Current time: 11-16-2024, 09:22 AM Hello There, Guest! (LoginRegister)


Post Reply 
FTP over TLS / SSL for a specific domain/user ?
Author Message
thibotus01 Offline
Junior Member
*

Posts: 47
Joined: Feb 2009
Reputation: 0
Post: #1
FTP over TLS / SSL for a specific domain/user ?
Hi,

I use FTP over TLS, I added these lines in my : /etc/proftpd/ispcp/domain-toto.com.conf

Code:
#
# SSL via TLS
#
<IfModule mod_tls.c>
   TLSEngine                   on                                      # on for use of TLS
   TLSLog                      /var/log/proftpd/ftp_ssl.log            # where to log to
   TLSProtocol                 SSLv23                                  # SSLv23 or TLSv1
   TLSOptions                  NoCertRequest                           # either to request the certificate or not
   TLSRSACertificateFile       /etc/ssl/certs/myserver.com.crt # SSL certfile
   TLSRSACertificateKeyFile    /etc/ssl/certs/myserver.com.key # SSL keyfile
   TLSVerifyClient             off                                     # client verification
   TLSRequired on
</IfModule>

But It seems to be activated for all the domains I have. I just want to use FTP over TLS for a specific domain (or specific login). How could be possible ?
(This post was last modified: 08-02-2009 08:25 PM by thibotus01.)
08-02-2009 07:57 PM
Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #2
RE: FTP over TLS / SSL for a specific domain/user ?
As you said - only possible for the whole Proftpd Server and all your Domains.
I created a Key like yourhoster.tld and everybody can use TLS or not.

Greez BeNe
08-03-2009 06:34 PM
Visit this user's website Find all posts by this user Quote this message in a reply
thibotus01 Offline
Junior Member
*

Posts: 47
Joined: Feb 2009
Reputation: 0
Post: #3
RE: FTP over TLS / SSL for a specific domain/user ?
Ok, so it's due to the TLS / SSL or proftpd engine that we can't force using the SSL for a specific login/debian?
08-03-2009 06:36 PM
Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #4
RE: FTP over TLS / SSL for a specific domain/user ?
SSL negotiation happens before any login-related thing (it would be really silly to enable SSL after having sent the password as plain text), so at this stage the server is unable to know which will be the username/domain. As a result, it's impossible to set TLS only for one login/whatever.
08-04-2009 06:59 AM
Visit this user's website Find all posts by this user Quote this message in a reply
thibotus01 Offline
Junior Member
*

Posts: 47
Joined: Feb 2009
Reputation: 0
Post: #5
RE: FTP over TLS / SSL for a specific domain/user ?
Yeah you right Smile
08-04-2009 07:01 AM
Find all posts by this user Quote this message in a reply
thibotus01 Offline
Junior Member
*

Posts: 47
Joined: Feb 2009
Reputation: 0
Post: #6
RE: FTP over TLS / SSL for a specific domain/user ?
Hum, i'm excpecting a weird problem.
I try to download a big file (7GB) with FTP over TLS/SSL, and after 1.16GB transfered I got an error, and the transfer is canceled. I tried with different files, it's always after around 1GB.

But via FTP, no ssl connection, it works fine.

My client is "transmit" on MAC OS X, and the error message is "socket read error", the full log:

Cmd: RETR lhoal-haabis.iso
150: Opening BINARY mode data connection for lhoal-haabis.iso (7043174707 bytes)

BEFORE
**..... downloading.... **
AFTER

Remote read failed: Unknown error: 0.
426: Transfer aborted. Operation not permitted
Solved Smile Smile


Question: My FTPS client sometimes times out after uploading/downloading more than 1 GB of data. When I turn off SSL/TLS, the upload/download works. Why?
Answer: The culprit behind this is most likely SSL/TLS renegotiations. By default, mod_tls uses SSL/TLS renegotiations to periodically update the session key which protects the data being transferred; see the TLSRenegotiate documentation for more details, particularly the time-based and bytes-based limits at which renegotations are forced.

Some FTPS clients, however, do not support server-initiated SSL/TLS renegotations. When the server does try to force a renegotiation, the client fails that new handshake, cannot upload/download any more data over the protected channel, and the transfer will eventually time out. Alternatively, the transfer could terminate strangely in the middle of the upload/download. Note, however, that not all transfer issues will be caused by SSL/TLS renegotiations. Bugs in firewalls and routers can also cause these symptoms.

Should you suspect that you are having issues with your FTPS client because of SSL/TLS renegotiations, you can configure mod_tls to accept renegotiations if the client requests one, but not to otherwise force them:

TLSRenegotiate required off


http://proftpd.online-mirror.de/docs/howto/TLS.html
(This post was last modified: 08-06-2009 05:31 PM by thibotus01.)
08-06-2009 05:27 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)