[BlueOnyx:11327] Re: 5108R FTPS

Michael Stauber mstauber at blueonyx.it
Fri Sep 14 11:44:05 -05 2012


Hi Chris,

> Alright, I did all that, and tried connecting "explicit" and now it 
> errors like this:
> 
> Status:	Resolving address of www.domain.com
> Status:	Connecting to 208.x.y.z:21...
> Status:	Connection established, waiting for welcome message...
> Response:	220 ProFTPD 1.3.4a Server (ProFTPD server) [::ffff:208.x.y.z]
> Command:	AUTH TLS
> Response:	500 AUTH not understood
> Command:	AUTH SSL
> Response:	500 AUTH not understood
> Error:	Critical error
> Error:	Could not connect to server
> 
> And now I found something new.  The main IP on the server is different 
> than the IP of the domain (due to the fact that the domain uses SSL). 
> If I connect to the main IP of the server, then it works OK.
> 
> So it's working, and I can probably live with that, but the result is a 
> little cumbersome for the customer, since they're accustomed to being 
> able to use their domain as the FTP host, and not some other IP address.
> 
> I wonder if that can be made to work, or if that is a pipe-dream.

Yeah, it can be made to work on the IP of the Vsite, too - if that one
is different from the main IP.

At the bottom of /etc/proftpd.conf you got the VirtualHost containers
for all the extra IPs. Just add a container like this for the IP of
that Vsite where you want FTPS to work (and substitute the correct IP):

<IfModule mod_tls.c>
  <VirtualHost 208.67.251.187>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSRequired off
    # Reuse the Dovecot certificate that is present by default
    TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
    TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
    TLSVerifyClient off
    TLSOptions NoCertRequest
    TLSRenegotiate required off
    TLSOptions UseImplicitSSL
    # The "standard" implicit FTPS port is 990
    Port 990
  </VirtualHost>
</IfModule>

If the client's Vsite has an SSL certificate, you could even use that
one instead of defaulting to the Dovecot certificate, which I used here
because it's there by default and saves us the hassle of creating yet
another self-signed certificate just for FTPS.

I'm thinking of hacking all this into the BlueOnyx GUI to finally
provide working FTPS "out of the box". But I'm still a bit torn about
running ProFTPD stand alone and no longer behind Xinetd (which has
benefits for security reasons).

-- 
With best regards

Michael Stauber
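As an added example (not part of the mail above and not BlueOnyx or ProFTPD code), the following Python script parses the VirtualHost containers of a proftpd.conf-style text and checks that the FTPS container for a given IP is consistent: TLSEngine on, certificate and key directives present, UseImplicitSSL paired with Port 990, and TLSRequired not left off on an explicit-mode container. The sample configuration is constructed from the container in the mail; the directive names are real mod_tls directives.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the container from the mail (not a real /etc/proftpd.conf).
SAMPLE_CONF = """
<IfModule mod_tls.c>
  <VirtualHost 208.67.251.187>
    TLSEngine on
    TLSRequired off
    TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
    TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
    TLSOptions NoCertRequest
    TLSOptions UseImplicitSSL
    Port 990
  </VirtualHost>
</IfModule>
"""

def parse_vhosts(text):
    """Map each <VirtualHost ip> to {directive: [values]}; repeated directives accumulate."""
    vhosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            current = vhosts[m.group(1)] = defaultdict(list)
        elif line.lower() == "</virtualhost>":
            current = None
        elif line and current is not None:
            key, _, val = line.partition(" ")
            current[key].extend(val.split())
    return vhosts

def check_ftps_vhost(text, ip):
    """Return the problems found in the FTPS container for `ip` (empty list = looks right)."""
    vh = parse_vhosts(text).get(ip)
    if vh is None:
        return [f"no <VirtualHost {ip}> container"]
    problems = []
    opts = {o.lower() for o in vh.get("TLSOptions", [])}
    implicit = "useimplicitssl" in opts
    port = vh.get("Port", ["21"])[0]  # ProFTPD default port when none is given
    if [v.lower() for v in vh.get("TLSEngine", [])] != ["on"]:
        problems.append("TLSEngine is not on")
    problems += [f"{d} missing" for d in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile") if d not in vh]
    if implicit != (port == "990"):
        problems.append("UseImplicitSSL and Port 990 must go together")
    if not implicit and vh.get("TLSRequired", ["off"])[0].lower() == "off":
        problems.append("explicit FTPS with TLSRequired off still accepts plaintext logins")
    return problems
```

Running check_ftps_vhost on the real /etc/proftpd.conf after the edit is a quick way to confirm the container was pasted correctly before restarting ProFTPD.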
