# vsftpd - SSL_read or login incorrect [SOLVED, finally]

## salmonix

Hi there, 

I have a vsftpd server. All went fine, but after an upgrade I receive complaints about connection. The traffic is low so the problem occurred sometime after some upgrade. I can't recall. We are behind a firewall but that is opened for us properly.

The vsftpd.conf:

 *Quote:*   

> listen=YES
> 
> nopriv_user=ftpsecure
> 
> connect_from_port_20=YES
> ...

 

The /etc/pam.d/vsftpd file is

 *Quote:*   

> auth     required  pam_listfile.so item=user sense=allow file=/etc/vsftpd/vsftp_users  onerr=succeed
> 
> auth     include   system-auth
> 
> account  include   system-auth
> ...

 

The users are listed in /etc/vsftpd/vsftp_users file.

If I attempt connection with a regular user that has shell 'nologin' and not chrooted, I receive the following error from vsftpd:

 *Quote:*   

> Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "220 Welcome to MY service"
> 
> Sat May 12 08:16:02 2012 [pid 5240] FTP command: Client "****", "FEAT"
> 
> Sat May 12 08:16:02 2012 [pid 5240] FTP response: Client "****", "211-Features:"
> ...

 

lftp says this:

 *Quote:*   

> ---- Connecting to SERVERIP
> 
> <--- 220 Welcome to MY service
> 
> ---> FEAT
> ...

 

Now, commenting pam service out in vsftpd (or removing the pam.d/vsftpd file) the end of the error message changes - lftp:

 *Quote:*   

> <--- 200 Always in UTF8 mode.
> 
> ---> USER test
> 
> <--- 331 Please specify the password.
> ...

 

- vsftpd.log:

 *Quote:*   

> Sat May 12 08:27:28 2012 [pid 5323] [test] FTP response: Client "87.97.59.12", "331 Please specify the password."
> 
> Sat May 12 08:27:28 2012 [pid 5323] [test] FTP command: Client "87.97.59.12", "PASS <password>"
> 
> Sat May 12 08:27:28 2012 [pid 5322] [test] OK LOGIN: Client "87.97.59.12"
> ...

 

So, it seems that connection is ok for vsftpd. Lftp has

> set ssl:verify-certificate off

due to the self-signed certificate we use.

Unfortunately, no other clients can connect.

----------

## salmonix

Well, I have not gotten closer to anything. From an ArchLinux ( x86_64 ) lftp I have this error:

 *Quote:*   

> ls: Fatal error: gnutls_record_recv: An unexpected TLS packet was received.

 

I have found a blog entry with a similar problem perhaps, but I have the same error after removing gnutls from the server. (Nothing depends on it.) And unfortunately I am not that expert with openssl issues.

Any idea?

----------

## salmonix

Now, the error message is absolutely misleading. On filezilla I received 

 *Quote:*   

> Error:    GnuTLS error -8: A record packet with illegal version was received.
> 
> Error:    Could not connect to servere

 

and googling this line I ended up with the idea of testing vsftpd without ssl. This dropped me the real problem: vsftpd could not find the chroot_list file. According to the man page it is in /etc/ by default - I have not changed it with the chroot_list_file option -, but vsftpd was looking for it in the /etc/vsftpd/ directory.

Creating the file the error is gone and ssl goes again.

Conclusion: Do not trust the error message. Go w/o ssl and see what is happening.

----------

## lanthruster

Ran into the same problem, the misleading client's messages and absence of information in vsftpd.log are still there with vsftpd 3.0.2-r2.

Thanks for finding it out.

 *salmonix wrote:*   

> Now, the error message is absolutely misleading. On filezilla I received 
> 
>  *Quote:*   Error:    GnuTLS error -8: A record packet with illegal version was received.
> 
> Error:    Could not connect to servere 
> ...

 

----------

## archenroot

I faced:

Error:	GnuTLS error -15: An unexpected TLS packet was received.

Error:	Could not connect to server

with solution to:

https://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/

In general, any issue reported as a GnuTLS error in the client should be examined first by trying to disable SSL, as it seems like it is hiding all standard faults.

It is strange that with different underlying root causes a different specific GnuTLS error is reported. I am happy it is working, but would like to see the packet content for these issues....

----------
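Added example (not from any poster in this thread): a small Python classifier for the first bytes a TLS client reads where it expects a record header, showing how an ASCII FTP reply decodes as a bogus content type and version. It assumes the server wrote a plaintext reply such as `500 OOPS: ...` onto the connection, which the thread does not confirm; `classify_record` and the sample bytes are constructed for illustration.

```python
import re
import struct

# TLS record content types (RFC 8446 section 5.1, plus RFC 6520 heartbeat).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data", 24: "heartbeat"}
# An FTP reply line starts with three digits and a space or hyphen.
FTP_REPLY = re.compile(rb"^([1-5]\d\d)[ -]([^\r\n]*)")


def classify_record(data: bytes) -> dict:
    """Interpret the bytes a TLS client read where it expected a record."""
    if len(data) < 5:
        return {"kind": "short", "detail": "fewer than 5 header bytes"}
    # Record header: 1-byte type, 2-byte version, 2-byte length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    header = {"type": ctype, "version": (major, minor), "length": length}
    reply = FTP_REPLY.match(data)
    if reply:
        # ASCII digits land in the type and version fields: '5' is 0x35 and
        # '0' is 0x30, so "500 " parses as type 53 with version 48.48.
        return {"kind": "plaintext_ftp_reply", "header": header,
                "code": int(reply.group(1)),
                "detail": reply.group(2).decode("ascii", "replace")}
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3:
        return {"kind": "tls_record", "header": header,
                "detail": TLS_CONTENT_TYPES[ctype]}
    return {"kind": "unknown", "header": header, "detail": data[:16].hex()}


if __name__ == "__main__":
    # Constructed samples, not captures from the thread. The first is
    # modelled on the title of the article linked above.
    samples = [
        b"500 OOPS: vsftpd: refusing to run with writable root inside chroot()\r\n",
        bytes.fromhex("1703030020") + bytes(32),  # application_data header
    ]
    for raw in samples:
        print(classify_record(raw))
```

Feeding it the raw bytes from a packet capture of the failing control connection gives the server text that the TLS client hides behind its record-layer error.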

