On 20.09.2016 at 20:17, Marc Chamberlin wrote:
On 9/20/2016 9:40 AM, Admin Beckspaced wrote:
On 20.09.2016 at 01:48, Marc Chamberlin wrote:
Hello - I am trying to configure the vsftpd server to use SSL on an openSuSE 42.1 (Leap) and running into troubles. I have the basic server running just fine, no firewall issues or anything like that. But when I configure vsftpd to enable SSL I get the following cryptic error messages -
bigbang: rcvsftpd restart
bigbang: rcvsftpd status
vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
   Active: failed (Result: exit-code) since Mon 2016-09-19 15:04:25 PDT; 5s ago
  Process: 27223 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
 Main PID: 27223 (code=exited, status=2)

Sep 19 15:04:24 bigbang systemd[1]: Starting Vsftpd ftp daemon...
Sep 19 15:04:24 bigbang systemd[1]: Started Vsftpd ftp daemon.
Sep 19 15:04:25 bigbang systemd[1]: vsftpd.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 19 15:04:25 bigbang systemd[1]: Unit vsftpd.service entered failed state.
Who knows what the "INVALIDARGUMENT" is, my examination of log files reveals nothing, nor do GOOGLE searches. (I did find others having this problem as well, but no solutions.)
The parts of the vsftpd.conf file that are relevant to SSL configuration are:
ssl_enable=YES
debug_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
I am pretty sure I created the certificate and private key files correctly, following the instructions at:
https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/
The only possible hint I have found is in the FAQs for the vsftpd server which says -
Q) Does vsftpd support SSL / TLS based encryption?
A) Yes, as of v2.0.0, this is supported for the control and data connections (hurrah). You need a build of vsftpd with this support enabled, and then you need to activate the ssl_enable setting. NOTE there are security considerations with this support. Please make sure to read the ssl_enable section in the vsftpd.conf.5 man page thoroughly before using.
I don't know how to determine whether the version of vsftpd released with opensuse42.1 was built with support for SSL/TLS or not, I would assume so... but consider me asking? Was it? Does anyone know if the vsftpd server is seriously broken as far as using SSL/TLS? If so, any recommendation on using a different server?
Thanks in advance for any and all helpful replies... Marc...
hello marc,
to check if your vsftpd has SSL support built in you can run the following command:
ldd /usr/sbin/vsftpd | grep ssl
perhaps first check where your vsftpd is via
which vsftpd
perhaps this might help?
greetings becki
Thanks Becki for your response, this is what I got and it looks like vsftpd was built with support for SSL/TLS if I am reading this right.. So I am still in the dark as to why vsftpd is not working when I enable SSL for it...
bigbang:/etc ldd /usr/sbin/vsftpd | grep ssl
libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007fa5be3e0000)
bigbang:/etc # which vsftpd
/usr/sbin/vsftpd
Marc...
hello marc,

i think you said it works without SSL/TLS? then there's something wrong with your SSL/TLS setup.

i had a look at your tutorial -> https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/

perhaps there's an error in the tutorial as the cert & private key both point to the same file?

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

in my setups i used to have 2 different files, a private key and a certificate. your SSL/TLS setup both points to the same file?

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

have a look in the other tutorial i used before ... http://www.thatsgeeky.com/2011/01/configuring-vsftpd-to-use-tls/

here the command creates 2 different files ... a private key and a certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/www.domain.com.key -out /etc/pki/tls/certs/www.domain.com.pem

i think that's your problem ... follow the steps in the tutorial above and create new certificates and see what happens?

thanks & greetings
becki
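
Added example, not part of the original thread and not code from either poster or from the vsftpd project: a small pre-flight check for the SSL options quoted above, run before restarting the service. It relies on two rules from vsftpd.conf(5): no space is allowed between an option, the = and its value, and when rsa_private_key_file is unset the key is read from the certificate file. The function names and the sample in the main block are constructed for illustration.

```python
import os
import re

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def parse_conf(text):
    """Parse vsftpd.conf text into (options, problems)."""
    opts, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # vsftpd.conf(5): no space is allowed between the option, = and value
        if not sep or key != key.strip() or value != value.strip():
            problems.append(f"line {n}: not in exact option=value form")
        opts[key.strip()] = value.strip()
    return opts, problems

def pem_labels(path):
    """Return the set of PEM block labels found in a file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return set(PEM_BEGIN.findall(fh.read()))

def check_ssl(conf_text):
    """Return a list of problems with the SSL options in conf_text."""
    opts, problems = parse_conf(conf_text)
    if opts.get("ssl_enable", "NO").upper() != "YES":
        return problems + ["ssl_enable is not YES"]
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if opts.get(proto, "NO").upper() == "YES":
            problems.append(f"{proto}=YES enables an obsolete protocol")
    cert = opts.get("rsa_cert_file")
    # With rsa_private_key_file unset, the key is read from the certificate file
    key = opts.get("rsa_private_key_file", cert)
    for opt, path, want in (("rsa_cert_file", cert, "CERTIFICATE"),
                            ("rsa_private_key_file", key, "PRIVATE KEY")):
        if not path or not (os.path.isfile(path) and os.access(path, os.R_OK)):
            problems.append(f"{opt}: {path} is missing or unreadable")
            continue
        if not any(label.endswith(want) for label in pem_labels(path)):
            problems.append(f"{opt}: no {want} block in {path}")
        if want == "PRIVATE KEY" and os.stat(path).st_mode & 0o077:
            problems.append(f"{opt}: {path} is accessible to group or others")
    return problems

if __name__ == "__main__":
    # Constructed sample: the thread's SSL options, trailing space added on line 1
    sample = ("ssl_enable=YES \nssl_sslv2=NO\nssl_sslv3=NO\n"
              "rsa_cert_file=/etc/ssl/private/vsftpd.pem\n"
              "rsa_private_key_file=/etc/ssl/private/vsftpd.pem\n")
    print("\n".join(check_ssl(sample)) or "no problems found")
```

The check only confirms that each configured file holds a block of the expected type; confirming that the key actually belongs to the certificate still needs openssl.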