I am having problems with TLS on ProFTPd on Debian Stretch Linux. Without TLS the connection works and the FTP user's directory is displayed in FileZilla.
/etc/proftpd/conf.d/custom.conf
<Global>
RequireValidShell off
</Global>
UseIPv6 off
DefaultRoot ~ ftpuser
<Limit LOGIN>
DenyGroup !ftpuser
</Limit>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSVerifyClient off
TLSRequired on
</IfModule>
openssl s_client -connect 127.0.0.1:21 -starttls ftp
CONNECTED(00000003)
depth=0 C = DE, ST = Germany, L = Kirchentellinsfurt, O = Seicom Verwaltungs GmbH, CN = web.germany.com, emailAddress = info@germany.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Kirchentellinsfurt, O = Seicom Verwaltungs GmbH, CN = web.germany.com, emailAddress = info@germany.com
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Germany/L=Kirchentellinsfurt/O=Seicom Verwaltungs GmbH/CN=web.germany.com/emailAddress=info@germany.com
i:/C=DE/ST=Germany/L=Kirchentellinsfurt/O=Seicom Verwaltungs GmbH/CN=web.germany.com/emailAddress=info@germany.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=DE/ST=Germany/L=Kirchentellinsfurt/O=/CN=/emailAddress=
issuer=/C=DE/ST=Germany/L=Kirchentellinsfurt/O=/CN=/emailAddress=
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1657 bytes and written 324 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A8F122B2457D29253D32E9AEB749ACCEA9E769DF866610C5D632860541E4C689
Session-ID-ctx:
Master-Key: F88342D78958331A5EBA9FDEE0147E2DCD46325D3B970F2923455C74A9D36C4AC684C4C396DB820BF78250B3A3C9951B
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1558347055
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
220 ProFTPD 1.3.5b Server (FTP) [127.0.0.1]
What am I doing wrong?
Status: Überprüfe Zertifikat...
Status: TLS-Verbindung hergestellt.
Status: Angemeldet
Status: Empfange Verzeichnisinhalt...
Status: Vom Server gesendete Adresse für den Passiv-Modus ist nicht routingfähig. Benutze stattdessen die Serveradresse.
Befehl: MLSD
Fehler: Zeitüberschreitung der Verbindung nach 20 Sekunden Inaktivität
Fehler: Verzeichnisinhalt konnte nicht empfangen werden
Regards
BrotherJ
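Added example (not part of the original post, not ProFTPd or FileZilla code): the FileZilla log above shows a control channel that works over TLS and a data channel that never comes up ("address for passive mode is not routable", then the MLSD timeout). The script below reproduces the decision FileZilla makes at that point: it parses the server's `227 Entering Passive Mode` reply, checks whether the advertised address is reachable from the client at all, and falls back to the control connection's peer address when it is not. The optional live probe repeats the post's scenario with Python's `ftplib.FTP_TLS`; its host, credentials and CA file are placeholders, and the 203.0.113.x addresses in the sample replies are documentation addresses standing in for a public one. One caveat worth knowing when reading the output: with `TLSRequired on` the 227 reply itself travels inside TLS, so no firewall or NAT helper can inspect or rewrite it, which means the server has to advertise an address and a port range the client can actually reach.

```python
"""Passive-mode diagnostics for an FTPS data channel.

Added example, not from the original post. It mirrors the check FileZilla
performs when it logs that the passive-mode address is not routable: parse
the 227 reply, decide whether the advertised address can be reached from the
client, and fall back to the control connection's peer address if not. The
live probe (ftplib.FTP_TLS) repeats the post's scenario; host, credentials
and CA file there are placeholders.
"""
import ipaddress
import re
import ssl
from ftplib import FTP_TLS
from typing import List, NamedTuple, Tuple

# Ranges a remote client cannot reach across the Internet. A server behind NAT
# typically advertises one of these unless it is told its public address.
UNROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

PASV_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


class PasvEndpoint(NamedTuple):
    advertised_ip: str   # address the server put in the 227 reply
    port: int            # p1 * 256 + p2
    routable: bool       # can a remote client reach advertised_ip at all?
    effective_ip: str    # address a client should actually connect to


def is_routable(ip: str) -> bool:
    """True unless ip lies in a range that cannot be reached across the Internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in UNROUTABLE_V4)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {reply!r}")
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        raise ValueError(f"octet out of range in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = parts
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError(f"server advertised port 0: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def choose_data_endpoint(reply: str, control_peer_ip: str) -> PasvEndpoint:
    """Pick the data-channel endpoint the way a cautious client does.

    If the advertised address is 0.0.0.0, or is unroutable while the control
    connection's peer is routable, the peer address is used instead. In every
    other case the server's reply is taken as given.
    """
    ip, port = parse_pasv_reply(reply)
    routable = is_routable(ip)
    unspecified = ipaddress.ip_address(ip).is_unspecified
    if unspecified or (not routable and is_routable(control_peer_ip)):
        effective = control_peer_ip
    else:
        effective = ip
    return PasvEndpoint(ip, port, routable, effective)


def probe_ftps_listing(host: str, user: str, password: str, cafile: str,
                       timeout: float = 20.0) -> Tuple[PasvEndpoint, List[str]]:
    """Explicit FTPS login (AUTH TLS), protected data channel, one MLSD listing.

    cafile should hold the server's own certificate when it is self-signed
    (verify code 18 in the openssl output above) so the handshake verifies.
    A timeout raised from mlsd() after PASV succeeded is exactly the failure
    the post shows: control channel fine, data channel never established.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, 21)
    ftps.auth()                  # AUTH TLS on the control channel
    ftps.login(user, password)
    ftps.prot_p()                # PROT P: the data channel is TLS as well
    endpoint = choose_data_endpoint(ftps.sendcmd("PASV"),
                                    ftps.sock.getpeername()[0])
    names = [name for name, _facts in ftps.mlsd()]
    ftps.quit()
    return endpoint, names


if __name__ == "__main__":
    # Constructed replies: a NAT'd server advertising its LAN address to a
    # client that reached it at a public address, then a correct reply.
    for sample in ("227 Entering Passive Mode (192,168,1,10,195,80)",
                   "227 Entering Passive Mode (203,0,113,7,195,80)"):
        print(choose_data_endpoint(sample, "203.0.113.7"))
```

Run against a real server with `probe_ftps_listing("ftp.example.invalid", "ftpuser", "secret", "/path/to/proftpd.crt")`: if the returned endpoint reports `routable=False`, the server is advertising an address the client cannot use, and if the call instead times out inside `mlsd()`, the advertised port is not reachable even though the address is.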