SSL | Dirk-Jan's blog

vsftpd and SSL

November 28th, 2009 No comments

This howto describes how to configure vsftpd to enable SSL using so called intermediate/ chaining certificates.

Edit vsftpd.conf so that SSL is enabled:

ssl_enable=YES

rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem

force_local_data_ssl=NO

force_local_logins_ssl=NO

It is very important to construct the certificate file /usr/share/ssl/certs/vsftpd.pem with the correct certificate order. The fist Your certificate file has to be a .pem file. If you also received an Intermediate Certificate then you have to concatenate this with the Domain Certificate and your Private Key file into one single .pem file. Make sure all the information is included, without any spaces or blanks, see below.

—–BEGIN CERTIFICATE—–

 (your_domain_name.crt)

—–END CERTIFICATE KEY—–

—–BEGIN CERTIFICATE—–

 (chaining certificate 3)

—–END CERTIFICATE KEY—–

—–BEGIN CERTIFICATE—–

 (chaining certificate 2)

—–END CERTIFICATE KEY—–

—–BEGIN CERTIFICATE—–

 (chaining certificate 1)

—–END CERTIFICATE KEY—–

—–BEGIN RSA PRIVATE KEY—–

 (your_domain_name.key)

 —–END RSA PRIVATE KEY—–

This is how to check a SSL enabled FTP service (FTP Secure). See the result below:

$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"

Password: 

—- Connecting to ftp.student.vu.nl (130.37.129.243) port 21

<— 220 Welcome to the Storage FTP service.

—> FEAT

<— 211-Features:

<—  AUTH SSL

<—  AUTH TLS

<—  EPRT

<—  EPSV

<—  MDTM

<—  PASV

<—  PBSZ

<—  PROT

<—  REST STREAM

<—  SIZE

<—  TVFS

<—  UTF8

<— 211 End

—> AUTH TLS

<— 234 Proceed with negotiation.

—> OPTS UTF8 ON

Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl

 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA

 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA

  Trusted

Certificate: C=NL,O=TERENA,CN=TERENA SSL CA

 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

  Trusted

Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

<— 200 Always in UTF8 mode.

—> USER xxx330

<— 331 Please specify the password.

—> PASS XXXX

<— 230 Login successful.       

—> PWD

<— 257 "/"

—> PBSZ 0

<— 200 PBSZ set to 0.

—> PROT P

<— 200 PROT now Private.

—> PROT P

<— 200 PROT now Private.

—> PASV

<— 227 Entering Passive Mode (130,37,129,243,196,139).

—- Connecting data socket to (130.37.129.243) port 50315

—- Data connection established

—> LIST

<— 150 Here comes the directory listing.

Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl

 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA

 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA

  Trusted

Certificate: C=NL,O=TERENA,CN=TERENA SSL CA

 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

  Trusted

Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware

 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root

  Trusted

—- Got EOF on data connection 

—- Closing data socket

drwxrwsr-x    3 72745    513          4096 Oct 23 14:28 public_html

<— 226 Directory send OK.

—> QUIT

—- Closing control socket

$

Categories: Blog Tags: Linux, SSL, vsftpd

eToken, Personal certificate and the Mozilla suite

August 26th, 2009 No comments

Recently I have a personal certificate also known as a Digital ID on a smart card (Aladdin eToken) to access a secure web service. While installing the certificate I noticed it is also possible to use it to digitally sign and encrypt email with the same certificate, so I fired up Thunderbird and added the PCKS#11 security device to configure signing using S/MIME. See the steps below.

“PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards.” (Source: http://en.wikipedia.org/wiki/PKCS11)

I assume you already have installed the eToken software. In case you haven’t, take a look at this article I wrote earlier.

Open Thunderbird and go to Preferences -> Advanced -> Encryption -> Security Devices

Click on “Load” and enter a Module name or choose the default like I did, which is “New PKCS#11 Module” and browse for the ‘libeTPkcs11.so’ library. This file probably sits in ‘/usr/lib’ or ‘/usr/lib64′. Be sure to pick the right one, because you need the 64bit version if you’re using 64bit Firefox.

Open Account Settings -> Security

Select the certificate on your smart card you like to use.

Thunderbird and Firefox are not bundled with the needed CA’s to support GlobalSign PersonalSign Class 2 out-of-the-box. You have to Import the GlobalSign Primary Class 2 CA (http://secure.globalsign.net/cacert/PrimClass2.crt) and GlobalSign PersonalSign Class 2 CA (http://secure.globalsign.net/cacert/PersonalSignClass2.crt) to make it work in Thunderbird, otherwise you’ll notice you’re not able to send digitally signed email.

Categories: Blog Tags: Linux, PKI, SSL, Thunderbird

Secured by CAcert

April 8th, 2009 No comments

In oder to secure this personal website I have recently joined the CAcert community. This community driven certificate authority issues free public key certificates. After signing up I created two server certificates, one for the webserver and the other one for secure mail and ldap services.
So if you are using any web or mail related service on the vleeuwen.net domain I would recommend to import the CAcert root certificate. See the CAcert site for more information.

Hopefully one day Mozilla will make the right decision and include the CAcert root keys in their products.

Categories: Blog Tags: CAcert, SSL

Dirk-Jan’s blog

Archive

vsftpd and SSL

eToken, Personal certificate and the Mozilla suite

Secured by CAcert

Archives

Categories