Hi!

I'm trying to figure out what's going wrong with a "simple" FTPS setup and VSFTPD.

I saw references on Google and tried, and tried, and tried... without success.

I'll start by explaining my situation: I have a WEB development server behind a firewall. It's currently only for the intranet. We now have an external company that will have to do a new website for us and we want them to access our development server securely.

Internally, we access it with regular FTP (we use DreamWeaver 8). In the references I saw, I'd just add the following lines and it is supposed to work:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Here are the previous lines in my vsftpd config:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

I generated the PEM cert with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

I tried to connect with FileZilla without luck. I heard that FileZilla may have a problem with vsftpd in FTPS mode, so I downloaded SmartFTP, which I read should be able to connect. When I try, I get this error message:

SSL/TLS client handshake failed (Error = 0x80090308)

Could anybody give me a pointer on this?

Thanks in advance and happy holidays to everybody!

Guy Boisvert, ing.
IngTegration inc.
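An added example (not code from the thread or from the vsftpd project) that lints the posted configuration for the FTPS-relevant directives and shows a corrected variant beside it. The directive names are real vsftpd options; both configs are constructed inline, and the pasv_min_port/pasv_max_port values are arbitrary. The passive-range check is there because once AUTH TLS encrypts the control channel, a firewall can no longer read PASV replies to open data ports on demand.

```shell
#!/bin/sh
# Lint a vsftpd.conf for the FTPS settings discussed in this thread. Added
# example, not from the thread or vsftpd; directive names are real options.
# Constructed sample 1: the posted FTPS lines on top of the posted base config.
POSTED_CONF='anonymous_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem'

# Constructed sample 2: same server with the weak settings corrected plus a
# fixed passive port range (arbitrary values) that the firewall can allow.
HARDENED_CONF='anonymous_enable=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
pasv_min_port=40000
pasv_max_port=40100'

# conf_get CONF KEY: value of the last KEY=VALUE line, empty if unset.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# lint_ftps CONF: one "WARN: ..." line per finding; prints nothing when clean.
lint_ftps() {
    c=$1
    if [ "$(conf_get "$c" ssl_enable)" != YES ]; then
        echo "WARN: ssl_enable is not YES, so the other ssl_* lines are inert"; return 0
    fi
    [ -n "$(conf_get "$c" rsa_cert_file)" ] || echo "WARN: rsa_cert_file is unset"
    [ "$(conf_get "$c" ssl_sslv2)" != YES ] || echo "WARN: ssl_sslv2=YES offers broken SSLv2; set NO"
    [ "$(conf_get "$c" ssl_sslv3)" != YES ] || echo "WARN: ssl_sslv3=YES offers SSLv3; set NO"
    [ "$(conf_get "$c" force_local_logins_ssl)" = YES ] || echo "WARN: force_local_logins_ssl=NO allows cleartext passwords"
    [ "$(conf_get "$c" force_local_data_ssl)" = YES ] || echo "WARN: force_local_data_ssl=NO allows cleartext file data"
    [ "$(conf_get "$c" anonymous_enable)" = NO ] || echo "WARN: anonymous_enable=YES on a server outsiders will reach"
    # With the control channel under TLS the firewall cannot read PASV replies, so it needs a known range.
    [ -n "$(conf_get "$c" pasv_min_port)" ] && [ -n "$(conf_get "$c" pasv_max_port)" ] ||
        echo "WARN: no pasv_min_port/pasv_max_port; firewall cannot open passive data ports"
}
lint_ftps "$POSTED_CONF"
```

Run against the posted config it prints five warnings; against the corrected config it prints nothing.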
On Fri, Dec 19, 2008, Guy Boisvert wrote:
> Hi!
>
> I'm trying to figure out what's going wrong with a "simple" FTPS setup
> and VSFTPD.
>
> I saw references on Google and tried, and tried, and tried... without
> success.
>
> I'll start by explaining my situation: I have a WEB development server
> behind a firewall. It's currently only for the intranet. We now have
> an external company that will have to do a new website for us and we
> want them to access our development server securely.
>
> Internally, we access it with regular FTP (we use DreamWeaver 8). In
> the references I saw, I'd just add the following lines and it is
> supposed to work:

As a rule, we require external developers to access our servers using OpenVPN, which provides a simple means of getting secure access without having to deal with multiple server components. The OpenVPN clients for Windows and OS X are simple to set up, well within the capabilities of the average web developer (which often aren't extensive :-).

Bill
--
INTERNET: bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186

Once at a social gathering, Gladstone said to Disraeli, "I predict, Sir, that you will die either by hanging or of some vile disease." Disraeli replied, "That all depends upon whether I embrace your principles or your mistress."
> > When I try, I get this error message:
> >
> > SSL/TLS client handshake failed (Error = 0x80090308)
> >
> > Could anybody give me a pointer on this?
>

I really hope you post the end fulfillment of this problem, as I want to do ssl with my vsftp and have not gotten around to it.

Have you tried just restarting vsftp? I also find that I had to play with the user list allow/deny to get mine to work right. Can you, if you take out the ssl stuff, access it via ftp normally?

-Bob
Guy Boisvert wrote:
> Hi!
>
> I'm trying to figure out what's going wrong with a "simple" FTPS setup
> and VSFTPD.
...
> When I try, I get this error message:
>
> SSL/TLS client handshake failed (Error = 0x80090308)

How are you trying to connect? What is the address you are referring to access? Can you use lftp with debug 9 and post the output?

> Could anybody give me a pointer on this?

Please take a look at: http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users

I would like to hear if this is useful to you.

Best Regards,
--
Alain Reguera Delgado <al at ciget.cienfuegos.cu>
GnuPG : http://ciget.cienfuegos.cu/~al/publickey.asc
I threw that configuration you posted on a working vsftpd (working without SSL) on CentOS 5 and can only confirm that it doesn't work. One obvious problem is port 990, as FTPS wants to connect via port 990. In FileZilla you can choose to use FTPES, which seems to connect to port 21 and force an SSL auth. This actually works, as you get the certificate displayed to accept it and you can log in. However, the directory listing fails. I tried changing to active, disallowing certain protocols, etc. It all fails at the same stage. The link posted (http://bugs.proftpd.org/show_bug.cgi?id=3094) seems to apply exactly to this situation. So, you simply will not be able to work with a newer FileZilla client against a vsftpd server without this patch.

Status: Connecting to 192.168.1.232:21...
Status: Connection established, waiting for welcome message...
Response: 220 FTP
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER kai
Status: TLS/SSL connection established.
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: AUTH SSL
Response: AUTH TLS
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: PBSZ
Response: PROT
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: 211 End
Command: PBSZ 0
Response: 200 PBSZ set to 0.
Command: PROT P
Response: 200 PROT now Private.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,232,75,253)
Command: LIST
Response: 150 Here comes the directory listing.
Status: Server did not properly shut down TLS connection
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Response: 226 Directory send OK.
Error: Failed to retrieve directory listing

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Guy Boisvert
> Sent: Friday, December 19, 2008 12:43 PM
> To: CentOS mailing list
> Subject: [CentOS] FTPS setup problem
>
> [...]
> When I try, I get this error message:
>
> SSL/TLS client handshake failed (Error = 0x80090308)
>
> Could anybody give me a pointer on this?

---------------
Why are they not using Dreamweaver to access the ftp site??? This can be done! Look at the top menus, Sites | Manage Sites | New | FTP or RDP | Then Choose SFTP in the Dropdown Box |.

JohnStanley
> John wrote:
>> He's testing it. Access with Dreamweaver may indeed work.
>> ----
>> Ahh, DW will connect to my ftp machine but I don't know about sftp. To me
>> it is just easier to use DW or Visual Studio internal ftp tools to manage a
>> site easier. I will try his config later on just to check it out with DW.
>>
>> JohnStanley
>
> ... and SFTP is not the same as FTPS.
>
> Actually, I tried with FileZilla (it seems to have an official bug with
> vsftpd and FTPS) and SmartFTP, and both had problems.
>
> So that's why I asked the question to the list. I dunno if I have
> something wrong with the config, or any other subtlety.

Try using FileZilla 3.0.11.1 and it will work perfectly with VSFTPD. There is an update to TLS in the newer clients that has not caught up on the server side of VSFTPD yet.

--
Dave Jones