From owner-freebsd-questions@FreeBSD.ORG Thu Dec 9 13:46:13 2010
From: Redd Vinylene
To: Odhiambo Washington
Cc: questions@freebsd.org
Date: Thu, 9 Dec 2010 14:46:11 +0100
Subject: Re: vsftpd + SSL not working
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions
On Thu, Dec 9, 2010 at 1:16 PM, Odhiambo Washington wrote:
>
>
> On Thu, Dec 9, 2010 at 3:10 PM, Redd Vinylene wrote:
>
>> I'm trying to set up a virtual vsftpd-ssl-2.3.2 server (FreeBSD
>> 8.2-PRERELEASE) so my band can share new tracks, production material and
>> what not, but my SSL certificate keeps messing it up:
>> http://pastie.org/1358536 - anybody know why? It works just fine when I
>> disable the SSL. I have no firewalls running.
>>
>> I hope this is not too off-topic. I just don't know where else to ask.
>>
>>
> Would it not be better if you posted your configuration and debug logs for
> those willing to help you out to see?
>

It's all in http://pastie.org/1358536, but in case you don't want to click
the link:

## /var/log/vsftpd.conf (FTPRush)

Wed Dec 8 11:21:07 2010 [pid 38781] CONNECT: Client "161.149.221.220"
Wed Dec 8 11:21:07 2010 [pid 38781] DEBUG: Client "161.149.221.220", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Wed Dec 8 11:21:08 2010 [pid 38780] [bruner] OK LOGIN: Client "161.149.221.220"
Wed Dec 8 11:21:08 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Wed Dec 8 11:21:08 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: NONE"
Wed Dec 8 11:21:08 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"

And then the directory listing after 3 minutes:

Wed Dec 8 11:24:29 2010 [pid 38781] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: 3"

## /var/log/vsftpd.conf (FlashFXP)

Wed Dec 8 11:33:50 2010 [pid 56557] [bruner] OK LOGIN: Client "161.149.221.220"
Wed Dec 8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, reused, no cert"
Wed Dec 8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: NONE"
Wed Dec 8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec 8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec 8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec 8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "161.149.221.220", "SSL ret: 18446744073709551615, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 22"
Wed Dec 8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/track_1.mp3"
Wed Dec 8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/tracks.sfv"
Wed Dec 8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/tracks.txt"
Wed Dec 8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "161.149.221.220", "/bruner_december_2010/tracks.m3u"

And in FlashFXP:

[R] 200 PORT command successful. Consider using PASV.
[R] STOR tracks.m3u
[R] Transfer Failed!
[R] Connection lost: bruner

I tried installing OpenSSL 1.0.0b from ports over 0.9.8p that came with
FreeBSD - and then recompiling vsftpd (commenting out the .if ${OSVERSION}
< 700000 and the .endif below it in the Makefile to force it to link to the
port) - but it made no difference.

## openssl s_client -state -connect :800 (remote box)

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
3280:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:567:

## openssl s_client -tls1 -state -connect :800 (remote box)

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read server hello A
3392:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:284:

## openssl s_server -cert vsftpd.pem -key vsftpd.pem -accept 4443 (localhost)

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgMAQ7m6+qXFxEjTGqANwiHnptuHDkR+55xtbmzAhtHDwE
MLF1LRUOLLBlR8J9QrkZkiCtBgWC88NwFVX4p9wYtt09Ms0MQm/EuzMB1Jm7uquC
taEGAgRM/7XlogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported

## openssl s_client -tls1 -state -connect :4443 (remote box)

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
   i:/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC5DCCAk2gAwIBAgIJANrpCuP43bQNMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNV
BAYTAk5MMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlBbXN0ZXJkYW0x
DDAKBgNVBAoTAzc4ODEQMA4GA1UEAxMHSiBEaWxsYTAeFw0xMDEyMDcwOTQxNDFa
Fw0xMTEyMDcwOTQxNDFaMFYxCzAJBgNVBAYTAk5MMRMwEQYDVQQIEwpTb21lLVN0
YXRlMRIwEAYDVQQHEwlBbXN0ZXJkYW0xDDAKBgNVBAoTAzc4ODEQMA4GA1UEAxMH
SiBEaWxsYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx78B3EY/eC5iZJVD
/+Oczf0hpzFCv9p2Ue9SBVVDQcL0sSkLJASDoiuq57Dz2/zCoNcU9SfCGrXAx6gh
4D7q6beK5m+WZFZSF5//PMqdie4ufNDyUaYZaO+MwLbs2a61HAEVCo167h/CMIVx
va1sbVNUIYuLiorMYNJ1OVrRAzECAwEAAaOBuTCBtjAdBgNVHQ4EFgQUYbBXLuPC
AWa4yOlyKuvAhcFszy8wgYYGA1UdIwR/MH2AFGGwVy7jwgFmuMjpcirrwIXBbM8v
oVqkWDBWMaskldHKASkdJQkEhdSTMBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UE
BxMJQW1zdGVyZGFtMQwwCgYDVQQKEwM3ODgxEDAOBgNVBAMTB0ogRGlsbGGCCQDa
6Qrj+N20DTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAAfbkuNOb5N7
AyXsiMLRXkRkWmaampUPuz0zYHn+dYjutV/jowscxc+CHKGHkbfsShSV7eF50k5b
YIcsm+E6ftcshcWpreTj6khFmyMBInCKMY1NrHUJcL3f8FgRBB8tS3aX0qcrch45
T+Hp2wku0v34s/eZoLmbulQ6z7x7F30e
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
issuer=/C=US/ST=CA/L=Los Angeles/O=BBFTP/CN=Bruner
---
No client certificate CA names sent
---
SSL handshake has read 1180 bytes and written 232 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 30043B9BAFAA5C5C448D31AA00DC221E7A6DB870E447EE79C6D6E6CC086D1C3C
    Session-ID-ctx:
    Master-Key: B1752D150E2CB06547C27D42B9199220AD060582F3C3701555F8A7DC18B6DD3D32CD0C426FC4BB3301D499BBBAAB82B5
    Key-Arg   : None
    Start Time: 1291826659
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

## /usr/local/etc/vsftpd.conf

# portinstall pam_pwdfile
# gem install htauth
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
# htpasswd-ruby -c -b /usr/home/bruner/users.db
anonymous_enable=NO
listen=YES
listen_port=800
connect_from_port_20=YES
background=YES
write_enable=YES
local_enable=YES
local_root=/usr/home/bruner/content
virtual_use_local_privs=YES
ftpd_banner=Welcome to the Bruner Brothers FTP: http://www.youtube.com/watch?v=6xQyOR7WBIo
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
rsa_cert_file=/usr/local/etc/vsftpd.pem
pam_service_name=vsftpd
pasv_promiscuous=YES
port_promiscuous=YES
xferlog_enable=YES
xferlog_file=/usr/home/bruner/transfers.log
debug_ssl=YES

## /etc/pam.d/vsftpd

auth required /usr/local/lib/pam_pwdfile.so pwdfile /usr/home/bruner/users.db
account required /usr/lib/pam_permit.so

## dmesg

Copyright (c) 1992-2010 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.2-PRERELEASE #0: Mon Nov 29 12:32:44 CET 2010
    bruner@bruner:/usr/obj/usr/src/sys/GENERIC amd64
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU X3210 @ 2.13GHz (2135.55-MHz K8-class CPU)
  Origin = "GenuineIntel" Id = 0x6fb Family = 6 Model = f Stepping = 11
  Features=0xbfebfbff
  Features2=0xe3bd
  AMD Features=0x20100800
  AMD Features2=0x1
  TSC: P-state invariant
real memory = 4294967296 (4096 MB)
avail memory = 4093214720 (3903 MB)
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 1 package(s) x 4 core(s)
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
 cpu2 (AP): APIC ID: 2
 cpu3 (AP): APIC ID: 3
ioapic0: Changing APIC ID to 4
ioapic1: Changing APIC ID to 5
ioapic0 irqs 0-23 on motherboard
ioapic1 irqs 32-55 on motherboard
kbd1 at kbdmux0
acpi0: on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
cpu0: on acpi0
cpu1: on acpi0
cpu2: on acpi0
cpu3: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pcib1: irq 16 at device 1.0 on pci0
pci1: on pcib1
em0: port 0xecc0-0xecdf mem 0xdfd80000-0xdfd9ffff,0xdfda0000-0xdfdbffff irq 16 at device 0.0 on pci1
em0: Using an MSI interrupt
em0: [FILTER]
em0: Ethernet address: 00:15:17:6b:2c:32
em1: port 0xece0-0xecff mem 0xdfdc0000-0xdfddffff,0xdfde0000-0xdfdfffff irq 17 at device 0.1 on pci1
em1: Using an MSI interrupt
em1: [FILTER]
em1: Ethernet address: 00:15:17:6b:2c:33
pcib2: irq 16 at device 28.0 on pci0
pci2: on pcib2
pcib3: at device 0.0 on pci2
pci3: on pcib3
pcib4: at device 2.0 on pci3
pci4: on pcib4
vgapci0: port 0xdc00-0xdcff mem 0xc8000000-0xcfffffff,0xdfef0000-0xdfefffff irq 33 at device 2.0 on pci4
pci4: at device 4.0 (no driver attached)
uart2: port 0xd8c0-0xd8ff mem 0xdfeef000-0xdfeeffff,0xc7f80000-0xc7ffffff irq 34 at device 4.1 on pci4
uart2: [FILTER]
pci4: at device 4.2 (no driver attached)
atapci0: port 0xd8a0-0xd8a7,0xd888-0xd88b,0xd8a8-0xd8af,0xd88c-0xd88f,0xd8b0-0xd8bf mem 0xdfeeef00-0xdfeeefff irq 32 at device 7.0 on pci4
atapci0: [ITHREAD]
ata2: on atapci0
ata2: [ITHREAD]
ata3: on atapci0
ata3: [ITHREAD]
pcib5: irq 16 at device 28.4 on pci0
pci5: on pcib5
pcib6: irq 17 at device 28.5 on pci0
pci6: on pcib6
uhci0: port 0xbc60-0xbc7f irq 21 at device 29.0 on pci0
uhci0: [ITHREAD]
usbus0: on uhci0
uhci1: port 0xbc80-0xbc9f irq 20 at device 29.1 on pci0
uhci1: [ITHREAD]
usbus1: on uhci1
uhci2: port 0xbca0-0xbcbf irq 21 at device 29.2 on pci0
uhci2: [ITHREAD]
usbus2: on uhci2
ehci0: mem 0xdfcffc00-0xdfcfffff irq 21 at device 29.7 on pci0
ehci0: [ITHREAD]
usbus3: EHCI version 1.0
usbus3: on ehci0
pcib7: at device 30.0 on pci0
pci7: on pcib7
isab0: at device 31.0 on pci0
isa0: on isab0
atapci1: port 0xbc30-0xbc37,0xbc28-0xbc2b,0xbc38-0xbc3f,0xbc2c-0xbc2f,0xbc40-0xbc4f,0xbc50-0xbc5f irq 23 at device 31.2 on pci0
atapci1: [ITHREAD]
ata4: on atapci1
ata4: [ITHREAD]
ata5: on atapci1
ata5: [ITHREAD]
acpi_hpet0: iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
atrtc0: port 0x70-0x7f irq 8 on acpi0
fdc0: port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: does not respond
device_attach: fdc0 attach returned 6
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: [FILTER]
orm0: at iomem 0xc0000-0xcafff,0xec000-0xeffff on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
atkbdc0: at port 0x60,0x64 on isa0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
ppc0: cannot reserve I/O port range
est0: on cpu0
p4tcc0: on cpu0
est1: on cpu1
p4tcc1: on cpu1
est2: on cpu2
p4tcc2: on cpu2
est3: on cpu3
p4tcc3: on cpu3
Timecounters tick every 1.000 msec
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 12Mbps Full Speed USB v1.0
usbus2: 12Mbps Full Speed USB v1.0
usbus3: 480Mbps High Speed USB v2.0
ugen0.1: at usbus0
uhub0: on usbus0
ugen1.1: at usbus1
uhub1: on usbus1
ugen2.1: at usbus2
uhub2: on usbus2
ugen3.1: at usbus3
uhub3: on usbus3
uhub0: 2 ports with 2 removable, self powered
uhub1: 2 ports with 2 removable, self powered
uhub2: 2 ports with 2 removable, self powered
device_attach: afd0 attach returned 6
acd0: CDROM at ata2-slave PIO3
ad8: 1907729MB at ata4-master UDMA100 SATA 3Gb/s
uhub3: 6 ports with 6 removable, self powered
ad10: 1907729MB at ata5-master UDMA100 SATA 3Gb/s
SMP: AP CPU #2 Launched!
SMP: AP CPU #1 Launched!
SMP: AP CPU #3 Launched!
Root mount waiting for: usbus3
uhub_reattach_port: port 1 reset failed, error=USB_ERR_TIMEOUT
uhub_reattach_port: device problem (USB_ERR_TIMEOUT), disabling port 1
Trying to mount root from ufs:/dev/ad8s1a
ugen0.2: at usbus0
ugen3.2: at usbus3
uhub4: on usbus3
ukbd0: on usbus0
kbd2 at ukbd0
ums0: on usbus0
ZFS NOTICE: Prefetch is disabled by default if less than 4GB of RAM is present;
            to enable, add "vfs.zfs.prefetch_disable=0" to /boot/loader.conf.
ZFS filesystem version 4
ZFS storage pool version 15
ums0: 3 buttons and [Z] coordinates ID=0
uhub4: 4 ports with 4 removable, self powered
em0: link state changed to UP

Many thanks!
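An added example for readers of this thread (my code, not from the post, vsftpd or FreeBSD): a small Python triage script for the debug_ssl log line format the post shows. It groups lines by vsftpd pid, records the negotiated suite and whether the data-channel TLS session was resumed, flags 3DES/RC4/export suites, and decodes the "SSL ret: 18446744073709551615 ... errno: 22" line into its signed meaning (ret -1, EINVAL). The sample lines are constructed, modelled on the FlashFXP excerpt above but with a documentation-range client address. That DES-CBC3-SHA is what vsftpd 2.x negotiates when ssl_ciphers is left unset is my assumption about the default, not something the post states.

```python
"""Triage helper for vsftpd debug_ssl log lines (added example, not vsftpd code)."""
import errno
import re
from collections import defaultdict

# One vsftpd log line: timestamp, [pid], optional [user], KIND: Client "ip"[, "msg"]
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?P<kind>[A-Z ]+?): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<msg>.*)")?$'
)

# Suite names containing any of these are DES/3DES, RC4/RC2, export, MD5-MAC or
# NULL suites. DES-CBC3-SHA is (assumption) vsftpd 2.x's default ssl_ciphers
# choice; override it with ssl_ciphers in vsftpd.conf.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "RC2", "EXP", "MD5", "NULL")

# Constructed sample, modelled on the FlashFXP excerpt in the post; the client
# address is from the 203.0.113.0/24 documentation range, not the poster's.
SAMPLE_LOG = """\
Wed Dec  8 11:33:50 2010 [pid 56557] [bruner] OK LOGIN: Client "203.0.113.10"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "203.0.113.10", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, reused, no cert"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "203.0.113.10", "SSL shutdown state is: NONE"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "203.0.113.10", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Wed Dec  8 11:33:51 2010 [pid 56558] [bruner] DEBUG: Client "203.0.113.10", "SSL ret: 18446744073709551615, SSL error: error:00000000:lib(0):func(0):reason(0), errno: 22"
Wed Dec  8 11:33:53 2010 [pid 56559] [bruner] OK DELETE: Client "203.0.113.10", "/bruner_december_2010/tracks.m3u"
Wed Dec  8 11:40:00 2010 [pid 56600] [bruner] DEBUG: Client "203.0.113.10", "SSL version: TLSv1/SSLv3, SSL cipher: DHE-RSA-AES256-SHA, not reused, no cert"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def new_session():
    return {"user": None, "client": None, "cipher": None, "reused": None,
            "shutdown": [], "errors": [], "ops": []}


def triage(lines):
    """Group log lines by vsftpd pid and pull the TLS facts out of each."""
    sessions = defaultdict(new_session)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions[rec["pid"]]
        s["client"] = rec["client"]
        if rec["user"]:
            s["user"] = rec["user"]
        msg = rec["msg"] or ""
        kind = rec["kind"]
        if kind == "DEBUG":
            cm = re.search(r"SSL cipher: ([\w-]+), (not reused|reused)", msg)
            if cm:
                s["cipher"] = cm.group(1)
                s["reused"] = cm.group(2) == "reused"
            elif msg.startswith("SSL shutdown state is:"):
                s["shutdown"].append(msg.split(":", 1)[1].strip())
            elif msg.startswith("SSL ret:"):
                s["errors"].append(msg)
        elif kind.startswith("OK "):
            s["ops"].append((kind[3:], msg))
    return dict(sessions)


def findings(sessions):
    """One human-readable finding per problem, in pid order."""
    out = []
    for pid, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        who = f"pid {pid} user={s['user']} client={s['client']}"
        if s["cipher"] and any(tok in s["cipher"] for tok in WEAK_CIPHER_MARKERS):
            out.append(f"{who}: weak cipher {s['cipher']} negotiated; "
                       "set ssl_ciphers to a modern suite list")
        for err in s["errors"]:
            m = re.search(r"SSL ret: (\d+).*errno: (\d+)", err)
            if not m:
                out.append(f"{who}: unparsed TLS error: {err}")
                continue
            ret, en = int(m.group(1)), int(m.group(2))
            if ret >= 2 ** 63:  # vsftpd prints the signed SSL return value as unsigned 64-bit
                ret -= 2 ** 64
            out.append(f"{who}: TLS I/O failed (SSL ret={ret}, errno {en} "
                       f"{errno.errorcode.get(en, '?')}) after shutdown states "
                       f"{s['shutdown']}")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Run as a script it reports two findings for pid 56558 (the 3DES suite, and the write that failed with EINVAL right after the SSL_SENT_SHUTDOWN state) and nothing for pid 56600, which negotiated DHE-RSA-AES256-SHA. One caveat on the s_client runs in the post: a plain `openssl s_client -connect host:800` cannot succeed against an explicit-TLS FTP control port, because the server answers with a cleartext 220 banner until the client sends AUTH TLS, which is exactly what the "unknown protocol" and "wrong version number" errors reflect; `openssl s_client -starttls ftp -connect host:800` performs that step first, while the s_server test on 4443 only shows that the certificate file itself loads.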