Article delegate-en/1163 of [1-5169] on the server localhost:119
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FTPS seems to not check client-certificates
21 May 2001 07:22:53 GMT (Yutaka Sato)


On 05/18/01(06:06) you dirk laurijssen <> wrote
in <_A1160@delegate-en.ML_>
 |when I launch the delegate as a FTPS-proxy using :
 |     delegated -P8021 -v FCL="sslway -cert /tmp/server-cert.pem
 |     -key /tmp/server-key.pem -ac -Vrfy  -vd" DGROOT=/tmp
 |     SERVER=ftp://<ip-adres>:9021 CMAP="sslway:FCL:ftp-data"
 |     CMAP="sslway -St:FCL:ftp"
 |this results in the client-certificate not being checked. This is because
 |the verify_callback is never performed due to the fact that the sv_vrfy
 |is not set.

In your configuration:

< FCL="sslway -cert /tmp/server-cert.pem -key /tmp/server-key.pem -ac -Vrfy -vd"
< CMAP="sslway -St:FCL:ftp"
< CMAP="sslway:FCL:ftp-data"

an unconditional FCL disables the conditional FCLs in CMAPs.
It should be something like the following:

> CMAP="sslway -cert ... -key ... -Vrfy -St:FCL:ftp"
> CMAP="sslway -cert ... -key ...:FCL:ftp-data"

 |btw line 351 in sslway.c saying "if(
 |SSL_CTX_use_certificate_file(ctx,certfile,SSL_FILETYPE_PEM) ){
 |                DEBUG("certfile loaded: %s",keyfile);      "
 |should become "if(
 |SSL_CTX_use_certificate_file(ctx,certfile,SSL_FILETYPE_PEM) ){
 |                DEBUG("certfile loaded: %s",certfile);"

Thank you.  I will correct it in the next release.

  @ @ Yutaka Sato <>
 ( - ) National Institute of Advanced Industrial Science and Technology (AIST)
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
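
The configuration check discussed in this message, as an added example that is not part of the original post or of DeleGate: a small Python lint that flags a `delegated` command line where an unconditional `FCL=` coexists with `CMAP="...:FCL:proto"` entries and lists the filter options that are dropped as a result. The function names are hypothetical, and the parser assumes the colon-separated CMAP layout shown above with no colon inside the filter command.

```python
import shlex

def parse_delegated(cmdline):
    """Return (unconditional FCL argv or None, [(protocol, filter argv), ...])."""
    fcl, cmaps = None, []
    for tok in shlex.split(cmdline):
        name, sep, value = tok.partition("=")
        if not sep:
            continue                      # plain option such as -P8021
        if name == "FCL":
            fcl = shlex.split(value)
        elif name == "CMAP":
            # Assumed layout, as on this page: "<filter command>:FCL:<protocol>"
            fields = value.split(":")
            if len(fields) >= 3 and fields[1] == "FCL":
                cmaps.append((fields[2], shlex.split(fields[0])))
    return fcl, cmaps

def lint(cmdline):
    """List CMAP FCL entries disabled by an unconditional FCL, with lost options."""
    fcl, cmaps = parse_delegated(cmdline)
    if fcl is None:
        return []                         # only conditional FCLs: nothing shadowed
    findings = []
    for proto, argv in cmaps:
        lost = [a for a in argv[1:] if a.startswith("-") and a not in fcl]
        findings.append({"protocol": proto, "lost_options": lost})
    return findings

# Command line as reported in the quoted message.
REPORTED = ('delegated -P8021 -v FCL="sslway -cert /tmp/server-cert.pem '
            '-key /tmp/server-key.pem -ac -Vrfy  -vd" DGROOT=/tmp '
            'SERVER=ftp://<ip-adres>:9021 CMAP="sslway:FCL:ftp-data" '
            'CMAP="sslway -St:FCL:ftp"')

# Form suggested in the reply; the "..." elisions are kept as written.
SUGGESTED = ('delegated -P8021 CMAP="sslway -cert ... -key ... -Vrfy -St:FCL:ftp" '
             'CMAP="sslway -cert ... -key ...:FCL:ftp-data"')

if __name__ == "__main__":
    for label, cmd in (("reported", REPORTED), ("suggested", SUGGESTED)):
        results = lint(cmd)
        print(label, "-> no shadowed CMAP filters" if not results else results)
```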
