VSFTP ssl config for Red Hat 5

Hi,

I'm trying to configure VSFTP on a Red Hat 5 server using our apache ssl certificates. When I try to connect with WinSCP and "SSL: Explicit encryption", I get an error that the server certificate is not known.

After googling this error and trying to understand why I'm getting this message, it seems that the issue is that the private key is not imported on the client side. Is that correct? That doesn't seem to work how I would have pictured it.

My config:

~~~
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# Disable SSL reuse
require_ssl_reuse=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=NO
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/combined3.crt
rsa_private_key_file=/etc/httpd/conf/ksiresearch_com.key
~~~

combined3.crt was the result of concatenating the server certificate file and the intermediate.crt certificate.

Thanks!
Charles

Responses

I apologize for the bolded lines, that didn't show up during the copy and paste.

Hi Charles. The text entry here uses markup. You can get some tips on using it by clicking the "formatting help" link below the text box. The best option is to put a "~~~" above and below your comment lines so that they show up

~~~
like this
~~~

The bolded lines are actually comments.

After googling this error and trying to understand why I'm getting this message, it seems that the issue is that the private key is not imported on the client side. Is that correct? That doesn't seem to work how I would have pictured it.

The private key should be nowhere but on your server, it certainly should not be imported on your client or something.

Did you try debugging your ftps-server via

~~~
openssl s_client -host ... -port 990
~~~

From my understanding it might be a problem of your WinSCP-Client not recognizing the CA which issued your certificate.
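To make the point about the CA concrete, here is an added example (my own script, not code from the thread or from vsftpd): it builds a throwaway root, intermediate and server certificate with openssl, writes the combined file the way the question describes (server cert followed by the intermediate), and then runs the two checks worth doing before pointing rsa_cert_file and rsa_private_key_file at real files. The first check confirms the private key actually pairs with the certificate; the second reproduces what the client does, trusting only the root and relying on the server to supply the intermediate. All names, the ftp.example.test host name and the temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> server
# chain with openssl and run the checks an admin wants before pointing vsftpd's
# rsa_cert_file / rsa_private_key_file at the files. All names below are constructed.
set -eu

# Issue a demo PKI into directory $1:
#   root.crt/root.key     self-signed root; this is what the CLIENT must trust
#   int.crt/int.key       intermediate; the SERVER must send int.crt
#   server.crt/server.key leaf for the FTPS host
#   combined.crt          what rsa_cert_file should hold: leaf first, then intermediate
make_demo_pki() {
  dir=$1
  # CA extensions: without CA:TRUE, openssl verify rejects a cert as an issuer
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Leaf extensions
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ftp.example.test\n' > "$dir/leaf.ext"

  # Root CA, self-signed
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null

  # Server certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ftp.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null

  # The combined file the thread describes: server cert followed by the intermediate.
  # The root does not belong here (the client has its own copy) and the key never does.
  cat "$dir/server.crt" "$dir/int.crt" > "$dir/combined.crt"
  chmod 600 "$dir"/*.key   # private keys stay on the server, readable by root only
}

# chain_ok CAFILE CERT [UNTRUSTED]
# Succeeds when CERT chains to a root in CAFILE, using the intermediates in UNTRUSTED.
# This mirrors the client: it trusts the root, the server supplies everything else.
chain_ok() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# key_matches_cert CERT KEY
# Succeeds when the RSA modulus in CERT equals the one in KEY, i.e. the pair belongs
# together. vsftpd will not start with a mismatched rsa_cert_file / rsa_private_key_file.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Walk through the checks and print a verdict for each
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  if key_matches_cert "$d/server.crt" "$d/server.key"; then
    echo "server.crt / server.key: pair matches"
  fi
  if chain_ok "$d/root.crt" "$d/server.crt" "$d/combined.crt"; then
    echo "client trusts root.crt, server sends combined.crt: chain verifies"
  fi
  if ! chain_ok "$d/root.crt" "$d/server.crt"; then
    echo "client trusts root.crt, server sends only server.crt: chain FAILS (intermediate missing)"
  fi
  rm -rf "$d"
}

demo
```

Mapped onto the question: combined3.crt plays the role of combined.crt here, the key referenced by rsa_private_key_file stays where it is, and the file that has to reach the client is the root certificate of the CA that issued the server certificate, which WinSCP looks up in the Windows certificate store. If the chain verifies offline as above but the client still complains, the live equivalent of the last two checks for the explicit mode used in the question is `openssl s_client -connect host:21 -starttls ftp -CAfile root.crt`, whose "Verify return code" line names the exact failure.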

Yeah, that's what I figured: the private key should not leave the server, which is why I was confused as to how to make this work.

I did try debugging with openssl but I would get an error there as well, and I think we won't need to go with an SSL FTP solution after all, so I haven't spent more time on this since this was decided.

I might need to come back to this at which point I'll post more openssl attempts if I don't get anywhere.

Thank you, much appreciated!

Cheers,
Charles

You are welcome!

Maybe you also want to take a look into SFTP, which I personally highly prefer over FTPS in almost every scenario.

Kind Regards,
Andreas