
Newsgroups: mail-lists.delegate-en

[DeleGate-En] FTPS seems to not check client-certificates
17 May 2001 21:06:53 GMT dirk laurijssen <piucabdyi-bkxfmxj3qzxr.ml@ml.delegate.org>


dear yutaka,
when I launch the delegate as an FTPS proxy using:

     delegated -P8021 -v FCL="sslway -cert /tmp/server-cert.pem
     -key /tmp/server-key.pem -ac -Vrfy  -vd" DGROOT=/tmp
     SERVER=ftp://<ip-adres>:9021 CMAP="sslway:FCL:ftp-data"
     CMAP="sslway -St:FCL:ftp"

this results in the client certificate not being checked. This is because
the verify_callback is never performed, due to the fact that sv_vrfy
is not set.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

to explicitly set sv_vrfy, launching delegate like this makes it hang:

     delegated -P8021 -v FCL="sslway -cert /tmp/server-cert.pem
     -key /tmp/server-key.pem -ac -Vrfy -vd" DGROOT=/tmp
     SERVER=ftp://<ip-adres>:9021 CMAP="sslway:FCL:ftp-data"
     CMAP="sslway -St:FCL:ftp -Vrfy"

logging shows:
04/28 00:12:10.03 [25424] 0+0: --INITIALIZATION START: 7.3.1 on
SunOS/5.7--
04/28 00:12:10.03 [25424] 0+0: server_open(delegate,:8021,listen=20)
04/28 00:12:10.03 [25424] 0+0: server_open(delegate,:8021) BOUND
04/28 00:12:10.04 [25424] 0+0: DGROOT=/tmp^M
04/28 00:12:10.04 [25424] 0+0: <DeleGate/7.3.1 by
ysato@delegate.org>[25424] -P8021 READY^M
<DeleGate/7.3.1 by ysato@delegate.org> [25424] -P8021 READY
DGROOT=/usr/var/spool/delegate-nobody
AIST Research Product No. 2000-ETL-198715-01
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001 National Institute of Advanced Industrial Science and

Technology (AIST)
04/28 00:12:10.04 [25424] 0+0: PORT= 8021/5 (31,85)
04/28 00:12:10.04 [25424] 0+0: OWNER=nobody =>
OWNER=nobody/nobody(nobody/nobody)
04/28 00:12:10.04 [25424] 0+0: ##DeleGate/6.X: MIMECONV=thru is set by
default. MIMECONV="" will make it compatible with forme
r versions.
04/28 00:12:10.04 [25424] 0+0: REMITTABLE = ftp
04/28 00:12:10.05 [25424] 0+0: LIBPATH: sslway ->
/tmp/lib/sslway
04/28 00:12:10.05 [25424] 0+0: ADMIN=piucabdyi-bkxfmxj3qzxr.ml@ml.delegate.org
protocol=ftp(specialist)
-delegated[25424]- WARNING! ADMIN="your_mail_address" should be
specified.
-delegated[25424]- INFO: using ADMIN=piucabdyi-bkxfmxj3qzxr.ml@ml.delegate.org given at
compile
time.
04/28 00:12:10.05 [25424] 0+0: ##DeleGate/6.X: created directory/file
will be non-sharable. SHARE="" will make it compatible w
ith former versions.
04/28 00:12:10.05 [25424] 0+0: #### CACHE DISABLED #### Cache directory
seems not exist: /usr/var/spool/delegate-nobody/cache
04/28 00:12:10.05 [25424] 0+0: MOUNT[0]=[0] /-* =
04/28 00:12:10.05 [25424] 0+0: MOUNT[1]=[1] /=* =
04/28 00:12:10.05 [25424] 0+0: MOUNT[2]=[2] //* = default
04/28 00:12:10.08 [25424] 0+0: env[21]
LIBPATH=.:/opt/delegate7.3.1:/tmp/lib:/opt/delegate7.3.1/src
04/28 00:12:10.08 [25424] 0+0: arg[3] FCL=sslway -cert
/tmp/lib/server-cert.pem -key /tmp/lib/server-key.pem -ac -Vrfy -vd
04/28 00:12:10.08 [25424] 0+0: arg[4]
DGROOT=/tmp
04/28 00:12:10.08 [25424] 0+0: arg[5] SERVER=ftp://<ip-adres>:9021
04/28 00:12:10.08 [25424] 0+0: arg[6] CMAP=sslway:FCL:ftp-data
04/28 00:12:10.08 [25424] 0+0: arg[7] CMAP=sslway -St:FCL:ftp -Vrfy
-cert /tmp/lib/server-cert.pem -key /tmp/lib/server-key.pem
04/28 00:12:10.12 [25424] 0+0: DELEGATE_Modified[0]: 408eda4a
04/28 00:12:10.12 [25424] 0+0: --INITIALIZATION DONE--
04/28 00:12:15.54 [25425] 1+0: -- Fork(OnetimeServer): 25424 -> 25425
04/28 00:12:15.58 [25425] 1+0: (0) accepted [30]
-@[<ip-adres>]ip<host>:1232 (0.041s)(1)
04/28 00:12:15.58 [25426] 1+0: -- Fork(FCL): 25425 -> 25426
04/28 00:12:15.59 [25426] 1+0: #### execFilter[FCL]
[/tmp/lib/sslway]sslway -cert
/tmp/lib/server-cert.pem -key
/tmp/lib/server-key.pem -ac -Vrfy -vd
## SSLway[25426](ip<host>) start
04/28 00:12:15.66 [25425] 1+0: PATH:
ftp://<ip-adres>:9021!cdbsun.cdb.cdc.com:8021!ip<host>:1232!anonymous@ip<host>;1083103935

## SSLway[25426](ip<host>) certfile loaded:
/tmp/lib/server-key.pem
## SSLway[25426](ip<host>) passphrase for
/tmp/lib/server-key.pem -- OK
## SSLway[25426](ip<host>) keyfile loaded:
/tmp/lib/server-key.pem
04/28 00:12:15.67 [25425] 1+0: FTP server ftp://<ip-adres>:9021/
04/28 00:12:15.67 [25425] 1+0: FTPHOPS: 1 [11/11 - -1/-1]
04/28 00:12:15.67 [25425] 1+0: ConnectToServer:
DFLT=ftp://<ip-adres>:9021 REAL=://:0
04/28 00:12:15.67 [25425] 1+0: ConnectToServer connected [5]
{<ip-adres>:9021 <- <ip-adres>:42556} [0.003s]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Do you have any idea what I'm doing wrong, or is it the delegate?

Kind regards,
dirk L.

btw line 351 in sslway.c saying

     if( SSL_CTX_use_certificate_file(ctx,certfile,SSL_FILETYPE_PEM) ){
                 DEBUG("certfile loaded: %s",keyfile);

should become

     if( SSL_CTX_use_certificate_file(ctx,certfile,SSL_FILETYPE_PEM) ){
                 DEBUG("certfile loaded: %s",certfile);
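A defender-side check for the symptom described in the post, added here as an example (not code from the original message or from DeleGate/sslway): it connects with openssl s_client without offering a client certificate and classifies the handshake transcript, so an operator can tell whether the proxy never asked for a certificate (the unset-verify case above), asked but did not enforce it, or enforced it. The proxy host and port are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of DeleGate/sslway.
# Assumed placeholder endpoint: the FTPS proxy from the post, implicit TLS on -P8021.
PROXY_HOST="${PROXY_HOST:-proxy.example.invalid}"
PROXY_PORT="${PROXY_PORT:-8021}"

# Capture a handshake transcript without offering any client certificate.
# -state prints each handshake step, including "read server certificate request"
# when the server really sends a CertificateRequest (works for TLS 1.2 and 1.3).
probe_without_cert() {
    openssl s_client -state -connect "$PROXY_HOST:$PROXY_PORT" </dev/null 2>&1
}

# Classify a transcript read from stdin into one of three outcomes:
#   not-requested : the server never asked for a client cert; this is the
#                   symptom in the post (verify mode unset, so the verify
#                   callback can never run)
#   optional      : a cert was requested, but the handshake completed without one
#   required      : a cert was requested and the server aborted the handshake
classify_handshake() {
    transcript=$(cat)
    if ! printf '%s\n' "$transcript" | grep -Eq \
        'read server certificate request|Acceptable client certificate CA names'; then
        echo not-requested
    elif printf '%s\n' "$transcript" | grep -Eq \
        'alert.*(handshake failure|bad certificate|certificate required)'; then
        echo required
    else
        echo optional
    fi
}

# Usage against a live proxy: probe_without_cert | classify_handshake
```

Only "required" means the client certificate is actually enforced; "optional" shows the proxy asks for one but still serves clients that send none.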


