SUN-Jail – Solaris 10 convicted! Part II: Dammit… I forgot to lock the door!


OK… so hopefully you already went through Part I, but if not, this may not make much sense, as I am not going to revisit anything here.  This is for the mod_tls setup for FTPS or FTPES (explicit FTP over TLS, which is the mode FileZilla offers)… I was not familiar with the FTPES connection state, but now I am and so are you… I was using FireFTP and everything was working fine, but in the interest of testing more than what I use, I found this new tidbit of information 🙂

So let's first tweak the proftpd.conf file by adding this to the bottom of the file:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
Take note of the files referenced here.  Go ahead and create the log directory (/var/log/proftpd); definitely do this, as you will need the TLS log if anything is not working… and then we can move on to making the key/cert.  Keep in mind that I am using webmin for the proftpd control, and it applies changes after a save, eliminating the need for a manual restart of proftpd 🙂

Make this directory first, or the key/cert command will whine like a bitty baby because it cannot write the output files…

mkdir -p /etc/proftpd/ssl

Then make the key/cert:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Note that -nodes writes the private key unencrypted so proftpd can start without a passphrase, so keep proftpd.key.pem readable by root only.

Make sure to answer all the posed questions; the Common Name is the one that matters, since clients compare it to the host name they connect to:

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

And again now we are done.  Not too bad… right?  I set up a few test users so I could tail the TLS log (/var/log/proftpd/tls.log) and watch as they log in, to make sure I can see what is expected as well as what isn't…

May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:27 mod_tls/2.2.1[2021]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake
May 25 15:36:33 mod_tls/2.2.1[2023]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
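Because TLSRequired is off, a client can finish the control-channel handshake and still move files in the clear if it never sends PROT P (the "Protection set to Private" line). The script below is an added example, not from the original post: it groups a tls.log by session pid and flags sessions that never completed the handshake or never protected the data channel. The log lines in it are constructed to match the format shown above.

```shell
#!/bin/sh
# Added example: summarise a ProFTPD mod_tls TLSLog per session ([pid]).
# Constructed sample lines in the format the post shows (not real sessions):
# 2020 completes everything, 2022 never issues PROT P, 2023 never finishes
# the handshake.
SAMPLE_LOG='May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake'

# Reads a TLSLog on stdin and prints one line per session:
#   <pid> <OK|DATA_CHANNEL_CLEAR|HANDSHAKE_INCOMPLETE> <cipher or ->
tls_session_report() {
    awk '
    {
        # the bracketed number after mod_tls/x.y.z is the session pid
        if (!match($0, /\[[0-9]+\]/)) next
        pid = substr($0, RSTART + 1, RLENGTH - 2)
        if (!(pid in seen)) { seen[pid] = 1; order[n++] = pid }
        # "connection accepted" carries the negotiated cipher and key size
        if (match($0, /using cipher [^ ]+ \([0-9]+ bits\)/))
            cipher[pid] = substr($0, RSTART + 13, RLENGTH - 13)
        # PROT P succeeded: data connections will be encrypted too
        if ($0 ~ /Protection set to Private/) priv[pid] = 1
    }
    END {
        for (i = 0; i < n; i++) {
            p = order[i]
            if (!(p in cipher))    status = "HANDSHAKE_INCOMPLETE"
            else if (!(p in priv)) status = "DATA_CHANNEL_CLEAR"
            else                   status = "OK"
            printf "%s %s %s\n", p, status, (p in cipher) ? cipher[p] : "-"
        }
    }'
}

# Usage against the sample; for a live server: tls_session_report < /var/log/proftpd/tls.log
printf '%s\n' "$SAMPLE_LOG" | tls_session_report
```

Sessions reported as DATA_CHANNEL_CLEAR are the ones to chase down before deciding whether TLSRequired can be turned on.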

  1. #1 by gmconklin on June 1, 2010 - 1:13 pm

    Well upon investigating and/or doing a final review of the prod server in question… I guess I work with Linux too much and didn’t realize/check that/if Solaris would start this service @ boot… of course you know that answer already, it did not. Thanks to the client rebooting for some unknown reason… this was discovered… so you need to add an entry into /etc/init.d for proftpd… just create this in the webmin interface and it will be great… here is what it looks like however:

    #!/bin/sh
    # /etc/init.d/proftpd: start the proftpd service at boot time

    case "$1" in
    'start')
        /usr/local/sbin/proftpd
        ;;
    'stop')
        # no stop action is defined here
        ;;
    *)
        echo "Usage: $0 { start | stop }"
        ;;
    esac
    exit 0
