Anshu
2017-02-13 03:28:24 UTC
Hello Everyone,
Has anyone run into an SSL context error with ProFTPD and RDS
(Postgres) as the back-end? SSL is not forced at the RDS
level.
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: exiting  postgres
cmd_escapestring
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: unrecoverable backend error
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: error:
'mod_sql_postgres/4.0.4'
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: message: 'could not create
SSL context: SSL error code 336236705
'
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: entering     postgres
cmd_exit
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: exiting  postgres cmd_exit
# proftpd -V
Compile-time Settings:
 Version: 1.3.6rc5 (git)
 Platform: LINUX [Linux 4.4.19-29.55.amzn1.x86_64 x86_64]
 Built: Mon Feb 13 2017 02:29:18 UTC
 Built With:
    configure  '--build=x86_64-redhat-linux' '--host=x86_64-redhat-
linux' '--target=x86_64-amazon-linux-gnu' '--program-prefix=' '
--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '
--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '
--includedir=/usr/include' '--libdir=/usr/lib64' '
--libexecdir=/usr/libexec' '--localstatedir=/var' '
--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '
--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '
--localstatedir=/var/run/proftpd' '--disable-strip' '--enable-ctrls' '-
-enable-dso' '--enable-facl' '--enable-ipv6' '--enable-nls' '--enable-
openssl' '--enable-shadow' '--with-lastlog' '--with-
libraries=/usr/lib64/mysql' '--with-includes=/usr/include/mysql' '
--with-pkgconfig=lib64/pkgconfig' '--with-
shared=mod_auth_pam:mod_ban:mod_ctrls_admin:mod_deflate:mod_dnsbl:mod_d
ynmasq:mod_exec:mod_facl:mod_load:mod_quotatab:mod_quotatab_file:mod_qu
otatab_radius:mod_quotatab_sql:mod_radius:mod_ratio:mod_readme:mod_rewr
ite:mod_shaper:mod_site_misc:mod_snmp:mod_sql:mod_wrap2:mod_wrap2_file:
mod_wrap2_sql:mod_unique_id:mod_auth_otp:mod_digest:mod_sftp:mod_sftp_p
am:mod_sftp_sql:mod_sql_mysql:mod_sql_passwd:mod_sql_postgres:mod_tls:m
od_tls_fscache:mod_tls_shmcache:mod_proxy_protocol:mod_ifsession' '
--enable-devel=stacktrace' 'build_alias=x86_64-redhat-linux'
'host_alias=x86_64-redhat-linux' 'target_alias=x86_64-amazon-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
