ProFtpd SSL/TLS configuration: Difference between revisions
Latest revision as of 17:00, 30 November 2018
It is assumed that the SSL certificates are already available.
- Enable the SSL configuration:
sed -i -e "s_^#Include /etc/proftpd/tls.conf_Include /etc/proftpd/tls.conf_" /etc/proftpd/proftpd.conf
- Edit the TLS configuration, inserting the correct certificate names:
sudo tee /etc/proftpd/tls.conf <<'EOFile'
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS imposes some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# SSLv23 is the permissive legacy setting; a restrictive list such as
# "TLSProtocol TLSv1.2" is preferable where the clients support it.
TLSProtocol SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:2048 \
#   -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#   -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0644 /etc/ssl/certs/proftpd.crt
#
TLSRSACertificateFile /var/lib/dehydrated/certs/ftp.diesis.priv/fullchain.pem
TLSRSACertificateKeyFile /var/lib/dehydrated/certs/ftp.diesis.priv/privkey.pem
#
# CA the server trusts...
TLSCACertificateFile /var/lib/dehydrated/certs/ftp.diesis.priv/chain.pem
# ...or avoid CA cert and be verbose
#TLSOptions NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
#TLSRequired on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
</IfModule>
EOFile
- Restart proftpd:
systemctl restart proftpd
systemctl status proftpd.service -l
- Try connecting with FileZilla.
- If proftpd goes to 100% CPU (see the ProFTPD forum thread "100% CPU load for any TLS secured transfer", https://forums.proftpd.org/smf/index.php?topic=3510.0), try adding the directive:
SocketOptions sndbuf 1024 rcvbuf 1024
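A small audit of the mod_tls block produced above, added here as an example and not part of the original page: it parses the active directives of a tls.conf and flags what the sample leaves permissive (TLSProtocol SSLv23) or commented out (TLSRequired, so plaintext FTP logins remain accepted). The embedded sample configuration and its certificate paths are constructed placeholders.

```python
"""Audit a ProFTPD mod_tls block for permissive or missing TLS settings."""
from typing import Dict, List

# Constructed sample: the active directives of the tls.conf above, with
# placeholder certificate paths (not the page's real paths).
SAMPLE_TLS_CONF = """
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /path/to/fullchain.pem
TLSRSACertificateKeyFile /path/to/privkey.pem
#TLSRequired on
#TLSOptions AllowClientRenegotiations
</IfModule>
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map each active (uncommented) directive to its values, merging repeats."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # comments and <IfModule> markers carry no directive
        parts = line.split(None, 1)
        values = parts[1].split() if len(parts) > 1 else []
        found.setdefault(parts[0], []).extend(values)
    return found


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings: List[str] = []
    if (d.get("TLSEngine") or ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not on: FTPS is disabled")
    # An absent TLSProtocol is treated here as the permissive legacy default.
    protos = {p.upper() for p in (d.get("TLSProtocol") or ["SSLv23"])}
    if protos & {"SSLV23", "SSLV3", "TLSV1", "TLSV1.1"}:
        findings.append("TLSProtocol allows legacy protocols; restrict to TLSv1.2 or newer")
    if (d.get("TLSRequired") or ["off"])[0].lower() == "off":
        findings.append("TLSRequired is off: unencrypted FTP logins are still accepted")
    if "allowclientrenegotiations" in {o.lower() for o in d.get("TLSOptions", [])}:
        findings.append("TLSOptions AllowClientRenegotiations reopens CVE-2009-3555")
    if "TLSRSACertificateKeyFile" not in d:
        findings.append("TLSRSACertificateKeyFile missing: no server private key configured")
    return findings
```

Run `audit(open("/etc/proftpd/tls.conf").read())` on the real file after editing it; the sample above yields two findings (TLSProtocol and TLSRequired).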