vsftpd based on openssl (vsftpd+SSL/TLS)
1. Approach: create a private CA with openssl, have that private CA issue a certificate for vsftpd, and finally add the following options to the vsftpd configuration:
ssl_enable=YES #enable SSL
ssl_tlsv1=YES #allow the TLSv1 protocol
ssl_sslv2=YES #allow the SSLv2 protocol
ssl_sslv3=YES #allow the SSLv3 protocol
allow_anon_ssl=NO #do not allow anonymous users to use SSL
force_local_data_ssl=YES #force SSL for local users' data transfers
force_local_logins_ssl=YES #force SSL for local users' logins
rsa_cert_file=/etc/vsftpd/ssl/vsftpd_cert.pem (path can be customized) #RSA certificate file
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd_key.pem (path can be customized) #RSA private key file
Walkthrough:
2. Prepare the openssl CA directory:
[root@www vsftpd]# cd /etc/pki/CA/
[root@www CA]# touch index.txt
[root@www CA]# echo 00 > serial
[root@www CA]# ls
certs crl index.txt newcerts private serial
3. Create the CA private key:
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
.............................++++++
..................++++++
e is 65537 (0x10001)
4. Generate the self-signed CA certificate:
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Nanyang
Organization Name (eg, company) [Default Company Ltd]:Skynet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.a.com
Email Address []:caadmin@a.com
5. Create the directory where vsftpd will keep its key and certificate:
[root@www CA]# mkdir /etc/vsftpd/ssl
[root@www CA]# cd /etc/vsftpd/ssl/
6. Create the vsftpd private key:
[root@www ssl]# (umask 077; openssl genrsa -out ./vsftpd.key 1024)
Generating RSA private key, 1024 bit long modulus
...............................................++++++
.......++++++
e is 65537 (0x10001)
7. Generate the certificate signing request:
[root@www ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Nanyang
Organization Name (eg, company) [Default Company Ltd]:Skynet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.a.com
Email Address []:ftpadmin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
8. Since the CA is on the same host, sign the certificate request directly:
[root@www ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 6 15:23:43 2015 GMT
Not After : Sep 5 15:23:43 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = Skynet
organizationalUnitName = Tech
commonName = ftp.a.com
emailAddress = ftpadmin@a.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CA:7B:19:F8:FF:10:55:C0:61:48:06:7C:40:50:F5:6B:D9:1F:97:35
X509v3 Authority Key Identifier:
keyid:76:31:6C:5A:84:10:90:D9:CF:03:9C:BB:37:8A:BB:0E:FF:6E:B1:38
Certificate is to be certified until Sep 5 15:23:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
9. Edit vsftpd.conf and add:
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
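The option list in step 1 still turns on SSLv2 and SSLv3, both of which are deprecated protocols (RFC 6176 and RFC 7568), while the step 9 configuration keeps SSLv3 on. The following is an added example, not part of the original post, that audits a vsftpd.conf for those settings and produces a hardened copy; it assumes the option names and defaults documented in vsftpd.conf(5) and uses a constructed sample mirroring step 9.

```python
"""Audit the SSL/TLS options of a vsftpd.conf and produce a hardened copy."""

# Constructed sample: the options added in step 9 of the post (SSLv3 still on).
SAMPLE_CONF = """\
# SSL/TLS settings
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
"""

# Defaults from vsftpd.conf(5), applied when an option is absent from the file.
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "ssl_tlsv1": "YES", "allow_anon_ssl": "NO",
            "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES"}
# Values a TLS-only deployment should have; SSLv2 and SSLv3 are deprecated.
REQUIRED = {"ssl_enable": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "ssl_tlsv1": "YES", "allow_anon_ssl": "NO",
            "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES"}


def parse_vsftpd_conf(text: str) -> dict:
    """One option=value per line; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts


def audit_ssl(opts: dict) -> list:
    """Return one finding per option whose effective value deviates from REQUIRED."""
    findings = []
    for key, want in REQUIRED.items():
        have = opts.get(key, DEFAULTS[key]).upper()
        if have != want:
            findings.append(f"{key}={have} (expected {want})")
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        if key not in opts:
            findings.append(f"{key} not set")
    return findings


def hardened(opts: dict) -> dict:
    # Copy of the parsed options with every REQUIRED value enforced.
    return {**opts, **REQUIRED}
```

Run `audit_ssl(parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()))` against a live file to list the deviations; an empty list means only TLS is offered and both local logins and data transfers are forced over it.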
10. Restart the service and test:
Anonymous user login (tested with FlashFXP):
Non-anonymous user login:
The settings above require users to be authenticated before they can log in; next, configure FlashFXP:
Click Site --> Site Manager --> New Site (any name) --> enter the relevant information --> in the SSL options, tick the SSL authentication item
The login succeeds; this is secure FTP transfer based on openssl.