Mailinglist Archive: opensuse (856 mails)

Re: [opensuse] vsftpd and SSL failure WITH SOME PROGRESS


On 02.10.2016 at 08:35, Marc Chamberlin wrote:
Hello again Becki and OpenSuSE folks - Sorry for my delay in responding, I got sidelined this week on other problems.... Yes I am using self signed certificates and used a more nuanced approach in generating them starting with a self signed CA, and then using it to sign a certificate for my server. The process I followed is described at - http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority/21340898#21340898

I also followed all the steps to verify the certificates and nothing seems wrong with them. I even imported my CA certificate into Windows and it did not complain about it either and was willing to display the contents back to me after I had installed it. So I really don't get a feeling that anything is wrong with the certificates or with the keys...

To do a bit of further testing I used openssl in its client mode to connect to my server and turned on debug messages as well. I got a different error message, as can be seen in the following output, which seems suspicious to my untrained eyes but I really don't know what it means. Google is not providing me any joy either...

Doing this on my OpenSuSE server -
openssl s_client -connect localhost:21 -state -nbio
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
139683917674128:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 261 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE


And doing this on my Windows 10 laptop using the GNU tools -

c:\Program Files (x86)\GnuWin32\bin>openssl s_client -starttls ftp -connect bigbang:21 -state -nbio
Loading 'screen' into random state - done
CONNECTED(00000208)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
7848:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:./ssl/s23_clnt.c:585:

Anyone want to hazard a guess as to what this "unknown protocol" error means?

Thanks again for any and all suggestions, I am kinda lost... Marc...


hello marc,

still kind of lost? i know how it feels being stuck with software problems ...

a few things that come to my mind.

if you're not really an SSL/TLS certificate pro i would recommend giving a test certificate a try.
this way you can narrow down errors or at least be sure that there's nothing wrong with the certificate.

in my vsftpd config i have SSL version 2 and 3 disabled.
please check yours, in the error log above it says sslv2/v3 error
if you disable ssl v2/3 in vsftpd how should one be able to connect?

make sure openssl allows self signed certificates. there must be another --param for that too?

importing certificates into windows. also here some problems are possible.

because with the certificate authority (CA) certificate you need to tell windows that this is a CA cert.
the 'normal' cert, the one that got signed by your CA, can be installed with the default settings

another thing ...

the permissions on the certificates for vsftpd must be very strict!
0600 / 0400 by root, otherwise vsftpd will complain

also ....

the 'home' folder of the system user, the folder which vsftpd is going to use, must also be owned by root
if that is not the case i remember having some strange error messages ...

have fun debugging and best of luck ;)

greetings
becki
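The config and permission checks becki lists above, as an added example that is not part of the thread: a small Python audit of a vsftpd.conf text (the ssl_enable / ssl_sslv2 / ssl_sslv3 / ssl_tlsv1 directives and the mode and owner of rsa_cert_file / rsa_private_key_file). The built-in defaults for absent directives are taken from vsftpd.conf(5) as I recall them; the sample configs and the stand-in certificate file in demo() are constructed, not Marc's or becki's.

```python
import os
import pathlib
import tempfile

# Built-in defaults per vsftpd.conf(5), applied when a line is absent, and the values needed for TLS.
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES"}
WANTED = {"ssl_enable": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES"}

def parse_vsftpd_conf(text):
    """vsftpd.conf is plain key=value, one per line; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd_tls(text, owner_uid=0):
    """Return findings as strings; an empty list means the checks from the thread all pass."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, want in WANTED.items():
        got = conf.get(key, DEFAULTS[key]).upper()
        if got != want:
            findings.append(f"{key}={got}, expected {want}")
    # rsa_private_key_file is optional: when absent vsftpd reads the key from rsa_cert_file
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        path = conf.get(key)
        if not path:
            continue
        if not os.path.exists(path):
            findings.append(f"{key}: {path} does not exist")
            continue
        st = os.stat(path)
        if st.st_mode & 0o077:  # group/other bits set: looser than the 0600/0400 vsftpd wants
            findings.append(f"{key}: {path} mode {st.st_mode & 0o777:04o}, expected 0600 or 0400")
        if st.st_uid != owner_uid:
            findings.append(f"{key}: {path} owned by uid {st.st_uid}, expected {owner_uid}")
    return findings

def demo():
    """Audit a constructed 'before' and 'after' config against a stand-in certificate file."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = pathlib.Path(tmp, "vsftpd.pem")  # constructed stand-in, not a real certificate
        pem.write_text("constructed placeholder, not a real certificate\n")
        pem.chmod(0o644)  # world-readable, as a file copied in by hand often is
        # owner_uid is the current user here; on a real server the expected owner is root (uid 0)
        weak = audit_vsftpd_tls(f"ssl_enable=YES\nssl_sslv3=YES\nrsa_cert_file={pem}\n", os.getuid())
        pem.chmod(0o600)
        fixed = audit_vsftpd_tls(f"ssl_enable=YES\nssl_sslv3=NO\nrsa_cert_file={pem}\n", os.getuid())
    return weak, fixed
```

Run it against the real file with audit_vsftpd_tls(open("/etc/vsftpd.conf").read()) as root; the default owner_uid of 0 then matches what becki describes.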


