ispCP - Board - Support
FTP over TLS / SSL for a specific domain/user ? - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: Usage (/forum-34.html)
+--- Thread: FTP over TLS / SSL for a specific domain/user ? (/thread-7361.html)



FTP over TLS / SSL for a specific domain/user ? - thibotus01 - 08-02-2009 07:57 PM

Hi,

I use FTP over TLS; I added these lines to my /etc/proftpd/ispcp/domain-toto.com.conf:

Code:
#
# SSL via TLS
#
<IfModule mod_tls.c>
   # on for use of TLS
   TLSEngine                   on
   # where to log to
   TLSLog                      /var/log/proftpd/ftp_ssl.log
   # SSLv23 or TLSv1
   TLSProtocol                 SSLv23
   # whether to request the client certificate or not
   TLSOptions                  NoCertRequest
   # SSL certfile
   TLSRSACertificateFile       /etc/ssl/certs/myserver.com.crt
   # SSL keyfile
   TLSRSACertificateKeyFile    /etc/ssl/certs/myserver.com.key
   # client verification
   TLSVerifyClient             off
   TLSRequired                 on
</IfModule>

But it seems to be activated for all the domains I have. I just want to use FTP over TLS for a specific domain (or a specific login). How could this be possible?


RE: FTP over TLS / SSL for a specific domain/user ? - BeNe - 08-03-2009 06:34 PM

As you said, it is only possible for the whole ProFTPD server and all your domains.
I created a key like yourhoster.tld and everybody can use TLS or not.

Greez BeNe


RE: FTP over TLS / SSL for a specific domain/user ? - thibotus01 - 08-03-2009 06:36 PM

OK, so is it due to the TLS/SSL or proftpd engine that we can't force using SSL for a specific login/debian?


RE: FTP over TLS / SSL for a specific domain/user ? - kilburn - 08-04-2009 06:59 AM

SSL negotiation happens before any login-related thing (it would be really silly to enable SSL after having sent the password as plain text), so at this stage the server is unable to know which username/domain it will be. As a result, it's impossible to set TLS only for one login/whatever.


RE: FTP over TLS / SSL for a specific domain/user ? - thibotus01 - 08-04-2009 07:01 AM

Yeah, you're right :)


RE: FTP over TLS / SSL for a specific domain/user ? - thibotus01 - 08-06-2009 05:27 PM

Hum, I'm expecting a weird problem.
I tried to download a big file (7 GB) with FTP over TLS/SSL, and after 1.16 GB transferred I got an error, and the transfer was cancelled. I tried with different files; it's always after around 1 GB.

But via FTP, with no SSL connection, it works fine.

My client is "Transmit" on Mac OS X, and the error message is "socket read error"; the full log:

Cmd: RETR lhoal-haabis.iso
150: Opening BINARY mode data connection for lhoal-haabis.iso (7043174707 bytes)

BEFORE
**..... downloading.... **
AFTER

Remote read failed: Unknown error: 0.
426: Transfer aborted. Operation not permitted

Solved :) :)


Question: My FTPS client sometimes times out after uploading/downloading more than 1 GB of data. When I turn off SSL/TLS, the upload/download works. Why?
Answer: The culprit behind this is most likely SSL/TLS renegotiations. By default, mod_tls uses SSL/TLS renegotiations to periodically update the session key which protects the data being transferred; see the TLSRenegotiate documentation for more details, particularly the time-based and bytes-based limits at which renegotiations are forced.

Some FTPS clients, however, do not support server-initiated SSL/TLS renegotiations. When the server does try to force a renegotiation, the client fails that new handshake, cannot upload/download any more data over the protected channel, and the transfer will eventually time out. Alternatively, the transfer could terminate strangely in the middle of the upload/download. Note, however, that not all transfer issues will be caused by SSL/TLS renegotiations. Bugs in firewalls and routers can also cause these symptoms.

Should you suspect that you are having issues with your FTPS client because of SSL/TLS renegotiations, you can configure mod_tls to accept renegotiations if the client requests one, but not to otherwise force them:

TLSRenegotiate required off


http://proftpd.online-mirror.de/docs/howto/TLS.html
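The mod_tls fragment posted at the top of the thread and the TLSRenegotiate FAQ quoted above can be checked mechanically. The script below is an added example, not code from the thread or from the ProFTPD project: it parses the directive syntax of the posted fragment (a constructed copy is embedded inline, with the trailing comments moved onto their own lines), tracks the <IfModule> block, and reports the three points the thread settles on: TLSRequired on applying to every login because the handshake precedes USER, a missing TLSRenegotiate leaving server-forced renegotiations at their default, and TLSProtocol SSLv23 still admitting SSLv3. The finding codes and the parse_proftpd/audit_tls names are my own, and the "hardened" variant is a constructed copy with the FAQ's TLSRenegotiate required off added.

```python
"""Audit a ProFTPD mod_tls configuration fragment (added example, not from
the thread or the ProFTPD project)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the mod_tls fragment posted in the thread, with the
# trailing comments moved to their own lines (ProFTPD comments are full-line).
SAMPLE_CONF = """\
#
# SSL via TLS
#
<IfModule mod_tls.c>
   TLSEngine                   on
   TLSLog                      /var/log/proftpd/ftp_ssl.log
   TLSProtocol                 SSLv23
   TLSOptions                  NoCertRequest
   TLSRSACertificateFile       /etc/ssl/certs/myserver.com.crt
   TLSRSACertificateKeyFile    /etc/ssl/certs/myserver.com.key
   TLSVerifyClient             off
   TLSRequired                 on
</IfModule>
"""

# Constructed variant applying the FAQ's advice (accept client-requested
# renegotiations, never force them) and a TLS-only protocol setting.
HARDENED_CONF = SAMPLE_CONF.replace("SSLv23", "TLSv1").replace(
    "</IfModule>", "   TLSRenegotiate required off\n</IfModule>")

Directive = Tuple[str, List[str], Tuple[str, ...]]  # (name, args, enclosing blocks)


def parse_proftpd(text: str) -> List[Directive]:
    """Parse ProFTPD-style directives, recording the <Block> sections each sits in.

    Full-line comments and blank lines are skipped; mismatched block tags raise.
    """
    stack: List[str] = []
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<(\w+)(?:\s+(.*?))?>", line)
        if opened:
            stack.append(opened.group(1))
            continue
        closed = re.fullmatch(r"</(\w+)>", line)
        if closed:
            if not stack or stack[-1] != closed.group(1):
                raise ValueError(f"unbalanced </{closed.group(1)}>")
            stack.pop()
            continue
        parts = line.split()
        out.append((parts[0], parts[1:], tuple(stack)))
    if stack:
        raise ValueError(f"unclosed block <{stack[-1]}>")
    return out


def tls_settings(text: str) -> Dict[str, List[str]]:
    """Collect TLS* directives as {lower-cased name: args}; a later repeat wins."""
    return {name.lower(): args
            for name, args, _blocks in parse_proftpd(text)
            if name.lower().startswith("tls")}


def audit_tls(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the points raised in the thread."""
    cfg = tls_settings(text)
    findings: List[Tuple[str, str]] = []
    if cfg.get("tlsengine", ["off"])[0].lower() != "on":
        return [("TLS_OFF", "mod_tls is not enabled; no FTPS at all")]

    # TLSRequired is a server-wide policy: the TLS handshake precedes USER,
    # so it cannot be made conditional on a login or a domain.
    if cfg.get("tlsrequired", ["off"])[0].lower() == "on":
        findings.append(("TLS_FORCED_ALL",
                         "TLSRequired on applies to every login on this server"))

    # Per the quoted FAQ, the default is to force periodic renegotiations,
    # which some clients cannot complete (transfers dying after ~1 GB).
    # 'TLSRenegotiate none' disables renegotiation entirely.
    reneg = [a.lower() for a in cfg.get("tlsrenegotiate", [])]
    required_off = ("required" in reneg
                    and reneg[reneg.index("required") + 1:][:1] == ["off"])
    if reneg != ["none"] and not required_off:
        findings.append(("RENEG_FORCED",
                         "server-forced renegotiations left enabled; "
                         "consider 'TLSRenegotiate required off'"))

    # SSLv23 negotiates SSLv3 as well as TLS; TLSv1 (or newer) is TLS-only.
    if any(p.lower() == "sslv23" for p in cfg.get("tlsprotocol", [])):
        findings.append(("OLD_PROTO", "TLSProtocol SSLv23 still permits SSLv3"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for code, msg in audit_tls(conf) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it as-is to see the posted fragment produce all three findings and the hardened copy only TLS_FORCED_ALL, which is the one point no configuration can fix: as kilburn notes, the server has not seen the username when the handshake happens, so TLSRequired can only be a server-wide choice. Point the script at a real file by passing its contents to audit_tls.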