I want to add SSL to it because I feel like it makes sense as FTP passwords (and files) are passed in clear text. I would want both the passwords and file transfers to be secure when I need them to be without having to use the web based file management in siteworx.
Is there supposed to be library file I need to include for openssl?
I did a “find / -name ‘openssl’” and the only thing it came up with was:
/usr/bin/openssl
/usr/include/openssl (I have included this above)
Also, I had to do some extra things last time I manually upgraded ProFTPD on a recommendation from Sago (Thanks Sago-Dan). Will I still have to do the following steps to complete the configuration?
There’s a few things which you have to mod to get it to work in interworx.
The default configuration build of proftpd is pointing to another location (after the make install ) /usr/local/etc/proftpd.conf
If you remove that file with:
rm /usr/local/etc/proftpd.conf
then link it to the current one
You should have the configuration part set.
You may also have to copy the files to the proper location because the rpm’ed version of proftpd is stored in /usr/sbin and not /usr/local
Just copy the files which were compiled to the /usr/sbin
cp proftpd /usr/sbin
cp ftp* /usr/sbin
The --force is needed since the same version (without tls) is already installed.
Regarding the proftpd.conf you DO NOT want to overwrite or otherwise not use the proftpd.conf that comes with iworx. It has the DB connection strings in the conf file that are needed for proftpd to connect to the SQL auth backend. I’d just hand copy any TLS stuff that is needed to the /etc/proftpd.conf.
I have followed your instructions and everything went perfect.
The RPM file name was a little different than the one you specified, but it wasn’t hard to figure out the correct one for my server. There was a ‘.i386’ after the iworx (proftpd-1.2.10-100.iworx.i386.rpm).
I ran the force and it went okay:
[root@server1 i386]# rpm -Uvh --force /usr/src/redhat/RPMS/i386/proftpd-1.2.10-100.iworx.i386.rpm
Preparing... ########################################### [100%]
1:proftpd warning: /etc/proftpd.conf created as /etc/proftpd.conf.rpmnew
########################################### [100%]
Starting proftpd: [ OK ]
I guess I thought the config file was magically going to add the module code and know where my SSL certificates are by itself.
After adding the following code (based on the sample below) it connected:
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/tls.log
  TLSProtocol SSLv23 # this selects the latest crypt version
  TLSOptions NoCertRequest # this is REALLY important for WinClients
  # Are clients required to use FTP over TLS when talking to this server?
  TLSRequired on
  # Server's certificate
  TLSRSACertificateFile /etc/openldap/ldapcert.pem
  TLSRSACertificateKeyFile /etc/openldap/ldapkey.pem
  TLSCACertificateFile /etc/openldap/demoCA/cacert.pem
  # Authenticate clients that want to use FTP over TLS?
  TLSVerifyClient off
</IfModule>
Thanks for your help, this should come in handy when transferring PHP scripts that I don’t want other people seeing!
The Explicit connection works with Mod_TLS, but how would I go about making it work with Implicit?
Also, is there a way to make port 990 secure only? I added a virtual host to the proftpd config file and now it listens on 21 and 990, but connecting to either works with or without SSL.
Also, I’m trying to get DreamWeaver 2004 to connect via SSL and it doesn’t so I’m thinking it is using the implicit method that I can’t connect with when using SmartFTP.
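One way to see which listeners actually refuse plaintext logins, as an added example that is not part of the original thread: a small audit of proftpd.conf that resolves TLSEngine and TLSRequired for the main server and for each `<VirtualHost>`. It relies on ProFTPD's scoping rule that directives placed in the main server context do not reach virtual hosts while `<Global>` does; the config text, the address 192.0.2.10 and the function name are constructed for illustration, and it does not address implicit mode.

```python
import re

# Constructed sample (not the poster's file): <Global> turns TLS on for every
# listener, but only the port 990 virtual host sets TLSRequired.
SAMPLE_CONF = """\
<Global>
  <IfModule mod_tls.c>
    TLSEngine on
  </IfModule>
</Global>
Port 21
<VirtualHost 192.0.2.10>
  Port 990
  TLSRequired on
</VirtualHost>
"""
DEFAULTS = {"tlsengine": "off", "tlsrequired": "off", "port": "21"}
REQUIRED = {"on": "TLS required", "ctrl": "TLS required on control channel"}

def audit_tls(conf_text):
    """Map each server ('main' or 'vhost <addr>') to (port, TLS verdict)."""
    scopes = {"main": {}, "global": {}}
    stack = ["main"]  # stack[-1] names the scope that directives land in
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        opening = re.match(r"<(\w+)\s*([^>]*)>", line)
        if line.startswith("</") and len(stack) > 1:
            stack.pop()
        elif opening:
            kind = opening.group(1).lower()
            if kind == "virtualhost":
                stack.append("vhost " + opening.group(2).strip())
                scopes[stack[-1]] = {}
            else:  # <Global> switches scope; <IfModule> and others keep it
                stack.append("global" if kind == "global" else stack[-1])
        elif line:
            name, value = (line.split(None, 1) + [""])[:2]
            if name.lower() in DEFAULTS:
                scopes[stack[-1]][name.lower()] = value.strip().lower()
    report = {}
    for server in (s for s in scopes if s != "global"):
        # Assumption: a server's own directive overrides the <Global> one.
        eff = {**DEFAULTS, **scopes["global"], **scopes[server]}
        tls_on = eff["tlsengine"] == "on"
        verdict = REQUIRED.get(eff["tlsrequired"], "TLS optional")
        report[server] = (eff["port"], verdict if tls_on else "plaintext only")
    return report

print(audit_tls(SAMPLE_CONF))
```

Any listener reported as "TLS optional" or "plaintext only" will still accept a clear-text USER/PASS exchange.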
I haven’t setup tls on a proftpd server yet so without trying it out I am probably a bad source. But if you want me to login to your box and play around with it I’d be happy to just to see it working :).
It’s pretty much the same as setting up SSL in the apache config file. I know you can now setup SSL with SiteWorx although I haven’t tried it because I already set a manual way of doing it on my server that is really easy. But if you haven’t set it up on Apache what I said probably didn’t help you too much.
There are 3 parts to setup SSL:
The certificate, which I guess is just another term for public key. This is what the client uses to encrypt the first request to establish a secure connection. Everyone can encrypt with it, but only the person (hopefully just you) with the private key can decrypt it.
The private key
The certificate authority certificate. This is from whomever you buy your certificate from. I think it’s what the browsers look at to see if that is a trusted certificate.
So to set this up in ProFTPD you have these lines:
I’m not sure if you could just create a private key / certificate and use it as unsigned (no CAcertificate.crt). Maybe you should try using the SiteWorx SSL feature and then make the /path/to/ssl point to where those are stored.
Or you could just wait till the next update of Iworx ProFTPD because I guess there is a demand for it and they are right there to meet that demand (Good job guys, like to see you stay ahead of the curve) http://interworx.info/forums/showthread.php?p=3417
I just tried something that works and you won’t have to create your own key and certificate!
Also, the compile code is a little different now. This is if you are on a Redhat 9.0 box. If you are on another box then you change out the rht90 for your OS.
I just did this exact thing on my Red Hat 9 box since something got messed up when I rebooted about a week ago because I think Iworx changed all the RPMs now for each linux OS.
Good luck and hopefully this should get you up and running with your SFTP server.
Did you mean proftpd.conf or proftpd.conf.rpmnew? I thought it would look at .conf and not the .rpmnew.
Do I add it AFTER the /GLOBAL?
Lastly, sadly, I have to ask - how do I choose to turn it on? I figured it would be on by default if I try to connect using TLS now. When I try to connect with TLS after following those steps, I still get:
So no go =/ I have no trouble connecting with SSL with this app otherwise =/ I’m thinking I have to enable SSL on ProFTPD somewhere… somehow.
EDIT: I modified the proftpd.conf file instead, since I was sure that’s the one proftpd uses - and I got a somewhat different response. It looks like it’s TRYING now. The .conf.rpmnew file was just created so that it wouldn’t replace the .conf on us. It’s not the one ProFTPD looks at/for.
After adding the TLS code you pasted into proftpd.conf, I get:
Sorry about the mis-info on the .rpmnew, I have recompiled this a couple times and got confused on which one was which.
I just double checked putting the Interworx Certificate code in the real .conf file on my server and it still works so the new error you have is probably something with your FTP program. Try using SmartFTP (www.smartftp.com).
And make sure to use Explicit.
[EDIT]
I just installed FlashFXP trial and was able to connect to my server using both Auth_TLS and Auth_SSL. I did get a warning about the InterWorx Certificate being self-signed, but that’s it.
Pfft - as if you have any reason to apologize to me for ANYTHING! =)
I can see how it would be confusing - I remember seeing the message after it compiled.
I used CuteFTP Pro 7 and tried Explicit and that didn’t work either. I’ll try SmartFTP. I’ll keep you posted.