Vsftpd ssl

January 2, 2025, 6:20pm

There’s something wrong with my vsftpd SSL configuration, which is:

rsa_cert_file=/etc/letsencrypt/live/iron.holtain.net/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/iron.holtain.net/privkey.pem
ssl_ciphers=HIGH
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
debug_ssl=YES

WinSCP logs this:

. 2025-01-02 14:45:40.739 --------------------------------------------------------------------------
. 2025-01-02 14:45:41.101 Connecting to iron.holtain.net
. 2025-01-02 14:45:41.101 Connected with iron.holtain.net, negotiating TLS connection…
< 2025-01-02 14:45:41.101 220 (vsFTPd 3.0.5)
> 2025-01-02 14:45:41.101 AUTH TLS
< 2025-01-02 14:45:41.101 234 Proceed with negotiation.
. 2025-01-02 14:45:41.101 Verifying certificate for “Holtain Ltd” with fingerprint 1e:b6:f0:43:fb:d4:0d:26:7b:2c:7d:55:6e:99:c8:37:bf:3f:e2:07:ac:dd:9a:3e:be:37:7e:c3:d0:0c:e6:30 and 18 failures
. 2025-01-02 14:45:41.101 Certificate common name “iron.holtain.net” matches hostname
. 2025-01-02 14:45:41.101 Certificate for “Holtain Ltd” matches cached fingerprint and failures
. 2025-01-02 14:45:41.101 Using TLSv1.3, cipher TLSv1.3: TLS_AES_256_GCM_SHA384, 2048 bit RSA, TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
. 2025-01-02 14:45:41.136 TLS connection established. Waiting for welcome message…
> 2025-01-02 14:45:41.136 USER wwwupload
< 2025-01-02 14:45:41.136 331 Please specify the password.
> 2025-01-02 14:45:41.136 PASS ************
. 2025-01-02 14:45:41.648 SSL3 alert write: fatal: unexpected_message
. 2025-01-02 14:45:41.648 error:0A0001BB:SSL routines::bad record type
. 2025-01-02 14:45:41.648 bad record type
. 2025-01-02 14:45:41.648 error:0A000139:SSL routines::record layer failure
. 2025-01-02 14:45:41.648 record layer failure
. 2025-01-02 14:45:41.648 An established connection was aborted by the software in your host machine.

FileZilla reports:

Error: GnuTLS error -15 in gnutls_record_recv: An unexpected TLS packet was received.
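Added example, not from either post: a small Python triage script for the WinSCP log format quoted above. It walks the `.`/`<`/`>` prefixed lines and records whether the TLS handshake completed, how many certificate verification failures the client reported, and which command the client had sent when the first fatal alert appeared. The log embedded in the script is a constructed copy of the one in the post (fingerprint shortened, the `>` prefix WinSCP puts on client-sent lines restored).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copy of the WinSCP session log quoted in the post
# (fingerprint shortened; '>' marks lines the client sent).
SAMPLE_LOG = """\
. 2025-01-02 14:45:41.101 Connecting to iron.holtain.net
. 2025-01-02 14:45:41.101 Connected with iron.holtain.net, negotiating TLS connection...
< 2025-01-02 14:45:41.101 220 (vsFTPd 3.0.5)
> 2025-01-02 14:45:41.101 AUTH TLS
< 2025-01-02 14:45:41.101 234 Proceed with negotiation.
. 2025-01-02 14:45:41.101 Verifying certificate for "Holtain Ltd" with fingerprint 1e:b6:f0:43 and 18 failures
. 2025-01-02 14:45:41.101 Certificate common name "iron.holtain.net" matches hostname
. 2025-01-02 14:45:41.101 Certificate for "Holtain Ltd" matches cached fingerprint and failures
. 2025-01-02 14:45:41.101 Using TLSv1.3, cipher TLSv1.3: TLS_AES_256_GCM_SHA384, 2048 bit RSA
. 2025-01-02 14:45:41.136 TLS connection established. Waiting for welcome message...
> 2025-01-02 14:45:41.136 USER wwwupload
< 2025-01-02 14:45:41.136 331 Please specify the password.
> 2025-01-02 14:45:41.136 PASS ************
. 2025-01-02 14:45:41.648 SSL3 alert write: fatal: unexpected_message
. 2025-01-02 14:45:41.648 error:0A0001BB:SSL routines::bad record type
. 2025-01-02 14:45:41.648 error:0A000139:SSL routines::record layer failure
. 2025-01-02 14:45:41.648 An established connection was aborted by the software in your host machine.
"""

# WinSCP log lines: '.' = client note, '<' = received from server, '>' = sent to server.
LINE_RE = re.compile(r"^([.<>])\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
FAILURES_RE = re.compile(r"with fingerprint \S+ and (\d+) failures")


@dataclass
class Triage:
    tls_established: bool = False
    tls_version: Optional[str] = None
    cert_failures: Optional[int] = None
    cert_accepted_from_cache: bool = False
    last_command: Optional[str] = None   # last command sent before the first error
    first_error: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def triage_winscp_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        direction, msg = m.groups()
        if direction == ">":
            # keep only the verb of PASS so a password never ends up in the report
            t.last_command = "PASS" if msg.startswith("PASS") else msg
        elif direction == ".":
            if "TLS connection established" in msg:
                t.tls_established = True
            elif msg.startswith("Using TLSv"):
                t.tls_version = msg.split(",")[0][len("Using "):]
            elif (fm := FAILURES_RE.search(msg)):
                t.cert_failures = int(fm.group(1))
            elif "matches cached fingerprint" in msg:
                t.cert_accepted_from_cache = True
            elif ("fatal" in msg and "alert" in msg) or msg.startswith("error:"):
                t.first_error = msg
                break   # everything after the first fatal error is fallout
    if t.cert_failures:
        how = ("continued on a previously accepted fingerprint" if t.cert_accepted_from_cache
               else "did not record an explicit acceptance")
        t.notes.append(f"client reported {t.cert_failures} certificate verification failures and {how}; "
                       "the certificate did not pass the client's own verification")
    if t.first_error and t.tls_established:
        t.notes.append(f"handshake completed ({t.tls_version}); the record layer failed after {t.last_command}: "
                       "the client received bytes on the control connection it could not parse as a TLS record")
    elif t.first_error:
        t.notes.append("failure occurred during the TLS handshake itself")
    return t


if __name__ == "__main__":
    for note in triage_winscp_log(SAMPLE_LOG).notes:
        print("-", note)
```

Run on this log it reports that the handshake itself succeeded (TLSv1.3 negotiated, so the cipher settings are not the failing step) and that the record-layer error appeared right after PASS, i.e. the client then received something on the control connection that was not a TLS record. The nonzero failure count deserves a separate look: WinSCP proceeded on a cached fingerprint rather than on a certificate that passed its checks.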

Espionage724, January 3, 2025, 1:58am

It’s been some years, but I did this for a self-generated cert:

Generate key:

sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout '/etc/ssl/certs/vsftpd.pem' -out '/etc/ssl/certs/vsftpd.pem' && sudo chmod '600' '/etc/ssl/certs/vsftpd.pem'

vsftpd conf:

sudo -e '/etc/vsftpd/vsftpd.conf' && sudo systemctl restart 'vsftpd'

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=YES

ssl_ciphers=AES128-SHA
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

I haven’t tried linking it to letsencrypt certs, but I guess it might generate certs incompatible with vsftpd.
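Added example, not from either post: a Python audit for the TLS-related vsftpd.conf options discussed in this thread. It parses the option=value format and reports on `ssl_enable`, the protocol and cipher choices, `require_ssl_reuse`, the `force_local_*_ssl` pair, and whether the private key shares a file with the certificate (and, if that file exists where the script runs, whether it is readable by others). The three embedded configs are constructed samples: the excerpt from the opening post, the option list from the reply, and a hypothetical hardened variant with placeholder paths. Defaults assumed for unset options are vsftpd's documented ones; the cipher checks are string heuristics over OpenSSL cipher names.

```python
from __future__ import annotations
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples (see lead-in). OP_CONF is the excerpt above, so ssl_enable is absent.
OP_CONF = """\
rsa_cert_file=/etc/letsencrypt/live/iron.holtain.net/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/iron.holtain.net/privkey.pem
ssl_ciphers=HIGH
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
debug_ssl=YES
"""
REPLY_CONF = """\
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=YES
ssl_ciphers=AES128-SHA
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
"""
HARDENED_CONF = """\
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=YES
ssl_sslv2=NO
ssl_sslv3=NO
# AEAD suites with ephemeral key exchange only (hypothetical choice, OpenSSL names)
ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
rsa_cert_file=/etc/letsencrypt/live/ftp.example.invalid/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/ftp.example.invalid/privkey.pem
"""

WEAK_CIPHER_TOKENS = ("NULL", "RC4", "DES", "MD5", "EXPORT")  # broken or export-grade


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    key: str
    message: str


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """One option=value per line; '#' lines are comments. vsftpd itself rejects
    whitespace around '=', it is stripped here only so pasted snippets can be audited."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _readable_by_others(path: str) -> Optional[bool]:
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None   # file not present where the audit runs
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def _cipher_findings(ciphers: str) -> List[Finding]:
    out: List[Finding] = []
    for tok in ciphers.split(":"):
        if tok.startswith("!"):
            continue   # an exclusion, not an enabled suite
        name = tok.lstrip("+-")
        if any(w in name.upper() for w in WEAK_CIPHER_TOKENS):
            out.append(Finding("high", "ssl_ciphers", f"{tok}: broken or export-grade suite"))
            continue
        if name in ("ALL", "DEFAULT", "HIGH"):
            out.append(Finding("medium", "ssl_ciphers", f"{tok}: broad group, still admits static-RSA and CBC suites"))
            continue
        # No key-exchange prefix (AES128-SHA, CAMELLIA...) means static RSA key transport.
        if name.startswith(("AES", "CAMELLIA")):
            out.append(Finding("medium", "ssl_ciphers", f"{tok}: static RSA key exchange, no forward secrecy"))
        if name.endswith("-SHA"):
            out.append(Finding("medium", "ssl_ciphers", f"{tok}: CBC mode with SHA-1 MAC, prefer an AEAD suite"))
    return out


def audit_tls(conf: Dict[str, str]) -> List[Finding]:
    """Defaults passed to yes() are vsftpd's documented defaults for unset options."""
    f: List[Finding] = []

    def yes(key: str, default: str) -> bool:
        return conf.get(key, default).upper() == "YES"

    if not yes("ssl_enable", "NO"):
        f.append(Finding("high", "ssl_enable", "not YES: every other ssl_* option is ignored"))
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if yes(key, "NO"):
            f.append(Finding("high", key, "obsolete protocol enabled"))
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not yes(key, "YES"):
            f.append(Finding("high", key, "not YES: local logins or data may go in cleartext"))
    if not yes("require_ssl_reuse", "YES"):
        f.append(Finding("medium", "require_ssl_reuse",
                         "NO: data connections need not prove they share the control channel's TLS session"))
    if yes("allow_anon_ssl", "NO"):
        f.append(Finding("info", "allow_anon_ssl", "YES: anonymous sessions may use TLS"))
    if "ssl_ciphers" in conf:
        f.extend(_cipher_findings(conf["ssl_ciphers"]))
    else:
        f.append(Finding("medium", "ssl_ciphers", "not set: vsftpd's built-in default list applies"))
    cert = conf.get("rsa_cert_file", "/usr/share/ssl/certs/vsftpd.pem")
    key = conf.get("rsa_private_key_file") or cert   # unset: key is read from the cert file
    if key == cert:
        f.append(Finding("info", "rsa_private_key_file", "key lives in the certificate file; keep it mode 600"))
    if _readable_by_others(key):
        f.append(Finding("high", "rsa_private_key_file", f"{key} is readable by group or others"))
    if yes("debug_ssl", "NO"):
        f.append(Finding("info", "debug_ssl", "verbose TLS logging on; turn off once resolved"))
    return f
```

On the excerpt from the opening post it flags `require_ssl_reuse=NO` (data connections are no longer required to prove they belong to the authenticated control session) and `ssl_ciphers=HIGH` as broad; on the reply's list it flags `AES128-SHA` (static RSA key exchange, CBC with SHA-1) and notes that key and certificate share one file, which is why the `chmod 600` in the reply matters. Note that `ssl_ciphers` only governs TLS 1.2 and older suites in OpenSSL; the TLS 1.3 suite in the WinSCP log was negotiated independently of that setting.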