Definitive Guide To Setting Up FTPIS On Vsftpd
I have a new CentOS 7.4 (recently upgraded to 7.5) system that I have been struggling with in configuring vsftpd for FTPS Implicit (port 990).
(The latest instructions I’ve used are at: https://www.unixmen.com/configure-vsftpd-ssltls-CentOS-7/)
Using Filezilla client, I get:
Error: GnuTLS error -15: An unexpected TLS packet was received. Error: Could not connect to server
Using Core FTP LE:
SL/TLS error – 0, SSL error – 1, error:00000001:lib(0):func(0):reason(1)
SSL Connection not established
Using WinSCP:
TLS connect: error in SSLv2/v3 read server hello A
TLS connect: error in SSLv2/v3 read server hello A
Can’t establish TLS connection Disconnected from server
lftp from a remote Linux:
Fatal error: gnutls_handshake: An unexpected TLS packet was received.
Debugging, I get:
… GNUTLS: EXT[0x2aa440f42d0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x2aa440f42d0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x2aa440f42d0]: CLIENT HELLO was queued [268 bytes]
GNUTLS: REC[0x2aa440f42d0]: Preparing Packet Handshake(22) with length: 268 and min pad: 0
GNUTLS: ENC[0x2aa440f42d0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x2aa440f42d0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 273
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x2aa440f42d0]: SSL 48.48 Unknown Packet packet received. Epoch 0, length: 8271
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 53
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2757
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x2aa440f42d0]: Start of epoch cleanup
GNUTLS: REC[0x2aa440f42d0]: End of epoch cleanup
GNUTLS: REC[0x2aa440f42d0]: Epoch #0 freed
GNUTLS: REC[0x2aa440f42d0]: Epoch #1 freed
---- Closing control socket
TIA!
Frank M. Ramaekers Jr. | Systems Programmer | Information Technology | American Income Life Insurance Company | 254-761-6649 (732-6649)
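The "Unknown Packet" lines in the trace above can be decoded: record type 53, version 48.48 and length 8271 are the bytes 0x35 0x30 0x30 0x20 0x4F, i.e. the ASCII text "500 O", so the server answered the ClientHello with a plaintext FTP reply (vsftpd's "500 OOPS:" form) rather than a TLS ServerHello. The following Python is an added example, not code from the thread: it rebuilds those bytes from the trace lines and classifies what a server sends first; the probe function and its host/port arguments are assumptions.

```python
import re
import socket
from typing import List, Tuple

TLS_HANDSHAKE = 0x16                               # content type of a ServerHello record
PLAINTEXT_FTP = re.compile(rb"^[1-5]\d{2}[ -]")    # "220 ", "500 ", "530-" ...
_VERSION_LEN = re.compile(r"SSL (\d+)\.(\d+) Unknown Packet.*length: (\d+)")
_REC_TYPE = re.compile(r"unknown type (\d+)")

def reconstruct_record_header(rtype: int, major: int, minor: int, length: int) -> bytes:
    """Rebuild the five header bytes GnuTLS parsed: type(1) | version(2) | length(2, BE)."""
    return bytes([rtype, major, minor]) + length.to_bytes(2, "big")

def decode_gnutls_trace(lines: List[str]) -> bytes:
    """Pull type/version/length out of the 'Unknown Packet' and 'unknown type' lines."""
    joined = "\n".join(lines)
    vl, rt = _VERSION_LEN.search(joined), _REC_TYPE.search(joined)
    if not (vl and rt):
        raise ValueError("trace does not report an unknown record")
    major, minor, length = (int(g) for g in vl.groups())
    return reconstruct_record_header(int(rt.group(1)), major, minor, length)

def classify_first_bytes(data: bytes) -> str:
    """Is the server's first data a TLS record (what implicit FTPS needs) or plain FTP?"""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 3:
        return "tls-handshake"
    if PLAINTEXT_FTP.match(data):
        return "plaintext-ftp-reply"
    return "unknown"

def probe_implicit_ftps(host: str, port: int = 990, timeout: float = 5.0) -> Tuple[str, bytes]:
    """Read whatever the server volunteers before any ClientHello is sent.

    A healthy implicit-FTPS server waits for the client to speak first, so this
    normally returns ("unknown", b""); a plaintext "500 OOPS: ..." line means
    vsftpd aborted the session (e.g. on a config error) before TLS ever began.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(128)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data), data

# Constructed sample: the two decisive lines from the trace in the post above.
SAMPLE_TRACE = [
    "GNUTLS: REC[0x2aa440f42d0]: SSL 48.48 Unknown Packet packet received. Epoch 0, length: 8271",
    "GNUTLS: Received record packet of unknown type 53",
]
```

`decode_gnutls_trace(SAMPLE_TRACE)` yields `b"500 O"`, which `classify_first_bytes` reports as a plaintext FTP reply; the same check run live against port 990 tells you whether the daemon is speaking TLS at all before you start adjusting cipher or protocol settings.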
Here’s what I’m using. The tutorial site I used is currently down with a bandwidth exceeded warning, so I guess it must be quite popular.
I’m using LetsEncrypt certificates. My site domain is replaced with example.com. Use your own domain name there as registered with LetsEncrypt.
# see
# http://beginlinux.com/blog/2009/01/secure-ftp-with-ssl-on-CentOS/
rsa_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# limit pasv ports to range that iptables can check
# (the port numbers were garbled in the original post; fill in your own range)
pasv_min_port=<low end of passive port range>
pasv_max_port=<high end of passive port range>
# added 20120213 to deal with FileZilla 3.5.3 stricter cipher list
# see http://forum.filezilla-project.org/viewtopic.php?f=2&t#275
ssl_ciphers=HIGH
dual_log_enable=YES
allow_writeable_chroot=YES
user_sub_token=$USER
Followup:
I gave up on Implicit and configured vsftpd for Explicit; that revealed some configuration errors (displayed on the client, Filezilla in my case). I then corrected these errors, switched back to Implicit, and all is well.
Frank M. Ramaekers Jr.
Can you say what was wrong? That might help others who encounter the same problems or help improve the documentation on the settings.
Do you use etckeeper? It puts /etc under git revision control, so you easily check your configuration changes over time. It’s pretty easy to set up.
Well, it was a couple of parameters. chroot_username had an undefined user, and there was something else that I can’t seem to remember.
Best practice is to set up Explicit FTPS first, get it working, then add:
implicit_ssl=yes
listen_port