OpenSSL: Retrieve remote SSL certificate


The following small script is adapted from madboa.com:

#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}

if [ -z "$REMHOST" ]; then
    echo "usage: $0 remote.host.name [port]" >&2
    exit 1
fi

# `echo |` gives s_client an EOF on stdin so it exits after the handshake;
# -servername sends SNI so a virtual-hosted site returns its own certificate
# instead of the server's default one.
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" -servername "${REMHOST}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
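The script above only keeps the first certificate block, i.e. the leaf. In practice you usually want the whole chain the server presents, split into separate files so each can be checked. The following is an added example, not part of the original post or of madboa.com's script; it assumes an openssl(1) that understands -servername and -showcerts, and the file-name scheme PREFIX-N.pem is this example's own choice.

```sh
#!/bin/sh
# Added example: fetch the full certificate chain a TLS server presents and
# split it into one PEM file per certificate (leaf first, then the issuers).
# Assumes openssl(1) with -servername and -showcerts support.

# split_chain PREFIX: read `openssl s_client -showcerts` output on stdin and
# write every -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block
# to PREFIX-N.pem (N counting from 0). Prints the number of blocks written.
split_chain() {
    prefix=$1
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { out = prefix "-" (n + 0) ".pem"; n++ }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# fetch_chain HOST [PORT] [PREFIX]: connect with SNI set to HOST (without it a
# virtual-hosted site hands back its default certificate), ask for the whole
# chain, and split it. `echo |` closes stdin so s_client exits after the
# handshake. Output of s_client on stderr is discarded; only PEM blocks matter.
fetch_chain() {
    host=$1; port=${2:-443}; prefix=${3:-$1}
    echo | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null |
        split_chain "$prefix"
}

# Usage: ./fetch-chain.sh remote.host.name [port] [prefix]
if [ $# -ge 1 ]; then
    count=$(fetch_chain "$@")
    echo "wrote $count certificate(s)"
    for f in "${3:-$1}"-*.pem; do
        echo "== $f"
        # subject, issuer and validity window of each certificate in the chain
        openssl x509 -in "$f" -noout -subject -issuer -dates
    done
fi
```

Chain-0.pem is the server's own certificate; the remaining files are the intermediates the server chose to send, which is exactly what you need when a client complains about an incomplete chain.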

OpenVPN, SSH and DSL lines


Setting

A few virtual servers were set up for one of our customers and, to improve security, only HTTP/HTTPS and OpenVPN were exposed publicly. The customer therefore has to connect through the VPN before an SSH session can be established. So far so good…

The customer was able to happily VPN in from multiple clients and open SSH sessions to do his work until… well, until he actually dared to transfer a file to one of the servers using WinSCP/PSCP (SFTP with SCP fallback). From then on, every attempt to transfer a file ended with:

Read error from remote host a.b.c.d: Connection reset by peer

So we went ahead and investigated possible causes for this error, initially following the “user error” path. But neither the WinSCP client nor pscp.exe was able to transfer a file successfully. We finally experimented with file sizes and found out that files smaller than 4 kB were actually being transferred without a problem…

Furthermore, we were able to successfully transfer files of “any” size (we tested up to 30 MB) from another server that was connected via a second OpenVPN server. ICMP tests also showed no connection drops or apparent latency issues (note that default-sized pings are far smaller than the MTU, so they do not reveal an MTU problem). So it could not be an OpenVPN issue itself but rather something protocol related. Our first guess was the MTU size: the SSH debug output showed a successful key exchange, i.e. small packets got through, and the connection dropped as soon as bulk data was about to be transferred, i.e. once full-size packets were sent. Our customer connects via an ADSL link, and PPPoE on such links leaves an MTU of 1492 rather than the 1500 the tunnel assumes.

So we added the following options to both the OpenVPN server and client configuration (the fragment value must be identical on both ends):

tun-mtu 1500
fragment 1300
mssfix

And voilà, copying files via SSH works like a charm now. With fragment set, mssfix without an argument defaults to the fragment size, so TCP sessions inside the tunnel never negotiate a segment size that would produce oversized packets, while fragment takes care of any remaining non-TCP traffic.
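The guesswork above can be replaced by measuring the path MTU directly: the largest ICMP echo that passes with the Don't-Fragment bit set tells you what the DSL link actually carries. The script below is an added example, not part of the original post. It assumes Linux iputils ping (-M do sets DF, -s sets the payload size), and the 128-byte headroom it subtracts for the IP/UDP/OpenVPN encapsulation when suggesting a fragment value is an assumption of this example, not a number from the post.

```sh
#!/bin/sh
# Added example: find the path MTU towards a host by binary-searching the
# largest DF-set ICMP echo that is answered, then print OpenVPN settings.
# Assumes Linux iputils ping (-M do = set DF, -s = payload size).

# probe_df HOST SIZE: succeed if one echo with SIZE payload bytes and DF set
# is answered within 2 seconds.
probe_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# pmtu_search HOST LOW HIGH [PROBE]: binary search for the largest payload in
# [LOW, HIGH] for which `PROBE HOST SIZE` succeeds, and print the resulting
# MTU = payload + 28 (20-byte IPv4 header + 8-byte ICMP header). Prints 0 and
# fails if no size in the range gets through. PROBE defaults to probe_df and
# can be swapped for a fake in tests.
pmtu_search() {
    host=$1; lo=$2; hi=$3; probe=${4:-probe_df}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))     # mid passed: look for something larger
        else
            hi=$((mid - 1))                # mid was dropped: shrink
        fi
    done
    if [ "$best" -eq 0 ]; then
        echo 0
        return 1
    fi
    echo $((best + 28))
}

# suggest_openvpn PMTU [HEADROOM]: print tun-mtu/fragment/mssfix directives.
# tun-mtu stays at the 1500 default; fragment is the measured path MTU minus
# headroom for the IP/UDP/OpenVPN encapsulation. 128 bytes is this example's
# assumption, chosen to be generous; the original post simply used 1300.
# mssfix without an argument follows the fragment size.
suggest_openvpn() {
    pmtu=$1; headroom=${2:-128}
    printf 'tun-mtu 1500\nfragment %d\nmssfix\n' $((pmtu - headroom))
}

# Usage: ./pmtu.sh remote.host.name
if [ $# -ge 1 ]; then
    if pmtu=$(pmtu_search "$1" 1200 1500); then
        echo "path MTU to $1: $pmtu"
        suggest_openvpn "$pmtu"
    else
        echo "no DF-set echo between 1200 and 1500 bytes was answered" >&2
        exit 1
    fi
fi
```

Run it from the client side against the VPN server's public address before the tunnel is up; a result of 1492 is the classic PPPoE signature, and anything lower usually points at an extra tunnel or a filtering device on the path.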

Introduction: CC EAL


CC -> Common Criteria

EAL -> Evaluation Assurance Level

http://www.bsi.de/cc/eal_stufe.htm

http://www.bsi.de/zertifiz/zert/report.htm

http://www.commoncriteriaportal.org/

Securing Debian Guide


http://www.debian.org/doc/manuals/securing-debian-howto
