Forum Discussion
eton
Jan 28, 2013 (Luminary)
FTPS access over WAN?
Setting up an FTP connection over WAN to a ReadyNAS device can be very tricky. After some time I found a solution and posted it here.
But I have noticed that it's possible to log in over FTPS locally, but not from outside, from the WAN. Strange; parts of this WAN block live on.
The interesting stuff starts below, in the second post.
First, where are all the ProFTPD files located? Here:
# find / \( -path '/c' -o -path '/USB' \) -prune -or -iname '*proftpd*' -exec ls -ld {} \;
drwx------ 2 admin admin 16384 Jan 21 14:57 /etc/default/config/etc/frontview/proftpd
-rw------- 1 admin admin 168 Jan 17 2007 /etc/default/config/etc/frontview/usb/access/non-share/proftpd
-rw------- 1 admin admin 162 Jan 17 2007 /etc/default/config/etc/frontview/usb/access/non-share/proftpd.vfat
-rw------- 1 admin admin 159 Jul 11 2006 /etc/default/config/etc/frontview/usb/access/share/proftpd
-rw------- 1 admin admin 153 Jul 11 2006 /etc/default/config/etc/frontview/usb/access/share/proftpd.vfat
-rw-r--r-- 1 admin admin 2006 Apr 8 2009 /etc/default/config/etc/proftpd.conf
-rw-r--r-- 1 root root 211 Jul 11 2006 /etc/default/proftpd
-rwxr-xr-x 1 root root 4200 Jun 5 2008 /etc/init.d/proftpd
drwxr-xr-x 2 admin admin 16384 Jan 21 15:08 /etc/frontview/proftpd
-rw------- 1 admin admin 168 Jan 17 2007 /etc/frontview/usb/access/non-share/proftpd
-rw------- 1 admin admin 162 Jan 17 2007 /etc/frontview/usb/access/non-share/proftpd.vfat
-rw------- 1 admin admin 169 Jan 21 15:08 /etc/frontview/usb/access/share/proftpd
-rw------- 1 admin admin 163 Jan 21 15:08 /etc/frontview/usb/access/share/proftpd.vfat
-rw-r--r-- 1 root root 298 Aug 25 00:55 /etc/pam.d/proftpd
-rw-r--r-- 1 admin admin 2138 Jan 25 22:18 /etc/proftpd.conf
-rwxr-xr-x 1 root root 1139488 Nov 10 2011 /usr/sbin/proftpd
-rw-r--r-- 1 root root 36 Nov 10 2011 /var/lib/dpkg/info/proftpd.list
-rw-r----- 1 root root 15885 Jan 28 14:19 /var/log/proftpd.log
drwxr-xr-x 2 nobody admin 16384 May 22 2008 /var/run/proftpd
srwxrwxrwx 1 root root 0 Jan 25 22:18 /var/run/proftpd.sock
-rw-r--r-- 1 root root 632 Jan 28 14:19 /var/run/proftpd.scoreboard
-rw-r--r-- 1 root root 6 Jan 25 22:18 /var/run/proftpd.pid
-rw-r--r-- 1 root root 6440 Jan 25 22:17 /var/run/proftpd.delay
The active FTP configuration file is /etc/proftpd.conf. It looks like this:
# cat /etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody/nogroup" and "ftp" for normal operation and anon.
ServerName "NETGEAR ReadyNAS"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
AllowStoreRestart on
UseReverseDNS off
IdentLookups off
TimesGMT off
WtmpLog off
ServerLog /var/log/proftpd.log
SystemLog /var/log/proftpd.log
TransferLog /var/log/proftpd.log
BanLog /var/log/proftpd.log
MaxLoginAttempts 2
BanEngine on
BanTable /ramfs/ftp_ban.tbl
BanOnEvent MaxLoginAttempts 5/00:10:00 00:15:00
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message
DenyFilter \*.*/
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd on
# Uncomment this if you would use quota module:
#Quotas on
# Port 21 is the standard FTP port.
Port 21
MasqueradeAddress duo
DynMasqRefresh 7200
PassivePorts 49000 49020
AllowForeignAddress on
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
AllowOverwrite on
</Directory>
Include /etc/frontview/proftpd/ftps.conf
Include /etc/frontview/proftpd/User.conf
And it includes an FTPS conf file, /etc/frontview/proftpd/ftps.conf, that reads:
# cat /etc/frontview/proftpd/ftps.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/frontview/apache/apache.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
TLSOptions NoSessionReuseRequired
</IfModule>
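The ftps.conf above carries two settings a defender would change before exposing the service to the WAN: TLSProtocol SSLv23 lets the server negotiate down to SSLv3, and TLSRequired off lets a client skip AUTH TLS altogether, so a password can cross the WAN in clear text. The checker below is an added example, not code from this thread, NETGEAR or ProFTPD. It parses the "Directive value" lines of a mod_tls block and reports those findings; WEAK_CONF is a constructed copy of the file above, and HARDENED_CONF is an assumed replacement (TLSv1 is the strongest TLSProtocol value this ProFTPD 1.3.3 generation accepts; newer releases also take TLSv1.2).

```python
"""Audit a ProFTPD mod_tls block for settings that weaken FTPS.

Added example, not code from the thread, NETGEAR or ProFTPD. It parses
'Directive value' lines, skipping comments and <IfModule> tags, and
reports the findings a defender would act on.
"""

# Constructed copy of the directives in the ReadyNAS ftps.conf shown above.
WEAK_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
TLSRSACertificateFile /etc/frontview/apache/apache.pem
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
TLSOptions NoSessionReuseRequired
</IfModule>
"""

# Assumed hardened replacement: TLS-only logins, no SSLv3 negotiation.
HARDENED_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1
TLSRequired on
TLSRSACertificateFile /etc/frontview/apache/apache.pem
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
</IfModule>
"""


def parse_directives(text):
    """Return [(directive, value)] in file order; comments and tags are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def audit(text):
    """Return [(directive, problem)] for a mod_tls configuration text."""
    values = {}
    for name, value in parse_directives(text):
        values.setdefault(name, []).append(value)

    findings = []
    for name, seen in values.items():
        if len(seen) > 1:
            findings.append((name, "appears %d times; keep one line so the "
                                   "intended value is unambiguous" % len(seen)))

    # Documented mod_tls defaults: TLSEngine off, TLSRequired off. The
    # SSLv23 fallback for a missing TLSProtocol is an assumption.
    if values.get("TLSEngine", ["off"])[-1].lower() != "on":
        findings.append(("TLSEngine", "mod_tls is disabled; AUTH TLS will be refused"))

    proto = values.get("TLSProtocol", ["SSLv23"])[-1]
    if "SSLv23" in proto or "SSLv3" in proto:
        findings.append(("TLSProtocol", "'%s' allows SSLv3; restrict to TLSv1 or newer" % proto))

    if values.get("TLSRequired", ["off"])[-1].lower() == "off":
        findings.append(("TLSRequired", "off lets clients log in without TLS, "
                                        "so passwords can cross the WAN in clear text"))

    if "TLSRSACertificateFile" not in values and "TLSDSACertificateFile" not in values:
        findings.append(("TLSRSACertificateFile",
                         "no server certificate configured; the handshake cannot complete"))
    return findings


if __name__ == "__main__":
    for directive, problem in audit(WEAK_CONF):
        print("%-22s %s" % (directive, problem))
    print("hardened findings:", audit(HARDENED_CONF))
```

TLSVerifyClient off is deliberately not flagged: client certificates are optional in FTPS and none of the clients in this thread have one. To check a live file, call audit() on the contents of /etc/frontview/proftpd/ftps.conf.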
22 Replies
- eton (Luminary): First, comparing the logs proftpd.log and tls.log for differences when logging in and out with FTPS over LAN and WAN respectively.
FTPS over LAN - proftpd.log
# tail -f /var/log/proftpd.log
Jan 28 15:33:01 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): FTP session opened.
Jan 28 14:33:05 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): Preparing to chroot to directory '/home/ftp'
Jan 28 14:33:05 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): USER bob: Login successful.
Jan 28 14:33:14 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): FTP session closed.
FTPS over LAN - tls.log
# tail -f /var/ftpd/tls.log
Jan 28 15:33:01 mod_tls/2.4.2[29900]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 28 15:33:01 mod_tls/2.4.2[29900]: TLS/TLS-C requested, starting TLS handshake
Jan 28 15:33:02 mod_tls/2.4.2[29900]: TLSv1/SSLv3 connection accepted, using cipher AES128-SHA (128 bits)
Jan 28 15:33:04 mod_tls/2.4.2[29900]: Protection set to Private
Jan 28 14:33:06 mod_tls/2.4.2[29900]: starting TLS negotiation on data connection
Jan 28 14:33:06 mod_tls/2.4.2[29900]: TLSv1/SSLv3 renegotiation accepted, using cipher AES128-SHA (128 bits)
Jan 28 14:33:06 mod_tls/2.4.2[29900]: TLSv1/SSLv3 data connection accepted, using cipher AES128-SHA (128 bits)
Everything works fine. But notice the differences in time: the hour should be 14 for all events.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Ok, let's move on to connecting over WAN.
FTPS over WAN - proftpd.log
# tail -f /var/log/proftpd.log
Result: The connection could not be established.
Jan 28 15:45:19 duo proftpd[29939] 10.0.1.160 (119.78.39.30[119.78.39.30]): FTP session opened.
Jan 28 15:45:20 duo proftpd[29939] 10.0.1.160 (119.78.39.30[119.78.39.30]): FTP session closed.
FTPS over WAN - tls.log
# tail -f /var/ftpd/tls.log
Result: The connection could not be established.
Jan 28 15:45:19 mod_tls/2.4.2[29939]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 28 15:45:20 mod_tls/2.4.2[29939]: TLS/TLS-C requested, starting TLS handshake
Jan 28 15:45:20 mod_tls/2.4.2[29939]: unable to accept TLS connection: received EOF that violates protocol
Jan 28 15:45:20 mod_tls/2.4.2[29939]: TLS/TLS-C negotiation failed on control channel
- eton (Luminary): That leads to OpenSSL.
# echo $SSL_CERT_DIR
Empty.
Where are the OpenSSL files stored? Here:
# find / \( -path '/c' -o -path '/USB' \) -prune -or -iname '*OpenSSL*' -exec ls -ld {} \;
-rw-r--r-- 1 root root 7782 Jul 16 2005 /etc/ssl/openssl.cnf
-rwxr-xr-x 1 root root 395784 May 20 2008 /usr/bin/openssl
lrwxrwxrwx 1 root root 20 Jan 21 14:58 /usr/lib/ssl/openssl.cnf -> /etc/ssl/openssl.cnf
-rwxr-xr-x 1 root root 1013 Jan 22 16:22 /usr/local/lib/libevent_openssl.la
-rwxr-xr-x 1 root root 94924 Jan 22 16:22 /usr/local/lib/libevent_openssl-2.0.so.5.0.1
lrwxrwxrwx 1 root root 29 Jan 22 16:22 /usr/local/lib/libevent_openssl-2.0.so.5 -> libevent_openssl-2.0.so.5.0.1
lrwxrwxrwx 1 root root 29 Jan 22 16:22 /usr/local/lib/libevent_openssl.so -> libevent_openssl-2.0.so.5.0.1
-rw-r--r-- 1 root root 21 May 20 2008 /var/lib/dpkg/info/openssl.conffiles
-rw-r--r-- 1 root root 17851 May 20 2008 /var/lib/dpkg/info/openssl.list
Inside openssl.cnf:
# cat /etc/ssl/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number must be
# commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
- eton (Luminary): Can anyone see what causes this and what's wrong?
One of the more interesting parts is the FTPS over WAN tls.log:
Jan 28 15:45:20 mod_tls/2.4.2[29939]: TLS/TLS-C requested, starting TLS handshake
Jan 28 15:45:20 mod_tls/2.4.2[29939]: unable to accept TLS connection: received EOF that violates protocol
Jan 28 15:45:20 mod_tls/2.4.2[29939]: TLS/TLS-C negotiation failed on control channel
How come TLS can establish a handshake locally but not from outside?
This was interesting: http://www.proftpd.org/docs/howto/TLS.html
Question: How do I generate the certificate files used by mod_tls?
Answer: The mod_tls module uses the same certificate files as Apache's mod_ssl. The mod_ssl documentation explains what the files are, how they are used, and how to generate your own: http://www.modssl.org/docs/2.7/ssl_faq.html#ToC28
- StephenB (Guru - Experienced User): I am not sure what is wrong in your case, but I routinely access my Pro with ftps ("require explicit FTP over TLS" choice in FileZilla). Implicit FTP over TLS does not work.
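The log comparison earlier in the thread and the question just above both turn on reading two files side by side. Both proftpd.log and tls.log print the handling process id in brackets, and as eton noticed the two files do not even agree on the hour, so the PID rather than the timestamp is the safe join key. The script below is an added example, not code from the thread, NETGEAR or ProFTPD: it joins the two logs per session, records whether the login succeeded and how the control-channel TLS handshake ended, and flags sessions whose stamps spread far wider than the session lasted. The sample lines are constructed from the thread's LAN and WAN sessions, with the WAN peer replaced by a TEST-NET address.

```python
"""Join ProFTPD's proftpd.log with mod_tls's tls.log per session.

Added example, not code from the thread, NETGEAR or ProFTPD. Both logs
carry the handling process id in brackets, so the PID (not the timestamp)
is the join key. The sample lines are constructed from the thread's LAN
and WAN sessions; the WAN peer is replaced by a TEST-NET address.
"""
import re
from datetime import datetime

PROFTPD_LOG = """\
Jan 28 15:33:01 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): FTP session opened.
Jan 28 14:33:05 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): Preparing to chroot to directory '/home/ftp'
Jan 28 14:33:05 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): USER bob: Login successful.
Jan 28 14:33:14 duo proftpd[29900] 10.0.1.160 (10.0.1.15[10.0.1.15]): FTP session closed.
Jan 28 15:45:19 duo proftpd[29939] 10.0.1.160 (203.0.113.7[203.0.113.7]): FTP session opened.
Jan 28 15:45:20 duo proftpd[29939] 10.0.1.160 (203.0.113.7[203.0.113.7]): FTP session closed.
"""

TLS_LOG = """\
Jan 28 15:33:01 mod_tls/2.4.2[29900]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 28 15:33:01 mod_tls/2.4.2[29900]: TLS/TLS-C requested, starting TLS handshake
Jan 28 15:33:02 mod_tls/2.4.2[29900]: TLSv1/SSLv3 connection accepted, using cipher AES128-SHA (128 bits)
Jan 28 15:33:04 mod_tls/2.4.2[29900]: Protection set to Private
Jan 28 14:33:06 mod_tls/2.4.2[29900]: starting TLS negotiation on data connection
Jan 28 14:33:06 mod_tls/2.4.2[29900]: TLSv1/SSLv3 data connection accepted, using cipher AES128-SHA (128 bits)
Jan 28 15:45:19 mod_tls/2.4.2[29939]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Jan 28 15:45:20 mod_tls/2.4.2[29939]: TLS/TLS-C requested, starting TLS handshake
Jan 28 15:45:20 mod_tls/2.4.2[29939]: unable to accept TLS connection: received EOF that violates protocol
Jan 28 15:45:20 mod_tls/2.4.2[29939]: TLS/TLS-C negotiation failed on control channel
"""

STAMP = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
PROFTPD_RE = re.compile(STAMP + r" \S+ proftpd\[(\d+)\] \S+ \(([^\[]+)\[[^\]]*\]\): (.*)$")
TLS_RE = re.compile(STAMP + r" mod_tls/[\d.]+\[(\d+)\]: (.*)$")


def _when(stamp):
    # Syslog-style stamp with no year; only differences between stamps are used.
    return datetime.strptime(re.sub(r"\s+", " ", stamp), "%b %d %H:%M:%S")


def correlate(proftpd_text, tls_text, skew_limit_s=1800):
    """Return {pid: session} with peer, login result, TLS outcome and skew flag."""
    sessions = {}

    def session(pid):
        return sessions.setdefault(pid, {
            "peer": None, "login_ok": False, "control_tls": "not requested",
            "failure": None, "stamps": []})

    for line in proftpd_text.splitlines():
        m = PROFTPD_RE.match(line)
        if not m:
            continue
        stamp, pid, peer, msg = m.groups()
        s = session(pid)
        s["peer"] = peer
        s["stamps"].append(_when(stamp))
        if msg.endswith("Login successful."):
            s["login_ok"] = True

    for line in tls_text.splitlines():
        m = TLS_RE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        s = session(pid)
        s["stamps"].append(_when(stamp))
        if msg.startswith("TLS/TLS-C requested"):
            s["control_tls"] = "handshake started"
        elif msg.startswith("TLSv1/SSLv3 connection accepted"):
            s["control_tls"] = "accepted"
        elif msg.startswith("unable to accept TLS connection: "):
            # OpenSSL's reason text; 'received EOF that violates protocol'
            # means the peer closed the TCP connection mid-handshake.
            s["failure"] = msg.split(": ", 1)[1]
        elif "negotiation failed on control channel" in msg:
            s["control_tls"] = "failed"

    for s in sessions.values():
        spread = (max(s["stamps"]) - min(s["stamps"])).total_seconds()
        s["clock_skew_s"] = spread
        # A seconds-long session whose stamps spread over an hour was written
        # with two different clocks: join on PID, never on time.
        s["clock_skew"] = spread >= skew_limit_s
        del s["stamps"]
    return sessions


def summarize(sessions):
    """One line per session, enough to see the LAN/WAN difference at a glance."""
    lines = []
    for pid, s in sorted(sessions.items()):
        lines.append("pid %s peer %s login=%s control_tls=%s%s%s" % (
            pid, s["peer"], s["login_ok"], s["control_tls"],
            " (%s)" % s["failure"] if s["failure"] else "",
            " CLOCK-SKEW %.0fs" % s["clock_skew_s"] if s["clock_skew"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(correlate(PROFTPD_LOG, TLS_LOG))))
```

The join answers what the logs can answer: the LAN session completed the handshake and logged in, the WAN session got as far as AUTH TLS and then saw the connection closed before the handshake finished. Whether the client or something between it and the NAS closed it is not recorded on the server side, which is why the thread cannot settle the cause from these two files alone.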
- eton (Luminary): Argh. My WAN reference client doesn't seem to ask for a certificate. I will try to add it manually. But hey, it works over LAN, so this might not be the cause of the connectivity problems. Where does ReadyNAS store the default certificate?
- eton (Luminary): Is it this file?
lrwxrwxrwx 1 admin admin 32 Jan 21 15:08 5041aabe.0 -> /etc/frontview/apache/apache.pem
- eton (Luminary): Can anyone confirm or deny if apache.pem is the TLS certificate on ReadyNAS?
- eton (Luminary):
StephenB wrote: I am not sure what is wrong in your case, but I routinely access my Pro with ftps ("require explicit FTP over TLS" choice in FileZilla). Implicit FTP over TLS does not work.
Thanks, yes, explicit FTP over TLS is the way. The Transmission FTP client calls it FTP with TLS/SSL, but it's about TLS for ReadyNAS. TLS at Wikipedia.
In my hunt for certificates, I used this command to list all non-binary files containing 'BEGIN RSA':
# find / \( -path /c -o -path /USB -o -path /home -o -path /proc -o -path /sys \) -prune -o -type f -exec grep -IiHn 'BEGIN RSA' {} \;
/etc/frontview/apache/apache.pem:1:-----BEGIN RSA PRIVATE KEY-----
/etc/ssh/ssh_host_rsa_key:1:-----BEGIN RSA PRIVATE KEY-----
/root/.ssh/id_rsa:1:-----BEGIN RSA PRIVATE KEY-----
That command took some time to complete on my poor Sparc machine :) In fact, I cancelled it.
This file also looks interesting: /etc/ssh/ssh_host_rsa_key.pub
Another way:
# find / \( -path /c -o -path /USB -o -path /home -o -path /proc -o -path /sys \) -prune -o -type f | egrep -i '\.(pub|key|pem|dsa|rsal|ppk)$'
/etc/frontview/apache/apache.pem
/etc/ssh/ssh_host_rsa_key.pub
/root/.ssh/id_rsa.pub
/usr/share/doc/libnet-ssleay-perl/examples/server_key.pem
- eton (Luminary): Looks like there is only one certificate file on the NAS. That is apache.pem.
# find / \( -path /c -o -path /USB -o -path /home -o -path /proc -o -path /sys \) -prune -o -type f -exec grep -IHn 'BEGIN CERTIFICATE' {} \;
/etc/frontview/apache/apache.pem:16:-----BEGIN CERTIFICATE-----
Here is some more about TLS:
http://wiki.filezilla-project.org/FTPS_ ... 8Server%29
http://wiki.filezilla-project.org/Network_Configuration
- eton (Luminary): Here is the log from FileZilla, using explicit FTP over TLS from WAN:
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.3g Server (NETGEAR ReadyNAS) [10.0.1.160]
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Error: Could not connect to server
I must have been blind. ftps.conf confirms that apache.pem is the certificate file:
TLSRSACertificateFile /etc/frontview/apache/apache.pem
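Read from the defender's side, eton's find/grep hunt through the thread is an inventory of key material: which files hold a private key, which hold a certificate, and who can read them. The thread's own answer is that apache.pem holds both the RSA private key (line 1) and the certificate (line 16), and that the same file serves the web interface and FTPS. The script below is an added example, not code from the thread or from NETGEAR: it walks a tree with os.walk, reads the head of each regular file for PEM markers, skips /proc-style pseudo filesystems, and flags private keys readable by group or others. The sample tree it builds is constructed (placeholder PEM bodies, and an assumed 0644 mode for apache.pem, since the thread never lists that file's permissions), laid out like the paths found above.

```python
"""Inventory PEM key material under a directory and flag exposed private keys.

Added example, not code from the thread or NETGEAR. It does with os.walk what
the thread's find/grep pipeline did, and adds the permission check: a private
key that group or others can read is the finding. The sample tree is
constructed in a temporary directory and its PEM bodies are placeholders.
"""
import os
import stat
import tempfile

KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----")
CERT_MARKER = b"-----BEGIN CERTIFICATE-----"


def inventory(root, prune=("proc", "sys", "dev"), head_bytes=65536):
    """Return [{path, has_key, has_cert, mode, exposed}] for PEM-bearing files."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo filesystems in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in prune]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets and devices are not key files
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue
            has_key = any(m in head for m in KEY_MARKERS)
            has_cert = CERT_MARKER in head
            if not (has_key or has_cert):
                continue
            mode = stat.S_IMODE(st.st_mode)
            found.append({
                "path": os.path.relpath(path, root),
                "has_key": has_key,
                "has_cert": has_cert,
                "mode": mode,
                # Group or other read/write/exec bits on a private key.
                "exposed": has_key and bool(mode & 0o077),
            })
    return sorted(found, key=lambda f: f["path"])


def exposed_keys(inv):
    """Paths from inventory() that hold a private key readable beyond its owner."""
    return [f["path"] for f in inv if f["exposed"]]


def build_sample_tree():
    """Constructed tree mirroring the thread's paths; returns its root."""
    root = tempfile.mkdtemp(prefix="pem-inventory-")
    key = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    cert = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    files = {
        # Assumed mode: the thread shows apache.pem's content, not its permissions.
        "etc/frontview/apache/apache.pem": (0o644, key + cert),
        "etc/ssh/ssh_host_rsa_key": (0o600, key),
        "etc/ssh/ssh_host_rsa_key.pub": (0o644, b"ssh-rsa PLACEHOLDER root@duo\n"),
        "usr/share/doc/examples/server_cert.pem": (0o644, cert),
        "proc/secret.pem": (0o644, key),  # must be pruned, never reported
    }
    for rel, (mode, body) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for f in inventory(sample):
        print("%04o key=%-5s cert=%-5s %s%s" % (
            f["mode"], f["has_key"], f["has_cert"], f["path"],
            "  <- EXPOSED" if f["exposed"] else ""))
```

Pointing inventory() at the NAS root does what the thread's find command did, minus /proc and /sys, and reports the permission bits the thread's grep could not. The file to watch on this system is apache.pem: it carries the key for both the web interface and FTPS, so its mode matters more than that of any other file in the listing.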