
2013 October 10

  • Text / Guides and how-tos
3 items in the archive
  • GLFTPD_UPDATE_TUTORIAL_TO_FIX_OPENSSL_AND_PASV_BUGS_INCL_ECDSA_HOWTO-SCENENOTICE.rar
  • file_id.diz
  • GLFTPD_UPDATE_TUTORIAL_TO_FIX_OPENSSL_AND_PASV_BUGS_INCL_ECDSA_HOWTO-SCENENOTICE.nfo
*** Question: Why should you update GLFTPD?! ***

glftpd versions bug history:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
glFTPd 2.02+v6_20111227 64/32BiT Linux+TLS -> around 2y old, TLS bug, PASV bug
glFTPd v2.01 (glftpd.eu)                   -> 8y old, TLS bug, PASV bug
glFTPd v2.02RC1                            -> nearly 1y old, TLS bug, PASV bug

new:
~~~~
glFTPd v2.02RC2 -> (2013-07-16) no known OpenSSL/TLS bugs
glFTPd v2.02RC3 -> (2013-09-23) Added support for ECDHE key exchange to make PFS work for ECC certs.
glFTPd v2.02RC4 -> (2013-10-09) fixed FREEBSD compile with OpenSSL 1.0.1e + removed limits for mmap_amount

TLS bug:
~~~~~~~~
The server sends wrong TLS info; fixed with OpenSSL 1.0+.
fix: use the latest static or dynamic glftpd (RC2/RC3/RC4) and an operating system with OpenSSL 1.0+

PASV bug:
~~~~~~~~~
glftpd sends a wrong IP from time to time with PASV:

[R1] 227 Entering Passive Mode (0,220,208,7,52,41)
[R1] Opening data connection IP: 0.220.208.7 PORT: 13353

PROBLEMS WITH OLD GLFTPD VERSIONS PASV BUG AND OLD OPENSSL BUG:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** Tons of 0byte files and incomplete releases! (produced by handshake errors etc) ***

So please update your system to the new glftpd version immediately.

Benefits of ECDSA: faster, smaller, and no one can decrypt recorded sessions if they get hold of the server's pem file (e.g. NSA).
URL: http://en.wikipedia.org/wiki/Elliptic_Curve_DSA

1) Please update your glftpd to prevent 0byte files and improve speeds.
2) We recommend using the ECDSA certificate system instead of the old DSA certificate, to block all sites not upgraded yet and to use the benefits of ECDSA.
3) We recommend enforcing SSLFXP and disabling plain login for your own security.

UPDATE GLFTPD:
~~~~~~~~~~~~~~
a) Download the new glftpd version from: http://www.glftpd.eu
b) Extract!
c) Depending on your architecture (32bit / 64bit), just copy the binaries (all files except *.sh (beware e.g. dated.sh)) located in /newglftpd/bin/ to /oldglftpd/bin/ with e.g. "cp -f <file1> <file2>" and execute ./libcopy.sh.
   If you change from 32bit to 64bit you must of course recompile some binaries.
d) Execute ./create_server_key.sh in /newglftpd/ without any options to create a ftpd-ecdsa.pem and copy it to /oldglftpd/etc/ftpd-ecdsa.pem
e) Edit the GLFTPD config: disable the DSA certificate (e.g. #DSA_CERT_FILE /glftpd/etc/ftpd-dsa.pem) and use CERT_FILE /glftpd/etc/ftpd-ecdsa.pem to ban all old glftpd systems that are not updated yet. (help us to stop the 0byte file mess)

DONE!
~~~~~

problems:
~~~~~~~~~
1) sslfxp won't work from old-cert glftpd to new-cert glftpd versions (so bug siteops to update their glftpd/cert system)
2) Some tools (PREEE/FLASHFXP/FTPRUSH) won't work if the OpenSSL DLLs are not updated.
   FIX: Install http://slproweb.com/products/Win32OpenSSL.html (Light)
   Copy libeay32.dll and libssl32.dll from the OpenSSL Light installation folder over the ones in the PREE/FLASHFXP/FTPRUSH installation folder (or the subfolders where the DLLs are located)
3) glftpd changelog (pftp):
   For anyone using pftp please change your sources to use SSLv23_client_method in tlsutil.cc. For some stupid reason I left it with SSLv3_client_method which is actually worse :( This will make your connections more secure and actually allow the use of ECDSA ciphers.

DONE!
~~~~~
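
A client-side check for the PASV bug described above, as an added example that is not part of the original notice or of glftpd: it decodes a 227 reply and flags data addresses such as the 0.220.208.7 shown in the log. The function names and the control-connection address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress
import re

# Six comma-separated fields of a 227 reply: h1,h2,h3,h4,p1,p2 (RFC 959).
_PASV_RE = re.compile(r"\b227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# The reply quoted in the notice, as logged by the client.
NOTICE_REPLY = "[R1] 227 Entering Passive Mode (0,220,208,7,52,41)"
# Constructed sample: control-connection address from a documentation range.
SAMPLE_CONTROL_IP = "203.0.113.7"


def parse_pasv(reply):
    """Return (ip, port) decoded from a 227 PASV reply line."""
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no 227 PASV reply in %r" % reply)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field above 255 in %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_pasv(reply, control_ip):
    """Return a list of findings; an empty list means nothing suspicious."""
    ip_text, port = parse_pasv(reply)
    ip = ipaddress.IPv4Address(ip_text)
    findings = []
    if ip in ipaddress.ip_network("0.0.0.0/8"):
        findings.append("%s is in 0.0.0.0/8, not a usable data address" % ip)
    elif ip.is_loopback or ip.is_multicast or ip.is_link_local:
        findings.append("%s is not a routable unicast address" % ip)
    if ip != ipaddress.IPv4Address(control_ip):
        # Can be legitimate (NAT, multi-homed host), so treat it as a warning.
        findings.append("%s differs from control address %s" % (ip, control_ip))
    if port == 0:
        findings.append("port 0 is not a valid data port")
    return findings


if __name__ == "__main__":
    print(parse_pasv(NOTICE_REPLY))
    for finding in check_pasv(NOTICE_REPLY, SAMPLE_CONTROL_IP):
        print("WARN:", finding)
```

Running this check over client or site logs shows how often a server hands out a bad PASV address, which is the condition the notice links to 0byte files and incomplete transfers.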