Hi,

I'm trying to use ProFTPd Server and LFTP Client (all latest versions, built with mod_tls.c and openssl respectively) to secure both the control channel and the data channel during FTP file transfer over TLS per RFC 2228.

The server has a TLS cert issued by a CA. The client has no certificate. The user has a local account on the server host, with /etc/password.

I have to use TLSv1. (SSLv3 and SSLv2 are both turned off. Non-TLS file transfer is not allowed.)

But when I try to connect I get this error message:
TLS/TLS-C requested, starting TLS handshake
unable to accept TLS connection:
(1) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
TLS/TLS-C negotiation failed on control channel

I saw the above mentioned as a bug on the ProFTPd user mailing list, but couldn't understand the workaround being proposed.

Here are my changes to the standard proftpd.conf file:
[Removed "Anonymous" section.]

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/messages
TLSProtocol TLSv1
TLSRequired on
TLSRSACertificateKeyFile /usr/private/serverprivatekey.pem
TLSRSACertificateFile /usr/certs/servercert.pem
TLSCACertificateFile /usr/certs/cacert.pem
TLSVerifyClient off
</IfModule>

Here are my changes to the standard contrib/mod_tls.c file:
#define TLS_DEFAULT_PROTOCOL "TLSv1"
static unsigned char tls_engine = TRUE;
static unsigned char tls_required_on_ctrl = TRUE;
static unsigned char tls_required_on_data = TRUE;

On LFTP Client, here are my changes to the standard lftp.conf file:
set ftp:use-feat no
set ftp:ssl-allow yes
set ftp:ssl-allow-anonymous no
set ftp:ssl-auth TLS
set ftp:ssl-data-use-keys yes
set ftp:ssl-force yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-list yes
set ftp:ssl-use-ccc no
set ftps:initial-prot "P"
set ssl:ca-file "/usr/certs/cacert.pem"
set ssl:key-file ""
set ssl:cert-file ""
set ssl:verify-certificate yes

Thank you for your help!

Fal
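A small diagnostic, added here and not code from ProFTPD or LFTP, that unpacks the OpenSSL error quoted in the message and reproduces the RFC 2228 AUTH TLS control-channel exchange against a server with the handshake pinned to one TLS version, so a mismatch between TLSProtocol on the server and the client's offered version shows up before any file transfer is attempted. Host, port and CA file are values the caller supplies; Python is used because its ssl module surfaces the same OpenSSL error strings.

```python
# Added diagnostic (not ProFTPD/LFTP code): decode an OpenSSL error and probe AUTH TLS.
import re
import socket
import ssl

# OpenSSL 1.x error strings look like "error:<8 hex digits>:<lib>:<function>:<reason>".
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode_openssl_error(line):
    """Unpack an OpenSSL 1.x code: lib (8 bits) << 24 | func (12 bits) << 12 | reason (12 bits)."""
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
            "lib_name": m.group(2), "func_name": m.group(3), "reason_text": m.group(4).strip()}

def parse_ftp_reply(data):
    """(code, text) from a raw FTP reply, using the final 'ddd ' line of a multi-line
    reply; (None, text) while the reply is still incomplete."""
    text = data.decode("latin-1")
    for line in text.splitlines():
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), line[4:].strip()
    return None, text

def _recv_reply(sock):
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the control connection")
        buf += chunk
        code, text = parse_ftp_reply(buf)
        if code is not None:
            return code, text

def probe_auth_tls(host, port=21, version=ssl.TLSVersion.TLSv1_2, cafile=None, timeout=10):
    """Plaintext AUTH TLS, then a handshake pinned to one version (client-side twin of
    TLSProtocol). Returns the negotiated version; failures raise ssl.SSLError whose text
    decode_openssl_error() parses. host/port are assumed; OpenSSL 3 refuses TLSv1 by default."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _recv_reply(sock)                  # 220 greeting, still plaintext
        sock.sendall(b"AUTH TLS\r\n")      # RFC 2228 request to upgrade the control channel
        code, text = _recv_reply(sock)
        if code != 234:
            raise RuntimeError(f"AUTH TLS refused: {code} {text}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

For the error in the message, the decoded fields are library 20 (SSL), function 143 (SSL3_GET_RECORD) and reason 267 (wrong version number): the record the server read did not carry an acceptable TLS version, which is what a plaintext or differently-versioned client handshake looks like on the wire.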
_______________________________________________
ProFTPD Users List