Go Back   FlashFXP Forums > > > >

ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Reply
 
Thread Tools Rate Thread Display Modes
Old 08-29-2007, 02:16 AM   #1
magic_
Junior Member
 
Join Date: Aug 2007
Posts: 5
Default Unable to create cert.

Hey,

I am using ioftpd version 6.2.1 and have a fresh install. No scripts at the moment installed.

At the moment when i execute my bat file in FlashFXP the hourglass appears until the client timeouts. This is what flashfxp shows:
Code:
[R] site exec kebabfabriken.bat
[R] Connection lost: kebabfabriken
I do not get any errors in logs.

My SSL section in ioftpd.ini looks like this:

Code:
# Encryption - See "Permissions" section below for syntax. The default
# allows anyone to connect to the server.
#
# To force everyone (a good idea!) to use secure connections except for
# the default ioFTPD account which is configured to only allow connections
# from the same machine as the server use
#    Require_Encrypted_Auth  = !-ioFTPD *
#    Require_Encrypted_Data  = !-ioFTPD *
#
Require_Encrypted_Auth  = !*
Require_Encrypted_Data  = !*

#
#                >>>>>>>>>>>> SSL CHANGE THIS <<<<<<<<<<<<<<
#
# After you have created your certificate, change this to the name you used
# which should be your dynamic DNS name, your fixed external IP address, or
# if you have neither of those a made up descriptive name for you server.
# Since all locally generated certificates will report as being unverified
# you might as well get rid of clients also complaining your cert name doesn't
# match your DNS name or IP address.
;Certificate_Name        = ioFTPD

Explicit_Encryption     = True
# limit encryption to a particular type: SSL2, SSL3, TLS
# leave this undefined to support any of them
;Encryption_Protocol     = SSL3
# Don't set min higher than 128 or non-Vista FTP clients not built with openSSL
# won't be able to connect...
#Min_Cipher_Strength     = 128
#Max_Cipher_Strength     = 256

# IDNT command handler
Get_External_Ident      = True

# Traffic Balancing
;Data_Devices            =
;Random_Devices          = True
I have created a .bat file that contains this:

makecert.exe -r -n "CN=kebabfabriken"-eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk kebabfabriken -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

I put makecert.exe, certmgr.exe, kebabfabriken.bat in a folder that i access when using Flashfxp and i have chmod:ed that folder to 777. I am using the ioFTPD account so i should have maximum permission. ioftpd is installed as a service and using the local system account option to log on. Is this incorrect?

Does anyone know what I am doing wrong?
magic_ is offline   Reply With Quote
Old 08-29-2007, 03:20 AM   #2
Zer0Racer
Senior Member
ioFTPD Scripter
 
Join Date: Oct 2002
Posts: 703
Default

I would run that in a regular command prompt. Though it seems you're missing the certs filename in the bat-file. Add ie. ioFTPD.cer after -sy 12. And you might have to put a space between the CN part and "-eku".

Then it should generate a file called ioFTPD.cer that you have to install/import (double-click). You also have to change some things in your ioFTPD.ini, ie. removing a couple of # and ; so that those options are active.
Code:
### Encryption ###
Require_Encrypted_Auth  = !*
Require_Encrypted_Data  = !*
Certificate_Name        = kebabfabriken
Explicit_Encryption     = True
;Encryption_Protocol     = TLS
Min_Cipher_Strength     = 128
Max_Cipher_Strength   = 256
/ZR
Zer0Racer is offline   Reply With Quote
Old 08-29-2007, 04:17 AM   #3
magic_
Junior Member
 
Join Date: Aug 2007
Posts: 5
Default update...

Hey ZR, thx for the tips.

I missed the space between "CN=kebabfabriken" -eku.

I tried to execute the bat file in the command prompt and a windows pops up saying that makecert.exe is not a valid 32-bit application and the prompt says failed.

I got my hands on a another makecert.exe file and now i get this:

Code:
makecert.exe -r -n "CN=kebabfabriken" -eku 1.3.6.1.5.5.7.3.1 -ss  my -sr CurrentUser -a sha1 -sk kebabfabriken -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 kebabfabriken.cer Error: Can't create the key of the subject ('kebabfabriken')
Failed
I haven't made the changes you suggested to the ioftpd.ini file, if i understood you correctly, that should be after the cert is created and imported?

