Hello,

I am trying, in vain, to configure vsftpd for FTPS (SFTP does exist, but that is for another time).

I created a certificate with the following commands:

/usr/bin/openssl genrsa -des3 4096 > /etc/vsftpd/ssl.key

/usr/bin/openssl req -new -key ./ssl.key -x509 -out ./server.crt

In the vsftpd.conf configuration I set the following values:

ssl_enable=YES

# Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol
# connections. TLS v1 connections are preferred.
ssl_sslv2=YES

# Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol
# connections. TLS v1 connections are preferred.
ssl_sslv3=YES

# Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol
# connections. TLS v1 connections are preferred.
ssl_tlsv1=YES

# This option specifies the location of the RSA certificate to use for SSL encrypted connections.
# Default: /usr/share/ssl/certs/vsftpd.pem
#rsa_cert_file=/etc/vsftpd/server.crt
rsa_cert_file=/etc/vsftpd/ssl.key

# This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL
# connections. See the ciphers man page for further details. Note that restricting ciphers
# can be a useful security precaution as it prevents malicious remote parties forcing a
# cipher which they have found problems with.
ssl_ciphers=des3

# Only applies if ssl_enable is activated. If activated, all non-anonymous
# logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=NO

# Only applies if ssl_enable is activated. If activated, all non-anonymous
# logins are forced to use a secure SSL connection in order to send and
# receive data on data connections.
force_local_data_ssl=NO

Here is the result when I start the vsftpd daemon:

# /usr/sbin/vsftpd
500 OOPS: SSL: cannot load RSA key

strace output below:

I have not found any information on this kind of configuration. Has anyone already done this?

Thanks in advance
Martial

###############################################
strace output
###############################################

stat64("/etc/vsftpd.conf", {st_mode=S_IFREG|0644, st_size=24483, ...}) = 0
open("/etc/vsftpd.conf", O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=24483, ...}) = 0
mmap2(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x402c9000
mprotect(0x402d0000, 4096, PROT_NONE)   = 0
mprotect(0x402c9000, 4096, PROT_NONE)   = 0
read(3, "##################\n## Section Se"..., 24483) = 24483
mprotect(0x402c9000, 4096, PROT_READ)   = 0
munmap(0x402c9000, 32768)               = 0
close(3)                                = 0
getuid32()                              = 0
open("/etc/vsftpd/ssl.key", O_RDONLY)   = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3311, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x402c9000
read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 3311
read(3, "", 4096)                       = 0
getpid()                                = 26731
getpid()                                = 26731
getpid()                                = 26731
getpid()                                = 26731
close(3)                                = 0
munmap(0x402c9000, 4096)                = 0
fcntl64(0, F_GETFL)                     = 0x8002 (flags O_RDWR|O_LARGEFILE)
fcntl64(0, F_SETFL, O_RDWR|O_NONBLOCK|O_LARGEFILE) = 0
write(0, "500 OOPS: ", 10500 OOPS: )              = 10
write(0, "SSL: cannot load RSA key", 24SSL: cannot load RSA key) = 24
write(0, "\r\n", 2
)                     = 2
exit_group(1)                           = ?

###############################################
ldd output
###############################################

# ldd /usr/sbin/vsftpd
        libwrap.so.0 => /lib/libwrap.so.0 (0x4001b000)
        libnsl.so.1 => /lib/tls/libnsl.so.1 (0x40024000)
        libpam.so.0 => /lib/libpam.so.0 (0x4003a000)
        libdl.so.2 => /lib/tls/libdl.so.2 (0x40042000)
        libresolv.so.2 => /lib/tls/libresolv.so.2 (0x40045000)
        libutil.so.1 => /lib/tls/libutil.so.1 (0x40057000)
        libcap.so.1 => /lib/libcap.so.1 (0x4005a000)
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x4005e000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x40090000)
        libc.so.6 => /lib/tls/libc.so.6 (0x4018d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

-- 
Martial Paupe
IT Department

Kudelski Group    |   Tel direct : +41 21 732 04 55
1033 Cheseaux     |   E-mail : martial.paupe<AT>nagra.com
Switzerland
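An added diagnostic, not from the thread, that inspects the files a vsftpd `ssl_enable=YES` setup will load before the daemon is started: it reads `rsa_cert_file` (and, if set, `rsa_private_key_file`) from a vsftpd.conf, then checks that the certificate file holds a CERTIFICATE block, that the key file holds a PRIVATE KEY block, and that the key is not passphrase-encrypted (the `Proc-Type: 4,ENCRYPTED` header that `openssl genrsa -des3` writes). It assumes the traditional PEM format those commands emit and the defaults given in vsftpd.conf(5); the last occurrence of a key in the config is taken to win.

```shell
#!/bin/sh
# Added diagnostic (not vsftpd's own code): check the TLS files named in a
# vsftpd.conf the way the daemon will need them, before starting it.

# Print the value of KEY in a vsftpd.conf-style file (key=value, '#' comments).
# Assumption: the last occurrence wins.
conf_value() {
    # $1 = config path, $2 = key name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when the certificate/key files are usable by an unattended daemon,
# otherwise print the reason and return:
#   1 = config not readable      2 = certificate file not readable
#   3 = no CERTIFICATE block in the certificate file
#   4 = no PRIVATE KEY block in the key file
#   5 = key is passphrase-encrypted (Proc-Type: 4,ENCRYPTED), which a
#       daemon started at boot cannot unlock
check_vsftpd_tls() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cert=$(conf_value "$conf" rsa_cert_file)
    # Default from vsftpd.conf(5) (also quoted in the config above).
    [ -n "$cert" ] || cert=/usr/share/ssl/certs/vsftpd.pem
    key=$(conf_value "$conf" rsa_private_key_file)
    # vsftpd.conf(5): with rsa_private_key_file unset, the key is read
    # from the certificate file, so both blocks must be in that one file.
    [ -n "$key" ] || key=$cert
    [ -r "$cert" ] || { echo "rsa_cert_file $cert not readable"; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "$cert holds no CERTIFICATE block"; return 3; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "$key holds no PRIVATE KEY block"; return 4; }
    grep -q '^Proc-Type: 4,ENCRYPTED' "$key" \
        && { echo "$key is passphrase-protected"; return 5; }
    echo "ok: cert=$cert key=$key"
    return 0
}
```

Run it as `check_vsftpd_tls /etc/vsftpd.conf` and read the exit code; a file that passes still has to be readable by the user vsftpd runs as.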