 CFLAGS: -g2  -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
-fno-omit-frame-pointer -Werror=implicit-function-declaration -Wextra
-Werror=implicit-function-declaration -Winit-self -Wno-missing-field-
initializers -Wno-unused-parameter -fdelete-null-pointer-checks -g3 -O0
-Wcast-align -Wchar-subscripts -Winline -Wstrict-prototypes -Wmissing-
declarations -Wnested-externs -Wpointer-arith -Wshadow -Wundef
-Wcomment -Wdeclaration-after-statement -Wfloat-equal -Wformat
-Wimplicit-function-declaration -Wmaybe-uninitialized -Wmissing-braces
-Wpointer-to-int-cast -Wstack-protector -Wstrict-overflow -Wswitch
-Wunreachable-code -fstack-protector -fstack-protector-all
 LDFLAGS: -L$(top_srcdir)/lib  -rdynamic -L/usr/lib64/mysql
-L/usr/lib64/mysql -L/usr/lib64
 LIBS: -lacl  -lssl -lcrypto -lcap -lsupp -lattr -lnsl -lresolv
-lresolv -lcrypt -ldl
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon, and that you
# use PAM authentication.
# NOTE(review): this copy was pasted into a mail message. Several long
# lines were wrapped by the mail client (the bare 'tables', 'transfer over',
# 'user', 'use', '/etc/passwd' and '/etc/groups' fragments below are
# continuations of the previous line) and some runs of spaces came through
# as mis-encoded non-breaking spaces. Re-join those lines and restore plain
# spaces before using this as a real proftpd.conf.
LoadModule mod_proxy_protocol.c
ServerName "FILE API Server"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# General database support (http://www.proftpd.org/docs/contrib/mod_sql
.html)
   LoadModule mod_sql.c
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL
tables
# (contrib/mod_sql_passwd.html)
   LoadModule mod_sql_passwd.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
   LoadModule mod_sql_postgres.c
# Support for the SSH2, SFTP, and SCP protocols, for secure file
transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp
.html)
   LoadModule mod_sftp.c
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for
user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
   LoadModule mod_sftp_sql.c
# Use pam to authenticate (default) and be authoritative.
# Only need the LoadModule if mod_auth_pam is a DSO.
LoadModule mod_auth_pam.c
AuthPAMConfig proftpd
# NOTE(review): AuthOrder names only mod_sql.c, so mod_auth_pam (loaded
# above, with AuthPAMConfig set) is not consulted for authentication;
# every login decision comes from the SQL backend. Confirm that is intended.
AuthOrder mod_sql.c
# PersistentPasswd causes problems with NIS/LDAP.
PersistentPasswd off
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Define the log formats
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       xfer    "%F %u"
ExtendedLog /var/log/proftpxferlog WRITE xfer
# Plaintext means the passwd column of fapi.sftpusers holds, and is compared
# against, the clear-text password. mod_sql_passwd is loaded above precisely
# for hashed/encoded password types; storing hashes instead of clear text
# limits the damage if the table is ever exposed.
SQLAuthTypes         Plaintext
SQLAuthenticate      users
# NOTE(review): the third argument is the database password in clear text,
# and this line has been shared publicly in this post, so that credential
# should be rotated. The "could not create SSL context: SSL error code
# 336236705" failure in the mod_sql log comes from this backend connection;
# that decimal code is OpenSSL 0x140A90A1 (SSL_CTX_new: "library has no
# ciphers"), which usually points at OpenSSL initialization order inside the
# process rather than at a bad certificate or RDS-side setting -- confirm
# against the OpenSSL error strings for the linked library version.
SQLConnectInfo       ***@rds.fapi-rds.dev.xxxx.com proftp qm9d^:CJ
SQLDefaultUIDÂ Â Â Â Â Â Â Â 14Â Â Â # CHANGE FOR YOUR FTP USERS UID FOUND IN
/etc/passwd
SQLDefaultGIDÂ Â Â Â Â Â Â Â 50Â Â # CHANGE FOR YOUR FTP USERS GID, FOUND IN
/etc/groups
RequireValidShell    off
SQLUserInfo          fapi.sftpusers userid passwd uid gid homedir shell
SQLNegativeCache     off
# NOTE(review): this file records the queries mod_sql runs. With Plaintext
# auth, check whether user-supplied passwords can appear in it and keep the
# file readable only by root / the server user.
SQLLogFile           /var/log/proftpd-sql
# Lines for Key Auth
SFTPAuthMethods publickey password
    # Define a SELECT statement to retrieve users' authorized SSH keys
    # (%U is the login name; the mod_sql log above shows the backend's
    # cmd_escapestring being invoked, which is where the SSL-context failure
    # surfaced)
    SQLNamedQuery get-user-authorized-keys SELECT "sshkey FROM
fapi.sftpusers WHERE userid='%U'"
    # Define a SELECT statement to retrieve hosts' authorized SSH keys
    SQLNamedQuery get-host-authorized-keys SELECT "key FROM
fapi.sftphostkeys WHERE host='%{0}'"
    SFTPEngine on
    Port 2222
    SFTPLog /var/log/sftp.log
    # Host keys, for server host authentication
    # NOTE(review): OpenSSH clients from 7.0 on refuse ssh-dss host keys by
    # default, so the DSA key is mostly dead weight; the RSA key is the one
    # current clients will actually use.
    SFTPHostKey /etc/ssh/ssh_proftpdhost_dsa_key
    SFTPHostKey /etc/ssh/ssh_proftpdhost_rsa_key
      # Instead of using a file-based key store, we tell mod_sftp to
use
      # the SQL-based key store provided by mod_sftp_sql
      SFTPAuthorizedUserKeys sql:/get-user-authorized-keys
Manual connection works:
# psql -h rds.fapi-rds.dev.xxxxx.com -Uproftp  fapi
Password for user proftp:
psql (9.2.18, server 9.5.4)
WARNING: psql version 9.2, server version 9.5.
         Some psql features might not work.
SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
fapi=>
Has anyone run into an SSL context error with ProFTPD and RDS
(Postgres) as the back-end? SSL is not forced at the RDS
level.
