FTPS: with client certificate authentication
```ini
# vsftpd.conf
# Force SSL
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
## For implicit mode
# implicit_ssl=YES
# listen_port=990
# Server certificate
# This option specifies the location of the RSA certificate to use for SSL encrypted connections.
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
# This option specifies the location of the RSA private key to use for SSL encrypted connections.
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
# Cipher suites taken from the list at
# https://weakdh.org/sysadmin.html
ssl_ciphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Client certificate
# If set to yes, all SSL client connections are required to present a client certificate.
require_cert=YES
# If enabled, vsftpd will request (but not necessarily require; see require_cert) a certificate on incoming SSL connections.
ssl_request_cert=YES
# If set to yes, all SSL client certificates received must validate OK
validate_cert=YES
# This option is the name of a file to load Certificate Authority certs from,
# for the purpose of validating client certs
ca_certs_file=/etc/pki/vsftpd_self_CA/cacert.pem
# If true, OpenSSL connection diagnostics are dumped to the vsftpd log file.
# debug_ssl=YES
```
However, from a quick survey, few clients support FTPS with client certificate authentication:
- Windows => WinSCP
  - has a setting for specifying the client certificate
- macOS => Cyberduck
  - for a self-signed certificate, import that certificate into the OS keychain first
Plain FTPS: without client authentication
```ini
# vsftpd.conf
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_request_cert=NO
require_cert=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_ciphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# debug_ssl=YES
```
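As an added check, not part of the original note or of vsftpd itself, the following Python script parses a vsftpd.conf and flags the settings both configs above turn on: missing SSL enforcement, SSLv2/SSLv3 or TLS 1.0 still offered, require_cert=YES without ssl_request_cert=YES, validate_cert=YES without a ca_certs_file, and legacy suites (3DES, RC4, MD5, null, export) left in ssl_ciphers. The defaults table is my reading of vsftpd.conf(5), and the sample config is constructed to mirror the client-auth config with one deliberate mistake (ssl_request_cert=NO).

```python
# Defaults per vsftpd.conf(5), used only when a key is absent from the file (my reading of the man page).
DEFAULTS = {"ssl_enable": "NO", "ssl_request_cert": "YES", "require_cert": "NO", "validate_cert": "NO",
            "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES",
            "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES"}
# Substrings marking a suite as legacy: 3DES (Sweet32), RC4, MD5, anon/null, export grade.
WEAK_SUITE_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")

def parse_vsftpd_conf(text):
    """vsftpd accepts only key=value lines (no spaces around '='), '#' comments and blanks."""
    conf = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key] = value
    return conf

def lint_ftps(conf):
    """Return findings for the FTPS settings; an empty list means nothing was flagged."""
    get = lambda k: conf.get(k, DEFAULTS.get(k, "")).upper()
    if get("ssl_enable") != "YES":
        return ["ssl_enable is not YES: TLS is off, all traffic is plaintext"]
    findings = []
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if get(key) != "YES":
            findings.append(f"{key}=NO: local users may fall back to plaintext")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if get(key) == "YES":
            findings.append(f"{key}=YES: broken protocol version enabled")
    if get("ssl_tlsv1") == "YES":
        findings.append("ssl_tlsv1=YES: TLS 1.0 is still offered")
    # A client certificate can only be required if vsftpd asks for one during the handshake.
    if get("require_cert") == "YES" and get("ssl_request_cert") != "YES":
        findings.append("require_cert=YES has no effect without ssl_request_cert=YES")
    if get("validate_cert") == "YES" and not conf.get("ca_certs_file"):
        findings.append("validate_cert=YES but ca_certs_file is unset: no trust anchor")
    for suite in conf.get("ssl_ciphers", "").split(":"):
        if suite and not suite.startswith("!") and any(m in suite.upper() for m in WEAK_SUITE_MARKERS):
            findings.append(f"legacy cipher suite still enabled: {suite}")
    return findings

# Constructed sample: the client-auth settings above, with ssl_request_cert=NO as a deliberate mistake.
SAMPLE_CONF = """ssl_enable=YES
ssl_tlsv1=YES
ssl_request_cert=NO
require_cert=YES
validate_cert=YES
ca_certs_file=/etc/pki/vsftpd_self_CA/cacert.pem
ssl_ciphers=ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!RC4
"""
```

Running `lint_ftps(parse_vsftpd_conf(SAMPLE_CONF))` reports three findings: TLS 1.0 still offered, require_cert without ssl_request_cert, and DES-CBC3-SHA still enabled.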
Reference: https://security.appspot.com/vsftpd/vsftpd_conf.html