1
I'm trying to set up an internet-accessible FTP server with encryption, using VSFTPD as the server program, on Fedora 25. Despite seemingly setting everything up correctly, I can never connect to the server from outside my LAN when encryption is enabled. However, connecting is possible if I disable encryption or if I connect from within my LAN.
The issue I'm having is that the VSFTPD server can't complete the SSL handshake after receiving the AUTH command from a client. Using Wireshark, I can see that the server is trying to send what looks like the handshake response several times.
If it helps, here is Wireshark's report of a client attempting to connect to the server:
From Info
------ ----
Client 64423 → 21 [ACK] Seq=1 Ack=1 Win=13952 Len=0 TSval=996262 TSecr=3062736173
Server Response: 220 (vsFTPd 3.0.3)
Client 64423 → 21 [ACK] Seq=1 Ack=21 Win=13952 Len=0 TSval=996281 TSecr=3062736371
Client Request: AUTH TLS
Server 21 → 64423 [ACK] Seq=21 Ack=11 Win=29056 Len=0 TSval=3062736436 TSecr=996282
Server Response: 234 Proceed with negotiation.
Server [TCP Retransmission] 21 → 64423 [PSH, ACK] Seq=21 Ack=11 Win=29056 Len=31 TSval=3062736822 TSecr=996282
Server [TCP Retransmission] 21 → 64423 [PSH, ACK] Seq=21 Ack=11 Win=29056 Len=31 TSval=3062737214 TSecr=996282
Server [TCP Retransmission] 21 → 64423 [PSH, ACK] Seq=21 Ack=11 Win=29056 Len=31 TSval=3062737214 TSecr=996282
Server [TCP Retransmission] 21 → 64423 [PSH, ACK] Seq=21 Ack=11 Win=29056 Len=31 TSval=3062737214 TSecr=996282
...
Other info: I have VSFTPD configured to use TLSv1 or higher, to work in passive mode & with explicit FTPS, and with a self-signed RSA certificate. I don't think there's a problem with my certificate, since I am able to use the same certificate to host an https server with httpd, which I can access from outside my LAN just fine. So the problem must be related to VSFTPD somehow.
I have also set my router & firewall to forward & accept port 21 for ftp control port connections. I also set VSFTPD to have port 2048 as the only PASV data port, but for some reason I didn't need to forward that port on my router to let unencrypted FTP connections work...and besides, the failure I'm having is happening before the data port gets involved, anyway.
Does anyone have any idea for how to fix this? Is there something obvious that I'm missing here?
1
Suggest turning on debug log on VSFTPD and seek for the reason there. For the reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-ftp-vsftpd-conf.html
– Oleg – 2017-06-04T05:46:13.690Thanks. When I turn on logging & SSL debugging, my vsftpd.log file adds these lines whenever a connection is attempted & fails:
CONNECT: Client "::ffff:<client-ip>" DEBUG: Client "::ffff:<client-ip>", "SSL_accept failed: error:00000000:lib(0):func(0):reason(0)"
– mr_johnson22 – 2017-06-05T00:58:51.123