Hello,

I'm trying to use FTPS with ProFTPD, but I'm still having some trouble
with the use of a CRL.

I have configured ProFTPD with a server certificate, I have declared my
client CA, and I have also declared a CRL to deny access to revoked clients.

The problem is, using the CRL file, all of the revoked clients can still
access the FTP server.

Below is all the information about my configuration, plus the other details:

proftpd.conf
-------------


############################################################
# TLS configuration
############################################################
<ifModule mod_tls.c>

# Configure the server address presented to clients on the
# assumption that that IP address or DNS host
# is acting as a NAT gateway or port forwarder for the server
# MasqueradeAddress 10.10.200.10

# PassivePorts restricts the range of ports from which the
# server will select when sent the PASV command from a
# client. The port range selected must be in the
# non-privileged range (eg. greater than or equal to 1024); it is
# STRONGLY RECOMMENDED that the chosen range be large
# enough to handle many simultaneous passive connections (for
# example, 49152-65534, the IANA-registered ephemeral port
# range).
PassivePorts 49160 49166

# to enable TLS function
TLSEngine on

# to log TLS actions
TLSLog /PROFTPD_home/logs/tls.log ALL

# Are clients required to use FTP over TLS when talking to
# this server?
TLSRequired on

# Server's certificates
TLSRSACertificateFile /PROFTPD_home/Certs/server/new-OBS-serverCert.pem
TLSRSACertificateKeyFile /PROFTPD_home/Certs/server/new-OBS-serverKey.pem
TLSOptions StdEnvVars

# CA the server trusts
# TLSCACertificateFile /PROFTPD_home/Certs/CA/CA-Cert.pem
TLSCACertificatePath /PROFTPD_home/Certs/CA/
# TLSCARevocationFile /PROFTPD_home/Certs/CRL/Ca-Crl.pem
TLSCARevocationPath /PROFTPD_home/Certs/CRL/

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient on

# The RootRevoke directive causes all root privileges to
# be dropped once a user is authenticated.
# This will also cause active transfers to be disabled, if
# the server is listening on a port less than 1025.
# Note that this only affects active transfers; passive
# transfers will not be blocked.
RootRevoke on
TLSVerifyDepth 9

</ifModule>
############################################################
# END TLS configuration
############################################################




Trace after a connection with a revoked certificate; in the tls.log file I
have this:
--------------------------------------------------------------------------------------


May 05 20:13:35 mod_tls/2.1.1[28874]: TLS/TLS-C requested, starting TLS handshake
May 05 20:13:36 mod_tls/2.1.1[28874]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 05 20:13:36 mod_tls/2.1.1[28874]: Client: C = FR, ST = FRANCE, L = Cesson Sevigne, O = Orange Business Services, OU = ENG/ UNIX, CN = BAROUDI Abdelmounim, emailAddress = client02@ornage.fr
May 05 20:13:36 mod_tls/2.1.1[28874]: Protection set to Private
May 05 20:13:36 mod_tls/2.1.1[28874]: starting TLS negotiation on data connection
May 05 20:13:36 mod_tls/2.1.1[28874]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)




NB: I have tried all my certificates and the CRL with an Apache server and
it works well.

The log from the httpd server looks like this:


[Mon May 05 18:17:10 2008] [info] Certificate with serial 2 (0x2) revoked per CRL from issuer /C=FR/ST=FRANCE/O=Orange Business Services/OU=UNIX Engineering Team/CN=ENG Administrator/emailAddress=administrator@orange.fr
[Mon May 05 18:17:10 2008] [error] Certificate Verification: Error (23): certificate revoked
[Mon May 05 18:17:10 2008] [debug] ssl_engine_kernel.c(1787): OpenSSL: Write: SSLv3 read client certificate B
[Mon May 05 18:17:10 2008] [debug] ssl_engine_kernel.c(1806): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon May 05 18:17:10 2008] [debug] ssl_engine_kernel.c(1806): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon May 05 18:17:10 2008] [info] SSL library error 1 in handshake (server1:443, client 172.30.4.123)
[Mon May 05 18:17:10 2008] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon May 05 18:17:10 2008] [info] Connection to child 67 closed with abortive shutdown(server 1:443, client 172.30.4.123)


Thanks in advance for your reply
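The following is an added example for this thread; it is not part of the original message and not ProFTPD's own code. The configuration above points TLSCACertificatePath and TLSCARevocationPath at directories, and OpenSSL's directory lookup (the c_rehash layout) only finds a CA certificate stored as <subject-name-hash>.0 and a CRL stored as <issuer-name-hash>.r0. A CRL copied into that directory under a plain name such as Ca-Crl.pem is never consulted, and the Apache test above does not catch this because TLSCARevocationFile-style single-file loading does not depend on the file name. The script builds a throwaway CA with the openssl command-line tool, issues two client certificates, revokes one, publishes a CRL, and then runs openssl verify with CRL checking in three ways: CRL in one PEM file, CRL in a hash-named directory, and CRL in a directory under a plain name. The CA name, client names, the directories hashed/ and unhashed/, and the WORK scratch directory are all assumptions made for the demo; the plain file names CA-Cert.pem and Ca-Crl.pem are taken from the commented-out directives in the post. What mod_tls does when it finds no CRL for the issuer is not shown by the log above; the script only confirms, outside the FTP server, whether the CRL actually matches the certificate and is discoverable from the configured directory.

```shell
#!/bin/sh
# Added example (not from the original post or ProFTPD): build a demo CA,
# revoke one client certificate, publish a CRL, and check with openssl verify
# whether the CRL is found as a file, as a hashed directory, and as an
# unhashed directory. Every name and path here is made up for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the demo PKI

setup_pki() {
  cd "$WORK" || return 1
  mkdir -p ca/newcerts hashed unhashed
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  # Minimal config for "openssl req" and "openssl ca" (demo only).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  # Self-signed client CA (assumed name).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/CN=Demo Client CA" -days 365 >/dev/null 2>&1
  # Two client certificates; "revoked" goes on the CRL, "valid" does not.
  for n in revoked valid; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$n.key" \
      -out "$n.csr" -subj "/CN=client-$n" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key \
      -in "$n.csr" -out "$n.pem" >/dev/null 2>&1
  done
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke revoked.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out ca.crl >/dev/null 2>&1
  # Hashed directory, the layout OpenSSL's by-hash lookup (c_rehash) expects:
  # <subject hash>.0 for the CA certificate, <issuer hash>.r0 for its CRL.
  cp ca.pem "hashed/$(openssl x509 -in ca.pem -noout -hash).0"
  cp ca.crl "hashed/$(openssl crl -in ca.crl -noout -hash).r0"
  # Same files under plain names (as in the post): invisible to hash lookup.
  cp ca.pem unhashed/CA-Cert.pem
  cp ca.crl unhashed/Ca-Crl.pem
}

# Run "openssl verify" with the given options and reduce the outcome to
# "revoked", "ok", or "error: <openssl message>".
classify() {
  out="$(openssl verify "$@" 2>&1)"
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo ok ;;
    *)                       echo "error: $out" ;;
  esac
}

# CA certificate and CRL concatenated in one PEM file (TLSCARevocationFile style).
verify_crl_file()     { ( cd "$WORK" && cat ca.pem ca.crl > ca-and-crl.pem &&
                          classify -crl_check -CAfile ca-and-crl.pem "$1.pem" ); }
# CA certificate and CRL both found through a hashed directory (the *Path style).
verify_hashed_dir()   { ( cd "$WORK" && classify -crl_check -CApath hashed "$1.pem" ); }
# CA certificate supplied, CRL only present under a plain name in a directory.
verify_unhashed_dir() { ( cd "$WORK" && classify -crl_check -CAfile ca.pem -CApath unhashed "$1.pem" ); }

if [ "${1:-}" = run ]; then
  setup_pki
  for who in revoked valid; do
    echo "$who via CRL file:     $(verify_crl_file "$who")"
    echo "$who via hashed dir:   $(verify_hashed_dir "$who")"
    echo "$who via unhashed dir: $(verify_unhashed_dir "$who")"
  done
fi
```

Run it as "sh crl-check.sh run" with the openssl binary on PATH. The revoked certificate is reported as revoked through the single file and through the hashed directory, while through the unhashed directory openssl verify cannot find any CRL for the issuer at all ("unable to get certificate CRL"), which is the failure mode to rule out before suspecting the FTP server: rename the CRL to the hash form, or run c_rehash on the directory, then check the tls.log again.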

_______________________________________________
ProFTPD Users List