Problem beim einloggen mit TLS

[seraph1976]

hallo
meine konfig der server und iptables funktionieren einwandfrei. sobald ich aber mod_tls enable, komme ich folgende fehlermeldung im client:

Code:

Data Socket Error: Connection failed

so habe ich es configuriert:

Code:

TransferLog             NONE
WtmpLog                 off
SystemLog               NONE

MultilineRFC2228        on
DefaultServer           on
ShowSymlinks            on

TimeoutLogin            60                                              # TimeOut für Login
TimeoutIdle             600                                             # Inaktivitaet
TimeoutNoTransfer       600                                             # keine Datenuebertragung (Listing, File, ...)
TimeoutStalled          300                                             # haengende Datenuebertragung
TimeoutSession          7200                                            # Gesamtdauer einer Session

MaxInstances            20

DenyFilter              \*.*/

<IfModule mod_tls.c>
        TLSProtocol SSLv23
</IfModule>

<Global>
        Umask           022  022
        RootLogin       off
</Global>
# Set the user and group that the server normally runs at.
User            proftpd
Group           proftpd

<VirtualHost x.x.x.x>
        ServerName      test
        Port            6666
        AllowOverwrite  on
        DelayEngine     off

        AuthPAM off
        AuthOrder mod_auth_file.c
        AuthUserFile /etc/proftpd/ftpd.passwd

        Defaultroot     /srv/ftp

        IdentLookups off

        AllowForeignAddress on

        AllowRetrieveRestart on
        AllowStoreRestart on

        MaxClientsPerUser       2 "Max. 2 Logins erlaubt!"
        MaxClientsPerHost       2 "Max. 2 Logins erlaubt!"
        MaxHostsPerUser         1 "Nur von einem Rechner einloggen!"
        MaxLoginAttempts        3 "Hesch s'Passwort vergaessse... wixi :-)"

        DeferWelcome            on
        DisplayFirstChdir       .message

        <IfModule mod_tls.c>
                TLSEngine off
                TLSRequired off
                TLSRSACertificateFile /etc/proftpd/host.cert
                TLSRSACertificateKeyFile /etc/proftpd/host.key
        </IfModule>
</VirtualHost>

[VolGas]

Hallo!

Folgender Anweisungsblock sollte funktionieren:

Code:

    TLSEngine               on
    TLSProtocol             SSLv23
    TLSRequired             off
    TLSVerifyClient         off
   
    TLSOptions              NoCertRequest
    TLSLog                  /var/log/proftpd/tls.log
   
    # CA-Cert optional
#   TLSCACertificateFile        /etc/ssl/certs/CA.cert
    TLSRSACertificateFile       /etc/ssl/certs/meinserver.tld.cert
    TLSRSACertificateKeyFile    /etc/ssl/certs/meinserver.tld.key

Wenn es damit immer noch nicht funktionieren sollte, dann im TLSLog nachsehen.
Eine Beispiel-Konfiguration für einen Default- und beliebig viele virtuelle Server findet man ->hier.

Ich hoffe, du kommst damit weiter.

mfg.
  VolGas


Nachtrag:
Achtung: aufpassen bei Virtual-Hosts!
Fast alle Direktiven beziehen sich, sofern sie nicht in einem "<Global>...</Global>"-Block befinden,
nur auf den Default-Server! Der/die VHost-Server laufen dann mit ihren eigenen (Default-)Settings!
Deshalb nach Möglichkeit alles als Gobal definieren wie in dem Konfigurations-Beispiel gezeigt wird.

[seraph1976]

hallo
habe die konfig jetzt geändert, so dass es auch optisch besser aussieht und den virtual server gelöscht, benötige ich gar nicht.

aber funktionieren, neh leider nicht und das logfile ist auch leer? hmmm

hier nochmals der error:

Code:

[R] Data Socket Error: Connection timed out
[R] List Error
[R] PASV

config:

Code:

ServerType              standalone
PidFile                 /var/run/proftpd.pid

MaxInstances            20
MaxConnectionRate       4
SocketBindTight         off
UseReverseDNS           off

RootRevoke              on
DefaultServer           on
MultilineRFC2228        on

<IfModule mod_tls.c>
        TLSProtocol     SSLv23
</IfModule>

# Log definieren
TransferLog             NONE
WtmpLog                 off
SystemLog               NONE


# --------------------------------------------
# globale Settings
# --------------------------------------------

<Global>
User            proftpd
Group           proftpd


        # --------------------------------------------
        # Login
        # --------------------------------------------
       
        ServerIdent             on "FTP server ready."
        DeferWelcome            on

        IdentLookups off
RequireValidShell       off
RootLogin        off

TimeoutLogin            60
MaxClientsPerUser       2 "Max. 2 Logins erlaubt!"
MaxClientsPerHost       2 "Max. 2 Logins erlaubt!"
MaxHostsPerUser         1 "Nur von einem Rechner einloggen!"
        MaxLoginAttempts        3 "Hesch s'Passwort vergaessse... wixi :-)"

        # --------------------------------------------
        # Authentifikation: Standard
        # --------------------------------------------
AuthPAM off
AuthOrder mod_auth_file.c
        AuthUserFile /etc/proftpd/ftpd.passwd
       
       
        # --------------------------------------------
        # TLS Standards
        # --------------------------------------------

        <IfModule mod_tls.c>
        TLSEngine off
                TLSTimeoutHandshake     60
                TLSRequired             off
                TLSVerifyClient         off
       
