Frank M. Ramaekers
2018-May-31 15:01 UTC
[CentOS] Definitive guide to setting up FTPIS on vsftpd
I have a new CentOS 7.4 (recently upgraded to 7.5) system that I have been struggling with in configuring vsftpd for FTPS Implicit (port 990). (The latest instructions I've used are at: https://www.unixmen.com/configure-vsftpd-ssltls-centos-7/)

Using Filezilla client, I get:
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server

Using Core FTP LE:
SL/TLS error - 0, SSL error - 1, error:00000001:lib(0):func(0):reason(1)
SSL Connection not established

Using WinSCP:
TLS connect: error in SSLv2/v3 read server hello A
TLS connect: error in SSLv2/v3 read server hello A
Can't establish TLS connection
Disconnected from server

lftp from a remote Linux:
Fatal error: gnutls_handshake: An unexpected TLS packet was received.

Debugging, I get:
...
GNUTLS: EXT[0x2aa440f42d0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x2aa440f42d0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x2aa440f42d0]: CLIENT HELLO was queued [268 bytes]
GNUTLS: REC[0x2aa440f42d0]: Preparing Packet Handshake(22) with length: 268 and min pad: 0
GNUTLS: ENC[0x2aa440f42d0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x2aa440f42d0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 273
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: ASSERT: gnutls_buffers.c:588
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x2aa440f42d0]: SSL 48.48 Unknown Packet packet received. Epoch 0, length: 8271
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 53
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2757
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x2aa440f42d0]: Start of epoch cleanup
GNUTLS: REC[0x2aa440f42d0]: End of epoch cleanup
GNUTLS: REC[0x2aa440f42d0]: Epoch #0 freed
GNUTLS: REC[0x2aa440f42d0]: Epoch #1 freed
---- Closing control socket

TIA!

Frank M. Ramaekers Jr. | Systems Programmer | Information Technology | American Income Life Insurance Company | 254-761-6649 (732-6649)
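The GnuTLS trace above reports the first bytes it got back from port 990 as a record of type 53, version 48.48, length 8271. Those are the five bytes a TLS record header would occupy, and reading them as ASCII gives "500 O", the start of a plaintext FTP 5xx reply rather than a ServerHello. The following is an added example, not code from the thread: it rebuilds those bytes from the debug values and classifies a server's first bytes as TLS or plaintext; `probe()` is an assumed helper for running the same check against a live host.

```python
import socket
import string

TLS_HANDSHAKE = 0x16                      # TLS ContentType for handshake records (ServerHello)
PRINTABLE = set(string.printable.encode())  # byte values that look like text, not TLS

def header_from_gnutls_debug(rec_type: int, major: int, minor: int, length: int) -> bytes:
    """Rebuild the five bytes GnuTLS parsed as a record header.

    GnuTLS logs 'SSL <major>.<minor> ... type <rec_type> ... length: <length>';
    the header layout is type(1) | version(2) | length(2, big-endian)."""
    return bytes([rec_type, major, minor]) + length.to_bytes(2, "big")

def classify_greeting(data: bytes) -> dict:
    """Decide whether the first bytes a client received are a TLS record or a
    plaintext FTP reply (the 'unexpected TLS packet' case)."""
    if len(data) < 5:
        return {"kind": "short", "text": None}
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return {"kind": "tls", "version": f"3.{data[2]}",
                "length": int.from_bytes(data[3:5], "big"), "text": None}
    if all(b in PRINTABLE for b in data):
        text = data.decode("ascii")
        code = text[:3] if text[:3].isdigit() else None   # FTP reply code, e.g. 500
        return {"kind": "plaintext", "ftp_code": code, "text": text}
    return {"kind": "unknown", "text": None}

def probe(host: str, port: int = 990, timeout: float = 5.0) -> dict:
    """Assumed helper: open a plain TCP connection and classify whatever arrives first.
    A TLS server sends nothing until it has seen a ClientHello, so any unprompted
    bytes on port 990 mean the listener is not speaking TLS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(64)
        except socket.timeout:
            return {"kind": "silent", "text": None}
    return classify_greeting(data)

if __name__ == "__main__":
    # Values taken from the GnuTLS debug lines in the thread, not from a live connection.
    header = header_from_gnutls_debug(53, 48, 48, 8271)
    print(header, classify_greeting(header))   # b'500 O' {'kind': 'plaintext', ...}
```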
Kenneth Porter
2018-May-31 17:17 UTC
[CentOS] Definitive guide to setting up FTPIS on vsftpd
On 5/31/2018 8:01 AM, Frank M. Ramaekers wrote:
> I have a new CentOS 7.4 (recently upgraded to 7.5) system that I have been struggling with in configuring vsftpd for FTPS Implicit (port 990).
> (The latest instructions I've used are at: https://www.unixmen.com/configure-vsftpd-ssltls-centos-7/)

Here's what I'm using. The tutorial site I used is currently down with a bandwidth exceeded warning, so I guess it must be quite popular. I'm using LetsEncrypt certificates. My site domain is replaced with example.com. Use your own domain name there as registered with LetsEncrypt.

# see
# http://beginlinux.com/blog/2009/01/secure-ftp-with-ssl-on-centos/
rsa_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# limit pasv ports to range that iptables can check
pasv_min_port=6900
pasv_max_port=6969
# added 20120213 to deal with FileZilla 3.5.3 stricter cipher list
# see http://forum.filezilla-project.org/viewtopic.php?f=2&t=23275
ssl_ciphers=HIGH
dual_log_enable=YES
allow_writeable_chroot=YES
user_sub_token=$USER
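The fragment above is worth reading with implicit mode in mind: vsftpd only listens for TLS-on-connect when implicit_ssl=YES is set (it defaults to NO) and listen_port is moved to 990, and ssl_sslv2/ssl_sslv3=YES together with force_local_*_ssl=NO allow obsolete protocols and plaintext logins. This added example (not from the thread) parses a vsftpd.conf fragment and reports those posture issues; the sample input is the posted configuration with its comments trimmed.

```python
# Sample input: the configuration fragment posted in the thread (comment lines trimmed).
SAMPLE_CONF = """\
rsa_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# limit pasv ports to range that iptables can check
pasv_min_port=6900
pasv_max_port=6969
ssl_ciphers=HIGH
"""

def parse_vsftpd_conf(text: str) -> dict:
    """vsftpd.conf is one option=value per line; '#' starts a comment; later lines win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def review_ftps(conf: dict) -> list:
    """Return findings about the TLS posture of a parsed vsftpd configuration."""
    def yes(key: str, default: str = "NO") -> bool:
        return conf.get(key, default).upper() == "YES"

    if not yes("ssl_enable"):
        return ["ssl_enable is off: no FTPS at all"]
    findings = []
    # Implicit FTPS needs implicit_ssl=YES and a listener on 990; neither is the default.
    if not yes("implicit_ssl"):
        findings.append("explicit FTPS only: implicit_ssl is not set (default NO)")
    elif conf.get("listen_port", "21") != "990":
        findings.append(f"implicit_ssl=YES but listen_port={conf.get('listen_port', '21')}, not 990")
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if yes(proto):
            findings.append(f"{proto}=YES enables an obsolete protocol; set it to NO")
    # Both force_local_* options default to YES; NO lets clients log in or transfer in the clear.
    for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not yes(opt, "YES"):
            findings.append(f"{opt}=NO permits unencrypted {opt.split('_')[2]}")
    return findings
```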
Frank M. Ramaekers
2018-Jun-06 14:08 UTC
[CentOS] Definitive guide to setting up FTPIS on vsftpd
Followup: I gave up on the Implicit and configured vsftpd for Explicit, which revealed some configuration errors (displayed on the client, Filezilla in my case). I then corrected these errors and switched back to Implicit and all is well.

Frank M. Ramaekers Jr.