CentOS / RHEL: Vsftpd SSL / TLS FTP Server Configuration

last updated in Categories CentOS, FTP Server, Linux, Networking, RedHat/Fedora Linux, Security

Vsftpd FTP server supports secure connections via SSL / TLS, same encryption used with online banking and shopping. This applies to the control connection (including login) and also data connections. You will need a ftp client with SSL support too. In this post, I am going to show you how To configure vsftpd to yse SSL/TLS on a CentOS or Red Hat Enterprise Linux (RHEL) version 5.x/6.x to secure communication.

VSFTPD: Create SSL Certificate on a CentOS / RHEL Server

Type the following command to create self-signed certificate (you can also use certificate issued by 3rd party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Sample outputs:

Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra 
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in

Edit the vsftpd configuration file, enter:
# vi vsftpd.conf

Add or correct the following configuration option:

# Turn on SSL
ssl_enable=YES
 
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
 
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
 
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
 
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
 
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
 
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
 
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart the vsftpd ftp server:
# service vsftpd restart
# netstat -tulpn | grep :21

Test SSL Aware FTP Server With ftp-ssl command

ftp-ssl is the FTP client with SSL or TLS encryption support. Install ftp-ssl under Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl
Sample ssl aware ftp session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:

Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

lftp is a file transfer program that allows sophisticated ftp, ftp-ssl, http and other connections to other hosts. Use lftp as follows (it is available under all UNIX / BSD / Linux distributions)
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in

List of SSL Aware FTP Client

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

10 comment

  1. hi mr vivek,
    is there any problem if im using secure connection plus quota tools to limit the disk capacity on users account on vsftp ?? example like, slow connection to upload or download data –maybe,

    thx

  2. I love the guide, but i have this problem, using WinSCP or even Filezilla and setting them to use Implicit TLS /SSL wont let me connect

    16:53:43 Status: Connection established, waiting for welcome message…
    16:53:43 Response: 220-NOTICE TO USERS
    16:53:43 Response: 220-
    16:53:43 Response: 220-Use of this system constitutes consent to security monitoring and testing.
    16:53:43 Response: 220-All activity is logged with your host name and IP address.
    16:53:43 Response: 220
    16:53:43 Command: AUTH TLS
    16:53:43 Response: 234 Proceed with negotiation.
    16:53:43 Status: Initializing TLS…
    16:53:43 Status: Verifying certificate…
    16:53:43 Command: USER ***************
    16:53:43 Status: TLS/SSL connection established.
    16:53:43 Response: 331 Please specify the password.
    16:53:43 Command: PASS ************
    16:53:43 Response: 230 Login successful.
    16:53:43 Command: SYST
    16:53:43 Response: 215 UNIX Type: L8
    16:53:43 Command: FEAT
    16:53:43 Response: 211-Features:
    16:53:43 Response: AUTH SSL
    16:53:43 Response: AUTH TLS
    16:53:43 Response: EPRT
    16:53:43 Response: EPSV
    16:53:43 Response: MDTM
    16:53:43 Response: PASV
    16:53:43 Response: PBSZ
    16:53:43 Response: PROT
    16:53:43 Response: REST STREAM
    16:53:43 Response: SIZE
    16:53:43 Response: TVFS
    16:53:43 Response: 211 End
    16:53:43 Command: PBSZ 0
    16:53:43 Response: 200 PBSZ set to 0.
    16:53:43 Command: PROT P
    16:53:43 Response: 200 PROT now Private.
    16:53:43 Status: Connected
    16:53:43 Status: Retrieving directory listing…
    16:53:43 Command: PWD
    16:53:43 Response: 257 “/”
    16:53:43 Command: TYPE I
    16:53:43 Response: 200 Switching to Binary mode.
    16:53:43 Command: PASV
    16:53:43 Response: 227 Entering Passive Mode (10,0,7,1,184,39)
    16:53:43 Status: Server sent passive reply with unroutable address. Using server address instead.
    16:53:43 Command: LIST

    That is with Active mode on in Filezilla, it still tries passive, but, using FlashFXP and choosing option Use ‘STAT -L’ to list directory it works perfectly.. is there something i can do to make this work with Filezilla or even dreamweaver, i want a secure connection to our server but i have 2 outside people who need access to this server and prefer to use Filezilla or dreamweaver built in ftp client.

  3. I took the easy way out and just enabled passive mode adding the various passive_ options instead of trying to make it work under active mode.

    1. The various passive_options you mention….are they enabled in the vsftpd.conf file? I’m not real familiar with vsftpd but I also need to use Filezilla as an ftp client. Thanks!

  4. I also had a problem with selinux !
    It just wouldn’t start with error : Starting vsftpd for vsftpd: 500 OOPS: SSL: cannot load RSA certificate
    My certificate is in /etc/vsfptd/vsftpd.pem
    so just allow the ftp service to read files in /etc/vsftpf

    semanage fcontext -a -t public_content_t "/etc/vsftpd(/.*)?"
restorecon -F -R -v /etc/vsftpd

  5. this won’t work because FTPS (vsftpd supports this) and SFTP (vsftpd doesn’t) are completely different protocols. There’s a lot of confusion on the net about this. I don’t think vsftpd can be used on port 22 at an SFTP client.

  7. The certificate creation command should disambiguate the -keyout and -out parameter values. For example:
    /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd_privkey.pem -out vsftpd_cert.pem

    Then add the following in vsftpd.conf:
    rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
    rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

    1. This FINALLY made mine work. I’m using the latest SLES 11 SP2 and turning on SSL did not allow vsftpd to start. I split the cert + key as you suggested and changed the conf file to have rsa_ lines instead of dsa_ ones and it finally runs

      Thanks for this info!

  8. Hello,
    I’m running Debian (old-Sarge) and I’m using lftp to connect to a UNIX FTP server via ftps. In trying to get or put, i receive: get/put: Fatal Error: SSL_READ Wrong Version Number. I’ve tried self signing a certificate (although I’m not sure I did it right), and all of the other really scarce information I’ve found on this subject. The server isn’t mine, it belongs to a customer, so I have no insight into their configuration. Can someone give me an idea of where to go here?

    Thank you,
    BB

    Have a question? Post it on our forum!

Tagged as: Tags , , , , , , , , , , , ,