9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] ftpd on 9front problems with TLS
@ 2025-04-11 10:09 Garry
  2025-04-23 23:32 ` mia via 9fans
  0 siblings, 1 reply; 3+ messages in thread
From: Garry @ 2025-04-11 10:09 UTC (permalink / raw)
  To: 9fans


Hello, I'm trying to set up ftpd to use TLS, but cannot get it to work. The ftpd service runs and accepts connections with

Connected to temeraire.
220 Plan 9 FTP server ready.

But TLS doesn't seem to work.

This is how I made my certificate:

ramfs -p
cd /tmp
auth/rsagen -t 'service=tls role=client host=temeraire' > key
chmod 600 key
cp key /sys/lib/tls/key # or: store key in secstore
auth/rsa2x509 'C=AU CN=temeraire' /sys/lib/tls/key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert

My tcp21 file looks like this:
#!/bin/rc
exec /bin/ip/ftpd -d -c/sys/lib/tls/cert $*


My /cfg/temeraire/cpustart file looks like this and the key appears to exist in factotum.
bind -a '#l0' /net
ip/ipconfig
ip/ipconfig ether /net/ether0
cat /net/ndb

cat /sys/lib/tls/key >>/mnt/factotum/ctl

Attempting to debug the connection with OpenSSL gives me this:

openssl s_client -connect temeraire:21 -starttls ftp -servername temeraire
CONNECTED(00000004)
100000000A000000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1605:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 55 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Apologies for the text dump; I just wanted to be clear about what my setup is like.

Does anybody have any ideas what I've left out, or got wrong here?

Thank you

Garry
------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T086867ac9995804e-M999bbe4d92fc8b5c836b9bf4
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription



* Re: [9fans] ftpd on 9front problems with TLS
  2025-04-11 10:09 [9fans] ftpd on 9front problems with TLS Garry
@ 2025-04-23 23:32 ` mia via 9fans
  2025-04-23 23:44   ` Garry
  0 siblings, 1 reply; 3+ messages in thread
From: mia via 9fans @ 2025-04-23 23:32 UTC (permalink / raw)
  To: 9fans

Quoth Garry <taylor.garry@gmail.com>:
> Hello, I'm trying set up ftpd to use TLS, but cannot get it to work.

Hi,

> openssl s_client -connect temeraire:21 -starttls ftp -servername temeraire
> CONNECTED(00000004)
> 100000000A000000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1605:SSL alert number 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 55 bytes and written 325 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)

This is a symptom of tlsServer() not being able to find the key in factotum.
Some further diagnosis on my end shows that the way you have generated the TLS key is at fault;
it seems like keys missing the 'owner=*' attribute in factotum will not be read.

See the example in rsa(8):

> auth/rsagen -t 'service=tls role=client owner=*' >key
> auth/rsa2x509 'C=US CN=*.cs.bell-labs.com' key | auth/pemencode CERTIFICATE >cert

If you correct your rsagen invocation to the following, you should be able to get this working.

> auth/rsagen -t 'service=tls role=client owner=*' > key

In the future, please direct 9front specific questions to the 9front mailing list.
I am not subscribed to 9fans and this is true for many of those that may be able
to assist you.

- mia


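The diagnosis above comes down to one question: does factotum hold an RSA key carrying every attribute tlsServer() looks up (proto=rsa service=tls role=client owner=*)? The following is an added example, not code from the thread or from 9front, that parses key tuples in the form `cat /mnt/factotum/ctl` prints them and reports which keys tlsServer() should find. It assumes the factotum(4) convention that secret attributes are listed as `!attr?` with the value elided, and the sample listing is constructed (the modulus values are shortened placeholders); the owner=* requirement is taken from mia's reply. With a key that passes this check, the openssl s_client probe from the first message should present a certificate and negotiate a cipher instead of returning alert 40.

```python
"""Audit Plan 9 factotum key tuples for the attributes ip/ftpd's tlsServer() needs."""

# Attributes tlsServer() must find on the key (per rsa(8) and the reply above).
REQUIRED = {"proto": "rsa", "service": "tls", "role": "client", "owner": "*"}
# Attributes the user passes to rsagen -t; rsagen adds proto=rsa itself.
RSAGEN_ATTRS = {k: v for k, v in REQUIRED.items() if k != "proto"}

# Constructed sample of what `cat /mnt/factotum/ctl` might print (secrets elided as !attr?).
SAMPLE_CTL = """\
key proto=rsa service=tls role=client host=temeraire size=2048 ek=10001 n=deadbeef !p? !q? !kp? !kq? !c2?
key proto=rsa service=tls role=client owner=* size=2048 ek=10001 n=cafef00d !p? !q? !kp? !kq? !c2?
key proto=pass service=ssh user='glenda 2' !password?
"""


def tokenize(line):
    """Split an attr=val tuple on whitespace, honouring single quotes.
    Inside quotes, '' is a literal quote (rc/ndb quoting convention)."""
    fields, cur, quoted, i, n = [], [], False, 0, len(line)
    while i < n:
        c = line[i]
        if quoted:
            if c == "'":
                if i + 1 < n and line[i + 1] == "'":
                    cur.append("'")
                    i += 2
                    continue
                quoted = False
            else:
                cur.append(c)
        elif c == "'":
            quoted = True
        elif c.isspace():
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def parse_key(line):
    """Return {attr: value}; elided secrets ('!p?') map to None."""
    fields = tokenize(line.strip())
    if fields and fields[0] == "key":
        fields = fields[1:]
    attrs = {}
    for f in fields:
        if "=" in f:
            k, v = f.split("=", 1)
            attrs[k] = v
        elif f.endswith("?"):
            attrs[f[:-1]] = None  # secret attribute, value hidden by factotum
        else:
            attrs[f] = ""
    return attrs


def tls_server_problems(attrs):
    """List what stops tlsServer() from selecting this key; empty means usable."""
    problems = []
    for k, want in REQUIRED.items():
        if k not in attrs:
            problems.append(f"missing {k}={want}")
        elif attrs[k] != want:
            problems.append(f"{k}={attrs[k]} (want {k}={want})")
    return problems


def audit(ctl_text):
    """Return [(line_number, problems)] for every key in a ctl listing."""
    return [(i, tls_server_problems(parse_key(line)))
            for i, line in enumerate(ctl_text.splitlines(), 1) if line.strip()]


def usable_tls_keys(ctl_text):
    """Keys tlsServer() should find, as attribute dicts."""
    return [parse_key(line) for line in ctl_text.splitlines()
            if line.strip() and not tls_server_problems(parse_key(line))]


def suggest_rsagen_attrs(attr_string):
    """Given the string passed to `auth/rsagen -t`, append any required attribute it lacks."""
    attrs = parse_key(attr_string)
    extra = [f"{k}={v}" for k, v in RSAGEN_ATTRS.items() if k not in attrs]
    return " ".join([attr_string.strip()] + extra)


if __name__ == "__main__":
    for lineno, problems in audit(SAMPLE_CTL):
        print(f"key {lineno}: {'ok' if not problems else '; '.join(problems)}")
    print("corrected:", suggest_rsagen_attrs("service=tls role=client host=temeraire"))
```

Run it against the real listing with `cat /mnt/factotum/ctl` redirected into a file and passed to `audit()`; a key whose only problem is `missing owner=*` is exactly the case in this thread, and `suggest_rsagen_attrs` shows the rsagen -t string that fixes it.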

* Re: [9fans] ftpd on 9front problems with TLS
  2025-04-23 23:32 ` mia via 9fans
@ 2025-04-23 23:44   ` Garry
  0 siblings, 0 replies; 3+ messages in thread
From: Garry @ 2025-04-23 23:44 UTC (permalink / raw)
  To: 9fans


Thank you mia, I will try this later when I get home, and I'll start using the 9front mailing list too.

Thanks again

Garry


