Implementing FTPS (FTP over SSL/TLS) with vsftpd

Contents

    • Check whether vsftpd supports SSL
    • Create a self-signed certificate
    • Configure vsftpd to support SSL
    • Test

Check whether vsftpd supports SSL

[root@centos7 ~]# ldd `which vsftpd`
    linux-vdso.so.1 =>  (0x00007fff729c8000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f6358444000)
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f6358239000)
    libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f635801f000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f6357e10000)
    libcap.so.2 => /lib64/libcap.so.2 (0x00007f6357c0b000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f6357a06000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f635761c000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f635725b000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f635700c000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f6356d25000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f6356b21000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f63568ee000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f63566d8000)
    libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f63564b0000)
    libattr.so.1 => /lib64/libattr.so.1 (0x00007f63562aa000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f63588e4000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f635609b000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f6355e97000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f6355c7c000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f6355a60000)
    libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f6355859000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f6355632000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f63553d1000)
[root@centos7 ~]# ldd `which vsftpd` | grep libssl          # linked against libssl, so this build supports SSL
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f69c6fe5000)

Create a self-signed certificate

[root@centos7 ~]# cd /etc/pki/tls/certs
[root@centos7 certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  vsftpd.pem ; \
echo ""    >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.........................................+++
.......................................................+++
writing new private key to '/tmp/openssl.7gPwj6'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:haiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.ihaiyun.cc
Email Address []:

The Makefile recipe concatenates the unencrypted private key and the certificate into one file; the `umask 77` makes it mode 0600, readable by root only, which is all vsftpd needs because it loads the file while still running as root. What comes out is a self-signed certificate with serial number 0, the CA:TRUE basic constraint, no subjectAltName and one year of validity, as the dump below shows: no client trusts it until it is pinned or imported explicitly, and it has to be reissued before the Not After date.

[root@centos7 certs]# openssl x509 -in vsftpd.pem -noout -text          # inspect the certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=haidian, O=haiyun.com, OU=opt, CN=www.ihaiyun.cc
        Validity
            Not Before: Oct 13 07:10:13 2017 GMT
            Not After : Oct 13 07:10:13 2018 GMT
        Subject: C=CN, ST=beijing, L=haidian, O=haiyun.com, OU=opt, CN=www.ihaiyun.cc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:7d:40:95:ed:7b:c1:a2:ed:88:6e:bd:0c:c6:
                    7d:24:d1:5e:b3:f1:d5:9a:ef:6b:83:95:89:13:64:
                    7b:91:12:60:c9:cd:32:ed:2c:fe:48:48:9f:bb:d7:
                    b3:48:5f:b4:5a:1e:74:d1:d1:71:37:e6:7b:9c:bc:
                    df:ce:a4:64:f4:8e:bd:23:0e:13:5d:54:a3:94:90:
                    6c:6f:34:bb:b3:8a:ab:57:f0:95:d0:95:18:1d:24:
                    20:cb:fd:4f:57:9a:62:c6:7c:0e:78:10:3a:9c:56:
                    46:3a:3f:b8:6a:88:d5:c6:43:88:a2:8b:5d:96:d6:
                    a3:7e:8f:47:bb:d5:95:3d:6a:4f:1c:f7:a6:a4:2d:
                    65:7e:c6:23:fd:b4:e5:a8:a5:1a:e4:0f:2c:27:d5:
                    bc:b0:2e:51:50:8e:8f:cf:b9:ea:e6:4c:5c:24:05:
                    d1:76:68:32:3e:23:38:02:81:9d:a2:40:c8:ca:91:
                    b9:ee:4b:e5:bb:75:06:09:7f:9b:47:6e:c3:3f:e1:
                    b4:48:ad:39:c8:7d:ab:a0:61:1c:bb:c5:ba:f5:e2:
                    9c:3e:e4:34:d0:7e:f8:8c:51:0d:e8:0c:c4:66:6f:
                    3a:44:a9:e2:56:be:1e:26:f3:d5:18:0a:86:4e:22:
                    bd:ac:a6:12:25:b6:56:7c:fb:9b:25:02:01:17:e4:
                    a7:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                48:F2:61:FD:CD:29:64:49:18:14:7B:E5:DF:A5:DC:CC:69:1C:44:C4
            X509v3 Authority Key Identifier: 
                keyid:48:F2:61:FD:CD:29:64:49:18:14:7B:E5:DF:A5:DC:CC:69:1C:44:C4

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         08:a0:5d:34:eb:05:f8:75:f2:15:5e:38:0b:cf:1d:86:7d:8e:
         cb:f9:b5:7e:b3:15:1b:b5:b2:4b:e4:d8:64:09:c4:71:9b:17:
         67:12:7d:24:6b:af:cb:22:6b:08:6f:e9:af:35:5e:54:5f:43:
         38:57:3c:8c:c5:ac:28:43:cf:6c:9b:1e:46:28:e3:6a:05:f3:
         70:0e:d1:26:2e:44:2c:4b:c6:26:70:82:a3:97:f6:fc:ea:1d:
         76:19:f7:96:3d:76:9a:95:19:5b:14:7f:4f:e0:87:18:df:cb:
         79:20:b4:f2:f7:e1:b9:aa:ae:3b:0d:b2:98:e4:76:ee:35:77:
         f3:e4:03:7c:77:47:47:e4:78:6b:1a:45:04:1a:37:ca:f5:58:
         e3:a5:8e:07:31:0d:2c:cc:79:d5:00:1c:85:a5:00:8f:f1:fa:
         20:bb:4e:1e:a0:3a:64:55:d4:76:04:75:85:6d:de:24:bb:54:
         56:bb:62:3d:1b:49:90:36:af:09:3d:df:56:28:e7:c8:f5:e6:
         ee:ca:0f:43:00:c7:1a:f3:d4:56:24:5e:da:73:73:0c:ed:6b:
         d8:82:47:3e:6c:5d:3c:23:03:e4:8d:43:31:e9:c4:c5:df:90:
         79:c3:c9:fb:cd:44:45:8d:27:a7:e6:30:a8:a8:3f:bb:f1:a2:
         ae:c1:f5:a4
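Before pointing vsftpd at the file it is worth confirming that the recipe produced what the daemon expects: one key, one certificate, a key that actually belongs to that certificate, a validity period with room to spare, and a file nobody but root can read. The script below is an added example, not part of the original post or of vsftpd; it assumes POSIX sh, the openssl command-line tool and stat(1), and takes the path of the PEM as its argument (the post's path is /etc/pki/tls/certs/vsftpd.pem).

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check the combined
# key+certificate PEM produced by the Makefile recipe before handing it to
# vsftpd.  Assumes POSIX sh, the openssl command-line tool and stat(1).
# Usage: sh check_vsftpd_pem.sh /etc/pki/tls/certs/vsftpd.pem

# 0 if FILE holds exactly one PRIVATE KEY block and one CERTIFICATE block
# (the recipe writes the key first, then the certificate).
pem_has_key_and_cert() {
    f=$1
    keys=$(grep -c -e '-----BEGIN.*PRIVATE KEY-----' "$f" 2>/dev/null)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null)
    [ "${keys:-0}" -eq 1 ] && [ "${certs:-0}" -eq 1 ]
}

# 0 if the private key and the certificate belong together.  Both sides are
# reduced to the same PEM SubjectPublicKeyInfo encoding and compared; an
# empty result (unreadable file, no key, no cert) counts as a mismatch.
pem_key_matches_cert() {
    f=$1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid DAYS days from now (default 30).
cert_not_expiring() {
    f=$1; days=${2:-30}
    openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# 0 if only the owner can read the file (umask 77 in the recipe gives 0600).
# The unencrypted key must never be group- or world-readable.
pem_mode_is_private() {
    f=$1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run every check in order; report the first failure and return 1.
pem_check_all() {
    f=$1
    pem_has_key_and_cert "$f" || { echo "$f: expected one private key and one certificate"; return 1; }
    pem_key_matches_cert "$f" || { echo "$f: private key does not match the certificate"; return 1; }
    cert_not_expiring "$f" 30 || { echo "$f: certificate expired or expires within 30 days"; return 1; }
    pem_mode_is_private "$f"  || { echo "$f: must be mode 0600, readable by root only"; return 1; }
    echo "$f: OK"
}

case $# in
    0) ;;                        # no argument: only define the functions
    *) pem_check_all "$1" ;;
esac
```

The key/certificate comparison is the check that catches the most common mistake with combined PEM files, a key from one `make` run pasted next to a certificate from another: vsftpd would start, and every client would then fail the handshake with an unhelpful error.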

Configure vsftpd to support SSL

[root@centos7 ~]# vim /etc/vsftpd/vsftpd.conf
# enable SSL/TLS
ssl_enable=YES
# also let anonymous users negotiate SSL; set NO to keep anonymous sessions plaintext-only
allow_anon_ssl=YES
# local users must authenticate over an encrypted control connection
force_local_logins_ssl=YES
# local users' data connections must be encrypted as well
force_local_data_ssl=YES
# combined private key + certificate from the previous step; rsa_private_key_file
# is only needed when the key lives in a separate file
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

vsftpd's parser accepts only whole-line comments: a trailing "# ..." after a directive becomes part of the value and the daemon refuses to start with a "bad bool value" error, so keep the annotations on their own lines as above. The change takes effect after the service is restarted.

Test
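The script below is an added example for the configuration step above and for this test section; it is not part of the original post or of the vsftpd project. It assumes POSIX sh and awk for the configuration audit and the openssl and curl clients for the live checks; the host, user and path arguments are placeholders, and the values it compares against are the defaults documented in vsftpd.conf(5).

```sh
#!/bin/sh
# Added example, not part of the original post or of vsftpd: audit the TLS
# directives in a vsftpd.conf against the settings from the post and the
# defaults documented in vsftpd.conf(5), then exercise the live service as
# an explicit-FTPS client.  Assumes POSIX sh and awk; the client helpers
# also need the openssl and curl command-line tools.  Host, user and path
# arguments are placeholders.
# Usage: sh ftps_check.sh /etc/vsftpd/vsftpd.conf [host [user]]

# Print the effective value of KEY in FILE, or DEFAULT when it never
# appears.  vsftpd reads directives top to bottom, so the last assignment
# wins; whole-line '#' comments are skipped.  Trailing comments are NOT
# stripped because vsftpd does not strip them either.
conf_get() {
    file=$1; key=$2; default=$3
    val=$(awk -F= -v k="$key" '
        /^[[:space:]]*#/ { next }
        $1 == k          { v = $2 }
        END              { print v }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Return 0 when local users are forced onto TLS and the broken protocol
# versions and the 3DES default cipher are off; print one line per finding.
audit_tls_conf() {
    file=$1; rc=0
    [ "$(conf_get "$file" ssl_enable NO)" = YES ] ||
        { echo "WEAK: ssl_enable is not YES, vsftpd serves plaintext FTP only"; rc=1; }
    for opt in force_local_logins_ssl force_local_data_ssl; do    # documented default: YES
        [ "$(conf_get "$file" "$opt" YES)" = YES ] ||
            { echo "WEAK: $opt=NO lets local users send passwords or data in the clear"; rc=1; }
    done
    for opt in ssl_sslv2 ssl_sslv3; do                            # documented default: NO
        [ "$(conf_get "$file" "$opt" NO)" = NO ] ||
            { echo "WEAK: $opt=YES re-enables a broken protocol version"; rc=1; }
    done
    [ "$(conf_get "$file" ssl_ciphers DES-CBC3-SHA)" != DES-CBC3-SHA ] ||
        { echo "WEAK: ssl_ciphers left at the documented 3DES default, set ssl_ciphers=HIGH"; rc=1; }
    if [ "$(conf_get "$file" anonymous_enable YES)" = YES ] &&
       [ "$(conf_get "$file" allow_anon_ssl NO)" = YES ]; then
        echo "NOTE: anonymous logins may negotiate TLS (allow_anon_ssl=YES); set NO unless intended"
    fi
    cert=$(conf_get "$file" rsa_cert_file /usr/share/ssl/certs/vsftpd.pem)
    [ -r "$cert" ] || { echo "WEAK: rsa_cert_file '$cert' is not readable"; rc=1; }
    return "$rc"
}

# Explicit FTPS: openssl runs the FTP AUTH TLS exchange on the control port
# and verifies the server against CAFILE.  The post's self-signed
# certificate is CA:TRUE, so the PEM itself can serve as the trust anchor.
# Non-zero exit means the handshake or the verification failed.
ftps_handshake() {
    host=$1; port=${2:-21}; cafile=${3:-/etc/pki/tls/certs/vsftpd.pem}
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls ftp \
        -CAfile "$cafile" -verify_return_error -quiet
}

# The same from curl: --ssl-reqd refuses to fall back to plaintext when
# AUTH TLS is rejected, --cacert pins the server's own PEM.  HOST has to
# match the certificate's CN (www.ihaiyun.cc in the post) or a SAN.
ftps_list() {
    host=$1; user=$2; cafile=${3:-/etc/pki/tls/certs/vsftpd.pem}
    curl --silent --show-error --ssl-reqd --cacert "$cafile" --user "$user" "ftp://$host/"
}

case $# in
    0) ;;                                             # no args: define functions only
    1) audit_tls_conf "$1" ;;
    2) audit_tls_conf "$1" && ftps_handshake "$2" ;;
    *) audit_tls_conf "$1" && ftps_handshake "$2" && ftps_list "$2" "$3" ;;
esac
```

Run `sh ftps_check.sh /etc/vsftpd/vsftpd.conf` after editing the file and restarting vsftpd; with a host name as second argument it performs the AUTH TLS handshake and verification, and with a user name as third argument it lists the root directory over the protected channel. The complementary negative test is a plain `ftp` client: with `force_local_logins_ssl=YES` in effect, a local user's USER command must be refused with a 530 reply before any password is sent.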
