CentOS - May 2018 - Definitive guide to setting up FTPIS on vsftpd

I have a new CentOS 7.4 (recently upgraded to 7.5) system that I have been
struggling with in configuring vsftpd for FTPS Implicit (port 990).
(The latest instructions I've used are at:
https://www.unixmen.com/configure-vsftpd-ssltls-centos-7/)

Using Filezilla client, I get:

Error:              GnuTLS error -15: An unexpected TLS packet was received.
Error:              Could not connect to server

Using Core FTP LE:

SL/TLS error - 0, SSL error - 1, error:00000001:lib(0):func(0):reason(1)
SSL Connection not established

Using WinSCP:

TLS connect: error in SSLv2/v3 read server hello A
TLS connect: error in SSLv2/v3 read server hello A
Can't establish TLS connection
Disconnected from server

lftp from a remote Linux:

Fatal error: gnutls_handshake: An unexpected TLS packet was received.

Debugging, I get:

...
GNUTLS: EXT[0x2aa440f42d0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x2aa440f42d0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x2aa440f42d0]: CLIENT HELLO was queued [268 bytes]
GNUTLS: REC[0x2aa440f42d0]: Preparing Packet Handshake(22) with length: 268 and
min pad: 0
GNUTLS: ENC[0x2aa440f42d0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x2aa440f42d0]: Sent Packet[1] Handshake(22) in epoch 0 and length:
273
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x2aa440f42d0]: SSL 48.48 Unknown Packet packet received. Epoch 0,
length: 8271
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 53
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2757
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x2aa440f42d0]: Start of epoch cleanup
GNUTLS: REC[0x2aa440f42d0]: End of epoch cleanup
GNUTLS: REC[0x2aa440f42d0]: Epoch #0 freed
GNUTLS: REC[0x2aa440f42d0]: Epoch #1 freed
---- Closing control socket

TIA!

Frank M. Ramaekers Jr. | Systems Programmer | Information Technology | American
Income Life Insurance Company | 254-761-6649 (732-6649)

----------------------------------------------------------------------
This message contains information which is privileged and confidential and is
solely for the use of the intended recipient. If you are not the intended
recipient, be aware that any review, disclosure, copying, distribution, or use
of the contents of this message is strictly prohibited. If you have received
this in error, please destroy it immediately and notify us at PrivacyAct at
torchmarkcorp.com.

On 5/31/2018 8:01 AM, Frank M. Ramaekers wrote:
> I have a new CentOS 7.4 (recently upgraded to 7.5) system that I have been
struggling with in configuring vsftpd for FTPS Implicit (port 990).
> (The latest instructions I've used are
at:https://www.unixmen.com/configure-vsftpd-ssltls-centos-7/)
Here's what I'm using. The tutorial site I used is currently down with a
bandwidth exceeded warning, so I guess it must be quite popular.

I'm using LetsEncrypt certificates. My site domain is replaced with 
example.com. Use your own domain name there as registered with LetsEncrypt.

# see
# http://beginlinux.com/blog/2009/01/secure-ftp-with-ssl-on-centos/

rsa_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

# limit pasv ports to range that iptables can check
pasv_min_port=6900
pasv_max_port=6969

# added 20120213 to deal with FileZilla 3.5.3 stricter cipher list
# see http://forum.filezilla-project.org/viewtopic.php?f=2&t=23275
ssl_ciphers=HIGH

dual_log_enable=YES

allow_writeable_chroot=YES
user_sub_token=$USER

Followup:

I gave up on the Implicit and configured vsftpd for Explicit, that revealed some
configuration errors (displayed on the client, Filezilla in my case).   I then
corrected these errors and switched back to Implicit and all is well.

Frank M. Ramaekers Jr.

-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Kenneth Porter
Sent: Thursday, May 31, 2018 12:18 PM
To: centos at centos.org
Subject: Re: [CentOS] Definitive guide to setting up FTPIS on vsftpd

On 5/31/2018 8:01 AM, Frank M. Ramaekers wrote:
> I have a new CentOS 7.4 (recently upgraded to 7.5) system that I have been
struggling with in configuring vsftpd for FTPS Implicit (port 990).
> (The latest instructions I've used are 
> at:https://urldefense.proofpoint.com/v2/url?u=https-3A__www.unixmen.co
>
m_configure-2Dvsftpd-2Dssltls-2Dcentos-2D7_&d=DwICAg&c=laxeQK7vPmHfouI
> IPNyCfbQd49eK3u00U8Jdo0RFvts&r=EOaM1MkMLG24_TOy4m7EdDoX0CP9-c0YJ2kTdea
>
gcqQ&m=pOhXDNk2HbQgZLcLf-QR_SwfNLQr4nYWByJ7xBAEhzo&s=MIMN2O4U1bk8mfuZf
> mBjQkQ6zM-uOHJ2XrMyrqs_U3E&e=)
Here's what I'm using. The tutorial site I used is currently down with a
bandwidth exceeded warning, so I guess it must be quite popular.

I'm using LetsEncrypt certificates. My site domain is replaced with
example.com. Use your own domain name there as registered with LetsEncrypt.

# see
#
https://urldefense.proofpoint.com/v2/url?u=http-3A__beginlinux.com_blog_2009_01_secure-2Dftp-2Dwith-2Dssl-2Don-2Dcentos_&d=DwICAg&c=laxeQK7vPmHfouIIPNyCfbQd49eK3u00U8Jdo0RFvts&r=EOaM1MkMLG24_TOy4m7EdDoX0CP9-c0YJ2kTdeagcqQ&m=pOhXDNk2HbQgZLcLf-QR_SwfNLQr4nYWByJ7xBAEhzo&s=BtdOGrSrWbyXnhcXRGrpjCnjzIHLoKYhtVyCn7OhEWQ&e
rsa_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

# limit pasv ports to range that iptables can check
pasv_min_port=6900
pasv_max_port=6969

# added 20120213 to deal with FileZilla 3.5.3 stricter cipher list # see
https://urldefense.proofpoint.com/v2/url?u=http-3A__forum.filezilla-2Dproject.org_viewtopic.php-3Ff-3D2-26t-3D23275&d=DwICAg&c=laxeQK7vPmHfouIIPNyCfbQd49eK3u00U8Jdo0RFvts&r=EOaM1MkMLG24_TOy4m7EdDoX0CP9-c0YJ2kTdeagcqQ&m=pOhXDNk2HbQgZLcLf-QR_SwfNLQr4nYWByJ7xBAEhzo&s=IKSWGNlSjgyMbNAv1TsKXFqj_bECF2hyTJWq54tUOhc&essl_ciphers=HIGH

dual_log_enable=YES

allow_writeable_chroot=YES
user_sub_token=$USER

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.centos.org_mailman_listinfo_centos&d=DwICAg&c=laxeQK7vPmHfouIIPNyCfbQd49eK3u00U8Jdo0RFvts&r=EOaM1MkMLG24_TOy4m7EdDoX0CP9-c0YJ2kTdeagcqQ&m=pOhXDNk2HbQgZLcLf-QR_SwfNLQr4nYWByJ7xBAEhzo&s=LtJPbS9khXrxKH7BPWHAXtuV3IuYDmFY4q_KSl7TaVI&e
----------------------------------------------------------------------
This message contains information which is privileged and confidential and is
solely for the use of the intended recipient. If you are not the intended
recipient, be aware that any review, disclosure, copying, distribution, or use
of the contents of this message is strictly prohibited. If you have received
this in error, please destroy it immediately and notify us at PrivacyAct at
torchmarkcorp.com.