[opensuse] vsftpd and SSL failure
Hello - I am trying to configure the vsftpd server to use SSL on an openSuSE 42.1 (Leap) and running into troubles. I have the basic server running just fine, no firewall issues or anything like that. But when I configure vsftpd to enable SSL I get the following cryptic error messages -
bigbang: rcvsftpd restart
bigbang: rcvsftpd status
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
Active: failed (Result: exit-code) since Mon 2016-09-19 15:04:25 PDT; 5s ago
Process: 27223 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
Main PID: 27223 (code=exited, status=2)

Sep 19 15:04:24 bigbang systemd[1]: Starting Vsftpd ftp daemon...
Sep 19 15:04:24 bigbang systemd[1]: Started Vsftpd ftp daemon.
Sep 19 15:04:25 bigbang systemd[1]: vsftpd.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 19 15:04:25 bigbang systemd[1]: Unit vsftpd.service entered failed state.
Who knows what the "INVALIDARGUMENT" is; my examination of log files reveals nothing, nor do GOOGLE searches. (I did find others having this problem as well, but no solutions.)
The parts of the vsftpd.conf file that are relevant to SSL configuration are:
ssl_enable=YES
debug_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
I am pretty sure I created the certificate and private key files correctly, following the instructions at:
https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/
The only possible hint I have found is in the FAQs for the vsftpd server which says -
Q) Does vsftpd support SSL / TLS based encryption?
A) Yes, as of v2.0.0, this is supported for the control and data connections (hurrah). You need a build of vsftpd with this support enabled, and then you need to activate the ssl_enable setting. NOTE there are security considerations with this support. Please make sure to read the ssl_enable section in the vsftpd.conf.5 man page thoroughly before using.
I don't know how to determine whether the version of vsftpd released with opensuse42.1 was built with support for SSL/TLS or not, I would assume so... but consider me asking? Was it? Does anyone know if the vsftpd server is seriously broken as far as using SSL/TLS? If so, any recommendation on using a different server?
Thanks in advance for any and all helpful replies...
Marc...
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 20.09.2016 at 01:48, Marc Chamberlin wrote:
[...]
hello marc,
to check if your vsftpd has SSL support built in you can run the following command:
ldd /usr/sbin/vsftpd | grep ssl
perhaps first check where your vsftpd is via
which vsftpd
perhaps this might help?
greetings becki
On 9/20/2016 9:40 AM, Admin Beckspaced wrote:
[...]
Thanks Becki for your response, this is what I got and it looks like vsftpd was built with support for SSL/TLS if I am reading this right.. So I am still in the dark as to why vsftpd is not working when I enable SSL for it...
bigbang:/etc ldd /usr/sbin/vsftpd | grep ssl
libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007fa5be3e0000)
bigbang:/etc # which vsftpd
/usr/sbin/vsftpd
Marc...
--
"The Truth is out there" - Spooky
On 20.09.2016 at 20:17, Marc Chamberlin wrote:
[...]
hello marc,
i think you said it works without SSL/TLS?
then there's something wrong with your SSL/TLS setup. i had a look at your tutorial -> https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/
perhaps there's an error in the tutorial as the cert & private key both point to the same file?
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
in my setups i used to have 2 different files, a private key and a certificate. your SSL/TLS setup both points to the same file?
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
have a look in the other tutorial i used before ... http://www.thatsgeeky.com/2011/01/configuring-vsftpd-to-use-tls/
here the command creates 2 different files ... a private key and a certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/www.domain.com.key -out /etc/pki/tls/certs/www.domain.com.pem
i think that's your problem ...
follow the steps in the tutorial above and create new certificates and see what happens?
thanks & greetings becki
On 9/20/2016 11:51 AM, Admin Beckspaced wrote:
[...]
Thanks again Becki, I gave it a shot but still no joy! I followed the steps in the tutorial that you pointed me to for creating two separate files as best as I could. Didn't fully understand the part about chaining certificates but did manage to create the separate key and pem files. After re-configuring the vsftpd.conf file to use them, I still get the same error message about an invalidargument when I restart the vsftpd server. I am guessing that you and others are also running vsftpd under openSuSE 42.1 without problems? Got any more ideas?
Marc...
--
"The Truth is out there" - Spooky
On 20.09.2016 at 22:11, Marc Chamberlin wrote:
[...]
hello marc,
actually i used to run vsftpd on my opensuse box but as i no longer got any clients using FTP service i switched to WINSCP via SSH. this way i don't need to run a FTP server on my suse box ...
to further debug the issue ... i would comment out all SSL/TLS config settings and restart vsftpd
then enable each SSL/TLS config setting one by one to see which one throws the error?
also ... check permission on the cert & private key file. as far as i remember they need to be 400 / 600 so only root can read / write it ... on my suse 13.1 its 0400
also ... did you setup a password on the cert / private key? normally you should not! as it would require vsftpd to enter the password which it can't!
another thing that comes up in my mind ... check for typos in the config file? something little stupid as a comma , could mess up your config file
i will copy my last working vsftpd config file below which was running on a opensuse 13.1 without any problems.
also ... do you start vsftpd as standalone or via inetd?
best of luck & greetings
becki

VSFTPD CONFIG

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# ################
# General Settings
# ################
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to FTP service.
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#hide_ids=YES
#
# #######################
# Local FTP user Settings
# #######################
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# Performs chroot with original (non-root) credentials. This is usefull on nfs with squash_root,
# where root becomes nobody and would need -x access.
#allow_root_squashed_chroot=YES
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#local_max_rate=7200
#
# ##########################
# Anonymus FTP user Settings
# ##########################
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#anon_max_rate=7200
#
# Anonymous users will only be allowed to download files which are
# world readable.
anon_world_readable_only=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#anon_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# ############
# Log Settings
# ############
#
# Log to the syslog daemon instead of using an logfile.
syslog_enable=NO
#
# Uncomment this to log all FTP requests and responses.
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#xferlog_enable=YES
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
# vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
xferlog_std_format=NO
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#setproctitle_enable=YES
#
# #################
# Transfer Settings
# #################
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#pasv_enable=NO
#
# PAM setting. Do NOT change this unless you know what you do!
pam_service_name=vsftpd
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
listen_ipv6=NO
#
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=YES
#
# Limit passive ports to this range to assis firewalling
pasv_min_port=30000
pasv_max_port=30100
### security features that are incompatible with some other settings. ###
# isolate_network ensures the vsftpd subprocess is started in own network
# namespace (see CLONE_NEWNET in clone(2)). It however disables the
# authentication methods needs the network access (LDAP, NIS, ...).
#isolate_network=NO
# seccomp_sanbox add an aditional security layer limiting the number of a
# syscalls can be performed via vsftpd. However it might happen that a
# whitelist don't allow a legitimate call (usually indirectly triggered by
# third-party library like pam, or openssl) and the process is being killed by kernel.
#
# Therefor if your server dies on common situations (file download, upload),
# uncomment following line and don't forget to open bug at
# https://bugzilla.novell.com
seccomp_sandbox=NO
#choose what you like, if you accept anon-connections
# you may want to enable this
#allow_anon_ssl=NO
#choose what you like,
# it's a matter of performance i guess
force_local_data_ssl=YES
#choose what you like
force_local_logins_ssl=YES
#you should at least enable this if you enable ssl...
#TLSv1
ssl_tlsv1=YES
#choose what you like
#SSLv2
ssl_sslv2=NO
#choose what you like
#SSLv3
ssl_sslv3=NO
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/ssl/certs/vsftpd-mycert.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/ssl/certs/vsftpd-mykey.key
#If activated, files and directories starting with . will be shown in directory listings even if the "a" flag was not used by the client.
#This override excludes the "." and ".." entries..
force_dot_files=YES
#The number of seconds to pause prior to reporting a failed login.
delay_failed_login=30
#After this many login failures, the session is killed.
max_login_fails=3
#If set to yes, all SSL data connections are required to exhibit SSL session reuse (which proves that they know the same master secret as the control channel).
#Although this is a secure default, it may break many FTP clients, so you may want to disable it.
require_ssl_reuse=YES
#debug_ssl=YES
ssl_ciphers=HIGH
* Admin Beckspaced
On 20.09.2016 at 22:11, Marc Chamberlin wrote:
On 9/20/2016 11:51 AM, Admin Beckspaced wrote:
458 lines later.
#debug_ssl=YES
ssl_ciphers=HIGH
Do either of you realize that repeatedly adding text to an email renders that email to little/no value and a quick delete to many list readers who *might* be able to help but have little interest in re-reading endless quoting?
please read: http://mailformat.dan.info/quoting/
-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
On 09/21/2016 05:10 AM, Patrick Shanahan wrote:
Do either of you realize that repeatedly adding text to an email renders that email to little/no value and a quick delete to many list readers who *might* be able to help but have little interest in re-reading endless quoting?
This problem goes away if everyone top posts! :-) Regards, Lew
i always thought top posting is a no-go on mailing lists?
On 21.09.2016 at 16:01, Lew Wolfgang wrote:
On 09/21/2016 05:10 AM, Patrick Shanahan wrote:
Do either of you realize that repeatedly adding text to an email renders that email to little/no value and a quick delete to many list readers who *might* be able to help but have little interest in re-reading endless quoting?
This problem goes away if everyone top posts! :-)
Regards, Lew
On 2016-09-21 16:01, Lew Wolfgang wrote:
On 09/21/2016 05:10 AM, Patrick Shanahan wrote:
Do either of you realize that repeatedly adding text to an email renders that email to little/no value and a quick delete to many list readers who *might* be able to help but have little interest in re-reading endless quoting?
This problem goes away if everyone top posts! :-)
It doesn't. The old text is still there, where every one is forced to download. You may not see it, but it is there, taking space on transmissions and storage. Wasted. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 09/21/2016 03:34 PM, Carlos E. R. wrote:
It doesn't. The old text is still there, where every one is forced to download. You may not see it, but it is there, taking space on transmissions and storage. Wasted.
Yabut those bits are recycled! ;-)
On 2016-09-21 21:42, James Knott wrote:
On 09/21/2016 03:34 PM, Carlos E. R. wrote:
transmissions and storage. Wasted.
Yabut those bits are recycled! ;-)
X'-) Nay, some of there are using rust storage. :-P -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
458 lines later.
#debug_ssl=YES
ssl_ciphers=HIGH
Do either of you realize that repeatedly adding text to an email renders that email to little/no value and a quick delete to many list readers who *might* be able to help but have little interest in re-reading endless quoting?
please read: http://mailformat.dan.info/quoting/
actually i wasn't aware that this would cause that much trouble? i always thought it's a good thing to have all the info in that single email, instead of searching for the info bits in all the emails before?
i also do have a nice scrolling wheel on my mouse which lets me scroll down pretty quick.
or should i top post?
and in the previous mail 458 lines later ... i wanted to send the vsftpd config so marc can have a look at the whole config. again, i wasn't aware that this would cause any trouble?
greetings becki
On 2016-09-21 16:24, Admin Beckspaced wrote:
458 lines later.
#debug_ssl=YES
ssl_ciphers=HIGH
Do either of you realize that repeatedly adding text to an email renders that email to little/no value and a quick delete to many list readers who *might* be able to help but have little interest in re-reading endless quoting?
please read: http://mailformat.dan.info/quoting/
actually i wasn't aware that this would cause that much trouble? i always thought it's a good thing to have all the info in that single email, instead of searching for the info bits in all the emails before?
You just need the required info from the quoted material, trim the rest.
i also do have a nice scrolling wheel on my mouse which lets me scroll down pretty quick.
Six seconds more.
or should i top post?
No, that's evil here.
and in the previous mail 458 lines later ... i wanted to send the vsftpd config so marc can have a look at the whole config. again, i wasn't aware that this would cause any trouble?
Some are more sensitive than others ;-) About configs. Another way is to upload the file to susepaste.org, for example, where there is no issue of line wrappings, and in the mail just add the link to the paste. This method is welcomed when the file is large, so that you don't force everybody to download it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 9/20/2016 11:26 PM, Admin Beckspaced wrote:
hello marc,
Hi again Becki and OpenSuSE mail list readers - I am going to intersperse my replies this time within your last set of questions. Hope I don't get in trouble with group etiquette rules... (and to those of you who are complaining about my breaking the rules, every mail list seems to have its own set of etiquette rules and I apologize for breaking this group's. My intent was to make it easier for folks to follow along by not deleting past posts, but I will change my behavior. Perhaps the mail list server could append a link to the openSuSE etiquette rules so we can find them easily, though, like EULA's I doubt most will bother to read em..)
actually i used to run vsftpd on my opensuse box but as i no longer got any clients using FTP service i switched to WINSCP via SSH. this way i don't need to run a FTP server on my suse box ...
to further debug the issue ... i would comment out all SSL/TLS config settings and restart vsftpd then enable each SSL/TLS config setting one by one to see which one throws the error?
Yes, I have tried this several times. If I un-comment out any of the SSL/TLS settings I get the error, doesn't matter which ones. In fact I un-commented out all the SSL/TLS settings except the ssl_enable=YES and the two specifying the cert and key files figuring those were the minimum mandatory ones. The others have built in default values, according to the man pages, so I thought I would try it with just a minimal set of configurations. No joy...
also ... check permission on the cert & private key file. as far as i remember they need to be 400 / 600 so only root can read / write it ... on my suse 13.1 its 0400
Yep, done this, both were set to 600, tried 400 but still no joy....
also ... did you setup a password on the cert / private key? normally you should not! as it would require vsftpd to enter the password which it can't!
I guess that was the case, but tried it both with and without a password... No joy....
another thing that comes up in my mind ... check for typos in the config file? something little stupid as a comma , could mess up your config file
Again, am ahead of you, been staring at the file a lot to see if it is something stupid like that, but I sure don't see anything wrong... If there is something mucked up with the syntax I would think it has to be within one of the three SSL configuration lines that I left in un-commented, but nothing appears to be wrong with them...
i will copy my last working vsftpd config file below which was running on a opensuse 13.1 without any problems.
It appears ours are very similar although I have a few other features enabled such as allowing anonymous FTP access as we need that also (very limited though and well restricted). I will continue to play with it and see if trying your version will solve anything and let you know if it does.
also ... do you start vsftpd as standalone or via inetd?
On this question I am a bit confused... I believe I am running it with inetd as I am using the commands rcvsftpd start and rcvsftpd stop to start and stop the service. And I can see it in YaST2 Service Manager as being enabled and active when it is running. (My understanding is that this is where all the inetd services are shown.) However, the documentation on vsftpd and the comments that came with the default configuration say this -

# Set listen=YES if you want vsftpd to run standalone
#
listen=YES

So my initial thought was that I should set listen=NO since I am wanting it to run as an inetd service, but if I set it to NO then I get the INVALIDARGUMENT error when I issue the command - rcvsftpd start - regardless of whether I am trying to use SSL/TLS or not...

Hmmm I decided to give it a shot and run it as standalone and issued the command - vsftpd as root. Without enabling SSL it came up fine. However, when I tried to enable SSL/TLS I got a bit more info -

vsftpd
500 OOPS: SSL: cannot load RSA certificate

which is a new interesting clue! I looked at the contents of the certificate file, seems OK AFAIK, and the path specified in the vsftpd.conf file is correct. I tried both versions of the certificate and key files that I have generated, as separate files and as a combined file, neither of which can be loaded... I could post the exact sequence of commands (minus sensitive info) that I issued to create these files, if you think that will be helpful but I think I pretty much followed the instructions for creating them verbatim. And I didn't experience any difficulties when I created the certificate and key files either.

Thanks again, Marc...
best of luck & greetings becki
-- "The Truth is out there" - Spooky
On 2016-09-22 00:20, Marc Chamberlin wrote:
On 9/20/2016 11:26 PM, Admin Beckspaced wrote:
hello marc,
Hi again Becki and OpenSuSE mail list readers - I am going to intersperse my replies this time within your last set of questions. Hope I don't get in trouble with group etiquette rules...
You are doing it perfect :-) Yes, it is true, each list has its rules and ways.
also ... do you start vsftpd as standalone or via inetd?
On this question I am a bit confused... I believe I am running it with inetd as I am using the commands rcvsftpd start and rcvsftpd stop to start and stop the service. And I can see it in YaST2 Service Manager as being enabled and active when it is running. (My understanding is that this is where all the inetd services are shown.)
No, that's "standalone". You are starting it as a standalone service. inetd, or rather xinetd, is a daemon that watches ports, and in this case would start the configured ftp server as soon as someone attempts to connect to it. You are confusing inetd with init.d :-)
Have a look at
ls /etc/xinetd.d/
init.d has been replaced with systemd in openSUSE. It is possible that systemd also takes over the role of xinetd.
However, the documentation on vsftpd and the comments that came with the default configuration say this -
# Set listen=YES if you want vsftpd to run standalone
#
listen=YES
So my initial thought was that I should set listen=NO since I am wanting it to run as an inetd service, but if I set it to NO then I get the INVALIDARGUMENT error when I issue the command - rcvsftpd start - regardless of whether I am trying to use SSL/TLS or not...
Well, I guess that you want it set to YES. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
However, the documentation on vsftpd and the comments that came with the default configuration say this -
# Set listen=YES if you want vsftpd to run standalone
#
listen=YES
So my initial thought was that I should set listen=NO since I am wanting it to run as an inetd service, but if I set it to NO then I get the INVALIDARGUMENT error when I issue the command - rcvsftpd start - regardless of whether I am trying to use SSL/TLS or not...
Hmmm I decided to give it a shot and run it as standalone and issued the command - vsftpd as root. Without enabling SSL it came up fine. However, when I tried to enable SSL/TLS I got a bit more info -
vsftpd
500 OOPS: SSL: cannot load RSA certificate
which is a new interesting clue! I looked at the contents of the certificate file, seems OK AFAIK, and the path specified in the vsftpd.conf file is correct. I tried both versions of the certificate and key files that I have generated, as separate files and as a combined file, neither of which can be loaded... I could post the exact sequence of commands (minus sensitive info) that I issued to create these files, if you think that will be helpful but I think I pretty much followed the instructions for creating them verbatim. And I didn't experience any difficulties when I created the certificate and key files either.
Thanks again, Marc...
yes, mailing list and proper formats ;)
ok ... i would say use listen=YES and run vsftpd as standalone

to start / stop / restart / status the vsftpd daemon
systemctl start vsftpd.service
systemctl stop vsftpd.service
systemctl restart vsftpd.service
systemctl status vsftpd.service

to debug error log vsftpd
journalctl -f
or just look into journal for vsftpd user
journalctl -u vsftpd.service -f

i think there's also a vsftpd error log in /var/log/vsftpd.log? but this depends upon the logging service on your suse box

about this error
500 OOPS: SSL: cannot load RSA certificate
what's the path of the cert & key
who owns the cert & key
can vsftpd access the cert & key
are there proper folder permissions on the directories up to where the cert & key files live?

to minor the error about your self created cert & key files ... perhaps you want to generate a test cert & key online
http://www.selfsignedcertificate.com/
this way you can be sure that the cert & key are setup properly :)

please report back and let us know how it goes.

greetings
becki
Thanks Becki and Carlos, I guess I understand what "Standalone" really means but find it confusing terminology. I just assumed "Standalone" meant to run vsftpd like an ordinary application, not as any sort of service that will be handled by the OS.

I have made a breakthrough! But am not out of the woods yet. Thank the Gods for Emacs, still one of the best all time editors around IMHO! It was a dumb mistake after all, in the vsftpd.conf file, I had a trailing space on the end of the line specifying the path to the rsa_cert_file! Kinda hard to see without a good editor that can highlight such things.

As an aside, I can't say I am all that impressed with the quality of programming that has gone into vsftpd. To simply report that there is an invalid argument within a config file and not convey more information about what argument or why, is poor error handling and very user unfriendly. And to not remove trailing whitespace during the parsing of statements is the kind of mistake that I would expect out of beginner programmers, not in a robust application released for production environments.

Anywise, I can now start vsftpd with SSL enabled, but am running into another problem compounded yet again by poor error reporting. To test the SSL/TLS connection I started up FileZilla on my laptop and tried to connect to the vsftpd service using "Explicit FTP over TLS if available". When I do this I get this dumb error message -
19:51:24 Status: Resolving address of ftp.mydomain.com
19:51:24 Status: Connecting to 192.168.10.100:21...
19:51:24 Status: Connection established, waiting for welcome message...
19:51:24 Response: 220 "Welcome to the VSFTPD FTP server."
19:51:24 Command: AUTH TLS
19:51:24 Response: 234 Proceed with negotiation.
19:51:24 Status: Initializing TLS...
19:51:24 Error: GnuTLS error -15: An unexpected TLS packet was received.
19:51:24 Error: Could not connect to server
which doesn't tell me a whole lot. Google searches are revealing that this too is a very generic error message that can be caused by a lot of things, and there are lots of different solutions reported. But so far I have been unable to find one that works for me or is even applicable. The reason I am saying this is that, for example, a lot of people report it happens after getting much further, i.e. after the FTP client requests a directory listing. But I am seeing it during the initial phase of TLS negotiation between the client and the server.

On the suspicion that this could be a FileZilla bug, I tried a different FTP client, the FireFTP addon for Firefox, and it too fails during the initial phase of TLS (or SSL) negotiations, before the user name or passwords are asked for. So this leads me back to thinking I still got a problem with vsftpd. The log file for vsftpd tells me nothing either, all I get is this. -
Thu Sep 22 10:15:51 2016 [pid 16694] CONNECT: Client "192.168.10.15"
Thu Sep 22 10:15:51 2016 [pid 16694] FTP response: Client "192.168.10.15", "220 "Welcome to the VSFTPD FTP server.""
Thu Sep 22 10:15:51 2016 [pid 16694] FTP command: Client "192.168.10.15", "AUTH TLS"
Thu Sep 22 10:15:51 2016 [pid 16694] FTP response: Client "192.168.10.15", "234 Proceed with negotiation."
Will continue to do more research, but perhaps someone on here has seen this problem and knows of a solution? I am also going to bring up Wireshark to see if that will show me anything interesting/understandable....

I will add this note, if I don't tell the client to use TLS or SSL, just make a plain unsecured connection, then the FTP connection works fine.

Thanks again, Marc..
-- "The Truth is out there" - Spooky
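A check for the two configuration problems raised in this thread so far, the trailing space after the rsa_cert_file path and the key-file permissions becki asks about, as an added example that is not part of the original messages. The function names and the sample config are constructed for illustration; the rule that no whitespace may sit beside the `=` comes from vsftpd.conf(5).

```python
import os
import stat
import tempfile

# Constructed sample, modelled on the SSL settings quoted in this thread.
SAMPLE_CONF = (
    "# SSL settings\n"
    "ssl_enable=YES\n"
    "rsa_cert_file=/etc/ssl/private/vsftpd.pem \n"          # trailing space
    "rsa_private_key_file = /etc/ssl/private/vsftpd.pem\n"  # spaces around '='
    "ssl_tlsv1=YES\r\n"                                     # DOS line ending
    "ssl_sslv2=NO\n"
)


def lint_vsftpd_conf(text):
    """Return (line_number, option, problem) for every suspicious directive."""
    findings = []
    for number, raw in enumerate(text.split("\n"), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank line or comment
        if "=" not in raw:
            findings.append((number, raw.strip(), "no '=' in directive"))
            continue
        option, value = raw.split("=", 1)
        name = option.strip()
        if option != name or value != value.lstrip():
            findings.append((number, name, "whitespace beside option name or '='"))
        # Whatever follows the last visible character, shown with repr()
        # so that a space, a tab and a carriage return can be told apart.
        tail = value[len(value.rstrip()):]
        if tail:
            findings.append((number, name, "trailing whitespace %r" % tail))
    return findings


def check_key_file(path):
    """Check a certificate or key path along the lines suggested in the thread."""
    problems = []
    if path != path.strip():
        problems.append("path has surrounding whitespace")
    try:
        info = os.stat(path)
    except OSError as exc:
        problems.append("cannot stat: %s" % exc.strerror)
        return problems
    if not stat.S_ISREG(info.st_mode):
        problems.append("not a regular file")
    if info.st_mode & 0o077:
        mode = stat.S_IMODE(info.st_mode)
        problems.append("mode %04o grants access to group/others" % mode)
    return problems


def demo_key_permissions():
    """Create a throwaway file and check it at mode 0644, 0600 and with a padded path."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vsftpd.pem")
        with open(path, "w") as handle:
            handle.write("constructed placeholder, not a real key\n")
        os.chmod(path, 0o644)
        loose = check_key_file(path)
        os.chmod(path, 0o600)
        strict = check_key_file(path)
        padded = check_key_file(path + " ")  # same path with the trailing space kept
    return loose, strict, padded


if __name__ == "__main__":
    for number, option, problem in lint_vsftpd_conf(SAMPLE_CONF):
        print("line %d: %s: %s" % (number, option, problem))
    print(demo_key_permissions())
```

To run it against a live file, pass `open("/etc/vsftpd.conf").read()` to `lint_vsftpd_conf` and each configured certificate or key path to `check_key_file`.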
On 9/22/2016 10:56 AM, Marc Chamberlin wrote:
Will continue to do more research, but perhaps someone on here has seen this problem and knows of a solution? I am also going to bring up Wireshark to see if that will show me anything interesting/understandable....
Well I don't think Wireshark was very helpful, but this is the summary of what it recorded... Maybe better eyes can make sense of this.. FYI bigbang is the name of my server where vsftpd is running. marcslaptop10 is my laptop from which I used a FTP client to make these tests..

78 12.204969000 bigbang marcslaptop10.mydomain.com FTP 100 Response: 220 "Welcome to the VSFTPD FTP server."
79 12.206560000 marcslaptop10.mydomain.com bigbang FTP 64 Request: AUTH TLS
81 12.206733000 bigbang marcslaptop10.mydomain.com FTP 85 Response: 234 Proceed with negotiation.
82 12.208820000 marcslaptop10.mydomain.com bigbang FTP 305 Request: \026\003\001\000\366\001\000\000\362\003\003W\344$\242M\220\276;\000\037sR4g\200\tYt\207V\367\210\326\302\216\354\334\002\315K\270#\000\000d\300,\300\207\300$\300
83 12.209440000 bigbang marcslaptop10.mydomain.com FTP 64 Response: 500 OOPS:
84 12.209505000 bigbang marcslaptop10.mydomain.com FTP 64 Response: 500 OOPS:
85 12.209554000 bigbang marcslaptop10.mydomain.com FTP 106 Response: not a normal exit in vsf_sysutil_wait_get_exitcode
Thanks again, Marc..
-- "The Truth is out there" - Spooky
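Decoding frame 82 of the Wireshark summary above, as an added example that is not part of the original message: the octal-escaped bytes are the start of a TLS ClientHello, while the "500 OOPS:" lines that follow it are plaintext FTP replies rather than TLS records. The function names are illustrative, and the capture string is copied from the summary, where it is cut short.

```python
import re
import struct

# Start of the client's packet (frame 82), copied from the Wireshark summary
# above, where it is cut short. Octal escapes are kept exactly as shown.
CAPTURED = (
    r"\026\003\001\000\366\001\000\000\362\003\003W\344$\242M\220\276;"
    r"\000\037sR4g\200\tYt\207V\367\210\326\302\216\354\334\002\315K\270#"
    r"\000\000d\300,\300\207\300$\300"
)

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ESCAPES = {"t": 9, "n": 10, "r": 13, "\\": 92, '"': 34}


def unescape(text):
    """Turn Wireshark's \\NNN / \\t style escapes back into raw bytes."""
    out = bytearray()
    pattern = r'\\([0-3][0-7]{2})|\\([tnr\\"])|([^\\])'
    for octal, short, plain in re.findall(pattern, text):
        if octal:
            out.append(int(octal, 8))
        elif short:
            out.append(ESCAPES[short])
        else:
            out.append(ord(plain))  # printable ASCII shown as itself
    return bytes(out)


def parse_client_hello(data):
    """Decode the fixed-position fields of a (possibly truncated) ClientHello."""
    if len(data) < 5 or data[0] not in RECORD_TYPES or data[1] != 3:
        raise ValueError("does not start with a TLS record header")
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    info = {
        "record_type": RECORD_TYPES[rec_type],
        "record_version": VERSIONS.get((major, minor), "unknown"),
        "record_length": rec_len,
    }
    if rec_type != 22 or len(data) < 44:
        return info  # not a handshake, or too short to hold the hello header
    info["handshake_type"] = data[5]  # 1 = ClientHello
    info["handshake_length"] = int.from_bytes(data[6:9], "big")
    info["client_version"] = VERSIONS.get((data[9], data[10]), "unknown")
    # data[11:43] is the 32-byte client random; the session id follows it.
    sid_len = data[43]
    info["session_id_length"] = sid_len
    pos = 44 + sid_len
    if len(data) < pos + 2:
        return info
    suites_len = struct.unpack("!H", data[pos:pos + 2])[0]
    info["cipher_suites_length"] = suites_len
    body = data[pos + 2:pos + 2 + suites_len]
    body = body[:len(body) - len(body) % 2]  # drop a suite cut in half
    info["cipher_suites_seen"] = [
        "0x%04x" % suite for (suite,) in struct.iter_unpack("!H", body)
    ]
    return info


def classify_reply(data):
    """Say whether bytes read from the peer are a TLS record or an FTP reply line."""
    if len(data) >= 3 and data[0] in RECORD_TYPES and data[1] == 3:
        return "tls-record"
    if re.match(rb"\d{3}[ -]", data):
        return "ftp-plaintext"
    return "unknown"


if __name__ == "__main__":
    packet = unescape(CAPTURED)
    for field, value in parse_client_hello(packet).items():
        print("%-22s %s" % (field, value))
    print("client packet:", classify_reply(packet))
    print("server reply :", classify_reply(b"500 OOPS: "))
```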
On 22.09.2016 at 19:56, Marc Chamberlin wrote:
Thanks Becki and Carlos, I guess I understand what "Standalone" really means but find it confusing terminology. I just assumed "Standalone" meant to run vsftpd like an ordinary application, not as any sort of service that will be handled by the OS.
I have made a breakthrough! But am not out of the woods yet. Thank the Gods for Emacs, still one of the best all time editors around IMHO! It was a dumb mistake after all, in the vsftpd.conf file, I had a trailing space on the end of the line specifying the path to the rsa_cert_file! Kinda hard to see without a good editor that can highlight such things.
yep ... told you earlier to check the config file for tiny typos ;) i've already spent hundreds of hours looking for tiny commas , or dot comma ; in config files ;) and yes ... some software is not that good in error reporting, but to catch all those tiny empty space and comma config typo mistake might also be a challenge? and come on ... vsftpd is for free!
so ... a good editor ... well you figured that one out by now ;)
As an aside, I can't say I am all that impressed with the quality of programming that has gone into vsftpd. To simply report that there is an invalid argument within a config file and not convey more information about what argument or why, is poor error handling and very user unfriendly. And to not remove trailing whitespace during the parsing of statements is the kind of mistake that I would expect out of beginner programmers, not in a robust application released for production environments.
Anywise, I can now start vsftpd with SSL enabled, but am running into another problem compounded yet again by poor error reporting. To test the SSL/TLS connection I started up FileZilla on my laptop and tried to connect to the vsftpd service using "Explicit FTP over TLS if available". When I do this I get this dumb error message -
19:51:24 Status: Resolving address of ftp.mydomain.com
19:51:24 Status: Connecting to 192.168.10.100:21...
19:51:24 Status: Connection established, waiting for welcome message...
19:51:24 Response: 220 "Welcome to the VSFTPD FTP server."
19:51:24 Command: AUTH TLS
19:51:24 Response: 234 Proceed with negotiation.
19:51:24 Status: Initializing TLS...
19:51:24 Error: GnuTLS error -15: An unexpected TLS packet was received.
19:51:24 Error: Could not connect to server
which doesn't tell me a whole lot. Google searches are revealing that this too is a very generic error message that can be caused by a lot of things, and there are lots of different solutions reported. But so far I have been unable to find one that works for me or is even applicable. The reason I am saying this is that, for example, a lot of people report it happens after getting much further, i.e. after the FTP client requests a directory listing. But I am seeing it during the initial phase of TLS negotiation between the client and the server.
On the suspicion that this could be a FileZilla bug, I tried a different FTP client, the FireFTP addon for Firefox, and it too fails during the initial phase of TLS (or SSL) negotiations, before the user name or passwords are asked for. So this leads me back to thinking I still got a problem with vsftpd. The log file for vsftpd tells me nothing either, all I get is this. -
Thu Sep 22 10:15:51 2016 [pid 16694] CONNECT: Client "192.168.10.15"
Thu Sep 22 10:15:51 2016 [pid 16694] FTP response: Client "192.168.10.15", "220 "Welcome to the VSFTPD FTP server.""
Thu Sep 22 10:15:51 2016 [pid 16694] FTP command: Client "192.168.10.15", "AUTH TLS"
Thu Sep 22 10:15:51 2016 [pid 16694] FTP response: Client "192.168.10.15", "234 Proceed with negotiation."
Will continue to do more research, but perhaps someone on here has seen this problem and knows of a solution? I am also going to bring up Wireshark to see if that will show me anything interesting/understandable....
yes, i do remember this error too ;) also with filezilla ...

i would first enable SSL debugging in vsftpd.conf
debug_ssl=YES
and check the error logs

i would also try another FTP client, my personal choice is mostly WINSCP
https://winscp.net/eng/download.php
which finally also helped me to completely remove FTP from my servers. but only after i had no more customers in the need of using FTP

if you don't have any customers, doing all that FTP stuff only for yourself, then simply just use WINSCP, which does SFTP over SSH, and works out of the box.

but WINSCP can also connect via FTP and encrypted FTP
so, give that one a try with vsftpd and tell us more about the TLS error

also ... i do remember having errors when the directory had wrong owner or permissions
what's the folder path you're trying to access via FTP and what are the permissions on that folder?

best of luck & greetings
becki
I will add this note, if I don't tell the client to use TLS or SSL, just make a plain unsecured connection, then the FTP connection works fine.
Thanks again, Marc..
Admin Beckspaced wrote:
i would also try another FTP client, my personal choice is mostly WINSCP
It seems that Windows is prerequisite for that? Wrong mailing list me thinks. -- Per Jessen, Zürich (12.6°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 23.09.2016 at 08:35, Per Jessen wrote:
Admin Beckspaced wrote:
i would also try another FTP client, my personal choice is mostly WINSCP
https://winscp.net/eng/download.php
It seems that Windows is prerequisite for that? Wrong mailing list me thinks.
ups ... for servers using suse linux for clients using windows ...
On 9/22/2016 11:55 PM, Admin Beckspaced wrote:
On 23.09.2016 at 08:35, Per Jessen wrote:
Admin Beckspaced wrote:
i would also try another FTP client, my personal choice is mostly WINSCP
https://winscp.net/eng/download.php
It seems that Windows is prerequisite for that? Wrong mailing list me thinks.
ups ... for servers using suse linux for clients using windows ...
Thanks again Beckie - WINSCP also failed, same problem... I am batting 0 for 3 now... And thanks for all the wonderful editor insights! I didn't mean to start an editor comparison contest. And my fingers are well trained for Emacs/XEmacs, don't think I want to train em for something else. It is nice to know that other editors are catching up, but IMHO Emacs is a tried and true trusty old war horse, love its macro capabilities, and I still know how to program in Lisp! Now does that date me or what? Marc...
-- "The Truth is out there" - Spooky
Thanks again Beckie - WINSCP also failed, same problem... I am batting 0 for 3 now...
ok ... did you enable debug_ssl=YES ... restart & look into the error log?
what's the error log saying?
also ... are these your self created certificate & private key?
or did you get some test cert from http://www.selfsignedcertificate.com/
just to minimize errors and make sure there's nothing wrong with the certificate & key itself?
not challenging your know-how, of course ;)
greetings & best of luck becki
On 9/23/2016 10:42 PM, Admin Beckspaced wrote:
Thanks again Beckie - WINSCP also failed, same problem... I am batting 0 for 3 now...
ok ... did you enable debug_ssl=YES ... restart & look into the error log?
what's the error log saying?
also ... are these your self created certificate & private key?
or did you get some test cert from http://www.selfsignedcertificate.com/
just to minimize errors and make sure there's nothing wrong with the certificate & key itself?
not challenging your know-how, of course ;)
greetings & best of luck becki
Hello again Becki and OpenSuSE folks - Sorry for my delay in responding, I got sidelined this week on other problems.... Yes I am using self signed certificates and used a more nuanced approach in generating them starting with a self signed CA, and then using it to sign a certificate for my server. The process I followed is described at - http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-sign...

I also followed all the steps to verify the certificates and nothing seems wrong with them. I even imported my CA certificate into Windows and it did not complain about it either and was willing to display the contents back to me after I had installed it. So I really don't get a feeling that anything is wrong with the certificates or with the keys...

To do a bit of further testing I used openssl in its client mode to connect to my server and turned on debug messages as well. I got a different error message as can be seen in the following output, which seems suspicious to my untrained eyes but I really don't know what it means. Google is not providing me any joy either...

Doing this on my OpenSuSE server -
openssl s_client -connect localhost:21 -state -nbio
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
139683917674128:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 261 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
And doing this on my Windows 10 laptop using the GNU tools -
c:\Program Files (x86)\GnuWin32\bin>openssl s_client -starttls ftp -connect bigbang:21 -state -nbio
Loading 'screen' into random state - done
CONNECTED(00000208)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
7848:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:./ssl/s23_clnt.c:585:
Anyone want to hazard a guess as to what this "unknown protocol" error means? Thanks again for any and all suggestions, I am kinda lost... Marc...
-- "The Truth is out there" - Spooky
On 02.10.2016 at 08:35, Marc Chamberlin wrote:
Hello again Becki and OpenSuSE folks - Sorry for my delay in responding, I got sidelined this week on other problems.... Yes I am using self signed certificates and used a more nuanced approach in generating them starting with a self signed CA, and then using it to sign a certificate for my server. The process I followed is described at - http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-sign...
I also followed all the steps to verify the certificates and nothing seems wrong with them. I even imported my CA certificate into Windows and it did not complain about it either and was willing to display the contents back to me after I had installed it. So I really don't get a feeling that anything is wrong with the certificates or with the keys...
To do a bit of further testing I used openssl in its client mode to connect to my server and turned on debug messages as well. I got a different error message as can be seen in the following output, which seems suspicious to my untrained eyes but I really don't know what it means. Google is not providing me any joy either...
Doing this on my OpenSuSE server -
openssl s_client -connect localhost:21 -state -nbio
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
139683917674128:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 261 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
And doing this on my Windows 10 laptop using the GNU tools -
c:\Program Files (x86)\GnuWin32\bin>openssl s_client -starttls ftp -connect bigbang:21 -state -nbio
Loading 'screen' into random state - done
CONNECTED(00000208)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
7848:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:./ssl/s23_clnt.c:585:
Anyone want to hazard a guess as to what this "unknown protocol" error means?
Thanks again for any and all suggestions, I am kinda lost... Marc...
hello marc,
still kind of lost? i know how it feels being stuck with software problems ...
a few things that come to my mind.
if you're not really a SSL/TLS certificate pro i would recommend to give a test certificate a try. this way you can narrow down errors or at least be sure that there's nothing wrong with the certificate.
in my vsftpd config i have SSL version 2 and 3 disabled. please check yours, in the error log above it says sslv2/v3 error if you disable ssl v2/3 in vsftpd how should one be able to connect?
make sure openssl allows self signed certificates. there must be another --param for that too?
importing certificates into windows. also here some problems are possible.
because with the certificate authority (CA) certificate you need to tell windows that this is a CA cert the 'normal' cert. the one that got signed by your CA, can be installed with the default settings
another thing ...
the permissions on the certificates for vsftpd must be very strict! 0600 / 0400 by root, otherwise vsftpd will complain
also ....
the 'home' folder of the system user, the folder which vsftpd is going to use, must also be owned by root if that is not the case i remember having some strange error messages ...
have fun debugging and best of luck ;)
greetings becki
On 10/3/2016 11:40 PM, Admin Beckspaced wrote:
hello marc,
still kind of lost? i know how it feels being stuck with software problems ...
Yep, frustrating to say the least!
a few things that come to my mind.
if you're not really a SSL/TLS certificate pro i would recommend to give a test certificate a try. this way you can narrow down errors or at least be sure that there's nothing wrong with the certificate.
OK, I tried a test certificate as well, got one from the site you recommended earlier, no joy! Same error messages when I use it.
in my vsftpd config i have SSL version 2 and 3 disabled. please check yours, in the error log above it says sslv2/v3 error if you disable ssl v2/3 in vsftpd how should one be able to connect?
I disabled both as well, no joy.
make sure openssl allows self signed certificates. there must be another --param for that too?
I cannot find any parameters for openssl that is used to allow/disallow self signed certificates.
importing certificates into windows. also here some problems are possible.
because with the certificate authority (CA) certificate you need to tell windows that this is a CA cert the 'normal' cert. the one that got signed by your CA, can be installed with the default settings
Understood, but I don't think the test certificate was a self signed one and Windows FTP clients still complained when I was trying to use the test cert as well.
another thing ...
the permissions on the certificates for vsftpd must be very strict! 0600 / 0400 by root, otherwise vsftpd will complain
I double checked the permissions on the certificates and tried both variations as you suggested. No joy.
also ....
the 'home' folder of the system user, the folder which vsftpd is going to use,
Yep it is....
have fun debugging and best of luck ;)
Oh I am having fun alright! LOL Kinda on the shady side of being bemused... Now where is Lady Luck hiding these days?
greetings becki
Ever onward... And thanks again for trying to help, this is a puzzler! Marc...
-- "The Truth is out there" - Spooky
Hi,
The error message you see is probably caused by a mismatch of supported SSL protocol versions. Or the server/client sending us plaintext while we expect SSL.
See if setting implicit_ssl=NO or implicit_ssl=YES in vsftpd.conf helps.
Ciao, Marcus
On Tue, Oct 04, 2016 at 05:17:32PM -0700, Marc Chamberlin wrote:
On 10/3/2016 11:40 PM, Admin Beckspaced wrote:
hello marc,
still kind of lost? i know how it feels being stuck with software problems ...
Yep, frustrating to say the least!
a few things that come to my mind.
if you're not really a SSL/TLS certificate pro i would recommend to give a test certificate a try. this way you can narrow down errors or at least be sure that there's nothing wrong with the certificate.
OK, I tried a test certificate as well, got one from the site you recommended earlier, no joy! Same error messages when I use it.
in my vsftpd config i have SSL version 2 and 3 disabled. please check yours, in the error log above it says sslv2/v3 error if you disable ssl v2/3 in vsftpd how should one be able to connect?
I disabled both as well, no joy.
make sure openssl allows self signed certificates. there must be another --param for that too?
I cannot find any parameters for openssl that is used to allow/disallow self signed certificates.
importing certificates into windows. also here some problems are possible.
because with the certificate authority (CA) certificate you need to tell windows that this is a CA cert the 'normal' cert. the one that got signed by your CA, can be installed with the default settings
Understood, but I don't think the test certificate was a self signed one and Windows FTP clients still complained when I was trying to use the test cert as well.
another thing ...
the permissions on the certificates for vsftpd must be very strict! 0600 / 0400 by root, otherwise vsftpd will complain
I double checked the permissions on the certificates and tried both variations as you suggested. No joy.
also ....
the 'home' folder of the system user, the folder which vsftpd is going to use,
Yep it is....
have fun debugging and best of luck ;)
Oh I am having fun alright! LOL Kinda on the shady side of being bemused... Now where is Lady Luck hiding these days?
greetings becki
Ever onward... And thanks again for trying to help, this is a puzzler! Marc...
-- "The Truth is out there" - Spooky
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real
On 10/5/2016 3:02 AM, Marcus Meissner wrote:
Hi,
The error message you see is probably caused by a mismatch of supported SSL protocol versions.
Or the server/client sending us plaintext while we expect SSL.
See if setting implicit_ssl=NO or implicit_ssl=YES
in vsftpd.conf helps.
Ciao, Marcus
Thanks Marcus, that was a good idea but unfortunately still no joy. Gives me the same error messages when I try to connect...
-- "The Truth is out there" - Spooky
On 05.10.2016 at 17:02, Marc Chamberlin wrote:
On 10/5/2016 3:02 AM, Marcus Meissner wrote:
Hi,
The error message you see is probably caused by a mismatch of supported SSL protocol versions.
Or the server/client sending us plaintext while we expect SSL.
See if setting implicit_ssl=NO or implicit_ssl=YES
in vsftpd.conf helps.
Ciao, Marcus
Thanks Marcus, that was a good idea but unfortunately still no joy. Gives me the same error messages when I try to connect...
would you give SSH access on your suse box?
On 2016-09-22 19:56, Marc Chamberlin wrote:
I have made a breakthrough! But am not out of the woods yet. Thank the Gods for Emacs, still one of the best all time editors around IMHO! It was a dumb mistake after all, in the vsftpd.conf file, I had a trailing space on the end of the line specifying the path to the rsa_cert_file! Kinda hard to see without a good editor that can highlight such things.
There are other editors that can highlight spaces. For instance, mcedit does. Also tabs.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Fri, Sep 23, 2016 at 7:53 AM, Carlos E. R.
On 2016-09-22 19:56, Marc Chamberlin wrote:
I have made a breakthrough! But am not out of the woods yet. Thank the Gods for Emacs, still one of the best all time editors around IMHO! It was a dumb mistake after all, in the vsftpd.conf file, I had a trailing space on the end of the line specifying the path to the rsa_cert_file! Kinda hard to see without a good editor that can highlight such things.
There are other editors that can highlight spaces. For instance, mcedit does. Also tabs.
Too bad vi can't do that.
Oh wait.... :set list
(And no I didn't have to google it.)
Greg
On Fri, 23 Sep 2016 17:15, Greg Freemyer
On Fri, Sep 23, 2016 at 7:53 AM, Carlos E. R.
wrote: On 2016-09-22 19:56, Marc Chamberlin wrote:
I have made a breakthrough! But am not out of the woods yet. Thank the Gods for Emacs, still one of the best all time editors around IMHO! It was a dumb mistake after all, in the vsftpd.conf file, I had a trailing space on the end of the line specifying the path to the rsa_cert_file! Kinda hard to see without a good editor that can highlight such things.
There are other editors that can highlight spaces. For instance, mcedit does. Also tabs.
Too bad vi can't do that.
Oh wait.... :set list
(And no I didn't have to google it.)
Using gvim and selecting a useful color-scheme is also helpful. Or more general using tools like grep:
grep -E '\s+$' <filename>
in vi / vim / gvim as search:
/[ \t][ \t]*$/e
as search/replace, add a 'c' to get a choice for every subst:
:%s/[ \t][ \t]*$//
But, to be honest, I was bitten by such erroneous whitespaces, too.
- Yamaban
Yamaban wrote:
On Fri, 23 Sep 2016 17:15, Greg Freemyer
wrote: On Fri, Sep 23, 2016 at 7:53 AM, Carlos E. R.
wrote: On 2016-09-22 19:56, Marc Chamberlin wrote:
I have made a breakthrough! But am not out of the woods yet. Thank the Gods for Emacs, still one of the best all time editors around IMHO! It was a dumb mistake after all, in the vsftpd.conf file, I had a trailing space on the end of the line specifying the path to the rsa_cert_file! Kinda hard to see without a good editor that can highlight such things.
There are other editors that can highlight spaces. For instance, mcedit does. Also tabs.
Too bad vi can't do that.
Oh wait.... :set list
(And no I didn't have to google it.)
Using gvim and selecting a useful color-scheme is also helpful.
Or more general using tools like grep:
grep -E '\s+$' <filename>
in vi / vim / gvim as search:
/[ \t][ \t]*$/e
as search/replace, add a 'c' to get a choice for every subst:
:%s/[ \t][ \t]*$//
But, to be honest, I was bitten by such erroneous whitespaces, too.
s/erroneous whitespaces/poor parsers/
-- Per Jessen, Zürich (19.6°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2016-09-23 17:36, Per Jessen wrote:
But, to be honest, I was bitten by such erroneous whitespaces, too.
s/erroneous whitespaces/poor parsers/
Yep. I remember an application that (silently?) balked at this /valid/ concoction:
config_option[EOL]
last_config_option[EOF]
It had to be:
config_option[EOL]
last_config_option[EOL]
[EOF]
It did not tolerate the last line to end with end of file mark. It needed a clear end of line, then end of file. I do not remember what application did this. Some service, not an application.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
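The trailing space after the rsa_cert_file path and the last-line-without-[EOL] case recalled above can both be checked before the daemon is restarted. This is an added example, not code from anyone in the thread: the function name lint_vsftpd_conf and the sample file are constructed here, and the rule about whitespace next to "=" is taken from vsftpd.conf(5), which treats any space between option, "=" and value as an error.

```shell
#!/bin/sh
# Added example, not from the thread. lint_vsftpd_conf is a made-up name.
# Prints one finding per line.
# Returns 0 if the file is clean, 1 if there are findings, 2 if unreadable.

lint_vsftpd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    found=0

    lines=$(awk '
        /^#/ || /^$/ { next }                  # comments and empty lines
        /[ \t\r]+$/ {                          # the rsa_cert_file case
            shown = $0
            sub(/[ \t\r]+$/, "", shown)
            printf "%d: trailing whitespace after \"%s\"\n", NR, shown
        }
        /^[ \t]/ { printf "%d: leading whitespace\n", NR }
        /^[^=]*[ \t]=/ || /^[^=]*=[ \t]/ {     # vsftpd.conf(5) forbids this
            printf "%d: whitespace next to \"=\"\n", NR
        }
        index($0, "=") == 0 { printf "%d: option line without \"=\"\n", NR }
    ' "$conf")
    if [ -n "$lines" ]; then
        printf '%s\n' "$lines"
        found=1
    fi

    # Command substitution strips a trailing newline, so a non-empty result
    # means the last byte is not a newline: [EOF] without a preceding [EOL].
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo "EOF: last line has no terminating newline"
        found=1
    fi
    return "$found"
}

# Constructed sample: line 2 ends in a space, line 3 has a space before "=",
# and the file ends without a final newline.
sample=$(mktemp)
printf '%s\n%s\n%s\n%s' \
    '# constructed sample' \
    'rsa_cert_file=/etc/ssl/private/vsftpd.pem ' \
    'ssl_enable =YES' \
    'ssl_tlsv1=YES' > "$sample"
lint_vsftpd_conf "$sample" || true
rm -f "$sample"
```

A carriage return left by a Windows editor is reported as trailing whitespace as well, since it is just as invisible in most editors.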
On Mon, 19 Sep 2016 16:48:06 -0700
Marc Chamberlin
Hello - I am trying to configure the vsftpd server to use SSL on an openSuSE 42.1 (Leap) and running into troubles. I have the basic server running just fine, no firewall issues or anything like that. But when I configure vsftpd to enable SSL I get the following cryptic error messages -
bigbang: rcvsftpd restart
bigbang: rcvsftpd status
vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled)
Active: failed (Result: exit-code) since Mon 2016-09-19 15:04:25 PDT; 5s ago
Process: 27223 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
Main PID: 27223 (code=exited, status=2)
Sep 19 15:04:24 bigbang systemd[1]: Starting Vsftpd ftp daemon...
Sep 19 15:04:24 bigbang systemd[1]: Started Vsftpd ftp daemon.
Sep 19 15:04:25 bigbang systemd[1]: vsftpd.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 19 15:04:25 bigbang systemd[1]: Unit vsftpd.service entered failed state.
Who knows what the "INVALIDARGUMENT" is, my examination of log files reveal nothing, nor do GOOGLE searches. (I did find others having this problem as well, but no solutions.)
The parts of the vsftpd.conf file that are relevant to SSL configuration is:
ssl_enable=YES
debug_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
I don't know how to solve your problem, but is ssl_tlsv1 still secure?
I am pretty sure I created the certificate and private key files correctly, following the instructions at:
https://www.unixmen.com/how-to-setup-ftp-server-on-opensuse-42-1/
The only possible hint I have found is in the FAQs for the vsftpd server which says -
Q) Does vsftpd support SSL / TLS based encryption? A) Yes, as of v2.0.0, this is supported for the control and data connections (hurrah). You need a build of vsftpd with this support enabled, and then you need to activate the ssl_enable setting. NOTE there are security considerations with this support. Please make sure to read the ssl_enable section in the vsftpd.conf.5 man page thoroughly before using.
I don't know how to determine whether the version of vsftpd released with opensuse42.1 was built with support for SSL/TLS or not, I would assume so... but consider me asking? Was it? Does anyone know if the vsftpd server is seriously broken as far as using SSL/TLS? If so, any recommendation on using a different server?
Thanks in advance for any and all helpful replies... Marc...
participants (11)
- Admin Beckspaced
- Carlos E. R.
- Dave Howorth
- Greg Freemyer
- James Knott
- Lew Wolfgang
- Marc Chamberlin
- Marcus Meissner
- Patrick Shanahan
- Per Jessen
- Yamaban