Mike Leone on 22 Jan 2010 16:53:44 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Implicit SSL with vsftpd?

George A. Theall had this to say:
> On Fri, Jan 22, 2010 at 12:49:00PM -0500, Mike Leone wrote:
>> I need to set up a secure FTP server for our DMZ. So I set up vsftpd and 
>> activated SSL, and enforced only SSL connections. And that all works 
>> well. I used Filezilla (on Windows), and specified a FTP over explicit 
>> SSL connection.
> ...
>> What that means is that the client connects on port 21. And my firewall 
>> guy doesn't want to leave port 21 open, he wants 990 (which is implicit 
>> SSL). So I changed the vsftpd config to
> You seem to be mixing explicit and implicit FTP. 

I'm not mixing; I wanted explicit, which worked with minimal config 
changes, either to the firewall or the FTP server config. He wanted 
implicit, which isn't working as easily. My client (Filezilla) can do 

> The former requires
> that you explicitly request the connect continue over TLS (eg, with an
> 'AUTH TLS' command) after connecting over an unencrypted channel; the
> latter that you handle SSL / TLS negotiation from the get-go. 

Right. And the former works without fail every time, and the latter does 
not. Not for me, anyway.

>> listen_port=990
>> and restarted it. And tried connecting again, this time specifying FTP 
>> over implicit SSL (which defaults to using port 990 to connect to).
> Doesn't that just tell vsftpd to listen on a specific port? Have you
> actually enabled SSL support and defined certs?

Yes; explicit SSL connections works perfectly. So SSL support is enabled 
in the FTP server (in fact, SSL is required) and a cert is defined.

We eventually decided to just use explicit SSL. Since the SSL encryption 
takes place before logging into the FTP server, the ID and password are 
encrypted, as is the data stream. And the client is chrooted, and 
downloads are disabled. This is pretty good security, for our needs. So 
this has now become a moot point.

Thanks everyone.

> George

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug