# Connection failed in vsftpd with SSL

## punkid

Hi all,

I just followed the wiki's instructions, trying to secure my vsftpd server with SSL, but it failed to connect. It used to work without SSL encryption.

Here's the gftp error log:

```
521 Data connections must be encrypted.
Invalid response '5' received from server.
```

And here's the SSL section of the vsftpd.conf:

```
ssl_enable=YES
#choose what you like, if you accept anon-connections
# you may want to enable this
allow_anon_ssl=NO
#choose what you like,
# it's a matter of performance i guess
#force_local_data_ssl=NO
#choose what you like
force_local_logins_ssl=YES
#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
```

Can anyone tell me what's the problem?

----------

## bunder

Silly question, was it working before you tried turning on ssl?

----------

## punkid

Yes, it did work.

----------

## bunder

Do the vsftp logs say anything that gftp isn't reporting? :Confused:

----------

## punkid

The vsftpd log shows the lines below. It looks like I had succeeded in connecting to the ftp server, but actually I didn't.

```
Thu Oct 25 13:24:19 2007 [pid 18643] CONNECT: Client "myip"
Thu Oct 25 13:24:19 2007 [pid 18642] [ftp] OK LOGIN: Client "myip"
```

----------

## transient

The server is working fine, it's gftp that's having problems.

The server wants an encrypted data line as well as an encrypted command line, and gftp isn't doing that.

----------

## bunder

 *transient wrote:*   

> The server is working fine, it's gftp that's having problems.
> 
> The server wants an encrypted data line as well as an encrypted command line, and gftp isn't doing that.

 

If that is true, other clients should work... have you tried others?

Cheers

----------

## punkid

I tried kftpgrabber and the command tool lftp; they all failed to connect.

So if

 *Quote:*   

> The server wants an encrypted data line as well as an encrypted command line

 

Is there anything I need to do on the client side?

----------

## punkid

Finally I got things to work by enabling only one of ssl_tlsv1, ssl_sslv2 and ssl_sslv3.

----------

## punkid

 *punkid wrote:*   

> Finally I got things to work by enabling only one of ssl_tlsv1, ssl_sslv2 and ssl_sslv3.

 

Oops, looks like I was wrong.

I reconfigured my vsftpd.conf and disabled force_local_data_ssl; then it works with kftpgrabber, but not lftp. lftp always tells me to reconnect.

Here's my new vsftpd.conf ssl section:

```
#this is important
ssl_enable=YES
#choose what you like, if you accept anon-connections
# you may want to enable this
allow_anon_ssl=NO
#choose what you like,
# it's a matter of performance i guess
force_local_data_ssl=NO
#choose what you like
force_local_logins_ssl=YES
#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
```

----------

## transient

Only enable the TLS1 option, it's better than the SSL ones.

Also, are you using anonymous logins?

----------

## punkid

 *transient wrote:*   

> Only enable the TLS1 option, it's better than the SSL ones.
> 
> Also, are you using anonymous logins?

 

I did what you said, but lftp still failed.

I'm using a local user, and disabled the whole anonymous thing.

----------

## transient

Well, all I can tell you is that vsftpd is working correctly...

Are you telling lftp to use a ftps:// URL rather than a ftp:// one?

And what error is it giving you?

Apart from that I'm starting to run out of ideas -_-

----------

## punkid

I'm running lftp with this command:

```
lftp ftps://ftp@myftpserver
```

But it still doesn't work :Sad:

----------

## transient

 *transient wrote:*   

> And what error is it giving you?

 

----------

## punkid

Here's what I get:

```
lftp ftp@myftpserver:~> ls
`ls' at 0 [Delaying before reconnect: 52]
```

----------
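
Added example, not part of the thread and not vsftpd's own code: a Python check that applies the defaults documented in vsftpd.conf(5) to the two configurations posted above. It shows why the first one still demanded an encrypted data connection (the commented-out force_local_data_ssl line leaves the default, YES, in force) and what the second one gives up; the function names and finding codes are made up for this illustration.

```python
# Added example. Defaults are those documented in vsftpd.conf(5) for these options.
DEFAULTS = {"ssl_enable": "NO", "allow_anon_ssl": "NO",
            "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES",
            "ssl_tlsv1": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO"}

def effective_settings(conf_text):
    """Return the options vsftpd would act on; commented-out lines fall back to defaults."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in settings:
            settings[key] = value.strip().upper()
    return settings

def review(conf_text):
    """Return (code, message) findings for the SSL section of a vsftpd.conf."""
    s = effective_settings(conf_text)
    if s["ssl_enable"] != "YES":
        return [("SSL_OFF", "ssl_enable is not YES; control and data channels are cleartext")]
    findings = []
    if s["force_local_data_ssl"] == "YES":
        findings.append(("DATA_TLS_REQUIRED", "local users must encrypt the data connection; "
                         "a client that does not gets 'Data connections must be encrypted.'"))
    else:
        findings.append(("DATA_CLEARTEXT_ALLOWED", "logins are protected but listings and "
                         "file contents may cross the network unencrypted"))
    if s["force_local_logins_ssl"] != "YES":
        findings.append(("LOGIN_CLEARTEXT_ALLOWED", "passwords may be sent in cleartext"))
    for opt in ("ssl_sslv2", "ssl_sslv3"):
        if s[opt] == "YES":
            findings.append(("LEGACY_PROTOCOL", opt + "=YES enables an obsolete protocol"))
    return findings

# Sample input: option lines of the two configs posted in the thread (most comments dropped).
FIRST_CONF = """ssl_enable=YES
allow_anon_ssl=NO
#force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""
SECOND_CONF = FIRST_CONF.replace("#force_local_data_ssl=NO", "force_local_data_ssl=NO")

if __name__ == "__main__":
    for name, conf in (("first", FIRST_CONF), ("second", SECOND_CONF)):
        print(name, review(conf))
```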

