[BlueOnyx:11328] Re: 5108R FTPS
Wisja.net
info at wisja.net
Fri Sep 14 13:26:10 -05 2012
Hi Michael,
Please check your blueonyx mail, I really like some offlist help ;)
Wisja
On Fri, 14 Sep 2012 18:44:05 +0200, Michael Stauber wrote
> Hi Chris,
>
> > Alright, I did all that, and tried connecting "explicit" and now it
> > errors like this:
> >
> > Status: Resolving address of www.domain.com
> > Status: Connecting to 208.x.y.z:21...
> > Status: Connection established, waiting for welcome message...
> > Response: 220 ProFTPD 1.3.4a Server (ProFTPD server) [::ffff:208.x.y.z]
> > Command: AUTH TLS
> > Response: 500 AUTH not understood
> > Command: AUTH SSL
> > Response: 500 AUTH not understood
> > Error: Critical error
> > Error: Could not connect to server
> >
> > And now I found something new. The main IP on the server is different
> > than the IP of the domain (due to the fact that the domain uses SSL).
> > If I connect to the main IP of the server, then it works OK.
> >
> > So it's working, and I can probably live with that, but the result is a
> > little cumbersome for the customer, since they're accustomed to being
> > able to use their domain as the FTP host, and not some other IP address.
> >
> > I wonder if that can be made to work, or if that is a pipe-dream.
>
> Yeah, it can be made to work on the IP of the Vsite, too - if that one
> is different from the main IP.
>
> At the bottom of /etc/proftpd.conf you got the VirtualHost containers
> for all the extra IP's. Just add a container like this for the IP of
> that Vsite where you want FTPS to work (and substitute the correct IP):
>
> <IfModule mod_tls.c>
> <VirtualHost 208.67.251.187>
> TLSEngine on
> TLSLog /var/log/proftpd/tls.log
> TLSRequired off
> TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
> TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
> TLSVerifyClient off
> TLSOptions NoCertRequest
> TLSRenegotiate required off
> TLSOptions UseImplicitSSL
> # The "standard" implicit FTPS port is 990
> Port 990
> </VirtualHost>
> </IfModule>
>
> If the client's Vsite has an SSL certificate, you could even use that
> one instead of defaulting to the Dovecot certificate, which I used here
> because it's there by default and saves us the hassle of creating yet
> another self-signed certificate just for FTPS.
>
> I'm thinking of hacking all this into the BlueOnyx GUI to finally
> provide working FTPS "out of the box". But I'm still a bit torn about
> running ProFTPD stand alone and no longer behind Xinetd (which has
> benefits for security reasons).
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
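The thread's problem is that FTPS works on the server's main IP but not on the Vsite's own IP, because only the main IP has a TLS-enabled VirtualHost container. The following is an added example (not code from the thread or from BlueOnyx): a small audit script that parses a proftpd.conf, finds every <VirtualHost> container (including those nested inside <IfModule mod_tls.c>), and reports per IP whether TLSEngine is on, whether implicit FTPS is used and on which port. The function names (parse_vhosts, audit_ftps) and the sample configuration are my own; the sample embeds the container posted above for 208.67.251.187 plus a constructed second Vsite on 192.0.2.10 with no TLS block, and the assumption that a VirtualHost without a Port directive listens on the global Port (21).

```python
"""Audit a proftpd.conf for per-IP FTPS coverage (added example, not from the thread)."""
import re

# Container open/close tags, e.g. "<VirtualHost 1.2.3.4>", "<IfModule mod_tls.c>", "</VirtualHost>"
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_vhosts(conf_text):
    """Return {ip: {directive: [values...]}} for every <VirtualHost> in conf_text.

    Directives outside any VirtualHost are stored under "__global__".
    Repeated directives (ProFTPD allows several TLSOptions lines) are kept in order.
    """
    vhosts = {"__global__": {}}
    stack = []                 # names of currently open containers
    current = "__global__"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            name, arg = m.groups()
            stack.append(name)
            if name == "VirtualHost":
                current = arg.strip()
                vhosts.setdefault(current, {})
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack.pop() == "VirtualHost":
                current = "__global__"
            continue
        parts = line.split(None, 1)
        vhosts[current].setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return vhosts


def audit_ftps(vhosts, ips):
    """Describe the FTPS setup for each IP: no container, plain FTP only, or TLS (explicit/implicit)."""
    # Assumption: a VirtualHost with no Port directive uses the global Port, default 21.
    global_port = vhosts["__global__"].get("Port", ["21"])[0]
    report = {}
    for ip in ips:
        vh = vhosts.get(ip)
        if vh is None:
            report[ip] = {"vhost": False, "tls": False, "implicit": False, "port": None, "cert": None}
            continue
        tls_on = vh.get("TLSEngine", [""])[0].lower() == "on"
        options = " ".join(vh.get("TLSOptions", [])).split()   # merge repeated TLSOptions lines
        report[ip] = {
            "vhost": True,
            "tls": tls_on,
            "implicit": tls_on and "UseImplicitSSL" in options,
            "port": int(vh.get("Port", [global_port])[0]),
            "cert": vh.get("TLSRSACertificateFile", [None])[0],
        }
    return report


# Constructed sample: the container from the thread plus a Vsite IP that lacks a TLS block.
SAMPLE_CONF = """\
ServerName "ProFTPD"
Port 21
<IfModule mod_tls.c>
<VirtualHost 208.67.251.187>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSRequired off
TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
TLSVerifyClient off
TLSOptions NoCertRequest
TLSRenegotiate required off
TLSOptions UseImplicitSSL
# The "standard" implicit FTPS port is 990
Port 990
</VirtualHost>
</IfModule>
<VirtualHost 192.0.2.10>
ServerName "plain vsite"
</VirtualHost>
"""

if __name__ == "__main__":
    result = audit_ftps(parse_vhosts(SAMPLE_CONF), ["208.67.251.187", "192.0.2.10", "203.0.113.5"])
    for ip, info in result.items():
        if not info["vhost"]:
            print(f"{ip}: no VirtualHost container (falls back to the main server config)")
        elif not info["tls"]:
            print(f"{ip}: VirtualHost present but TLSEngine is not on -> FTPS clients will get '500 AUTH not understood'")
        else:
            mode = "implicit" if info["implicit"] else "explicit"
            print(f"{ip}: {mode} FTPS on port {info['port']} using {info['cert']}")
```

Run it against a copy of /etc/proftpd.conf and the list of Vsite IPs; any IP reported without a TLS container is one where a customer using the domain name as FTP host will see the "AUTH not understood" failure from the thread.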