Btw, should i use sha1 or md5? what is recommended? I heard sha1 for security, md5 for performance?
magic_ is offline   Reply With Quote
Old 08-29-2007, 06:23 AM   #4
Zer0Racer
Senior Member
ioFTPD Scripter
 
Join Date: Oct 2002
Posts: 703
Default

They way I do it using a bat-file called rsa_keygen.bat and it looks like this
Code:
@echo off
echo This batch will generate an SChannel compatible RSA 1024bits key for your ioFTPD
echo -----
set temphost=
set /P temphost=Please enter your server's hostname (example: xxx.dyndns.org):
echo Please Wait ... generating new certificate
echo -----
makecert.exe -r -n CN=%temphost% -b 01/01/2005 -e 01/01/2015 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ioftpd.cer
echo -----
pause
The version of makecert.exe is 5.131.1863.1 and when I try the exact command you're using it works. Which Windows version are you using? Maybe there is a special makecert version for it or something.


/ZR

EDIT: After some research I found that there is a special version of makecert for Windows Vista and if you try to run it on WinXP SP2 it says it's not a valid 32-bit application. (http://forums.microsoft.com/MSDN/Sho...40297&SiteID=1) They suggest downloading the codesigningX86.exe from cryptguard.com (http://www.cryptguard.com/documentat...es_tools.shtml) since it's no longer available from microsoft.com. Direct link: https://www.cryptguard.com/files/codesigningx86.exe

Hope it helps.

Last edited by Zer0Racer; 08-29-2007 at 06:34 AM.
Zer0Racer is offline   Reply With Quote
Old 08-29-2007, 07:41 AM   #5
magic_
Junior Member
 
Join Date: Aug 2007
Posts: 5
Default update 2..

ZR,

I made an exact copy of the contents of your rsa_keygen.bat file. I also checked my makecert.exe version and it seems to be identical to the one you have, i.e 5.131.1863.1 .

Here is the output of your .bat file:
Code:
C:\Documents and Settings\magic\Desktop>rsa_keygen.bat
This batch will generate an SChannel compatible RSA 1024bits key for your ioFTPD

-----
Please enter your server's hostname (example: xxx.dyndns.org):kebabfabriken.xxxxx.xxx
Please Wait ... generating new certificate
-----
Error: Can't create the key of the subject ('JoeSoft')
Failed
-----
Press any key to continue . . .
I can't seem to figure out where JoeSoft come from?

I use a special version of WinXP Pro SP2. Its pretty stripped down (using nlite) to use very little memory and other resources. Maybe that could be the cause too, that something ( a service etc) is needed to create certificates? Any ideas of what makecert.exe is dependent of if that is the case?

I tried creating a certificate on my laptop which worked without any problem using my .bat file, not your rsa_keygen.bat file. Whats weird is that i use the same stripped down version of Windows XP pro SP2 on my laptop. Is is possible to copy it over to my other pc? wild shot, but i assume you cant do that. hmm

This is the line that worked for me on my laptop:

makecert.exe -r -n "CN=kebabfabriken" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr CurrentUser -a sha1 -sk kebabfabriken -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 kebabfabriken.cer

Ideas? :/

Last edited by magic_; 08-29-2007 at 08:15 AM. Reason: update..
magic_ is offline   Reply With Quote
Old 08-29-2007, 10:17 AM   #6
Yil
Too much time...
FlashFXP Beta Tester
ioFTPD Administrator
 
Join Date: May 2005
Posts: 1,194
Default

Double check via certmgr that you don't already have a certificate installed with the name you're trying to use...

I'm guessing the stripped down XP you're using is the real problem here now. Try comparing your laptop services to the stripped version for things related to crypto...
Yil is offline   Reply With Quote
Old 08-29-2007, 02:50 PM   #7
Zer0Racer
Senior Member
ioFTPD Scripter
 
Join Date: Oct 2002
Posts: 703
Default

I'm also using an nLite-modded install of WinXP Pro SP2. No problem here.

