
CentOS / RHEL: Vsftpd SSL / TLS FTP Server Configuration

The vsftpd FTP server supports secure connections via SSL / TLS, the same encryption used for online banking and shopping. This applies to the control connection (including login) and also to data connections. You will need an FTP client with SSL support too. In this post, I am going to show you how to configure vsftpd to use SSL/TLS on CentOS or Red Hat Enterprise Linux (RHEL) version 5.x/6.x to secure communication.

VSFTPD: Create SSL Certificate on a CentOS / RHEL Server

Type the following command to create a self-signed certificate (you can also use a certificate issued by a third-party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Sample outputs:

Generating a 1024 bit RSA private key
writing new private key to '/etc/vsftpd/vsftpd.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra 
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in

Edit the vsftpd configuration file, enter:
# vi vsftpd.conf

Add or correct the following configuration options:

# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# Permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
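As an added check (an example script, not from the original post or the vsftpd project), the following POSIX shell audit reads a vsftpd.conf and reports any setting that would leave the password or data channel unencrypted, allow SSLv2/SSLv3, or point at a certificate file vsftpd cannot read. It assumes the directive names and defaults documented in vsftpd.conf(5); the configuration inside demo_weak_config is constructed for illustration.

```shell
# Audit a vsftpd.conf for the TLS directives shown above. Added example, not
# from the page or the vsftpd project; directive names and defaults are
# assumed to be those of vsftpd.conf(5). SELinux labels are not checked.
# vsftpd_opt FILE KEY -> value of the last uncommented "KEY=value" line
# (vsftpd expects the directive at column 0 with no spaces around '=')
vsftpd_opt() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# require FILE KEY WANT DEFAULT -> 0 if the effective value is WANT, else
# print a finding and return 1. An unset key takes the vsftpd default DEFAULT.
require() {
    got=$(vsftpd_opt "$1" "$2")
    got=${got:-$4}
    [ "$got" = "$3" ] && return 0
    printf 'WEAK: %s=%s (expected %s)\n' "$2" "$got" "$3"
    return 1
}

# check_vsftpd_ssl FILE -> 0 only when every hardening setting is in place
check_vsftpd_ssl() {
    rc=0
    require "$1" ssl_enable YES NO || rc=1              # TLS not offered at all
    require "$1" force_local_logins_ssl YES YES || rc=1 # password would go in clear
    require "$1" force_local_data_ssl YES YES || rc=1   # data channel in clear
    require "$1" ssl_sslv2 NO NO || rc=1                # obsolete protocol versions
    require "$1" ssl_sslv3 NO NO || rc=1
    cert=$(vsftpd_opt "$1" rsa_cert_file)
    if [ -z "$cert" ]; then
        echo 'WEAK: rsa_cert_file is not set'; rc=1
    elif [ ! -r "$cert" ]; then
        # vsftpd would refuse to start: "500 OOPS: SSL: cannot load RSA certificate"
        printf 'WEAK: rsa_cert_file %s is not readable\n' "$cert"; rc=1
    fi
    return $rc
}

# demo_weak_config -> runs the audit over a constructed config that turns TLS
# on but leaves SSLv3 enabled and lets the password travel unencrypted
demo_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssl_enable=YES
# ssl_sslv2=NO   <- commented out, so the default (NO) applies
ssl_sslv3=YES
force_local_logins_ssl=NO
EOF
    check_vsftpd_ssl "$f" && rc=0 || rc=1
    rm -f "$f"
    return $rc
}
```

Run `check_vsftpd_ssl /etc/vsftpd/vsftpd.conf` after editing the file; a zero exit status means every directive above has its hardened value.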

Restart the vsftpd FTP server and confirm it is listening on port 21:
# service vsftpd restart
# netstat -tulpn | grep :21

Test SSL Aware FTP Server With ftp-ssl command

ftp-ssl is the FTP client with SSL or TLS encryption support. To install ftp-ssl on a Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl

Sample SSL-aware FTP session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:

Connected to ftp.nixcraft.net.in.
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

lftp is a file transfer program that supports sophisticated FTP, FTP over SSL, HTTP and other connections to remote hosts. It is available on all UNIX / BSD / Linux distributions. Use lftp as follows to force SSL on the connection:
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in

List of SSL Aware FTP Client


{ 10 comments… add one }

  • mrf February 10, 2010, 12:40 pm

    Hi Mr Vivek,
    is there any problem if I'm using a secure connection plus quota tools to limit the disk capacity on users' accounts on vsftp? For example, slow connection to upload or download data, maybe?


  • Matthew August 10, 2010, 10:57 pm

    I love the guide, but I have this problem: using WinSCP or even Filezilla and setting them to use Implicit TLS/SSL won't let me connect.

    16:53:43 Status: Connection established, waiting for welcome message…
    16:53:43 Response: 220-NOTICE TO USERS
    16:53:43 Response: 220-
    16:53:43 Response: 220-Use of this system constitutes consent to security monitoring and testing.
    16:53:43 Response: 220-All activity is logged with your host name and IP address.
    16:53:43 Response: 220
    16:53:43 Command: AUTH TLS
    16:53:43 Response: 234 Proceed with negotiation.
    16:53:43 Status: Initializing TLS…
    16:53:43 Status: Verifying certificate…
    16:53:43 Command: USER ***************
    16:53:43 Status: TLS/SSL connection established.
    16:53:43 Response: 331 Please specify the password.
    16:53:43 Command: PASS ************
    16:53:43 Response: 230 Login successful.
    16:53:43 Command: SYST
    16:53:43 Response: 215 UNIX Type: L8
    16:53:43 Command: FEAT
    16:53:43 Response: 211-Features:
    16:53:43 Response: AUTH SSL
    16:53:43 Response: AUTH TLS
    16:53:43 Response: EPRT
    16:53:43 Response: EPSV
    16:53:43 Response: MDTM
    16:53:43 Response: PASV
    16:53:43 Response: PBSZ
    16:53:43 Response: PROT
    16:53:43 Response: REST STREAM
    16:53:43 Response: SIZE
    16:53:43 Response: TVFS
    16:53:43 Response: 211 End
    16:53:43 Command: PBSZ 0
    16:53:43 Response: 200 PBSZ set to 0.
    16:53:43 Command: PROT P
    16:53:43 Response: 200 PROT now Private.
    16:53:43 Status: Connected
    16:53:43 Status: Retrieving directory listing…
    16:53:43 Command: PWD
    16:53:43 Response: 257 “/”
    16:53:43 Command: TYPE I
    16:53:43 Response: 200 Switching to Binary mode.
    16:53:43 Command: PASV
    16:53:43 Response: 227 Entering Passive Mode (10,0,7,1,184,39)
    16:53:43 Status: Server sent passive reply with unroutable address. Using server address instead.
    16:53:43 Command: LIST

    That is with Active mode on in Filezilla; it still tries passive, but using FlashFXP and choosing the option Use ‘STAT -L’ to list directory it works perfectly. Is there something I can do to make this work with Filezilla or even Dreamweaver? I want a secure connection to our server, but I have 2 outside people who need access to this server and prefer to use Filezilla or Dreamweaver's built-in FTP client.

  • Matthew August 10, 2010, 11:15 pm

    I took the easy way out and just enabled passive mode adding the various passive_ options instead of trying to make it work under active mode.

    • Dave November 12, 2010, 12:03 am

      The various passive_options you mention….are they enabled in the vsftpd.conf file? I’m not real familiar with vsftpd but I also need to use Filezilla as an ftp client. Thanks!

  • Maxime May 11, 2011, 1:15 pm

    I also had a problem with SELinux!
    It just wouldn't start, with error: Starting vsftpd for vsftpd: 500 OOPS: SSL: cannot load RSA certificate
    My certificate is in /etc/vsftpd/vsftpd.pem
    so just allow the ftp service to read files in /etc/vsftpd

    semanage fcontext -a -t public_content_t "/etc/vsftpd(/.*)?"
    restorecon -F -R -v /etc/vsftpd

  • eriik October 24, 2011, 4:23 pm

    this won’t work because FTPS (vsftpd supports this) and SFTP (vsftpd doesn’t) are completely different protocols. There’s a lot of confusion on the net about this. I don’t think vsftpd can be used on port 22 at an SFTP client.

  • Nicholas January 6, 2013, 10:53 pm

    VSFTPD definitely supports SFTP and has for many years.

  • Keith April 2, 2013, 4:10 pm

    The certificate creation command should disambiguate the -keyout and -out parameter values. For example:
    /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd_privkey.pem -out vsftpd_cert.pem

    Then add the following in vsftpd.conf:

    • Andreas June 18, 2013, 7:01 pm

      This FINALLY made mine work. I’m using the latest SLES 11 SP2 and turning on SSL did not allow vsftpd to start. I split the cert + key as you suggested and changed the conf file to have rsa_ lines instead of dsa_ ones and it finally runs

      Thanks for this info!

  • BB June 14, 2013, 2:29 pm

    I’m running Debian (old Sarge) and I’m using lftp to connect to a UNIX FTP server via FTPS. In trying to get or put, I receive: get/put: Fatal Error: SSL_READ Wrong Version Number. I’ve tried self-signing a certificate (although I’m not sure I did it right), and all of the other really scarce information I’ve found on this subject. The server isn’t mine, it belongs to a customer, so I have no insight into their configuration. Can someone give me an idea of where to go here?

    Thank you,
