Hi there,

Jani Reinikainen <[EMAIL PROTECTED]> wrote:

> I only get this from IglooFTP:
>
> -----------------
> 220 FTP Server ready.
> AUTH SSL
>
> 234 AUTH SSL successful
>
> Starting SSL/TLS negotiation ...
>
> SSL Error: The server could be requesting a certificate.

"Could be" - I like that :-/

Since you don't seem to be using a client certificate, it might be worth
visiting your Proftpd configuration to verify that you aren't
requesting client authentication on the server.


> When checking the logfiles for Proftpd, I find this:
>
> -------------------
>
> xxxxxxxxxx.com (10.101.20.150[10.101.20.150]) - FTP session opened.
> xxxxxxxxxx.com (10.101.20.150[10.101.20.150]) - SSL_accept(): (1)
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> xxxxxxxxxx.com (10.101.20.150[10.101.20.150]) - Failed TLS negotiation on
> control channel, disconnected.
> ---------------------

I think the relevant message is probably "no shared cipher" (but I'm
guessing hard here). I took a really quick look at the patch for Proftpd
this afternoon, and the default cipher list in the code is ALL:!EXP
("everything except the export ciphers"). I'd try changing this to ALL -
both by fixing your Proftpd config file *and* (then) by recompiling with
DEFAULTCIPHERLIST in tlsutil.c set to ALL. (I'd try both of these things
because I'm paranoid).

The next line of attack is perhaps to find out how the ciphersuite list is
set in the client. I had a quick look at the docs at iglooftp.com, but I
couldn't see anything very useful to this effect. Although I can see how to
set the cipher list if you're using SRP, the help files are strangely mute
on how to set this for FTP-TLS. Perhaps their support line
([EMAIL PROTECTED]) might help?

Incidentally, one of the standard SSL protocol analyzers might help you to
determine if this is indeed the error message that it is worth paying
attention to...


> I created the certificates on the server using the following commands:
> [snip]

I could be wrong, but I don't think that this is your problem.


> I have the Debian package openssl 0.9.6c-2 installed.

?

I searched debian.org's package directory, and the only openssl reference
that I see is for 0.9.4-5. Furthermore, it's in the "non-US" section of the
Debian packages. If Proftpd only has access to export ("non-US") ciphers and
IglooFTP is expecting anything but an export cipher ("ALL!EXP"), then could
this be the cause of your problem?

(Or did you install this OpenSSL package yourself? And are you using the
static or dynamic Igloo client? And if you're using the dynamic client and
you installed the later OpenSSL package yourself, are you certain that
you're picking up the correct set of OpenSSL libraries?).

Martin.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
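
Added example, not part of the message above and not ProFTPD or OpenSSL code: a Python triage script that pulls OpenSSL error-queue entries out of ProFTPD log lines like those quoted in the message and decodes the packed error code (pre-3.0 OpenSSL layout: 8-bit library, 12-bit function, 12-bit reason). The function names, the hint table and the un-wrapped sample log are constructed for illustration.

```python
import re

# "<server> (<name>[<ip>]) - <message>", the shape of the log lines quoted above.
LINE_RE = re.compile(r"^(\S+) \((\S+?)\[([^\]]+)\]\) - (.*)$")
# Pre-3.0 OpenSSL error text: error:<8 hex digits>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

# Reason text -> what to check on the server (assumed mapping, based on the reply above).
HINTS = {
    "no shared cipher": "compare the server cipher list with what the client offers",
    "peer did not return a certificate": "check whether the server requires a client certificate",
}

def decode_code(hex_code):
    """Split a packed pre-3.0 OpenSSL code into (library, function, reason) numbers."""
    value = int(hex_code, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF

def triage(log_text):
    """Return one record per OpenSSL error found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a session log line
        err = ERR_RE.search(m.group(4))
        if not err:
            continue  # session line without an OpenSSL error string
        text = err.group(4).strip()
        findings.append({
            "client": m.group(3),
            "library": err.group(2), "function": err.group(3), "reason": text,
            "codes": decode_code(err.group(1)),
            "check": HINTS.get(text, "unrecognised reason, inspect the handshake"),
        })
    return findings

# Constructed sample: the quoted excerpt with the mail's line wrapping undone.
SAMPLE_LOG = """\
xxxxxxxxxx.com (10.101.20.150[10.101.20.150]) - FTP session opened.
xxxxxxxxxx.com (10.101.20.150[10.101.20.150]) - SSL_accept(): (1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
xxxxxxxxxx.com (10.101.20.150[10.101.20.150]) - Failed TLS negotiation on control channel, disconnected.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["client"], f["function"], f["reason"], f["codes"], "->", f["check"])
```

Library 20 is the SSL library and reason 193 is "no shared cipher", so the numeric code and the text in the log agree on where the handshake failed.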
