SSL on vsftpd

max.m
Posts: 2
Joined: Sun Nov 05, 2017 2:57 pm

SSL on vsftpd

Post by max.m » Sun Nov 05, 2017 3:07 pm

Hi there, I have trouble with SSL activation for vsftpd on a fresh VestaCP install on CentOS 7.0.
This is my config:

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=022
anon_upload_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
dual_log_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=YES
#listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
force_dot_files=YES
ascii_upload_enable=YES
ascii_download_enable=YES
pasv_enable=YES
pasv_max_port=12100
pasv_min_port=12000
use_localtime=YES
####SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_tlsv2=NO
ssl_tlsv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGHT
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

I only added the code after the ####SSL comment, but when I try to restart, vsftpd does not start. Error:

Code:

 vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since dom 2017-11-05 16:05:29 CET; 16s ago
  Process: 10806 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=2)
 Main PID: 5586 (code=killed, signal=TERM)

Starting Vsftpd ftp daemon...
 vsftpd.service: control process exited, code=exited status=2
 Failed to start Vsftpd ftp daemon.
 Unit vsftpd.service entered failed state.
vsftpd.service failed.

Suggestions?

Thanks
Top

max.m
Posts: 2
Joined: Sun Nov 05, 2017 2:57 pm

Re: SSL on vsftpd

Post by max.m » Sun Nov 05, 2017 3:31 pm

Found a typo in ssl_ciphers=HIGH,
but nothing new happened.. :-(
Top

BartMan__X
Posts: 13
Joined: Tue Jan 16, 2018 2:58 am

Os: CentOS 6x
Web: apache + nginx
Re: SSL on vsftpd

Post by BartMan__X » Wed Aug 15, 2018 3:16 pm

And this is what I like about this forum.... no answer....
Top

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: SSL on vsftpd

Post by ScIT » Thu Aug 16, 2018 3:42 pm

BartMan__X wrote (Wed Aug 15, 2018 3:16 pm):
"and this is what i like about this Forum.... no answer...."

Answer on what? A year-old post?

SSL configuration is quite easy, it's just vsftpd standard: https://www.liquidweb.com/kb/configure-vsftpd-ssl/
Top

mlopez
Posts: 21
Joined: Mon Nov 05, 2018 7:26 am

Os: CentOS 6x
Web: apache + nginx
Re: SSL on vsftpd

Post by mlopez » Wed May 15, 2019 6:59 am

This is what I add to my vsFTP config file /etc/vsftpd/vsftpd.conf:

Code:

#
# SSL Options
#
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key

Note that I used the path of the self-signed certificate, so when connecting to the server a warning message is displayed. This would be used for all domains; that's why the warning message appears: it was issued for the main domain of the server, not for all of the domains hosted on it.

Hope this helps.

Regards!
Top

deeprus
Posts: 2
Joined: Mon Apr 09, 2018 2:07 pm

Os: Debian 8x
Web: apache + nginx
Re: SSL on vsftpd

Post by deeprus » Fri May 24, 2019 9:09 am

Hello.

Just installed new VPS on Debian 9.9 (stretch).
vsftpd version is 3.0.3

Now I'm trying to set up a secure connection for the vsftpd. After adding these two parameters to the configuration file

Code:

ssl_tlsv1_1=YES
ssl_tlsv1_2=YES

my vsftpd server cannot start.
I get the following errors when checking the configuration:

Code:

#vsftpd
500 OOPS: unrecognised variable in config file: ssl_tlsv1_1
500 OOPS: unrecognised variable in config file: ssl_tlsv1_2

Therefore, my vsftpd only starts working when I delete these parameters or comment them out.
Now my configuration is as follows:

Code:

#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES
ssl_tlsv1=YES

I could not find the description of the ssl_tlsv1_1 and ssl_tlsv1_2 parameters in the man pages or official documentation (https://security.appspot.com/vsftpd/vsftpd_conf.html).
Could you please tell me where these parameters come from and what version of vsftpd they are for?
Top

skamasle
Collaborator
Posts: 592
Joined: Mon Feb 29, 2016 6:36 pm

Re: SSL on vsftpd

Post by skamasle » Thu Jun 20, 2019 11:53 am

Somebody posted a guide here: viewtopic.php?f=44&t=18559
Top

salvatorenz
Posts: 8
Joined: Mon Jun 10, 2019 4:38 am

Os: CentOS 6x
Web: apache + nginx
Re: SSL on vsftpd

Post by salvatorenz » Fri Jun 28, 2019 2:39 am

I use this on CentOS 7 and have no issues.

#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=EECDH+AESGCM:EDH+AESGCM
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key

I also use the above SSL ciphers for email, nginx, etc. Maybe a couple of rules need changing, but it passes the PCI compliance test.
Top

Bubblecatcher
Posts: 37
Joined: Tue Mar 06, 2018 8:38 am

Os: Debian 8x
Web: apache
Re: SSL on vsftpd

Post by Bubblecatcher » Tue Feb 25, 2020 10:48 am

After some digging, as I had this issue, I found that in Debian 9 using vsftpd 3.0.3-8+b1 the following settings are redundant; they are part of a RHL patch which does not work in the Debian version.

Code:

#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES

If you remove them and set the following, vsftpd will restart.

Code:

ssl_ciphers=TLSv1.2
#Options: SSLv3, TLSv1.0, TLSv1.2, HIGH (see man ciphers)
ssl_ciphers=TLSv1.2
Top

lotric
Posts: 6
Joined: Sun Feb 14, 2021 6:37 pm

Os: Debian 8x
Web: apache
Re: SSL on vsftpd

Post by lotric » Tue Mar 09, 2021 4:46 pm

Tried all variants, no result.
Same error.

Code:

ssl_enable=YES 
allow_anon_ssl=NO 
force_local_data_ssl=YES 
force_local_logins_ssl=YES 
ssl_ciphers=TLSv1.2 
ssl_tlsv1=NO 
ssl_sslv2=NO 
ssl_sslv3=NO 
require_ssl_reuse=YES 
ssl_ciphers=HIGH
listen_port=1000
Top
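
Added example, not part of any post in this thread and not Vesta or vsftpd project code: a small Python linter for the ssl_* lines of a vsftpd.conf, covering the failure modes reported above (option names the build does not recognise, the Red Hat-only ssl_tlsv1_1/ssl_tlsv1_2, a mistyped ssl_ciphers value, duplicate settings, stray whitespace). The UPSTREAM_SSL list, the finding codes and SAMPLE are assumptions constructed for this example, and the cipher check uses the OpenSSL linked into Python, which may differ from the one vsftpd uses.

```python
import ssl

# ssl_* names in the upstream vsftpd.conf man page (list assumed complete for this example).
UPSTREAM_SSL = {"ssl_enable", "ssl_ciphers", "ssl_request_cert",
                "ssl_sslv2", "ssl_sslv3", "ssl_tlsv1"}
# Per the thread: added by a Red Hat patch, rejected by Debian 9's vsftpd 3.0.3.
REDHAT_ONLY = {"ssl_tlsv1_1", "ssl_tlsv1_2"}
LEGACY = {"ssl_sslv2", "ssl_sslv3", "ssl_tlsv1"}

# Constructed sample in the style of the configs posted in this thread.
SAMPLE = ("ssl_enable=YES \nssl_tlsv1=YES\nssl_tlsv2=NO\n"
          "ssl_tlsv1_2=YES\nssl_ciphers=HIGHT\nssl_ciphers=HIGH\n")

def cipher_string_ok(spec):
    """True if the OpenSSL linked into Python selects at least one cipher."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(spec)
        return True
    except ssl.SSLError:
        return False

def lint(text, redhat_patched=False):
    """Return (line_number, code) findings for the ssl_* lines of a vsftpd.conf."""
    findings, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition("=")
        if not key.strip().startswith("ssl_"):
            continue
        # vsftpd does not trim: "YES " is a bad boolean, spaces around "=" are an error.
        if key != key.strip() or value != value.strip():
            findings.append((n, "whitespace"))
        key, value = key.strip(), value.strip()
        if key in seen:
            findings.append((n, "duplicate"))
        seen.add(key)
        if key in REDHAT_ONLY:
            if not redhat_patched:
                findings.append((n, "redhat-only"))
        elif key not in UPSTREAM_SSL:
            findings.append((n, "unknown-option"))
        elif key in LEGACY and value.upper() == "YES":
            findings.append((n, "legacy-protocol"))
        elif key == "ssl_ciphers" and not cipher_string_ok(value):
            findings.append((n, "bad-cipher-string"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```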

