curl FTPS with client certificate to a vsftpd
What you need is: mandatory cert validation. The relevant vsftpd directive is validate_cert, which by default is NO.
Add the following options:
require_cert=YES
validate_cert=YES
ca_certs_file=/somewhere/cacerts.pem
Don't use self-signed certs, since the server checks the client cert against one of the CA certs in that ca_certs_file.
weeheavy over 1 year
I'd like to authenticate FTP clients either via username+password or a client certificate. Only FTPS is allowed.
User/password works, but while testing with curl (I don't have another option) and a client certificate, I need to pass a user. Isn't it technically possible to authenticate only by providing a certificate?
vsftpd.conf
passwd_chroot_enable=YES
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=usrlocal/ssl/certs/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES
Tested with
curl -v -k -E client-crt.pem --ftp-ssl-reqd ftp://server:21/testfile
the output is:
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> USER anonymous
< 530 Anonymous sessions may not use encryption.
* Access denied: 530
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (67) Access denied: 530
This is theoretically ok, as I forbid anonymous access. If I specify a user with
-u username:pass
it works, but it would without a certificate too. The client certificate seems to be ok, it looks like this:
client-crt.pem
-----BEGIN RSA PRIVATE KEY-----
content
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
content
-----END CERTIFICATE-----
What am I missing? Thanks in advance. (The OS is Solaris 10 SPARC).
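Added example, written for this page and not code from either poster or from the vsftpd project: a small POSIX sh check that reads a vsftpd.conf and reports whether the three directives named in the answer (require_cert, validate_cert, ca_certs_file) are set so the server actually demands and validates a CA-issued client certificate. The two configs it checks are constructed inline: a "weak" one shaped like the question's (SSL forced, but no client-cert requirement) and a corrected one with the answer's additions. All paths (/path/to/...) are placeholders; the get_directive helper is a plain grep and assumes one directive per line. The openssl wrapper at the end is only run when a client cert is passed on the command line.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for client-certificate enforcement.
# Sample configs below are constructed for illustration; paths are placeholders.

# Print the value of directive $2 in config $1 (last occurrence wins;
# empty output means the directive is absent, i.e. vsftpd's default applies).
get_directive() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Return 0 if the config forces client-cert authentication and validation,
# 1 otherwise, naming each missing directive on stdout.
check_client_cert_auth() {
    conf=$1
    rc=0
    for directive in require_cert validate_cert; do
        val=$(get_directive "$conf" "$directive")
        if [ "$val" != "YES" ]; then
            # Both default to NO in vsftpd, so "unset" is as bad as "=NO".
            echo "MISSING: $directive=YES (found '${val:-unset, default NO}')"
            rc=1
        fi
    done
    ca=$(get_directive "$conf" ca_certs_file)
    if [ -z "$ca" ]; then
        echo "MISSING: ca_certs_file (no CA for the server to validate client certs against)"
        rc=1
    fi
    return $rc
}

# Check that a client cert chains to the configured CA file, the same test the
# server performs once validate_cert=YES. Needs openssl on PATH.
client_cert_chains_to_ca() {
    # $1 = ca_certs_file, $2 = client cert (PEM)
    openssl verify -CAfile "$1" "$2"
}

# --- constructed sample configs -------------------------------------------
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

# Shaped like the question's config: SSL is forced, but nothing asks the
# client for a certificate, so user/password alone still logs in.
cat > "$WEAK_CONF" <<'EOF'
# placeholder paths, constructed sample
ssl_enable=YES
rsa_cert_file=/path/to/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES
EOF

# The answer's additions: demand a client cert and validate it against a CA.
cat > "$FIXED_CONF" <<'EOF'
# placeholder paths, constructed sample
ssl_enable=YES
rsa_cert_file=/path/to/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_cert=YES
validate_cert=YES
ca_certs_file=/path/to/cacerts.pem
EOF

echo "== constructed weak config =="
check_client_cert_auth "$WEAK_CONF" || echo "RESULT: client cert is optional and never validated"
echo "== corrected config =="
check_client_cert_auth "$FIXED_CONF" && echo "RESULT: server requires a CA-issued client cert"

# Optional: ./check.sh /etc/vsftpd.conf client-crt.pem verifies the client
# cert against the CA file named in that config.
if [ $# -eq 2 ]; then
    ca_file=$(get_directive "$1" ca_certs_file)
    [ -n "$ca_file" ] && client_cert_chains_to_ca "$ca_file" "$2"
fi
```

Note the caveat the question's curl output illustrates: curl's -k only switches off the client's validation of the server certificate ("self signed certificate (18), continuing anyway"); whether the server validates the client certificate is decided solely by validate_cert and ca_certs_file on the vsftpd side, which is why a self-signed client cert passes only as long as the server is not checking it at all.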