This howto describes how to configure vsftpd to enable SSL using so-called intermediate (chaining) certificates.
Edit vsftpd.conf so that SSL is enabled:
ssl_enable=YES
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
force_local_data_ssl=NO
force_local_logins_ssl=NO
It is very important to build the certificate file /usr/share/ssl/certs/vsftpd.pem with its entries in the correct order. The file has to be in PEM format. If you also received an intermediate certificate, concatenate the domain certificate, the intermediate (chaining) certificate(s) and your private key into one single .pem file, in the order shown below. The private key goes into the same file because vsftpd reads it from rsa_cert_file unless rsa_private_key_file is set separately. Make sure every block is copied completely, with no blank lines or extra whitespace between the blocks, exactly as shown below.
-----BEGIN CERTIFICATE-----
(your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 3)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 2)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 1)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(your_domain_name.key)
-----END RSA PRIVATE KEY-----
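The assembly described above, carried out as a script. This is an added example written for this page, not the howto's own commands, and every file name in it is an assumption. build_bundle concatenates the domain certificate, the chaining certificates in the order given and the key into one owner-only file, adding the final newline a source file may lack (without it, an END marker and the next BEGIN marker end up on one line). check_bundle verifies the layout shown above using only awk, and rejects the kind of mistake a hand-edited file easily contains, such as an END CERTIFICATE KEY line closing a CERTIFICATE block, a key block that is not last, or a file readable by other users. verify_chain goes one step further and asks openssl (assumed installed, as is mktemp) to confirm that the intermediates actually chain to a root you trust and that the RSA key belongs to the first certificate.

```shell
#!/bin/sh
# Added example for this howto (not the author's own commands): assemble the
# vsftpd PEM bundle in the order shown above and sanity-check it before
# pointing rsa_cert_file at it. All file names are assumptions.

# build_bundle OUT KEY LEAF [INTERMEDIATE ...]
# Writes LEAF, then the intermediates in the order given (the one that signed
# LEAF first), then KEY.
build_bundle() {
  out=$1; key=$2; shift 2
  rm -f "$out"
  ( umask 077; : > "$out" )             # owner-only before any key material lands in it
  for f in "$@" "$key"; do
    cat "$f" >> "$out"
    if [ -n "$(tail -c 1 "$f")" ]; then # last byte is not a newline: add one
      printf '\n' >> "$out"
    fi
  done
}

# check_bundle FILE
# Succeeds when FILE has the layout vsftpd expects: every BEGIN marker closed by
# an END marker with the same label, a CERTIFICATE block first, only CERTIFICATE
# blocks after it, exactly one PRIVATE KEY block and it last, no blank or
# non-base64 lines, and no read permission for group or others.
check_bundle() {
  f=$1
  awk '
    { sub(/\r$/, "") }                                  # tolerate CRLF line endings
    /^-----BEGIN / {
      if (cur != "") { print "line " NR ": BEGIN inside an open " cur " block"; bad = 1 }
      cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
      n++; label[n] = cur; next
    }
    /^-----END / {
      lbl = $0; sub(/^-----END /, "", lbl); sub(/-----$/, "", lbl)
      if (lbl != cur) { print "line " NR ": END " lbl " does not close BEGIN " cur; bad = 1 }
      cur = ""; next
    }
    cur == "" { print "line " NR ": text outside a PEM block"; bad = 1; next }
    !/^[A-Za-z0-9+\/=]+$/ { print "line " NR ": not base64 inside " cur; bad = 1 }
    END {
      if (cur != "") { print "unterminated " cur " block"; bad = 1 }
      keys = 0
      for (i = 1; i <= n; i++) {
        if (label[i] ~ /PRIVATE KEY$/) { keys++; if (i != n) { print "private key must be the last block"; bad = 1 } }
        else if (label[i] != "CERTIFICATE") { print "unexpected block: " label[i]; bad = 1 }
      }
      if (n < 2 || label[1] != "CERTIFICATE") { print "first block must be the server certificate"; bad = 1 }
      if (keys != 1) { print "expected one private key block, found " keys; bad = 1 }
      exit bad + 0
    }' "$f" || return 1
  case "$(ls -ld "$f" | cut -c5-10)" in
    ------) ;;
    *) echo "$f is readable by group or others but contains the private key"; return 1 ;;
  esac
}

# verify_chain BUNDLE ROOT_CA
# Layout checks cannot tell whether these are the right intermediates in the
# right order. This asks openssl (assumed installed) to build the chain from the
# bundle's own intermediates up to ROOT_CA, then checks that the RSA key
# belongs to the first certificate.
verify_chain() {
  b=$1; root=$2; tmp=$(mktemp -d); rc=0
  openssl x509 -in "$b" -out "$tmp/leaf.pem" || rc=1   # x509 reads only the first block
  awk '/^-----BEGIN CERTIFICATE-----/ { c++; inb = 1 }
       c >= 2 && inb { print }
       /^-----END CERTIFICATE-----/ { inb = 0 }' "$b" > "$tmp/chain.pem"
  awk '/^-----BEGIN .*PRIVATE KEY-----/ { inb = 1 }
       inb { print }
       /^-----END .*PRIVATE KEY-----/ { inb = 0 }' "$b" > "$tmp/key.pem"
  set -- -CAfile "$root"
  if [ -s "$tmp/chain.pem" ]; then set -- "$@" -untrusted "$tmp/chain.pem"; fi
  if [ "$rc" -eq 0 ]; then openssl verify "$@" "$tmp/leaf.pem" || rc=1; fi
  if [ "$rc" -eq 0 ] && [ "$(openssl x509 -noout -modulus -in "$tmp/leaf.pem")" != \
                          "$(openssl rsa -noout -modulus -in "$tmp/key.pem")" ]; then
    echo "private key does not match the server certificate"; rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh make-vsftpd-pem.sh OUT KEY LEAF [INTERMEDIATE ...], for example
#   sh make-vsftpd-pem.sh /usr/share/ssl/certs/vsftpd.pem your_domain_name.key \
#      your_domain_name.crt chaining3.crt chaining2.crt chaining1.crt
if [ $# -ge 3 ]; then
  build_bundle "$@" && check_bundle "$1" && echo "$1: layout OK"
fi
```

The intermediates are listed starting with the one that issued your domain certificate, which is the order OpenSSL expects in a certificate chain file (the server certificate, then each issuer in turn). verify_chain is the check to run after a certificate renewal, when a CA has switched to a new intermediate and the old copy in the bundle no longer matches.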
This is how to check an SSL-enabled FTP service (FTP Secure); see the result below:
$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"
Password:
$
For reference, here is the relevant part of a complete vsftpd.conf that forces SSL for local logins and data and disables SSLv2, SSLv3 and TLS 1.0:
xferlog_file=/var/log/vsftpd.log
xferlog_enable=YES
dirmessage_enable=YES
data_connection_timeout=600
dual_log_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1_2=YES
ssl_ciphers=HIGH:-3DES:-aNULL
rsa_cert_file=/etc/vsftpd/rmohan.pem
pasv_min_port=28000
pasv_max_port=30000
require_ssl_reuse=NO
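A small lint for the SSL keys discussed on this page, added here as an example and not part of the howto. Run against the first snippet (force_local_*_ssl=NO) it reports that local users may log in and transfer files in clear text, that TLS 1.0 is still permitted (vsftpd's default for ssl_tlsv1 is YES) and that no cipher list is set; run against the hardened config above it reports nothing, but notes on stderr that require_ssl_reuse=NO relaxes vsftpd's default. Which values count as findings is this script's own policy, not something vsftpd enforces; the configuration paths it reads are whatever the file under test names.

```shell
#!/bin/sh
# Added example, not part of the original howto: lint the SSL-related keys
# of a vsftpd.conf against the hardened settings shown on this page.

# conf_get FILE KEY: print the raw value of KEY, empty when unset.
# A key that appears twice takes its last value, since vsftpd applies lines in order.
conf_get() {
  awk -v k="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                    # comment or blank line
    index($0, "=") == 0 { next }                         # not a key=value line
    substr($0, 1, index($0, "=") - 1) == k {
      v = substr($0, index($0, "=") + 1); sub(/[ \t\r]+$/, "", v)
    }
    END { print v }' "$1"
}

# The howto's first snippet writes "No" rather than "NO", so compare case-insensitively.
upper() { tr '[:lower:]' '[:upper:]'; }

# must_be FILE KEY VALUE MESSAGE: a finding unless KEY is exactly VALUE (unset also counts).
must_be() {
  v=$(conf_get "$1" "$2" | upper)
  [ "$v" = "$3" ] || printf '%s: %s=%s (expected %s): %s\n' "$1" "$2" "${v:-unset}" "$3" "$4"
}

# must_not_be FILE KEY VALUE MESSAGE: a finding when KEY is VALUE ("" means unset).
must_not_be() {
  v=$(conf_get "$1" "$2" | upper)
  [ "$v" != "$3" ] || printf '%s: %s=%s: %s\n' "$1" "$2" "${v:-unset}" "$4"
}

# lint_vsftpd_ssl FILE: one finding per line on stdout, advisory notes on stderr.
lint_vsftpd_ssl() {
  f=$1
  must_be     "$f" ssl_enable             YES "SSL is not enabled at all"
  must_be     "$f" force_local_logins_ssl YES "local users may send their password in clear text"
  must_be     "$f" force_local_data_ssl   YES "local users may transfer files in clear text"
  must_not_be "$f" allow_anon_ssl         YES "anonymous sessions do not need SSL; keep the default NO"
  must_not_be "$f" ssl_sslv2              YES "SSLv2 must stay disabled"
  must_not_be "$f" ssl_sslv3              YES "SSLv3 must stay disabled"
  must_be     "$f" ssl_tlsv1              NO  "TLS 1.0 is permitted (vsftpd enables it unless told otherwise)"
  must_not_be "$f" ssl_tlsv1_2            NO  "TLS 1.2 is disabled, leaving only older protocol versions"
  must_not_be "$f" ssl_ciphers            ""  "no cipher list; set one such as HIGH:-3DES:-aNULL"
  # rsa_cert_file holds the private key too: when it exists, it must not be group/world readable
  cert=$(conf_get "$f" rsa_cert_file)
  if [ -n "$cert" ] && [ -f "$cert" ]; then
    case "$(ls -ld "$cert" | cut -c5-10)" in
      ------) ;;
      *) printf '%s: rsa_cert_file %s is readable by group or others but contains the private key\n' "$f" "$cert" ;;
    esac
  fi
  if [ "$(conf_get "$f" require_ssl_reuse | upper)" = NO ]; then
    echo "note: $f: require_ssl_reuse=NO lets data connections skip TLS session reuse;" \
         "vsftpd's default YES is stricter but breaks some clients" >&2
  fi
}

# Usage: sh lint-vsftpd-ssl.sh /etc/vsftpd/vsftpd.conf [more.conf ...]
for c in "$@"; do
  lint_vsftpd_ssl "$c"
done
```

Run it as sh lint-vsftpd-ssl.sh /etc/vsftpd/vsftpd.conf; an empty stdout means every setting the page hardens is in place. The script inspects only what the file says, so a default that is merely inherited (ssl_tlsv1 left unset) is reported the same way as an explicit weak value.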