Last modified on 06/16/10 22:09:15

Configure VSFTPD For FTP/SSL

NOTES:

  • Support for intermediate certificates was added in VSFTPD version 2.0.5:

http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=307498

  • Version 2.0.7 solved TLS disconnect problems experienced by FileZilla users

http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688
http://forum.filezilla-project.org/viewtopic.php?t=7580&f=2
http://forums.proftpd.org/smf/index.php?topic=3501.0

  • VSFTPD 2.2.x requires OpenSSL 0.9.8

Configure FTP/SSL server

  1. Update the default configuration.
# rpm -q vsftpd openssl
vsftpd-2.2.2-8.el4
openssl-0.9.8n-1.el4
#
# cd /etc/vsftpd
# cp -a vsftpd.conf vsftpd.conf.orig
# vi vsftpd.conf
#
# diff vsftpd.conf.orig vsftpd.conf
110a111,120
> 
> ssl_enable=YES
> ssl_sslv2=NO
> ssl_sslv3=YES
> ssl_tlsv1=YES
> ssl_ciphers=HIGH:!MD5:!ADH
> rsa_cert_file=/etc/vsftpd/server.pem
> force_local_logins_ssl=YES
> force_local_data_ssl=YES
> require_ssl_reuse=NO
#
  2. Combine the private key and public SSL certificate that were created for the Apache web server into a single PEM file.
# ls -lg /etc/httpd/conf/ssl.???/server.???
-rw-r--r--  1 root 1151 Oct 16  2009 /etc/httpd/conf/ssl.crt/server.crt
-rw-------  1 root  887 Oct 16  2009 /etc/httpd/conf/ssl.key/server.key
#
# cat /etc/httpd/conf/ssl.key/server.key \
      /etc/httpd/conf/ssl.crt/server.crt > /etc/vsftpd/server.pem
# chmod 400 /etc/vsftpd/server.pem
# ls -lg /etc/vsftpd/server.pem
-r--------  1 root 2038 Jun 10  2010 /etc/vsftpd/server.pem
#
#

NOTE:

  • If an intermediate (chain) certificate is involved, it should be added to server.pem as well.
  3. Start the service.
# chkconfig vsftpd on
# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
#
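
As an added example (not from this wiki page), the following Python audits what the steps above produce: it parses the option=value directives of vsftpd.conf, flags protocol, cipher and plaintext-fallback settings that weaken FTP/SSL, and checks that server.pem holds both the key and the certificate and is not group/world readable. The sample configuration is constructed from the page's diff; run against it, the audit reports only ssl_sslv3=YES.

```python
# Constructed sample: the directives the page's diff adds to vsftpd.conf.
SAMPLE_CONF = """\
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=YES
ssl_tlsv1=YES
ssl_ciphers=HIGH:!MD5:!ADH
rsa_cert_file=/etc/vsftpd/server.pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
require_ssl_reuse=NO
"""
# OpenSSL cipher-string tokens that must never appear without a '!' or '-' prefix.
WEAK_TOKENS = {"LOW", "EXPORT", "EXP", "NULL", "eNULL", "aNULL", "ADH", "MD5", "RC4", "DES"}
def parse_vsftpd_conf(text):
    """vsftpd reads option=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key] = value
    return conf

def audit_tls(conf):
    """Return (directive, problem) pairs for settings that weaken FTP/SSL."""
    findings = []
    if conf.get("ssl_enable") != "YES":
        findings.append(("ssl_enable", "TLS not enabled"))
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(proto) == "YES":
            findings.append((proto, "obsolete protocol enabled"))
    for directive in ("force_local_logins_ssl", "force_local_data_ssl"):
        if conf.get(directive) == "NO":
            findings.append((directive, "plaintext fallback allowed for local users"))
    ciphers = conf.get("ssl_ciphers", "")
    enabled = {t for t in ciphers.split(":") if not t.startswith(("!", "-"))}
    if not ciphers or enabled & WEAK_TOKENS:
        findings.append(("ssl_ciphers", "weak cipher suites explicitly allowed"))
    return findings

def check_pem(pem_text, mode):
    """server.pem holds key + certificate; mode is the file's st_mode (or 0oNNN)."""
    problems = []
    for marker, what in (("-----BEGIN CERTIFICATE-----", "certificate"), ("PRIVATE KEY-----", "private key")):
        if marker not in pem_text:
            problems.append("no %s block" % what)
    if mode & 0o077:  # the private key must not be readable by group or others
        problems.append("readable by group/others (mode %o)" % (mode & 0o777))
    return problems
```

To audit a live server, pass the contents of /etc/vsftpd/vsftpd.conf to parse_vsftpd_conf and the contents plus os.stat(...).st_mode of the file named by rsa_cert_file to check_pem.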

Test from a client

$ openssl s_client -connect punkts.org:ftp -starttls ftp -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/O=punkts.org/OU=GT96579082/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=punkts.org
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 6C9C5C8D9C8339C4AE44E59F9B10AE977858F9D02B87C6C9E9F9F425B33C1CFB
    Session-ID-ctx: 
    Master-Key: ADEF2203EC51D84E6F023AF7C958C17F4D0953109618BB9D2970F9CC26452AE5A581324A63106DE481D811DBF7EA497A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1276197181
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
QUIT
DONE
$