CentOS / RHEL: Vsftpd SSL / TLS FTP Server Configuration

Published January 21, 2009 · 10 comments · Last updated January 8, 2014


The vsftpd FTP server supports secure connections via SSL/TLS, the same encryption used for online banking and shopping. Encryption covers the control connection (including the login) and the data connections. You also need an FTP client with SSL/TLS support. In this post I show how to configure vsftpd to use SSL/TLS on CentOS or Red Hat Enterprise Linux (RHEL) 5.x/6.x to secure communication.

VSFTPD: Create SSL Certificate on a CentOS / RHEL Server

Type the following commands to create a self-signed certificate (you can also use a certificate issued by a third-party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Sample outputs:

Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra 
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in

Edit the vsftpd configuration file, /etc/vsftpd/vsftpd.conf:
# vi /etc/vsftpd/vsftpd.conf

Add or correct the following configuration options:

# Turn on SSL
ssl_enable=YES

# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES

# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES

# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES

# Permit TLS v1 protocol connections. TLS v1 connections are preferred.
ssl_tlsv1=YES

# Do not permit SSL v2 protocol connections (obsolete and insecure).
ssl_sslv2=NO

# Do not permit SSL v3 protocol connections (obsolete and insecure).
ssl_sslv3=NO

# Location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart the vsftpd FTP server and confirm that it is listening on port 21:
# service vsftpd restart
# netstat -tulpn | grep :21
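The following audit script is an added example; it is not from the original post or from the vsftpd project. It reads a vsftpd.conf given as an argument, checks that the options listed above carry the values shown, and additionally verifies that the file named in rsa_cert_file exists and that the private key (rsa_private_key_file if set, otherwise the combined PEM created above, which holds the key as well) is not readable by group or other. It needs only POSIX sh, sed and ls; the configuration files used when testing it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a vsftpd.conf for the
# TLS settings described above.
# Usage: audit_vsftpd_ssl /etc/vsftpd/vsftpd.conf; echo "findings: $?"
# Prints one FINDING line per problem and returns the number of findings.

# Effective value of an option: the last uncommented "key=value" line wins,
# whitespace around the value is stripped; empty output if the key is absent.
vsftpd_get() {
    # $1 = config file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Compare one option with its expected value; print a finding and return 1 on mismatch.
vsftpd_expect() {
    # $1 = config file, $2 = option name, $3 = expected value
    actual=$(vsftpd_get "$1" "$2")
    if [ "$actual" != "$3" ]; then
        printf 'FINDING: %s=%s (expected %s)\n' "$2" "${actual:-<unset>}" "$3"
        return 1
    fi
}

audit_vsftpd_ssl() {
    conf=$1
    findings=0
    # TLS must be on, local users must not be able to fall back to cleartext
    # for the login or the data connection, and SSLv2/SSLv3 must stay disabled.
    for pair in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO; do
        vsftpd_expect "$conf" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    # The certificate must be named and present, otherwise vsftpd cannot load it.
    cert=$(vsftpd_get "$conf" rsa_cert_file)
    if [ -z "$cert" ]; then
        echo 'FINDING: rsa_cert_file is not set'
        findings=$((findings + 1))
    elif [ ! -f "$cert" ]; then
        printf 'FINDING: rsa_cert_file %s does not exist\n' "$cert"
        findings=$((findings + 1))
    else
        # The private key lives in rsa_private_key_file if that is set, otherwise
        # in the combined PEM named by rsa_cert_file; either way only root should
        # be able to read it. Columns 5-10 of ls -l are the group/other bits.
        key=$(vsftpd_get "$conf" rsa_private_key_file)
        [ -n "$key" ] || key=$cert
        if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != '------' ]; then
            printf 'FINDING: %s is readable by group/other (expected mode 0600)\n' "$key"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

Run it against the live file after editing and again after any later change; a non-zero return code means at least one of the settings above has drifted, a check that is cheap enough to put in a cron job or a configuration-management handler.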

Test the SSL-Aware FTP Server With the ftp-ssl Command

ftp-ssl is an FTP client with SSL/TLS encryption support. To install ftp-ssl on a Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl

Sample SSL-aware FTP session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:

Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

lftp is a file transfer program that supports sophisticated FTP, FTP-SSL, HTTP and other connections to remote hosts; it is available on all UNIX / BSD / Linux distributions. Use lftp as follows:
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in

List of SSL-Aware FTP Clients



1 mrf February 10, 2010 at 12:40 pm

Hi Mr Vivek,
Is there any problem if I'm using a secure connection plus quota tools to limit the disk capacity of user accounts on vsftpd? For example, a slow connection to upload or download data, maybe?

Thx


2 Matthew August 10, 2010 at 10:57 pm

I love the guide, but I have this problem: using WinSCP or even FileZilla and setting them to use Implicit TLS/SSL won't let me connect.

16:53:43 Status: Connection established, waiting for welcome message…
16:53:43 Response: 220-NOTICE TO USERS
16:53:43 Response: 220-
16:53:43 Response: 220-Use of this system constitutes consent to security monitoring and testing.
16:53:43 Response: 220-All activity is logged with your host name and IP address.
16:53:43 Response: 220
16:53:43 Command: AUTH TLS
16:53:43 Response: 234 Proceed with negotiation.
16:53:43 Status: Initializing TLS…
16:53:43 Status: Verifying certificate…
16:53:43 Command: USER ***************
16:53:43 Status: TLS/SSL connection established.
16:53:43 Response: 331 Please specify the password.
16:53:43 Command: PASS ************
16:53:43 Response: 230 Login successful.
16:53:43 Command: SYST
16:53:43 Response: 215 UNIX Type: L8
16:53:43 Command: FEAT
16:53:43 Response: 211-Features:
16:53:43 Response: AUTH SSL
16:53:43 Response: AUTH TLS
16:53:43 Response: EPRT
16:53:43 Response: EPSV
16:53:43 Response: MDTM
16:53:43 Response: PASV
16:53:43 Response: PBSZ
16:53:43 Response: PROT
16:53:43 Response: REST STREAM
16:53:43 Response: SIZE
16:53:43 Response: TVFS
16:53:43 Response: 211 End
16:53:43 Command: PBSZ 0
16:53:43 Response: 200 PBSZ set to 0.
16:53:43 Command: PROT P
16:53:43 Response: 200 PROT now Private.
16:53:43 Status: Connected
16:53:43 Status: Retrieving directory listing…
16:53:43 Command: PWD
16:53:43 Response: 257 “/”
16:53:43 Command: TYPE I
16:53:43 Response: 200 Switching to Binary mode.
16:53:43 Command: PASV
16:53:43 Response: 227 Entering Passive Mode (10,0,7,1,184,39)
16:53:43 Status: Server sent passive reply with unroutable address. Using server address instead.
16:53:43 Command: LIST

That is with active mode on in FileZilla; it still tries passive. But using FlashFXP and choosing the option "Use 'STAT -L' to list directory" it works perfectly. Is there something I can do to make this work with FileZilla or even Dreamweaver? I want a secure connection to our server, but I have 2 outside people who need access to this server and prefer to use FileZilla or Dreamweaver's built-in FTP client.

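As an added example, not part of the original post or of the comment above: the FileZilla log shown in the comment is the explicit-FTPS sequence (AUTH TLS, server reply 234, then USER/PASS over TLS, then PBSZ 0 and PROT P before any data command). The script below audits such a client-side "Command:"/"Response:" log and reports credentials sent before TLS was negotiated or data commands issued without PROT P. It assumes that log format (timestamp optional) and needs only sh and awk; the session logs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the comment: audit a client-side
# FTP control-channel log for credentials or data channels used outside TLS.
# Usage: check_ftps_log session.log   -> prints findings, returns their count

check_ftps_log() {
    awk '
        # Explicit FTPS: the client sends AUTH TLS and the server answers 234;
        # only after that reply does the control channel carry TLS.
        /Command: AUTH TLS/ { auth_sent = 1 }
        /Response: 234 /    { if (auth_sent) tls = 1 }
        # USER and PASS issued before the handshake travel in cleartext.
        /Command: USER/  { if (!tls) { print "FINDING line " NR ": USER sent before TLS was negotiated"; n++ } }
        /Command: PASS / { if (!tls) { print "FINDING line " NR ": PASS sent before TLS was negotiated"; n++ } }
        # PROT P protects the data connection; PROT C switches it back to clear.
        /Command: PROT P/ { prot = 1 }
        /Command: PROT C/ { prot = 0 }
        # Listings and transfers open a data connection, so they need PROT P.
        /Command: (LIST|NLST|MLSD|RETR|STOR)/ {
            if (!prot) { print "FINDING line " NR ": data command without PROT P: " $0; n++ }
        }
        END { exit n }
    ' "$1"
}
```

A clean log returns 0. Note that the script checks only what the client sent; the server-side counterpart is force_local_logins_ssl and force_local_data_ssl in vsftpd.conf, which reject cleartext logins and data connections regardless of client behaviour.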

3 Matthew August 10, 2010 at 11:15 pm

I took the easy way out and just enabled passive mode adding the various passive_ options instead of trying to make it work under active mode.


4 Dave November 12, 2010 at 12:03 am

The various passive_ options you mention... are they enabled in the vsftpd.conf file? I'm not really familiar with vsftpd, but I also need to use FileZilla as an FTP client. Thanks!


5 Maxime May 11, 2011 at 1:15 pm

I also had a problem with SELinux!
It just wouldn't start, with the error: Starting vsftpd for vsftpd: 500 OOPS: SSL: cannot load RSA certificate
My certificate is in /etc/vsftpd/vsftpd.pem,
so just allow the ftp service to read files in /etc/vsftpd:

semanage fcontext -a -t public_content_t "/etc/vsftpd(/.*)?"
restorecon -F -R -v /etc/vsftpd


6 eriik October 24, 2011 at 4:23 pm

This won't work because FTPS (which vsftpd supports) and SFTP (which vsftpd doesn't) are completely different protocols. There's a lot of confusion on the net about this. I don't think vsftpd can be used on port 22 with an SFTP client.


7 Nicholas January 6, 2013 at 10:53 pm

@eriik
VSFTPD definitely supports SFTP and has for many years.


8 Keith April 2, 2013 at 4:10 pm

The certificate creation command should disambiguate the -keyout and -out parameter values. For example:
/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd_privkey.pem -out vsftpd_cert.pem

Then add the following in vsftpd.conf:
rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem


9 Andreas June 18, 2013 at 7:01 pm

This FINALLY made mine work. I'm using the latest SLES 11 SP2, and turning on SSL did not allow vsftpd to start. I split the cert + key as you suggested and changed the conf file to have rsa_ lines instead of dsa_ ones, and it finally runs.

Thanks for this info!


10 BB June 14, 2013 at 2:29 pm

Hello,
I'm running Debian (old Sarge) and I'm using lftp to connect to a UNIX FTP server via FTPS. When trying to get or put, I receive: get/put: Fatal Error: SSL_READ Wrong Version Number. I've tried self-signing a certificate (although I'm not sure I did it right), and all of the other really scarce information I've found on this subject. The server isn't mine, it belongs to a customer, so I have no insight into their configuration. Can someone give me an idea of where to go from here?

Thank you,
BB

