Glftpd Update Tutorial To Fix OpenSSL by Independent (IND)
Last modified Sep 2, 2020 12:33:10 AM
MD5 checksum aaf7c28eab86717eac96b9e4eee689ad
Size 4 kB
2013 October 10
- Text / Guides and how-tos
3 items in the archive
- GLFTPD_UPDATE_TUTORIAL_TO_FIX_OPENSSL_AND_PASV_BUGS_INCL_ECDSA_HOWTO-SCENENOTICE.rar
- file_id.diz
- GLFTPD_UPDATE_TUTORIAL_TO_FIX_OPENSSL_AND_PASV_BUGS_INCL_ECDSA_HOWTO-SCENENOTICE.nfo
*** Question: Why should you update GLFTPD?! ***
glftpd versions bug history:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
glFTPd 2.02+v6_20111227 64/32BiT Linux+TLS -> around 2y old, TLS bug, PASV bug
glFTPd v2.01 (glftpd.eu) -> 8y old, TLS bug, PASV bug
glFTPd v2.02RC1 -> nearly 1y old, TLS bug, PASV bug
new:
~~~~
glFTPd v2.02RC2 -> (2013-07-16) no known OpenSSL/TLS bugs
glFTPd v2.02RC3 -> (2013-09-23) Added support for ECDHE key exchange to make PFS work for ECC certs.
glFTPd v2.02RC4 -> (2013-10-09) fixed FREEBSD compile with OpenSSL 1.0.1e + removed limits for mmap_amount
TLS bug:
~~~~~~~~
server sends wrong TLS info, fixed with OpenSSL 1.0+
fix: use latest static or dynamic glftpd (RC2/RC3/RC4) and an operating system with OpenSSL 1.0+
PASV bug:
~~~~~~~~~
glftpd sends a wrong IP from time to time in its PASV reply, eg.:
[R1] 227 Entering Passive Mode (0,220,208,7,52,41)
[R1] Opening data connection IP: 0.220.208.7 PORT: 13353
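Added example (not part of the notice): a client-side sanity check for the 227 reply, using the buggy line quoted above. It parses the advertised address, refuses ones that cannot be right (0.0.0.0/8 as in that reply, loopback, multicast, or a host other than the control peer) and falls back to the control peer, which is the usual client workaround. The control-peer address 203.0.113.10 is a constructed value.

```python
import ipaddress
import re

# 227 reply as RFC 959 clients parse it: "(h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if unparsable."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, control_peer_ip):
    """Return (ok, reason) for the data address a server advertised.

    control_peer_ip is the address the control connection really goes to.
    An advertised address in 0.0.0.0/8 (as in the buggy reply above),
    loopback, multicast, or one that differs from the control peer is
    treated as untrustworthy.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "unparsable 227 reply"
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    if port == 0:
        return False, "port 0"
    if addr in ipaddress.ip_network("0.0.0.0/8"):
        return False, "address in 0.0.0.0/8"
    if addr.is_loopback or addr.is_multicast:
        return False, "loopback/multicast address"
    if addr != ipaddress.ip_address(control_peer_ip):
        return False, "advertised host differs from control peer"
    return True, "ok"


def data_endpoint(reply, control_peer_ip):
    """Endpoint a client should dial: the advertised one if it passes the
    check, otherwise the control peer with the advertised port."""
    parsed = parse_pasv(reply)
    if parsed is None:
        raise ValueError("cannot parse 227 reply")
    ip, port = parsed
    ok, _ = check_pasv(reply, control_peer_ip)
    return (ip if ok else control_peer_ip), port


if __name__ == "__main__":
    # constructed control-peer address; the 227 line is the one from the notice
    print(data_endpoint("227 Entering Passive Mode (0,220,208,7,52,41)", "203.0.113.10"))
```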
PROBLEMS WITH OLD GLFTPD VERSIONS PASV BUG AND OLD OPENSSL BUG:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** Tons of 0byte files and incomplete releases! (produced by handshake errors etc) ***
So please update your system to new glftpd version immediately
Benefits of ECDSA: faster, smaller and no one can decrypt recorded sessions
if they get hold of the server's pem file. (eg. NSA)
URL: http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
1) Please update your glftpd to prevent 0byte files and improve speeds.
2) We recommend using an ECDSA certificate instead of the old DSA certificate, to block all sites not upgraded yet and
to get the benefits of ECDSA.
3) We recommend enforcing SSLFXP and disabling plain login for your own security.
UPDATE GLFTPD:
~~~~~~~~~~~~~~
a) Download new glftpd version from: http://www.glftpd.eu
b) Extract!
c) Depending on your architecture (32bit / 64bit), just copy the binaries (all files except *.sh (beware eg. dated.sh))
located in /newglftpd/bin/ to /oldglftpd/bin/ with eg. "cp -f <file1> <file2>" and execute ./libcopy.sh.
If you change from 32bit to 64bit you must recompile some binaries of course.
d) Execute ./create_server_key.sh in /newglftpd/ without any options to create a ftpd-ecdsa.pem and
copy it to /oldglftpd/etc/ftpd-ecdsa.pem
e) Edit the GLFTPD config, disable the DSA cert (eg. #DSA_CERT_FILE /glftpd/etc/ftpd-dsa.pem) and use
CERT_FILE /glftpd/etc/ftpd-ecdsa.pem to ban all old glftpd systems that are not updated yet.
(help us to stop the 0byte file mess)
DONE!
~~~~~
problems:
~~~~~~~~~
1) sslfxp won't work from old cert glftpd to new cert glftpd versions (so bug siteops to update their glftpd/cert system)
2) Some tools (PREEE/FLASHFXP/FTPRUSH) won't work if their OpenSSL DLLs are not updated
FIX: Install http://slproweb.com/products/Win32OpenSSL.html (Light)
Copy libeay32.dll and libssl32.dll from the OpenSSL Light installation folder over the ones in the
PREE/FLASHFXP/FTPRUSH installation folder (or the subfolders where the dll's are located)
3) glftpd changelog (pftp):
For anyone using pftp please change your sources to use
SSLv23_client_method in tlsutil.cc. For some stupid reason I left it with
SSLv3_client_method which is actually worse :( This will make your
connections more secure and actually allow the use of ECDSA ciphers.
DONE!
~~~~~