# Vsftpd + ssl

## Thavian

Hey guys, I have VSFTPD up and running with local accounts and all is working correctly without any SSL. I'm now trying to add in SSL support (it is already compiled in; I'm just enabling it in the config).

```
root:ldd /usr/sbin/vsftpd
        linux-gate.so.1 =>  (0xffffe000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7f48000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7f33000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7f2b000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f27000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7f14000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7f10000)
        libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7edf000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7dda000)
        libc.so.6 => /lib/libc.so.6 (0xb7cbc000)
        /lib/ld-linux.so.2 (0xb7f55000)
```

I have followed the howto on the gentoo-wiki http://gentoo-wiki.com/HOWTO_vsftpd#Using_SSL_to_Secure_FTP

The problem I get is when I put in the SSL config 

```
#this is important
ssl_enable=YES
#choose what you like, if you accept anon-connections
# you may want to enable this
# allow_anon_ssl=NO
#choose what you like,
# it's a matter of performance i guess
# force_local_data_ssl=NO
#choose what you like
force_local_logins_ssl=YES
#you should at least enable this if you enable ssl...
ssl_tlsv1=YES
#choose what you like
ssl_sslv2=YES
#choose what you like
ssl_sslv3=YES
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
```

The init script fails to start at that point. openssl says the pem file is fine. I have tried taking out all the ssl config data and leaving only ssl_enable=YES and it still fails. I see nothing in my /var/log/vsftpd.log.

Any ideas on why this might be failing or why I see nothing in the log?

Here is the config file as well.

```
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=FTP server
chroot_local_user=YES
ls_recurse_enable=YES
chmod_enable=NO
# FAILS TO START WHEN THIS CONFIG BLOCK IS UNCOMMENTED
#ssl_enable=YES
#allow_anon_ssl=NO
## force_local_data_ssl=NO
#force_local_logins_ssl=YES
#ssl_tlsv1=YES
#ssl_sslv2=YES
#ssl_sslv3=YES
#rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
```

Thanks for any help!
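The config above points both rsa_cert_file and rsa_private_key_file at one combined PEM. The following script is an added example, not from the thread or the vsftpd project: it checks that such a file holds both a certificate and a key, that the two actually belong together, and that a file containing a private key is not readable by anyone but its owner (it lives under /etc/ssl/certs/, which is normally world-readable). It assumes an RSA key, that openssl is on the PATH, and GNU find for the permission test.

```shell
#!/bin/sh
# Added example: pre-flight checks for a combined cert+key PEM used as both
# rsa_cert_file and rsa_private_key_file. Assumes an RSA key, openssl on the
# PATH and GNU find (-perm /mode). Usage: sh check_vsftpd_pem.sh /path/to/vsftpd.pem

# Does the file carry both a certificate block and a private-key block?
pem_has_blocks() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -e '-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Do the certificate and the key belong together? A PEM that "openssl says is
# fine" can still pair a certificate with the wrong key; compare the RSA moduli.
pem_key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# The file holds a private key, so no group/other permission bit should be set.
pem_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm /077 2>/dev/null)" ]
}

# Run every check, report each result, and return non-zero if any failed.
run_checks() {
    pem="$1"; rc=0
    [ -r "$pem" ] || { echo "cannot read $pem"; return 1; }
    pem_has_blocks "$pem"       && echo "ok: cert and key blocks present" \
                                || { echo "MISSING: cert or key block in $pem"; rc=1; }
    pem_key_matches_cert "$pem" && echo "ok: key matches certificate" \
                                || { echo "MISMATCH: key does not match cert"; rc=1; }
    pem_is_private "$pem"       && echo "ok: mode is owner-only" \
                                || { echo "WEAK: key is readable by group/other"; rc=1; }
    return $rc
}

# Only run when a path is given, so the functions can also be sourced.
[ -n "$1" ] && run_checks "$1"
```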

----------

## meka

Same HOWTO used but different problem. Gftp says:

```
Error 18:self signed certificate
```

It sounds crazy but is vsftpd supposed to work only with certificates signed by thawte and similar?

----------

## baeksu

http://www.brennan.id.au/14-FTP_Server.html has a walkthrough towards the end of the page to enabling and creating an ssl certificate for vsftpd.

Since it's a self-signed certificate, connection will be iffy, as the client should support not only ssl, but also accept self-signed certificates.

According to the same page, gftp should have an option to disable "Verify SSL Peer", which would make it accept self-signed certificates.

----------

## think4urs11

*meka wrote:*

> Same HOWTO used but different problem. Gftp says:
> 
> ```
> Error 18:self signed certificate
> ```
> ...

No, it just tells you that gftp isn't able to verify the certificate of the server because it doesn't know the CA who signed it.

Import the CA certificate on your box and it should work (if gftp supports this).

----------