                TLSOptions              NoCertRequest
                TLSLog                  /var/log/proftpd/tls.log
        </IfModule>
       
       
        # --------------------------------------------
        # Post-Login, Timeouts
        # --------------------------------------------
       
        DisplayFirstChdir       .message
TimeoutLogin            60                                              # TimeOut für Login
TimeoutIdle             600                                             # Inaktivitaet
TimeoutNoTransfer       600                                             # keine Datenuebertragung (Listing, File, ...)
TimeoutStalled          300                                             # haengende Datenuebertragung
TimeoutSession          7200                                            # Gesamtdauer einer Session


        # --------------------------------------------
        # Session
        # --------------------------------------------
       
Defaultroot      /srv/ftp

DenyFilter              \*.*/

ShowSymlinks            on
        TimesGMT                on
       
       
        # --------------------------------------------
# Up- & Download
        # --------------------------------------------
       
AllowOverwrite  on
AllowRetrieveRestart on
AllowForeignAddress on
AllowStoreRestart on


# --------------------------------------------
# Datei & Verzeichnis
        # --------------------------------------------
       
Umask            022  022
</Global>

# --------------------------------------------
# Standard-Server
# --------------------------------------------

DefaultAddress          x.x.x
ServerName              ftp
Port            6666

<IfModule mod_tls.c>
        TLSEngine                       on
        TLSRequired                     on
        TLSVerifyClient                 off

        TLSOptions                      NoCertRequest
        TLSLog                          /etc/proftpd/log/tls.log

        TLSRSACertificateFile           /etc/proftpd/host.cert
        TLSRSACertificateKeyFile        /etc/proftpd/host.key
</IfModule>

[VolGas]

Mit "TLSEngine" auf "off" funktioniert alles wie es soll und mit "on" dann nicht mehr?
Ok, dann bleibt wohl nur noch eines: bitte im Debug-Modus nocheinmal versuchen einloggen.
Poste dann hier die Ausgabe des Versuches, aber die Ausgabe vor dem Login bitte auslassen.

mfg.
  VolGas

[seraph1976]

ja genau so ist es, hm kann ich machen, aber wie mache ich das mit dem debug modus?

[VolGas]

Siehe FAQ unter "ProFTPD startet nicht..." -
oder via Foren-Suche dutzendweise.

mfg.
  VolGas

[seraph1976]

also habe jetzt hier den output des debugs:

Code:

ftp.firebird.cc (62.2.188.18[62.2.188.18]) - USER mibono: Login successful.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - Preparing to chroot to directory '/srv/ftp'
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - Environment successfully chroot()ed.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - in dir_check_full(): path = '/', fullpath = '/srv/ftp/'.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_cap
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - mod_cap/1.0: capabilities '= cap_net_bind_service+ep'
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_quotatab
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_vroot
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_readme
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ratio
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_delay
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PASS (hidden)' to mod_auth
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - setting TimeoutSession of 7200 seconds for current all
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - RootRevoke in effect, dropped root privs
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_ratio
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'SYST' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'SYST' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'SYST' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'SYST' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'SYST' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'FEAT' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'FEAT' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'FEAT' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'FEAT' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'FEAT' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PWD' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PWD' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PWD' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'PWD' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - in dir_check_full(): path = '/', fullpath = '/srv/ftp/'.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PWD' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'TYPE A' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'TYPE A' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'TYPE A' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'TYPE A' to mod_xfer
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'TYPE A' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PROT P' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PROT P' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PROT P' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'PROT P' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching POST_CMD command 'PROT P' to mod_xfer
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PROT P' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PASV' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PASV' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PASV' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'PASV' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - in dir_check_full(): path = '/', fullpath = '/srv/ftp/'.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - Entering Passive Mode (62,2,45,150,14,217).
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PASV' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PASV' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PASV' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PASV' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'PASV' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - in dir_check_full(): path = '/', fullpath = '/srv/ftp/'.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - Entering Passive Mode (62,2,45,150,11,189).
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PASV' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PORT 192,168,1,3,13,68' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PORT 192,168,1,3,13,68' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'PORT 192,168,1,3,13,68' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'PORT 192,168,1,3,13,68' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - in dir_check_full(): path = '/', fullpath = '/srv/ftp/'.
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching LOG_CMD command 'PORT 192,168,1,3,13,68' to mod_log
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'LIST -al' to mod_tls
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'LIST -al' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'LIST -al' to mod_core
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching PRE_CMD command 'LIST -al' to mod_ratio
ftp.firebird.cc (62.2.188.18[62.2.188.18]) - dispatching CMD command 'LIST -al' to mod_ls

ich bin jetzt per ftp eingeloggt auf dem server trotz errors, aber die ortner werden nicht angezeigt

[seraph1976]

schade kann mir niemand helfen :-(

[VolGas]

Sorry, wenn ich erst jetzt wieder antworte - ich hatte eine Auszeit nötig - und verdient!

Dem Debug-Output nach, den Du hier gepostet hast, ist mit dem ProFTPD alles in Ordnung.
Der Client allerdings authentifiziert sich erst ganz normal und schaltet dann erst vor dem Verzeichnislisting
auf TLS um. Dein Client scheint nur den Datenkanal verschlüsseln zu wollen - also sehr wahrscheinlich ein
Konfigurationsproblem Deines Clients.

mfg.
  VolGas