[VSFTPD] FTPS設定 (クライアント認証もあるよ)

hiroroooo299 51views 更新:2017年4月11日

FTPS: クライアント認証あり

# vsftpd.conf

# SSL強制
ssl_enable=YES

force_local_logins_ssl=YES
force_local_data_ssl=YES

## Implicitモードの場合
# implicit_ssl=YES
# listen_port=990

# サーバー証明書関係
# This option specifies the location of the RSA certificate to use for SSL encrypted connections.
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

# This option specifies the location of the RSA private key to use for SSL encrypted connections.
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key


ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES


# 下記にのってるcipher suite
# https://weakdh.org/sysadmin.html

ssl_ciphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# クライアント証明書関係
# If set to yes, all SSL client connections are required to present a client certificate.
require_cert=YES

# If enabled, vsftpd will request (but not necessarily require; see require_cert) a certificate on incoming SSL connections.
ssl_request_cert=YES

# If set to yes, all SSL client certificates received must validate OK
validate_cert=YES

# This option is the name of a file to load Certificate Authority certs from,
# for the purpose of validating client certs
ca_certs_file=/etc/pki/vsftpd_self_CA/cacert.pem

# If true, OpenSSL connection diagnostics are dumped to the vsftpd log file.
# debug_ssl=YES

ただし、軽く調べた限りだと、FTPS (クライアント認証) に対応しているクライアントは少ない

  • Windows => WinSCP
    • クライアント証明書を指定する設定項目がある
  • macOS => Cyberduck
    • オレオレ自己証明書の場合は、OSのキーチェーンにその証明書を取り込んでおく

ふつうのFTPS: クライアント認証なし

# vsftpd.conf

ssl_enable=YES

force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_request_cert=NO
require_cert=NO

rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES

ssl_ciphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# debug_ssl=YES

参考: https://security.appspot.com/vsftpd/vsftpd_conf.html

ログイン / 新規登録してコメントする

このソースコードをストックして後で利用したり、作業に利用したソースコードをまとめることができます。

こちらもお役に立つかもしれません