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: exiting  postgres
cmd_escapestring
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: unrecoverable backend error
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: error:
'mod_sql_postgres/4.0.4'
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: message: 'could not create
SSL context: SSL error code 336236705
'
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: entering     postgres
cmd_exit
2017-02-10 04:45:48,753 mod_sql/4.3[4261]: exiting  postgres cmd_exit
# proftpd -V
Compile-time Settings:
 Version: 1.3.6rc5 (git)
 Platform: LINUX [Linux 4.4.19-29.55.amzn1.x86_64 x86_64]
 Built: Mon Feb 13 2017 02:29:18 UTC
 Built With:
    configure  '--build=x86_64-redhat-linux' '--host=x86_64-redhat-
linux' '--target=x86_64-amazon-linux-gnu' '--program-prefix=' '
--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '
--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '
--includedir=/usr/include' '--libdir=/usr/lib64' '
--libexecdir=/usr/libexec' '--localstatedir=/var' '
--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '
--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '
--localstatedir=/var/run/proftpd' '--disable-strip' '--enable-ctrls' '-
-enable-dso' '--enable-facl' '--enable-ipv6' '--enable-nls' '--enable-
openssl' '--enable-shadow' '--with-lastlog' '--with-
libraries=/usr/lib64/mysql' '--with-includes=/usr/include/mysql' '
--with-pkgconfig=lib64/pkgconfig' '--with-
shared=mod_auth_pam:mod_ban:mod_ctrls_admin:mod_deflate:mod_dnsbl:mod_d
ynmasq:mod_exec:mod_facl:mod_load:mod_quotatab:mod_quotatab_file:mod_qu
otatab_radius:mod_quotatab_sql:mod_radius:mod_ratio:mod_readme:mod_rewr
ite:mod_shaper:mod_site_misc:mod_snmp:mod_sql:mod_wrap2:mod_wrap2_file:
mod_wrap2_sql:mod_unique_id:mod_auth_otp:mod_digest:mod_sftp:mod_sftp_p
am:mod_sftp_sql:mod_sql_mysql:mod_sql_passwd:mod_sql_postgres:mod_tls:m
od_tls_fscache:mod_tls_shmcache:mod_proxy_protocol:mod_ifsession' '
--enable-devel=stacktrace' 'build_alias=x86_64-redhat-linux'
'host_alias=x86_64-redhat-linux' 'target_alias=x86_64-amazon-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
 CFLAGS: -g2  -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
-fno-omit-frame-pointer -Werror=implicit-function-declaration -Wextra
-Werror=implicit-function-declaration -Winit-self -Wno-missing-field-
initializers -Wno-unused-parameter -fdelete-null-pointer-checks -g3 -O0
-Wcast-align -Wchar-subscripts -Winline -Wstrict-prototypes -Wmissing-
declarations -Wnested-externs -Wpointer-arith -Wshadow -Wundef
-Wcomment -Wdeclaration-after-statement -Wfloat-equal -Wformat
-Wimplicit-function-declaration -Wmaybe-uninitialized -Wmissing-braces
-Wpointer-to-int-cast -Wstack-protector -Wstrict-overflow -Wswitch
-Wunreachable-code -fstack-protector -fstack-protector-all
 LDFLAGS: -L$(top_srcdir)/lib  -rdynamic -L/usr/lib64/mysql
-L/usr/lib64/mysql -L/usr/lib64
 LIBS: -lacl  -lssl -lcrypto -lcap -lsupp -lattr -lnsl -lresolv
-lresolv -lcrypt -ldl
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon, and that you
# use PAM authentication.
# NOTE(review): this copy was pasted into a mail message. Several long
# lines were wrapped by the mail client (the bare 'tables', 'transfer over',
# 'user', 'use', '/etc/passwd' and '/etc/groups' fragments below are
# continuations of the previous line) and some runs of spaces came through
# as mis-encoded non-breaking spaces. Re-join those lines and restore plain
# spaces before using this as a real proftpd.conf.
LoadModule mod_proxy_protocol.c
ServerName "FILE API Server"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# General database support (http://www.proftpd.org/docs/contrib/mod_sql
.html)
   LoadModule mod_sql.c
# Support for base-64 or hex encoded MD5 and SHA1 passwords from SQL
tables
# (contrib/mod_sql_passwd.html)
   LoadModule mod_sql_passwd.c
#
# Postgresql support (requires proftpd-postgresql package)
# (http://www.proftpd.org/docs/contrib/mod_sql.html)
   LoadModule mod_sql_postgres.c
# Support for the SSH2, SFTP, and SCP protocols, for secure file
transfer over
# an SSH2 connection (http://www.castaglia.org/proftpd/modules/mod_sftp
.html)
