ROOT CA
================
Create Root Key
# CA private key, passphrase-encrypted (-des3 selects the legacy 3DES wrapper; -aes256 is available on current OpenSSL).
# genrsa prompts for the passphrase here and every later -CAkey signing step prompts again.
# This file is the whole trust root: keep it off the FTP servers and clients that will trust rootCA.crt.
openssl genrsa -des3 -out rootCA.key 4096
Create and self-sign the Root Certificate
# Self-signed root certificate, valid 1024 days. -nodes only affects a key that `req` generates itself;
# with -key given it is a no-op, and the rootCA.key passphrase is still prompted for.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Create a certificate (Done for each server)
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
Create the certificate key
# Server key is generated unencrypted (no -des3) so vsftpd/proftpd can load it at startup without a passphrase.
# Restrict it to the service owner (0600): anyone who can read it can impersonate the server.
openssl genrsa -out mydomain.com.key 2048
Create the signing request
# CSR for the server. The Common Name prompted for should be the hostname or IP that clients put in
# their URL, since that is what they compare the certificate against.
openssl req -new -key mydomain.com.key -out mydomain.com.csr
Upload the request to the root CA and sign it using the following method.
create signed cert from root CA
# Signs the CSR with the root key, valid 500 days. -CAcreateserial writes rootCA.srl next to the CA
# certificate; keep that file so later certificates get unique serial numbers.
# No subjectAltName is added: modern clients (curl included) match the hostname against the SAN rather
# than the CN, so if name verification fails re-sign with `-extfile` pointing at a file that contains
# `subjectAltName=DNS:<host>,IP:<addr>`.
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
on Each Server and client
=========================
Add the CA to the trusted CA store
# force-enable is only needed on releases where the consolidated trust store is off by default
# (CentOS 6); on newer releases it is unnecessary.
update-ca-trust force-enable
# Anything placed in anchors/ is trusted by every TLS client on this host, so distribute only
# rootCA.crt — never rootCA.key.
cp rootCA.crt /etc/pki/ca-trust/source/anchors/
# Regenerates the system bundles, including the ca-bundle.crt that the curl commands below pass via --cacert.
update-ca-trust extract
Check that the time is correct on the root CA server, the client and the server (if not, ssl won't work properly).
curl FTPS command:
# Test upload over implicit FTPS. --cacert keeps server certificate verification on. --cert/--key present a
# client certificate, but the vsftpd config for 192.168.20.1 below leaves require_cert/validate_cert
# commented out, so the server never checks it.
# The password is on the command line, visible in `ps` and shell history; outside a lab prefer -n/--netrc
# or `-u data` (password prompted).
# --ftp-ssl (now spelled --ssl) only requests TLS opportunistically; it is the ftps:// scheme that makes TLS
# mandatory here. For explicit FTPS on port 21 use --ssl-reqd so a fallback to plaintext is refused.
curl -v --connect-timeout 5 -T "testfile1" --cert ./192.168.20.2.crt --key 192.168.20.2.key --cacert /etc/ssl/certs/ca-bundle.crt --ftp-ssl -u "data:data@" ftps://192.168.20.1/test2/"testfile1"
lftp
====
# Interactive implicit-FTPS session (port 990) against the upstream server.
# `set ssl:verify-certificate no` disables server certificate checking, so this session would also accept an
# impostor's certificate. Once rootCA.crt is in the trust store, drop that setting or point `set ssl:ca-file`
# at rootCA.crt instead.
# `debug 13` is very verbose — review the transcript for credentials before sharing it.
lftp -e "debug 13; set ftp:ssl-force true; set ftp:ssl-protect-data true; set ftp:ssl-protect-list true; set ftp:ssl-auth SSL; set ssl:verify-certificate no;" -p 990 -u MQ ftps://ftpsserver.gsn.ae:/123/
# FTPS upload to the upstream proftpd without a client certificate; --cacert keeps server verification on.
# "data:data" is passed on the command line and is visible in `ps` and shell history — use --netrc for
# anything beyond a lab test.
curl -vvv --connect-timeout 5 -T "testfile1" --cacert /etc/ssl/certs/ca-bundle.crt --ftp-ssl -u "data:data" ftps://upstream.ssd.ae:/"testfile1"
# proftpd mod_tls: implicit FTPS listener on port 990 (TLS before the FTP banner); no client certificates.
TLSEngine on
# Unencrypted control and data sessions are refused.
TLSRequired on
# The CA file is used to verify client certificates, so with TLSVerifyClient off below it is effectively unused.
TLSCACertificateFile /root/keysforupstream/rootCA.crt
TLSRSACertificateFile /root/keysforupstream/upstream.crt
# Private key: keep root-only readable (0600); it is typically read at startup before privileges are dropped.
TLSRSACertificateKeyFile /root/keysforupstream/upstream.key
# Permissive list: only anonymous DH and single DES are excluded, so depending on the OpenSSL build RC4, 3DES
# and export suites can still be negotiated. Tighten to a modern list (e.g. HIGH:!aNULL:!MD5) once client
# compatibility is confirmed.
TLSCipherSuite ALL:!ADH:!DES
# NoCertRequest: never ask the client for a certificate. UseImplicitSSL: handshake first (port 990).
# NoSessionReuseRequired: data connections need not reuse the control session's TLS session — the same
# relaxation as vsftpd's require_ssl_reuse=NO.
TLSOptions NoCertRequest UseImplicitSSL NoSessionReuseRequired
Port 990
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
# <IfModule mod_tls_shmcache.c>
# TLSSessionCache shm:/file=/var/run/proftpd/sesscache
# NOTE(review): this closing tag is live while its opening <IfModule> above is commented out; comment it out
# too (or restore the whole block), otherwise proftpd will likely reject the configuration.
</IfModule>
#</IfDefine>
ftps
===========
# vsftpd: implicit FTPS (TLS first, port 990) for local, chrooted users; anonymous access off.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# log_ftp_protocol only works with xferlog_std_format=NO; the result is a full command transcript in
# vsftpd_log_file (useful for detection and forensics, but it grows fast).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out — no user list is consulted.
#userlist_enable=YES
userlist_deny=NO
# hosts.allow/hosts.deny are consulted if the build has tcp_wrappers support.
tcp_wrappers=YES
# Local users are confined to their home directory; $USER in local_root is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic (FTPS on 990); explicit AUTH TLS on port 21 is not configured here.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
# Both the login (password) and the data channel of local users must be TLS-protected.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; SSLv2/v3 are off. vsftpd 3.x also documents ssl_tlsv1_1/ssl_tlsv1_2 — prefer
# those where the clients support them.
# No ssl_ciphers line, so the build default applies (documented as DES-CBC3-SHA, i.e. 3DES, in vsftpd 3.0);
# set ssl_ciphers explicitly (e.g. HIGH) to avoid that.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Relaxed: data connections need not reuse the control channel's TLS session. Some clients need this, but it
# removes the proof that a data connection belongs to the same authenticated session.
require_ssl_reuse=NO
# Client certificate authentication is off (both commented out); ca_certs_file is used to validate client
# certificates, so it is inert here.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.60.21.crt
# Private key: keep root-only readable (0600); anyone who can read it can impersonate the server.
rsa_private_key_file=/etc/vsftpd/Cert/192.168.60.21.key
# Command allowlist: anything not listed is refused. DELE, MKD and RMD are absent, so clients may
# upload/download/rename but not delete or create directories. SITE is allowed — check which SITE
# subcommands the build exposes.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
# Left disabled: vsftpd refuses to chroot a user into a writable root directory. Keep the home directory
# itself non-writable and give the user a writable subdirectory instead of enabling this.
#allow_writeable_chroot=YES
Second one
---------------------
# vsftpd, reduced variant: implicit FTPS on 990 for local chrooted users. No tcp_wrappers, no user list and
# no cmds_allowed allowlist — every command vsftpd implements (including DELE/MKD/RMD) is available.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
pam_service_name=vsftpd
# Local users are confined to their home directory; $USER is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; no ssl_ciphers line, so the build default applies (documented as DES-CBC3-SHA
# in vsftpd 3.0) — set ssl_ciphers explicitly.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# require_cert/validate_cert are not set, so client certificates are neither requested nor validated and
# ca_certs_file is inert.
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
# Certificate material under /root: vsftpd must be able to read it at startup; keep the key 0600.
rsa_cert_file=/root/FTPS/192.168.60.21.crt
rsa_private_key_file=/root/FTPS/192.168.60.21.key
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
eicar
FTPS ERROR CONF
-------------------------
# vsftpd for 192.168.20.1: implicit FTPS (TLS first, port 990) for local, chrooted users; anonymous off.
# Labelled "ERROR CONF" in these notes — same settings as the 192.168.60.21 config, with the host-specific
# certificate paths below.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out.
#userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
# Local users are confined to their home directory; $USER is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; vsftpd 3.x also documents ssl_tlsv1_1/ssl_tlsv1_2. No ssl_ciphers line, so the
# build default applies (documented as DES-CBC3-SHA in vsftpd 3.0) — set ssl_ciphers explicitly.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# Client certificate authentication is off; the client cert the curl test sends is never checked, and
# ca_certs_file (used for client-cert validation) is inert.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.20.1.crt
# Private key: keep root-only readable (0600).
rsa_private_key_file=/etc/vsftpd/Cert/192.168.20.1.key
# Command allowlist: DELE, MKD and RMD are absent, so clients may upload/download/rename but not delete or
# create directories.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
# Left disabled: vsftpd refuses to chroot a user into a writable root directory.
#allow_writeable_chroot=YES
Centos6.6
=================================
# vsftpd on CentOS 6.6 (192.168.20.3): implicit FTPS on 990, local users, NOT chrooted.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out.
#userlist_enable=YES
userlist_deny=YES
tcp_wrappers=YES
# Chroot is disabled here: logged-in users can browse the whole filesystem, limited only by Unix permissions.
#chroot_local_user=YES
#local_root=/home/$USER
#user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# TLS 1.1 is enabled explicitly; ssl_tlsv1 is not set and defaults to YES in vsftpd, so add ssl_tlsv1=NO if
# TLS 1.0 is meant to be off. No ssl_ciphers line, so the build default applies — set it explicitly.
ssl_tlsv1_1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# Client certificate authentication is off; ca_certs_file (used for client-cert validation) is inert.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.20.3.crt
# Private key: keep root-only readable (0600).
rsa_private_key_file=/etc/vsftpd/Cert/192.168.20.3.key
# Command allowlist: DELE, MKD and RMD are absent, so clients may upload/download/rename but not delete or
# create directories.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
#allow_writeable_chroot=YES
FTPS transfer 10 GIG file
SFTP transfer
================
Create Root Key
# CA private key, passphrase-encrypted (-des3 selects the legacy 3DES wrapper; -aes256 is available on current OpenSSL).
# genrsa prompts for the passphrase here and every later -CAkey signing step prompts again.
# This file is the whole trust root: keep it off the FTP servers and clients that will trust rootCA.crt.
openssl genrsa -des3 -out rootCA.key 4096
Create and self-sign the Root Certificate
# Self-signed root certificate, valid 1024 days. -nodes only affects a key that `req` generates itself;
# with -key given it is a no-op, and the rootCA.key passphrase is still prompted for.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Create a certificate (Done for each server)
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
Create the certificate key
# Server key is generated unencrypted (no -des3) so vsftpd/proftpd can load it at startup without a passphrase.
# Restrict it to the service owner (0600): anyone who can read it can impersonate the server.
openssl genrsa -out mydomain.com.key 2048
Create the signing request
# CSR for the server. The Common Name prompted for should be the hostname or IP that clients put in
# their URL, since that is what they compare the certificate against.
openssl req -new -key mydomain.com.key -out mydomain.com.csr
Upload the request to the root CA and sign it using the following method.
create signed cert from root CA
# Signs the CSR with the root key, valid 500 days. -CAcreateserial writes rootCA.srl next to the CA
# certificate; keep that file so later certificates get unique serial numbers.
# No subjectAltName is added: modern clients (curl included) match the hostname against the SAN rather
# than the CN, so if name verification fails re-sign with `-extfile` pointing at a file that contains
# `subjectAltName=DNS:<host>,IP:<addr>`.
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
on Each Server and client
=========================
Add the CA to the trusted CA store
# force-enable is only needed on releases where the consolidated trust store is off by default
# (CentOS 6); on newer releases it is unnecessary.
update-ca-trust force-enable
# Anything placed in anchors/ is trusted by every TLS client on this host, so distribute only
# rootCA.crt — never rootCA.key.
cp rootCA.crt /etc/pki/ca-trust/source/anchors/
# Regenerates the system bundles, including the ca-bundle.crt that the curl commands below pass via --cacert.
update-ca-trust extract
Check that the time is correct on the root CA server, the client and the server (if not, ssl won't work properly).
curl FTPS command:
# Test upload over implicit FTPS. --cacert keeps server certificate verification on. --cert/--key present a
# client certificate, but the vsftpd config for 192.168.20.1 below leaves require_cert/validate_cert
# commented out, so the server never checks it.
# The password is on the command line, visible in `ps` and shell history; outside a lab prefer -n/--netrc
# or `-u data` (password prompted).
# --ftp-ssl (now spelled --ssl) only requests TLS opportunistically; it is the ftps:// scheme that makes TLS
# mandatory here. For explicit FTPS on port 21 use --ssl-reqd so a fallback to plaintext is refused.
curl -v --connect-timeout 5 -T "testfile1" --cert ./192.168.20.2.crt --key 192.168.20.2.key --cacert /etc/ssl/certs/ca-bundle.crt --ftp-ssl -u "data:data@" ftps://192.168.20.1/test2/"testfile1"
lftp
====
# Interactive implicit-FTPS session (port 990) against the upstream server.
# `set ssl:verify-certificate no` disables server certificate checking, so this session would also accept an
# impostor's certificate. Once rootCA.crt is in the trust store, drop that setting or point `set ssl:ca-file`
# at rootCA.crt instead.
# `debug 13` is very verbose — review the transcript for credentials before sharing it.
lftp -e "debug 13; set ftp:ssl-force true; set ftp:ssl-protect-data true; set ftp:ssl-protect-list true; set ftp:ssl-auth SSL; set ssl:verify-certificate no;" -p 990 -u MQ ftps://ftpsserver.gsn.ae:/123/
# FTPS upload to the upstream proftpd without a client certificate; --cacert keeps server verification on.
# "data:data" is passed on the command line and is visible in `ps` and shell history — use --netrc for
# anything beyond a lab test.
curl -vvv --connect-timeout 5 -T "testfile1" --cacert /etc/ssl/certs/ca-bundle.crt --ftp-ssl -u "data:data" ftps://upstream.ssd.ae:/"testfile1"
# proftpd mod_tls: implicit FTPS listener on port 990 (TLS before the FTP banner); no client certificates.
TLSEngine on
# Unencrypted control and data sessions are refused.
TLSRequired on
# The CA file is used to verify client certificates, so with TLSVerifyClient off below it is effectively unused.
TLSCACertificateFile /root/keysforupstream/rootCA.crt
TLSRSACertificateFile /root/keysforupstream/upstream.crt
# Private key: keep root-only readable (0600); it is typically read at startup before privileges are dropped.
TLSRSACertificateKeyFile /root/keysforupstream/upstream.key
# Permissive list: only anonymous DH and single DES are excluded, so depending on the OpenSSL build RC4, 3DES
# and export suites can still be negotiated. Tighten to a modern list (e.g. HIGH:!aNULL:!MD5) once client
# compatibility is confirmed.
TLSCipherSuite ALL:!ADH:!DES
# NoCertRequest: never ask the client for a certificate. UseImplicitSSL: handshake first (port 990).
# NoSessionReuseRequired: data connections need not reuse the control session's TLS session — the same
# relaxation as vsftpd's require_ssl_reuse=NO.
TLSOptions NoCertRequest UseImplicitSSL NoSessionReuseRequired
Port 990
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
# <IfModule mod_tls_shmcache.c>
# TLSSessionCache shm:/file=/var/run/proftpd/sesscache
# NOTE(review): this closing tag is live while its opening <IfModule> above is commented out; comment it out
# too (or restore the whole block), otherwise proftpd will likely reject the configuration.
</IfModule>
#</IfDefine>
ftps
===========
# vsftpd: implicit FTPS (TLS first, port 990) for local, chrooted users; anonymous access off.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# log_ftp_protocol only works with xferlog_std_format=NO; the result is a full command transcript in
# vsftpd_log_file (useful for detection and forensics, but it grows fast).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out — no user list is consulted.
#userlist_enable=YES
userlist_deny=NO
# hosts.allow/hosts.deny are consulted if the build has tcp_wrappers support.
tcp_wrappers=YES
# Local users are confined to their home directory; $USER in local_root is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic (FTPS on 990); explicit AUTH TLS on port 21 is not configured here.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
# Both the login (password) and the data channel of local users must be TLS-protected.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; SSLv2/v3 are off. vsftpd 3.x also documents ssl_tlsv1_1/ssl_tlsv1_2 — prefer
# those where the clients support them.
# No ssl_ciphers line, so the build default applies (documented as DES-CBC3-SHA, i.e. 3DES, in vsftpd 3.0);
# set ssl_ciphers explicitly (e.g. HIGH) to avoid that.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Relaxed: data connections need not reuse the control channel's TLS session. Some clients need this, but it
# removes the proof that a data connection belongs to the same authenticated session.
require_ssl_reuse=NO
# Client certificate authentication is off (both commented out); ca_certs_file is used to validate client
# certificates, so it is inert here.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.60.21.crt
# Private key: keep root-only readable (0600); anyone who can read it can impersonate the server.
rsa_private_key_file=/etc/vsftpd/Cert/192.168.60.21.key
# Command allowlist: anything not listed is refused. DELE, MKD and RMD are absent, so clients may
# upload/download/rename but not delete or create directories. SITE is allowed — check which SITE
# subcommands the build exposes.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
# Left disabled: vsftpd refuses to chroot a user into a writable root directory. Keep the home directory
# itself non-writable and give the user a writable subdirectory instead of enabling this.
#allow_writeable_chroot=YES
Second one
---------------------
# vsftpd, reduced variant: implicit FTPS on 990 for local chrooted users. No tcp_wrappers, no user list and
# no cmds_allowed allowlist — every command vsftpd implements (including DELE/MKD/RMD) is available.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
pam_service_name=vsftpd
# Local users are confined to their home directory; $USER is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; no ssl_ciphers line, so the build default applies (documented as DES-CBC3-SHA
# in vsftpd 3.0) — set ssl_ciphers explicitly.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# require_cert/validate_cert are not set, so client certificates are neither requested nor validated and
# ca_certs_file is inert.
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
# Certificate material under /root: vsftpd must be able to read it at startup; keep the key 0600.
rsa_cert_file=/root/FTPS/192.168.60.21.crt
rsa_private_key_file=/root/FTPS/192.168.60.21.key
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
eicar
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
FTPS ERROR CONF
-------------------------
# vsftpd for 192.168.20.1: implicit FTPS (TLS first, port 990) for local, chrooted users; anonymous off.
# Labelled "ERROR CONF" in these notes — same settings as the 192.168.60.21 config, with the host-specific
# certificate paths below.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out.
#userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
# Local users are confined to their home directory; $USER is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; vsftpd 3.x also documents ssl_tlsv1_1/ssl_tlsv1_2. No ssl_ciphers line, so the
# build default applies (documented as DES-CBC3-SHA in vsftpd 3.0) — set ssl_ciphers explicitly.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# Client certificate authentication is off; the client cert the curl test sends is never checked, and
# ca_certs_file (used for client-cert validation) is inert.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.20.1.crt
# Private key: keep root-only readable (0600).
rsa_private_key_file=/etc/vsftpd/Cert/192.168.20.1.key
# Command allowlist: DELE, MKD and RMD are absent, so clients may upload/download/rename but not delete or
# create directories.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
# Left disabled: vsftpd refuses to chroot a user into a writable root directory.
#allow_writeable_chroot=YES
error:
====================
< 220 (vsFTPd 3.0.2)
> USER data
< 331 Please specify the password.
> PASS data
* FTP response reading failed
* Closing connection #0
curl: (56) NSS: client certificate not found (nickname not specified)
ftps fix
=========================
# vsftpd "ftps fix" for 192.168.20.1: implicit FTPS on 990 for local chrooted users. Differs from the
# "ERROR CONF" above by userlist_deny=YES and by enabling allow_writeable_chroot (see the last line).
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out.
#userlist_enable=YES
userlist_deny=YES
tcp_wrappers=YES
# Local users are confined to their home directory; $USER is expanded via user_sub_token.
chroot_local_user=YES
local_root=/home/$USER
user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Only TLS 1.0 is enabled; vsftpd 3.x also documents ssl_tlsv1_1/ssl_tlsv1_2. No ssl_ciphers line, so the
# build default applies (documented as DES-CBC3-SHA in vsftpd 3.0) — set ssl_ciphers explicitly.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# Client certificate authentication is off; ca_certs_file (used for client-cert validation) is inert.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.20.1.crt
# Private key: keep root-only readable (0600).
rsa_private_key_file=/etc/vsftpd/Cert/192.168.20.1.key
# Command allowlist: DELE, MKD and RMD are absent, so clients may upload/download/rename but not delete or
# create directories.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
# Enabled to get past vsftpd's refusal to chroot a user into a writable root directory. This weakens the
# chroot confinement; the safer fix is to make /home/$USER itself non-writable and give the user a writable
# subdirectory for uploads.
allow_writeable_chroot=YES
Centos6.6
=================================
# vsftpd on CentOS 6.6 (192.168.20.3): implicit FTPS on 990, local users, NOT chrooted.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
# Full protocol transcript in vsftpd_log_file (log_ftp_protocol requires xferlog_std_format=NO).
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
listen=YES
#listen_address=3.3.3.1
pam_service_name=vsftpd
# NOTE(review): userlist_deny is inert while userlist_enable stays commented out.
#userlist_enable=YES
userlist_deny=YES
tcp_wrappers=YES
# Chroot is disabled here: logged-in users can browse the whole filesystem, limited only by Unix permissions.
#chroot_local_user=YES
#local_root=/home/$USER
#user_sub_token=$USER
# TLS handshake precedes any FTP traffic; login and data channels of local users must be TLS-protected.
implicit_ssl=YES
listen_port=990
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
# TLS 1.1 is enabled explicitly; ssl_tlsv1 is not set and defaults to YES in vsftpd, so add ssl_tlsv1=NO if
# TLS 1.0 is meant to be off. No ssl_ciphers line, so the build default applies — set it explicitly.
ssl_tlsv1_1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections need not reuse the control channel's TLS session (relaxed for client compatibility).
require_ssl_reuse=NO
# Client certificate authentication is off; ca_certs_file (used for client-cert validation) is inert.
#require_cert=YES
#validate_cert=YES
ca_certs_file=/etc/ssl/certs/ca-bundle.crt
rsa_cert_file=/etc/vsftpd/Cert/192.168.20.3.crt
# Private key: keep root-only readable (0600).
rsa_private_key_file=/etc/vsftpd/Cert/192.168.20.3.key
# Command allowlist: DELE, MKD and RMD are absent, so clients may upload/download/rename but not delete or
# create directories.
cmds_allowed=ABOR,ACCT,ALLO,APPE,CCC,CDUP,CWD,EPSV,LIST,MDTM,MLST,MODE,NLST,NOOP,OPTS,PASS,PASV,PBSZ,PORT,PWD,QUIT,REIN,REST,RETR,RNFR,RNTO,SITE,SIZE,STAT,STOR,STRU,SYST,TYPE,USER,FEAT,PROT
# Passive data ports 64000-65535 must be open on any firewall in front of the server.
pasv_enable=YES
pasv_max_port=65535
pasv_min_port=64000
#allow_writeable_chroot=YES
FTPS transfer 10 GIG file
SFTP transfer
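# SFTP upload with key-based auth (empty password after the colon; authentication is via --key/--pubkey).
# -k skips the known_hosts check of the server's SSH host key, so the file would also be delivered to an
# impostor host. Outside a lab, drop -k and pre-populate ~/.ssh/known_hosts (or pin the host key with
# --hostpubmd5/--hostpubsha256 on curl builds that have them).
# $tgtDirname now sits inside the double quotes; the earlier form "…/"$tgtDirname"/…" left it unquoted, so a
# directory name containing whitespace or glob characters would have been split into extra arguments.
# stdout/stderr are discarded, so only the exit status reports failure — check $? at the call site.
curl --connect-timeout 5 -k -u "$username:" --key /root/.ssh/id_rsa --pubkey /root/.ssh/id_rsa.pub "sftp://$targetIP/$tgtDirname/$remotefile" -T "$filefullpath" >/dev/null 2>&1
# Password-based variant (same -k and quoting notes apply). The password is on the command line and visible
# in `ps` and shell history; prefer --netrc-file, or feed it via stdin/environment rather than argv.
curl --connect-timeout 5 -k "sftp://$targetIP/$tgtDirname/$remotefile" --user "$username:$password" -T "$filefullpath" >/dev/null 2>&1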