
Details for "GLFTPD_UPDATE_TUTORIAL_TO_FIX_OPENSSL_AND_PASV_BUGS_INCL_ECDSA_HOWTO-SCENENOTICE"

Notice: GLFTPD_UPDATE_TUTORIAL_TO_FIX_OPENSSL_AND_PASV_BUGS_INCL_ECDSA_HOWTO-SCENENOTICE
Uploaded: 2013-10-10 16:55:55
*** Question: Why should you update GLFTPD?! ***
glftpd versions bug history:
glFTPd 2.02+v6_20111227 64/32BiT Linux+TLS - around 2y old, TLS bug, PASV bug
glFTPd v2.01 (glftpd.eu) - 8y old, TLS bug, PASV bug
glFTPd v2.02RC1 - nearly 1y old, TLS bug, PASV bug
new:
glFTPd v2.02RC2 - (2013-07-16) no known OpenSSL/TLS bugs
glFTPd v2.02RC3 - (2013-09-23) Added support for ECDHE key exchange to make PFS work for ECC certs.
glFTPd v2.02RC4 - (2013-10-09) fixed FREEBSD compile with OpenSSL 1.0.1e + removed limits for mmap_amount
TLS bug:
server sends wrong TLS information; fixed with OpenSSL 1.0+
fix: use the latest static or dynamic glftpd (RC2/RC3/RC4) and an operating system with OpenSSL 1.0+
PASV bug:
glftpd sends a wrong IP from time to time in its PASV reply
[R1] 227 Entering Passive Mode (0,220,208,7,52,41)
[R1] Opening data connection IP: 0.220.208.7 PORT: 13353
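A client-side sanity check for the 227 reply shown above, as an added example (not part of the original notice and not glftpd code). The function names and the control-connection address 192.0.2.10 are assumptions for illustration; a server behind NAT or a bouncer may legitimately advertise a different address, so that result is a hint to review, not an error.

```python
import ipaddress
import re

# Six comma-separated numbers of an RFC 959 "227" reply: h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply line, or None if it is not one."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, control_peer_ip):
    """Classify a 227 reply against the address of the control connection."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not-a-227-reply"
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    # 0.0.0.0/8, multicast and reserved space are never usable data targets.
    if addr in ipaddress.ip_network("0.0.0.0/8") or addr.is_multicast or addr.is_reserved:
        return "invalid-address"
    if port == 0:
        return "invalid-port"
    if ip != control_peer_ip:
        return "differs-from-control-peer"
    return "ok"


if __name__ == "__main__":
    # Constructed input: the reply quoted in the notice plus one made-up good reply,
    # with 192.0.2.10 (documentation range) as the assumed control-connection peer.
    for line in ("[R1] 227 Entering Passive Mode (0,220,208,7,52,41)",
                 "227 Entering Passive Mode (192,0,2,10,52,41)"):
        print(check_pasv(line, "192.0.2.10"), "<-", line)
```
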
PROBLEMS WITH OLD GLFTPD VERSIONS PASV BUG AND OLD OPENSSL BUG:
*** Tons of 0byte files and incomplete releases! (produced by handshake errors etc) ***
So please update your system to the new glftpd version immediately.
Benefits of ECDSA: faster, smaller, and no one can decrypt recorded sessions if they get hold of the server's pem file (e.g. NSA).
URL: http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
1) Please update your glftpd to prevent 0byte files and improve speeds.
2) We recommend using the ECDSA certificate system instead of the old DSA certificate to block all sites not upgraded yet and to use the benefits of ECDSA.
3) We recommend enforcing SSLFXP and disabling plain login for your own security.
UPDATE GLFTPD:
a) Download new glftpd version from: http://www.glftpd.eu
b) Extract!
c) Depending on your architecture (32bit / 64bit), just copy the binaries (all files except *.sh; beware of e.g. dated.sh) located in /newglftpd/bin/ to /oldglftpd/bin/ with e.g. cp -f file1 file2 and execute ./libcopy.sh.
If you change from 32bit to 64bit you must recompile some binaries, of course.
d) Execute ./create_server_key.sh in /newglftpd/ without any options to create a ftpd-ecdsa.pem and copy it to /oldglftpd/etc/ftpd-ecdsa.pem
e) Edit the GLFTPD config: disable the DSA certificate (e.g. #DSA_CERT_FILE /glftpd/etc/ftpd-dsa.pem) and use CERT_FILE /glftpd/etc/ftpd-ecdsa.pem to ban all old glftpd systems that are not updated yet.
(Help us to stop the 0byte file mess.)
DONE!
problems:
1) sslfxp won't work from old-cert glftpd to new-cert glftpd versions (so bug siteops to update their glftpd/cert system)
2) Some tools (PREEE/FLASHFXP/FTPRUSH) won't work if the OpenSSL DLLs are not updated
FIX: Install http://slproweb.com/products/Win32OpenSSL.html (Light)
Overwrite the libeay32.dll and libssl32.dll in the PREE/FLASHFXP/FTPRUSH installation folder (or the subfolders where the DLLs are located) with the ones from the OpenSSL Light installation folder
3) glftpd changelog (pftp):
For anyone using pftp please change your sources to use
SSLv23_client_method in tlsutil.cc. For some stupid reason I left it with
SSLv3_client_method which is actually worse :( This will make your
connections more secure and actually allow the use of ECDSA ciphers.
DONE!