abdelmounim1.baroudi | 5 May 2008 18:26

[Proftpd-user] Pb using TLSCARevocationFile or /and TLSCARevocationPath


Hello,

I'm trying to use FTPS using Proftpd but I'm still having some trouble with the use of CRLs.

I have configured proftpd with a server certificate, declared my client CA and also declared a CRL to deny access to revoked clients.

The problem is that, using the CRL file, all of the revoked clients get access to the FTP server.

Below is all the information about my configuration and the other details.

proftpd.conf
-------------


        #############################################################
        # TLS configuration
        #############################################################
        <ifModule mod_tls.c>

                # Configure the server address presented to clients on the assumption that that IP address or DNS host
                # is acting as a NAT gateway or port forwarder for the server
#               MasqueradeAddress      10.10.200.10

                # PassivePorts restricts the range of ports from which the server will select when sent the PASV command from a
                # client. The port range selected must be in the non-privileged range (eg. greater than or equal to 1024); it is
                # STRONGLY RECOMMENDED that the chosen range be large enough to handle many simultaneous passive connections (for
                # example, 49152-65534, the IANA-registered ephemeral port range).
                PassivePorts 49160 49166

                # to enable TLS function
                TLSEngine on

                # to log TLS actions
                TLSLog /PROFTPD_home/logs/tls.log ALL

                # Are clients required to use FTP over TLS when talking to this server?
                TLSRequired on

                # Server's certificates
                TLSRSACertificateFile /PROFTPD_home/Certs/server/new-OBS-serverCert.pem
                TLSRSACertificateKeyFile /PROFTPD_home/Certs/server/new-OBS-serverKey.pem
                TLSOptions StdEnvVars
                # CA the server trusts
#               TLSCACertificateFile /PROFTPD_home/Certs/CA/CA-Cert.pem
                TLSCACertificatePath /PROFTPD_home/Certs/CA/
#               TLSCARevocationFile /PROFTPD_home/Certs/CRL/Ca-Crl.pem
                TLSCARevocationPath /PROFTPD_home/Certs/CRL/

                # Authenticate clients that want to use FTP over TLS?
                TLSVerifyClient on

                # The RootRevoke directive causes all root privileges to be dropped once a user is authenticated.
                # This will also cause active transfers to be disabled, if the server is listening on a port less than 1025.
                # Note that this only affects active transfers; passive transfers will not be blocked.
                RootRevoke on
                TLSVerifyDepth 9
        </ifModule>
        #############################################################
        # END TLS configuration
        #############################################################

</VirtualHost>


Trace after connection with a revoked certificate; in the tls.log file I have this:
--------------------------------------------------------------------------------------


May 05 20:13:35 mod_tls/2.1.1[28874]: TLS/TLS-C requested, starting TLS handshake
May 05 20:13:36 mod_tls/2.1.1[28874]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 05 20:13:36 mod_tls/2.1.1[28874]: Client: C = FR, ST = FRANCE, L = Cesson Sevigne, O = Orange Business Services, OU = ENG/ UNIX, CN = BAROUDI Abdelmounim, emailAddress = client02 <at> ornage.fr
May 05 20:13:36 mod_tls/2.1.1[28874]: Protection set to Private
May 05 20:13:36 mod_tls/2.1.1[28874]: starting TLS negotiation on data connection
May 05 20:13:36 mod_tls/2.1.1[28874]: TLSv1/SSLv3 data connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)




NB: I have tried all my certificates and the CRL with an Apache server and it works well.

The log from an httpd server looks like this:


[Mon May 05 18:17:10 2008] [info] Certificate with serial 2 (0x2) revoked per CRL from issuer /C=FR/ST=FRANCE/O=Orange Business Services/OU=UNIX Engineering Team/CN=ENG Administrator/emailAddress=administrator <at> orange.fr
[Mon May 05 18:17:10 2008] [error] Certificate Verification: Error (23): certificate revoked
[Mon May 05 18:17:10 2008] [debug] ssl_engine_kernel.c(1787): OpenSSL: Write: SSLv3 read client certificate B
[Mon May 05 18:17:10 2008] [debug] ssl_engine_kernel.c(1806): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon May 05 18:17:10 2008] [debug] ssl_engine_kernel.c(1806): OpenSSL: Exit: error in SSLv3 read client certificate B
[Mon May 05 18:17:10 2008] [info] SSL library error 1 in handshake (server1:443, client 172.30.4.123)
[Mon May 05 18:17:10 2008] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Mon May 05 18:17:10 2008] [info] Connection to child 67 closed with abortive shutdown(server 1:443, client 172.30.4.123)


Thanks in advance for your reply
ProFTPD Users List   <proftpd-users <at> proftpd.org>
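The following script is an added example, not part of the post above and not code from the ProFTPD project. It reproduces the situation described in the message on a throwaway CA: a client certificate is issued, revoked and listed in a CRL, and then `openssl verify` is run the two ways an OpenSSL-based server can consult a CRL: from a single file (the `TLSCARevocationFile` style) and from a hashed directory (the `TLSCARevocationPath` style). The assumption made here is that a directory lookup goes through OpenSSL's `X509_LOOKUP_hash_dir`, which only finds a CA certificate stored as `<subject-hash>.0` and a CRL stored as `<issuer-hash>.r0` (the links `c_rehash` creates); whether mod_tls applies exactly that lookup is not stated in the post and is an assumption. All names (`DemoCA`, `client02`, the working directory) are constructed for the example, and the script requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: build a throwaway CA, revoke one client certificate, and show
# how OpenSSL finds (or fails to find) the CRL depending on how it is stored.
set -e

WORK=$(mktemp -d)                  # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

setup_ca() {
  mkdir -p "$WORK/hashed"
  # Minimal openssl.cnf for "openssl ca"; $dir is expanded by OpenSSL, not the shell.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  # Self-signed CA (hypothetical name DemoCA), then a client cert signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
      -subj /CN=DemoCA -days 30 -config "$WORK/ca.cnf" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" -out "$WORK/client.csr" \
      -subj /CN=client02 -config "$WORK/ca.cnf" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/client.csr" \
      -out "$WORK/client.pem" >/dev/null 2>&1
  # Revoke the client certificate and publish the CRL that lists it.
  openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/client.pem" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

build_hash_dir() {
  # Hashed directory layout: CA cert as <hash>.0, CRL of that issuer as <hash>.r0
  # (this is what c_rehash produces; assumption: the server uses this lookup).
  h=$(openssl x509 -noout -hash -in "$WORK/ca.pem")
  ln -sf "$WORK/ca.pem" "$WORK/hashed/$h.0"
  ln -sf "$WORK/crl.pem" "$WORK/hashed/$h.r0"
}

# Run a verify command and reduce its output to one word.
classify() {
  out=$("$@" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)         echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                        echo ok ;;
    *)                               echo "other: $out" ;;
  esac
}

# CA and CRL given as files: revocation is detected.
check_file_lookup() {
  classify openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" "$WORK/client.pem"
}
# CA and CRL found through the hashed directory: revocation is detected.
check_dir_lookup() {
  classify openssl verify -crl_check -CApath "$WORK/hashed" "$WORK/client.pem"
}
# Same directory without the <hash>.r0 link: the CRL is simply not found.
check_dir_without_crl_link() {
  rm -f "$WORK/hashed/"*.r0
  r=$(classify openssl verify -crl_check -CApath "$WORK/hashed" "$WORK/client.pem")
  build_hash_dir
  echo "$r"
}
# No CRL checking at all: the revoked certificate verifies fine.
check_no_crl_checking() {
  classify openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem"
}

setup_ca
build_hash_dir
echo "CAfile + CRLfile, crl_check:        $(check_file_lookup)"
echo "hashed dir with .r0, crl_check:     $(check_dir_lookup)"
echo "hashed dir without .r0, crl_check:  $(check_dir_without_crl_link)"
echo "no crl_check:                       $(check_no_crl_checking)"
```

The last two results are the ones worth comparing against a server log: a certificate that verifies although it is on the CRL means revocation was never consulted, while "unable to get certificate CRL" means checking was requested but the CRL could not be located where the server looks for it. Running `openssl x509 -noout -hash -in <ca.pem>` and listing the revocation directory for a matching `<hash>.r0` is a quick way to confirm the second case.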