FTP server with vsftpd: configuring SSL/TLS

PrStirling · Aug 2, 2015 · Viewed 8.4k times

I am setting up my own FTP server on a Raspberry Pi (OS: Debian Wheezy). I have installed vsftpd, and I wanted to secure it with SSL/TLS (it worked well when SSL was disabled).

[following sections were edited]

I followed the tutorial here: http://crunchtools.com/vsftpd-ssl/. I tried a connection with FileZilla, but I had the error:

Status: Connecting to 192.168.1.17:21...
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 2.3.5)
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Error: Received TLS alert from the server: Handshake failed (40)
Error: Could not connect to server

My Raspberry Pi and my PC are on the same LAN: I typed ftpes://192.168.1.17 in the FTP field in FileZilla. This is the Raspberry Pi's local IP address.

A solution might be sftp (it works), but I don't want to use the ssh port for that.

Edit: I tried WinSCP, and it worked. So the problem comes from FileZilla. I typed the following command to generate the cert file:
openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
and it seems to be secure. I am checking the encryption algorithms supported by FileZilla.

Thank you

Answer

Shi · Aug 2, 2015

Have a look at the description about the difference between FTPS and FTPES (this applies to servers and to clients). I do not know vsftpd, but it might be using implicit FTPS, so you should prefix the host with ftps:// when using FileZilla.

If in doubt, use netstat -a on your Raspberry Pi and check for the listening ports and for the interfaces they are bound to. You can give an explicit port in FileZilla as well, in case you have a non-standard setup.

If vsftpd is not listening on any port, have a look at /var/log/syslog on your Raspberry Pi. Error messages are usually logged there. If vsftpd has its own log file, check that one as well.

The error Received TLS alert from the server: Handshake failed (40) means that FileZilla and the server cannot agree on an encryption (algorithm and/or strength). FileZilla refuses to use weak encryption, so the server has to be updated to use strong encryption. In FileZilla, you can enable debug output in the settings. You will then see the list of algorithms the server proposes.

The changelog of FileZilla contains some hints on this topic:

  • Disable insecure RC4 algorithm in FTP over TLS
  • Reject Diffie-Hellman Groups smaller than 1024 bits when using FTP over TLS to protect against the Logjam attack
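An added example, not code from the question, the answer or vsftpd itself: a small shell audit that flags the vsftpd.conf settings the answer points at (SSLv2/SSLv3, RC4 and other weak cipher families), prints a stronger replacement fragment, and probes the explicit-TLS (AUTH TLS) handshake that FileZilla performs with openssl s_client. The ssl_* and force_local_*_ssl option names are real vsftpd.conf keys; the sample configuration, file path and cipher list are my own constructed choices.

```shell
#!/bin/sh
# Added example (not the question's or answer's code): audit a vsftpd.conf for
# the TLS settings behind FileZilla's "Handshake failed (40)" and print a
# hardened replacement. The ssl_* and force_local_*_ssl names are real
# vsftpd.conf keys; the sample config and cipher list are constructed.
# Constructed sample in the style of the linked tutorial: SSLv3 and RC4 allowed.
SAMPLE_CONF='ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
ssl_sslv3=YES
ssl_ciphers=RC4-SHA:DES-CBC3-SHA'
# Print the entries of an OpenSSL cipher string that enable a weak family;
# '!'-prefixed entries are exclusions and are skipped. Status 0 if any found.
weak_cipher_entries() {
    echo "$1" | tr ':' '\n' | grep -v '^!' | grep -iE 'RC4|DES|NULL|EXP|LOW|MD5'
}

# audit_vsftpd_tls FILE: one line per finding; returns 1 if anything is weak.
audit_vsftpd_tls() {
    findings=0
    if grep -qiE '^ssl_sslv[23]=YES' "$1"; then
        echo "weak: SSLv2/SSLv3 enabled (set ssl_sslv2=NO and ssl_sslv3=NO)"
        findings=1
    fi
    ciphers=$(sed -n 's/^ssl_ciphers=//p' "$1")
    if [ -z "$ciphers" ]; then
        echo "weak: ssl_ciphers not set; give an explicit strong cipher list"
        findings=1
    elif weak_cipher_entries "$ciphers" >/dev/null; then
        echo "weak: ssl_ciphers enables $(weak_cipher_entries "$ciphers" | tr '\n' ' ')"
        findings=1
    fi
    return $findings
}

# vsftpd.conf lines that replace the weak ones. The DH group size is chosen by
# vsftpd/OpenSSL, not by this file, so confirm the result with probe_ftpes.
hardened_tls_fragment() {
    printf '%s\n' ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES \
        'ssl_ciphers=HIGH:!aNULL:!MD5:!RC4:!3DES' \
        force_local_logins_ssl=YES force_local_data_ssl=YES
}

# Explicit FTPS (AUTH TLS) handshake as FileZilla does it: shows the agreed
# suite and the "Server Temp Key" size. Needs network access; not run here.
probe_ftpes() {
    openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>/dev/null |
        grep -E 'Protocol|Cipher|Server Temp Key'
}

conf=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$conf"
audit_vsftpd_tls "$conf" || { echo '-> replace with:'; hardened_tls_fragment; }; rm -f "$conf"
```

Run `probe_ftpes 192.168.1.17` against the Pi after restarting vsftpd; a modern client will only be satisfied once the reported cipher is an AES/HIGH suite and the "Server Temp Key" line no longer shows a DH group under 1024 bits.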