - installed



/etc/xinetd.d/glftpd


Code:
service glftpd
{
 disable = no
 flags           = REUSE NAMEINARGS
 socket_type     = stream
 protocol        = tcp
 wait            = no
 user            = root
 server          = /usr/sbin/tcpd
 server_args     = /path/to/glftpd/bin/glftpd glftpd -l -L -o -i -e -d -n3 -s /path/to/glftpd/bin/glstrings.bin -r /path/to/glftpd.conf -z cert=/path/to/glftpd-cert/ftpd-dsa.pem
}



/etc/xinetd.conf

Code:
# /etc/xinetd.conf: sample configuration file for xinetd

defaults
{
        instances      = 60
        log_type       = SYSLOG authpriv info
        log_on_success = HOST PID
        log_on_failure = HOST
        cps            = 25 30
}

includedir /etc/xinetd.d



Some relevant glftpd.conf settings:

Code:
# If you have dsa cert file
DSA_CERT_FILE /path/to/glftpd-cert/ftpd-dsa.pem
CIPHERS_FOR_CTRL HIGH

# ciphers for dirlists
# CIPHERS_FOR_DIR MEDIUM:HIGH:LOW

CIPHERS_FOR_DIR HIGH

# ciphers for other data transfers
# CIPHERS_FOR_DATA MEDIUM:HIGH:LOW
# The higher the cipher is the slower the upload is

CIPHERS_FOR_DATA HIGH
# TLS enforcements.

userrejectsecure        !*
userrejectinsecure       *
denydiruncrypted         *
denydatauncrypted       *

# TLS_FTPS [0/1] (0 is default)
#    if 1 glftpd will run in ftps mode, whole connection from the beginning
#    will be in ssl mode... (except for connections from bouncers, those must
#    supply IDNT command first) (note that data connection is set the ssl mode
#    too, use PROT command to switch back if you want) (check ftp-tls draft for more info)
#    (for normal ftp server you dont want this)

TLS_FTPS 0
#(note it works with '0' but the issue is when i set it to '1')


valid_ip (the internal box IP is specified here)

active_addr (I have tested this setting using either the internal box IP or the external FQDN)
pasv_addr (I have tested this setting using either the internal box IP or the external FQDN) 1

pasv_ports (also specified/open and used; the range has 15 ports open)
active_ports (also specified/open and used; the range has 15 ports open)

rootpath        /path/to/glftpd/
datapath        /ftp-data


# The config file used when we receive a SIGHUP signal

reload_config   /path/to/glftpd/glftpd.conf


To create the SSL/TLS cert I used the tool provided with glftpd:
create_server_key.sh

Code:
 # ./create_server_key.sh
create_server_key.sh v1.0 by Slask&HoE
Usage: ./create_server_key.sh [rsa] info
info - can be any word, and it should inform the client
       about the server he is logging in (for example servername)
rsa - if you dont specify this then DSA key will be created
certificate is for 900 days and is self-signed



Under /etc/hosts I have my FQDN specified.

i.e.: <box internal ip> <my.dns.domain>/<fqdn>
In this setting in fact I have more than one FQDN and a few other names. They all point to the same IP.
Note: the FQDN ones point to my WAN IP, which is forwarded to the LAN IP in the router.


FTP clients that I am using and that support SSL/TLS:
Windows: FileZilla
NIX: lftp


I have read /glftpd/docs/README.TLS

Quote:
------------------------------------------------------------------------
first of all, what is ftp TLS :
------------------------------------------------------------------------
ftp TLS is a secure extension for the normal ftp standard which lets us
use SSLv3 encryption with ftp connections, it is described in the included
IETF draft file (draft-murray-auth-ftp-ssl-xx.txt), please read it
for a lot of important information on how it works

------------------------------------------------------------------------
now, how to install glftpd-TLS :
------------------------------------------------------------------------
first install glftpd using the steps in glftpd.docs, now create yourself
a key with the included script file (/glftpd/create_server_key.sh),
for example "/glftpd/create_server_key.sh FOOBAR" will make a DSA key (default)
with filename ftpd-dsa.pem and comment text "FOOBAR"

when done, put it in some safe place (outside the /glftpd chroot)
and tell glftpd where to get it (add a DSA_CERT_FILE /glftpd/ftpd-dsa.pem line to
glftpd.conf) and you are done with the basic install, now verify all works ok
if you have any problems check error.log, if you used an RSA key use RSA_CERT_FILE...

etc ... etc ...

basically, to create a 100% secure site you will want to use these settings:
userrejectsecure !*
userrejectinsecure *
denydiruncrypted *
denydatauncrypted *



lftp has been compiled like this: net-ftp/lftp-3.4.6 +gnutls +nls -socks5 +ssl


Errors and issues:


The main problem is simple:
If I try to connect to glftpd while it uses TLS_FTPS 1 in its conf, my client (lftp) hangs when it tries to 'list' or use 'site cmd'.

In glftpd/ftp-data/logs/error.log
I get: Failed TLS negotiation on control channel, disconnected.


At first the error seemed simple, I thought...

Connecting with: lftp -u <user> -p <port> <fqdn/ip/dnsdomain> -d

I decided to change TLS_FTPS 1 to '0' and tried to connect with the debug option. The output was 'clear':

Code:
---- Connecting to <fqdn> (<internal ip>) <port>

<--- 220 <hostname> (glFTPd 2.01 Linux+TLS) ready.
---> FEAT
<--- 211- Extensions supported:
<---  AUTH TLS
<---  AUTH SSL
<---  PBSZ
<---  PROT
<---  CPSV
<---  SSCN
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  SYST
<--- 211 END
---> AUTH TLS
<--- 234 AUTH TLS successful
---> USER <testing>
Certificate: CN=<certificate-name>
 Issued by: CN=<certificate-name>
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '<my-fqdn>'

<--- 331 Password required for <testing>.
---> PASS XXXX

<--- 230 User <testing> logged in.
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (<internal-ip>,255,247)
---- Connecting data socket to (<internal-ip>) port
---- Data connection established
---> LIST
<--- 150 Opening BINARY mode data connection for directory listing using SSL/TLS.
Certificate: CN=<certificate-name>
 Issued by: CN=<certificate-name>
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '<my-fqdn>'

---- Got EOF on data connection
---- Closing data socket


At this point I thought, and I believe I was right, that I had to make a 'proper' certificate matching the FQDN; so I did.

The output was:
Code:

---- Connecting to <fqdn> (internal-ip) port
<--- 220-
<--- 220 hostname (glFTPd 2.01 Linux+TLS) ready.
---> FEAT
<--- 211- Extensions supported:
<---  AUTH TLS
<---  AUTH SSL
<---  PBSZ
<---  PROT
<---  CPSV
<---  SSCN
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  SYST
<--- 211 END
---> AUTH TLS
<--- 234 AUTH TLS successful
---> USER <testing>
Certificate: CN=<proper-fqdn>
 Issued by: CN=<proper-fqdn>
WARNING: Certificate verification: Not trusted
<--- 331 Password required for <testing>.
---> PASS XXXX

<--- 230 User <testing> logged in.
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PASV
<--- 227 Entering Passive Mode (<internal-ip>,255,251)
---- Connecting data socket to (<internal-ip>) port
---- Data connection established
---> LIST
<--- 150 Opening BINARY mode data connection for directory listing using SSL/TLS.
Certificate: CN=<proper-fqdn>
 Issued by: CN=<proper-fqdn>
WARNING: Certificate verification: Not trusted

---- Got EOF on data connection
---- Closing data socket


It looked like it was 'solved', and now I decided to go back to glftpd.conf and change TLS_FTPS 0 to '1'.

What happens now is that the client still hangs on connection. The client output stops at:

Code:
<--- 220-
`ls' at 0 [FEAT negotiation...]



glftpd/ftp-data/logs/error.log shows:

Code:
Mon Jun  5 17:15:10 2006 [6200    ] command: PBSZ 0
Mon Jun  5 17:15:10 2006 [6200    ] command: PROT P
Mon Jun  5 17:15:10 2006 [6200    ] command: PASV
Mon Jun  5 17:15:10 2006 [6200    ] command: LIST
Mon Jun  5 17:18:10 2006 [6200    ] command: QUIT


and the old error when I do ctrl+c in the client, or when it times out:

Code:
Mon Jun  5 17:22:26 2006 [6497    ] Failed TLS negotiation on control channel, disconnected.


So now I am lost. I have read most if not all other forums here related to glftpd+TLS.
I read the draft-murray-auth-ftp-ssl-xx.txt, which was a bit confusing.

Checked this glftpd forum and this one that had more info about this.

Google wasn't very friendly, and most info I got had something to do with firewalls and/or other FTP servers using TLS.

As for the #glftpd support channel... well... aren't they famous for... not supporting that much? :(

And now I am lost. I believe that this might have to do with some misconfiguration here, but I need some help trying to figure out where.
_________________
Smart way of asking questions
My UNSOLVED TOPICS
ALL Configs & Hardware SPECIFICATIONS


Last edited by HeXiLeD on Thu Dec 25, 2008 4:14 pm; edited 4 times in total
HeXiLeD

PostPosted: Fri Jun 09, 2006 5:56 am

Today I spent all my free time trying to figure out more about this issue.
Some conclusions and tests:

# I reinstalled glftpd manually on the box where it was (Gentoo amd64 stage1 install)
# I did a fresh install on another box (Gentoo 32-bit stage3 install)
# also did a fresh install on another box with a Fedora 32-bit install

FTP clients used:
Linux: gFTP, Kasablanca, ftp, lftp, NcFTP, FireFTP
Windows: FileZilla, FireFTP, FlashFXP


In all those fresh glftpd installs I decided not to change anything in the default conf other than TLS_FTPS and the other encryption settings.
It all worked until I changed TLS_FTPS 0 to 1,
and they all failed to access the server when the TLS_FTPS option was turned to 1.

Quote:
Failed TLS negotiation on control channel, disconnected


I also noticed that, for some reason and even with ftp:ssl-auth TLS set in lftp, I wasn't able to upload or download from the server even with the server using TLS_FTPS 0.

The output error message was:
Access failed: 522 You have to turn on secure data connection
so I did... ftp:ssl-auth TLS, and nothing...

From the 64-bit Gentoo to the 32-bit Gentoo and Fedora there were only a couple of changes.

With the 64-bit install I noticed that /glftpd/etc/ld.so.conf only had:
Code:
/emul/linux/x86/lib
/lib
/lib/tls
/lib32
/lib32/tls
/lib64

and was missing:
/lib64/tls
which I added later.

Related to this, inside /glftpd I also had a few more dirs:
/lib /lib32 /lib64

The other 32-bit installs had only /lib
in ld.so.conf and in the /glftpd dir.

This didn't change much other than the fact that when I connected it gave me different login output.

where before I got:
Code:
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '<my-fqdn>'


now the 32-bit OSes were giving:
Code:
Certificate depth: 0; subject: /ST=. /CN=server; issuer: /ST=. /CN=server
<--- 150 Opening BINARY mode data connection for directory listing using SSL/TLS.
Certificate depth: 0; subject: /ST=. /CN=server; issuer: /ST=. /CN=server
WARNING: Certificate verification: self signed certificate


===> This tells me that glftpd on 64-bit might need a tune-up if not more <===

Other than this I also got the following output from FlashFXP:
Code:

[L] 220 box (glFTPd 2.01 Linux+TLS) ready.
[L] AUTH TLS
[L] 234 AUTH TLS successful
[L] Connected. Negotiating TLSv1 session..
[L] TLSv1 negotiation successful...
[L] TLSv1 encrypted session using cipher DHE-DSS-AES256-SHA (256 bits)
[L] PBSZ 0
[L] 200 PBSZ 0 successful
[L] USER mike
[L] 331 Password required for <user>.
[L] PASS (hidden)
[L] 215 UNIX Type: L8
[L] FEAT
[L] 211- Extensions supported:
[L]  AUTH TLS
[L]  AUTH SSL
[L]  PBSZ
[L]  PROT
[L]  CPSV
[L]  SSCN
[L]  MDTM
[L]  SIZE
[L]  REST STREAM
[L]  SYST
[L] 211 END
[L] PWD
[L] 257 "/" is current directory.
[L] TYPE A
[L] 200 Type set to A.
[L] PROT P
[L] 200 Protection set to Private
[L] PASV
[L] 227 Entering Passive Mode (<lan ip>,255,239)
[L] Opening data connection IP: <wan ip> PORT: <xxxx>
[L] LIST -al
[L] Connected. Negotiating TLSv1 session..
[L] 150 Opening ASCII mode data connection for directory listing using SSL/TLS.
[L] TLSv1 negotiation successful...
[L] TLSv1 encrypted session using cipher DHE-DSS-AES256-SHA (256 bits)


It says it's "using TLSv1" because the client has the TLS connection option turned on. However, I don't really know if it's really using it since the server had TLS_FTPS set to 0.

Can anyone confirm?


Right now I only have a few questions and all I need is a yes or a no to try to figure out a few more things.

A: Is there anyone else using glftpd installed manually on a 64-bit Gentoo install who is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?
B: Is there anyone who emerged glftpd on 64-bit Gentoo and is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?
C: Anyone with a 32-bit Gentoo who is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?
D: Anyone with glftpd version 2.0.1 installed who is able to use TLS_FTPS 1 in glftpd.conf and connect to the server with no issues?

*note: this is glftpd 2.0.1
bol
n00b

Joined: 27 Dec 2004
Posts: 26
Location: Stockholm, Sweden

PostPosted: Wed Feb 14, 2007 11:01 am

I had the same issue on a server (i686),
and I just couldn't get FTPS working.

But then I read this explanation: http://help.globalscape.com/help/secureserver2/Explicit_versus_implicit_SS.htm

Even if you have FTP_TLS set to "0", you still have an encrypted connection; it's just that the handshake is completed later in the process.
Implicit FTPS isn't a real standard, and isn't supported by many FTP clients, but with some reconfiguration of Kasablanca it works fine.
I have read that it should work with FlashFXP too, but I haven't confirmed this.
Implicit FTPS is not activated by default.
So I believe the problem is on the client side.

I haven't found any other clients that support Implicit FTPS.

Good luck!
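The two control-channel modes this thread turns on, as an added example that is not glftpd's code nor any poster's: in the lftp transcripts in the first post the server greets in cleartext and the client sends AUTH TLS, then PBSZ 0 and PROT P before LIST (explicit FTPS, TLS_FTPS 0); with TLS_FTPS 1 the TLS handshake has to come before the banner (implicit FTPS, as bol describes), so a client that waits for a cleartext 220 or sends FEAT in the clear stalls and the server logs a failed TLS negotiation on the control channel. The Python below probes a port for which mode it speaks, subclasses ftplib.FTP_TLS so it can do implicit FTPS, and forces PROT P on the data channel, which is what the "522 You have to turn on secure data connection" reply in the second post is demanding. The banner text, the PASV reply, the fake control server and the names secure_listing, detect_ftps_mode and classify_first_bytes are constructed for the example; the self-signed server certificate passed as cafile is assumed to carry the FQDN the client connects to.

```python
"""Explicit vs implicit FTPS, as a client must speak them to glftpd.
Added example, not glftpd's code.  TLS_FTPS 0 = explicit (cleartext 220, then
AUTH TLS, then the handshake); TLS_FTPS 1 = implicit (handshake first, the 220
greeting only inside TLS), so a client that waits for a cleartext banner or
sends FEAT in the clear stalls while the server logs a failed negotiation."""
import socket
import ssl
import threading
from ftplib import FTP_TLS


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent on the control channel."""
    if not data:
        return "silent"          # implicit FTPS: server waits for a ClientHello
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"   # TLS record: content type 22, version 3.x
    if len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "ftp-reply"       # e.g. b"220 box (glFTPd 2.01 Linux+TLS) ready."
    return "unknown"


def detect_ftps_mode(host: str, port: int, timeout: float = 2.0) -> str:
    """Probe without logging in: explicit servers greet in cleartext, implicit
    ones stay silent until the client starts TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(64)
        except socket.timeout:
            return "implicit"
    kind = classify_first_bytes(first)
    return {"ftp-reply": "explicit", "silent": "implicit"}.get(kind, "unknown")


def parse_pasv_reply(line: str):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port).
    glftpd advertises pasv_addr here (a LAN address in the thread), so a client
    outside the router must compare it with the control connection's peer."""
    start, end = line.find("("), line.rfind(")")
    if not line.startswith("227") or start < 0 or end < start:
        raise ValueError("not a 227 reply: %r" % line)
    nums = [int(n) for n in line[start + 1:end].split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed address in 227 reply: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class ImplicitFTP_TLS(FTP_TLS):
    """ftplib.FTP_TLS only does explicit FTPS.  For implicit FTPS the socket is
    wrapped before connect() reads the banner; FTP_TLS.login() then skips
    AUTH TLS because self.sock is already an SSLSocket."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def secure_listing(host, port, user, passwd, cafile, implicit=False):
    """Log in, force PROT P and list '/'.  cafile is the server's self-signed
    certificate pinned as trust anchor; its CN/SAN must match host, which is
    the check behind lftp's "owner does not match hostname" warning."""
    ctx = ssl.create_default_context(cafile=cafile)
    ftp = (ImplicitFTP_TLS if implicit else FTP_TLS)(context=ctx, timeout=15)
    ftp.connect(host, port)
    ftp.login(user, passwd)   # explicit mode: login() sends AUTH TLS first
    ftp.prot_p()              # PBSZ 0 + PROT P; with denydatauncrypted * the
                              # server otherwise replies 522 (secure data required)
    ftp.trust_server_pasv_ipv4_address = False   # >=3.9.2: reuse control peer IP
    try:
        return ftp.nlst("/")
    finally:
        ftp.quit()


def start_fake_control_server(mode: str) -> int:
    """Constructed stand-in for glftpd's control port so the probe runs offline
    (no real TLS).  'explicit' greets at once, like TLS_FTPS 0; 'implicit'
    stays silent and drops a cleartext first message, like TLS_FTPS 1."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        conn, _ = lsock.accept()
        with lsock, conn:
            if mode == "explicit":
                conn.sendall(b"220 box (glFTPd 2.01 Linux+TLS) ready.\r\n")
            elif classify_first_bytes(conn.recv(5)) != "tls-handshake":
                return            # what glftpd logs as a failed TLS negotiation

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]
```

Run detect_ftps_mode(host, port) against the glftpd port first; a server that stays silent is in implicit mode and needs secure_listing(..., implicit=True), a server that greets with "220" needs the plain explicit path. Passing the self-signed certificate as cafile pins it as the trust anchor, so the "Not trusted" warning goes away without turning verification off; a certificate whose CN does not match the host still fails, which is the behaviour the first post ran into before regenerating the key.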
m4chine
Apprentice

Joined: 12 Mar 2003
Posts: 264
Location: Ventura, CA, USA

PostPosted: Sat Mar 24, 2007 6:20 pm

I have installed glftpd-2.01 from portage and have it configured using implicit FTPS (TLS_FTPS=1) on amd64 with no problems. I myself am using KFTPGrabber to make the connection, which does support Implicit SSL.

Let me know if you are still having issues and I can post any relevant configs.

Cheers!
_________________
never trust a man who can count to 1023 on his fingers.

-m4chine
HeXiLeD

PostPosted: Tue Dec 25, 2007 1:01 pm

I tried it with FileZilla and gFTP using FTPS mode and the login still hangs after it gets the MOTD.
I cannot log in using TLS_FTPS 1.
All times are GMT