   LoadModule mod_sftp.c
# Use SQL (via mod_sql) for looking up authorized SSH2 public keys for
user
# and host based authentication
# (http://www.castaglia.org/proftpd/modules/mod_sftp_sql.html)
   LoadModule mod_sftp_sql.c
# Use pam to authenticate (default) and be authoritative.
# Only need the LoadModule if mod_auth_pam is a DSO.
LoadModule mod_auth_pam.c
AuthPAMConfig proftpd
# NOTE(review): AuthOrder names only mod_sql.c, so mod_auth_pam (loaded
# above, with AuthPAMConfig set) is not consulted for authentication;
# every login decision comes from the SQL backend. Confirm that is intended.
AuthOrder mod_sql.c
# PersistentPasswd causes problems with NIS/LDAP.
PersistentPasswd off
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Define the log formats
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       xfer    "%F %u"
ExtendedLog /var/log/proftpxferlog WRITE xfer
# Plaintext means the passwd column of fapi.sftpusers holds, and is compared
# against, the clear-text password. mod_sql_passwd is loaded above precisely
# for hashed/encoded password types; storing hashes instead of clear text
# limits the damage if the table is ever exposed.
SQLAuthTypes         Plaintext
SQLAuthenticate      users
# NOTE(review): the third argument is the database password in clear text,
# and this line has been shared publicly in this post, so that credential
# should be rotated. The "could not create SSL context: SSL error code
# 336236705" failure in the mod_sql log comes from this backend connection;
# that decimal code is OpenSSL 0x140A90A1 (SSL_CTX_new: "library has no
# ciphers"), which usually points at OpenSSL initialization order inside the
# process rather than at a bad certificate or RDS-side setting -- confirm
# against the OpenSSL error strings for the linked library version.
SQLConnectInfo       ***@rds.fapi-rds.dev.xxxx.com proftp qm9d^:CJ
SQLDefaultUIDÂ Â Â Â Â Â Â Â 14Â Â Â # CHANGE FOR YOUR FTP USERS UID FOUND IN
/etc/passwd
SQLDefaultGIDÂ Â Â Â Â Â Â Â 50Â Â # CHANGE FOR YOUR FTP USERS GID, FOUND IN
/etc/groups
RequireValidShell    off
SQLUserInfo          fapi.sftpusers userid passwd uid gid homedir shell
SQLNegativeCache     off
# NOTE(review): this file records the queries mod_sql runs. With Plaintext
# auth, check whether user-supplied passwords can appear in it and keep the
# file readable only by root / the server user.
SQLLogFile           /var/log/proftpd-sql
# Lines for Key Auth
SFTPAuthMethods publickey password
    # Define a SELECT statement to retrieve users' authorized SSH keys
    # (%U is the login name; the mod_sql log above shows the backend's
    # cmd_escapestring being invoked, which is where the SSL-context failure
    # surfaced)
    SQLNamedQuery get-user-authorized-keys SELECT "sshkey FROM
fapi.sftpusers WHERE userid='%U'"
    # Define a SELECT statement to retrieve hosts' authorized SSH keys
    SQLNamedQuery get-host-authorized-keys SELECT "key FROM
fapi.sftphostkeys WHERE host='%{0}'"
    SFTPEngine on
    Port 2222
    SFTPLog /var/log/sftp.log
    # Host keys, for server host authentication
    # NOTE(review): OpenSSH clients from 7.0 on refuse ssh-dss host keys by
    # default, so the DSA key is mostly dead weight; the RSA key is the one
    # current clients will actually use.
    SFTPHostKey /etc/ssh/ssh_proftpdhost_dsa_key
    SFTPHostKey /etc/ssh/ssh_proftpdhost_rsa_key
      # Instead of using a file-based key store, we tell mod_sftp to
use
      # the SQL-based key store provided by mod_sftp_sql
      SFTPAuthorizedUserKeys sql:/get-user-authorized-keys
Manual connection works:
# psql -h rds.fapi-rds.dev.xxxxx.com -Uproftp  fapi
Password for user proftp:
psql (9.2.18, server 9.5.4)
WARNING: psql version 9.2, server version 9.5.
         Some psql features might not work.
SSL connection (cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
fapi=>