vsftpd and SSL

This howto describes how to configure vsftpd to enable SSL using so-called intermediate (chaining) certificates, i.e. a server certificate that was not signed directly by a root CA, so the server has to send the intermediate CA certificates along with its own for clients to be able to verify it.

Edit vsftpd.conf so that SSL is enabled:

ssl_enable=YES
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
force_local_data_ssl=NO
force_local_logins_ssl=NO

With the two force_local_* options set to NO, vsftpd offers SSL but does not require it, so local users can still log in and transfer data in the clear. Once all your clients can do TLS, set both to YES to refuse unencrypted logins and data connections.

It is very important to build the certificate file /usr/share/ssl/certs/vsftpd.pem with the certificates in the correct order. The file has to be in PEM format. If you also received an intermediate certificate, concatenate your domain certificate, the intermediate certificate(s) and your private key into one single .pem file, in this order: your own certificate first, then the intermediate that signed it, then the intermediate that signed that one, and so on (each certificate is the issuer of the one before it; in the example below, chaining certificate 3 signed your certificate, 2 signed 3 and 1 signed 2), and the private key last. Make sure every block is complete, with its full -----BEGIN and -----END lines, and that no spaces or blank lines are inserted inside a block, see below. Because the file contains the private key, it must be readable by root only. (If you prefer to keep the key in a separate file, point rsa_private_key_file at it instead.)

-----BEGIN CERTIFICATE-----
(your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 3)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 2)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 1)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(your_domain_name.key)
-----END RSA PRIVATE KEY-----

This is how to check an SSL-enabled FTP service (FTPS) with lftp. In the debug output below the certificate chain is verified once on the control connection (after AUTH TLS) and once more on the data connection, because ftp:ssl-protect-data is set and PROT P was sent. See the result below:

$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"
Password:
---- Connecting to ftp.student.vu.nl (130.37.129.243) port 21
<--- 220 Welcome to the Storage FTP service.
---> FEAT
<--- 211-Features:
<--- AUTH SSL
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- UTF8
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
 Issued by: C=NL,O=TERENA,CN=TERENA SSL CA
 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
 Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
 Issued by: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Trusted
<--- 200 Always in UTF8 mode.
---> USER xxx330
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (130,37,129,243,196,139).
---- Connecting data socket to (130.37.129.243) port 50315
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
 Issued by: C=NL,O=TERENA,CN=TERENA SSL CA
 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
 Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
 Issued by: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Trusted
---- Got EOF on data connection
---- Closing data socket
drwxrwsr-x    3 72745    513          4096 Oct 23 14:28 public_html
<--- 226 Directory send OK.
---> QUIT
---- Closing control socket
$