/ZR
Zer0Racer is offline   Reply With Quote
Old 08-30-2007, 12:22 AM   #8
magic_
Junior Member
 
Join Date: Aug 2007
Posts: 5
Default update on Yil´s suggestions

Yil,

I started certmgr.exe and found that no certificate, with any of the names i have tried, was installed. I also looked on my laptop and saw that there was certificate named kebabfabriken, hence confirming that the creation had succeeded on this machine. Both machines have the cryptographic services installed and running. I found however that this service has very little impact on the creation of the certificate. I could still create a certificate on my laptop if this service was stopped. I could not however execute certmgr.exe and view certificates when this service was stopped.

I will do a more thorough comparison of services later today, but for now, that is the only one i have found that has some "crypto" affiliation.

I am running out of ideas, usually I would just re-install windows, since my xp install is pretty fresh and its running on a 2.0Ghz opteron, 2GB RAM, 4TB system it wouldn't take that long to do. However its not in my physical presence, its more like ~300km away, so im using remote desktop to connect to it every time i need to make changes. Could the fact that im connecting remotely have anything to do with it? As you see, my guesses are becoming pretty desperate, im running out of ideas

I don't know if this will help, but I thought i would give it a try, the following contains info about the version of xp that im using. I am aware that this kind of info is not very welcome in this forum, so feel free to modify my post if i violate any rule, sorry :/

Code:
This CD was made using nLite:

*********What is Remaining?*********

Applications:

Calculator
Defragmenter

Drivers:

Asynchronous Transfer Mode (ATM)
Battery
Bluetooth Support
Brother Devices
Display Adapters
Display Adapters (old)
Ethernet (LAN)
Firewire (1394) Support
IBM Thinkpad
InfraRed
ISDN
MultiFunctional
Multi-port serial adapters
PCMCIA
Ports (COM & LPT)
SCSI/RAID
Sound Controllers
Toshiba DVD decoder card
Windows Image Acquisition (WIA)

Internet Utilities:

ATM Support
Client for Netware Networks
Internet Explorer
Internet Explorer Core
MAC Bridge
NetShell Cmd-Tool
Network Monitor Driver and Tools
NWLink IPX/SPX/NetBIOS Protocol
Outlook Express
Tcp/Ip Version 6

Operating System Options:

16-bit support
Administrator VB scripts
Application compatibility patch
Command-Line tools
Disk Cleanup
Extra Fonts
Floppy Support
Jet Database Engine
MDAC
Out of Box Experience (OOBE)
Printer Support
Web View

Services:

Application Layer Gateway
Background Intelligent Transfer
COM+
DHCP Client
Distributed Transaction Coordinator (DTC)
DNS Client
Event Log
Internet Authentication (IAS)
Logical Disk Manager
Management Instrumentation (WMI)
Message Queuing (MSMQ)
Network DDE
Performance Logs and Alerts
QoS RSVP
Quality of Service (QoS)
Service Advertising Protocol
Shell Services
SNMP
System Event Notification (SENS)
System Monitor
TCP/IP NetBIOS Helper
Terminal Services
Universal Plug and Play
Volume Shadow Copy
Windows Firewall/Internet Connection Sharing (ICS)
Windows Time
Wireless Zero Configuration

*Note:

Windows File protection is disabled. You can now delete that stupid Xerox folder inside your Program Files!

The Start Bar was tweaked for speed, too.

I was nice to remove the Alexa spyware for you. Alexa is spyware that Windows 
XP ships out with. How nice of them. Alexa tracks your browsing habbits. I 
thought spyware only came with crappy games and programs? Guess I was wrong.

Index Service is gone.

Prefetch folder in C:Windows is gone.


*****************************************************************************************

Just to give you an idea about what was removed:

Themes (Classic Theme is only available)
Wallpaper
Windows Media Player
Windows Movie Maker
Animated Character for Search
Windows XP Tour
Screensavers
Games
Language Pack
Help
System Restore
Windows Update

If you don't see it in the long list, above - then it was probably ripped.

All help is appreciated
magic_ is offline   Reply With Quote
Old 10-02-2007, 02:45 AM   #9
magic_
Junior Member
 
Join Date: Aug 2007
Posts: 5
Default

Hello,

I just wanted to post an update on this thread.
Even though i wasn't able to create a certificate and solve the problem the way i initially wanted to, I just did a simple OS reinstall which solved the problem completely. I am now able to create certificates without any problems.

Thx to ZR and Yil for all the help.

//magic
magic_ is offline   Reply With Quote
Reply

Tags
connections, flashfxp, ioftpd, moment, section

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 01:02 AM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)