How to configure vsftpd with SSL/TLS on Red Hat Enterprise Linux?

Solution Verified - Updated -


Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 4
  • vsftpd

Issue

  • How to configure vsftpd with SSL/TLS on Red Hat Enterprise Linux so that data is no longer transferred in plain text and the entire transmission is encrypted?
  • How to bind a certificate to the FTP service with SSL and TLS?
  • How do I configure vsftpd to use SSL encryption on Red Hat Enterprise Linux?
  • How to disable plaintext authentication methods or enable encryption for the FTP service?

Resolution

To use SSL/TLS encryption, the FTP server requires a certificate to be installed. Obtain a certificate from a Certificate Authority, or create a self-signed certificate (not recommended).

Configure using a CA-signed certificate

Suppose that you obtained a certificate file "www.domain.com.crt" from the CA, and that the matching private key file is placed in /etc/pki/tls/private/www.domain.com.key.

  1. Place the certificate in /etc/pki/tls/certs/www.domain.com.pem.

    # mv www.domain.com.crt /etc/pki/tls/certs/www.domain.com.pem
    
  2. Change the owner and permissions so that root is the only user that can read this file:

    # chmod 600 /etc/pki/tls/certs/www.domain.com.pem
    # chown root:root /etc/pki/tls/certs/www.domain.com.pem
    
  3. Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and append or modify the options shown below:

    ssl_enable=YES
    
    # To allow anonymous users to use SSL
    allow_anon_ssl=YES
    
    # To force anonymous users to use SSL
    force_anon_data_ssl=YES
    force_anon_logins_ssl=YES
    
    # To force local users to use SSL
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    
    # The following options depend on the protocol versions you require
    # for TLS version 1
    ssl_tlsv1=YES
    # for SSL version 2
    ssl_sslv2=YES
    # for SSL version 3
    ssl_sslv3=YES
    
    # These values must be adjusted according to your environment
    rsa_cert_file=/etc/pki/tls/certs/www.domain.com.pem
    rsa_private_key_file=/etc/pki/tls/private/www.domain.com.key
    

    Note: For IBM's z/OS mainframe FTP client, the following options may need to be used. For further details refer to FTP client running on a mainframe fails when connecting via SSL.

    # Uncomment ssl_request_cert option if SSL/TLS connection is used by IBM's zOS ftp client
    # read man vsftpd.conf for further information
    # ssl_request_cert=no
    # require_ssl_reuse=no
    

Note: IBM's z/OS client reports a bad MAC error after the recent vsftpd-2.2.2-21.el6 update:

Error: SSL_accept failed: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Root cause: prior to vsftpd-2.2.2-21.el6, DES-CBC3-SHA was the default cipher. The update added the ciphers "AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA" to the default parameter in the tunables.c file.

  • Workaround in vsftpd.conf:

    ssl_ciphers=DES-CBC3-SHA
    ssl_tlsv1_1=yes

  • What would be the impact of having all SSL/TLS versions enabled in vsftpd.conf?

    ssl_tlsv1=YES
    ssl_tlsv1_1=YES
    ssl_tlsv1_2=YES

Answer: Enabling a continuous range of TLS versions (v1 to v1.2) is fine. It is a bit complex, but it closely mirrors the OpenSSL API.

Note: The above directives enable SSL for local users but disable SSL for anonymous connections, and force SSL for data transfers and logins. For a more detailed description of the available directives, see the vsftpd.conf man page (man vsftpd.conf).

  4. Restart the vsftpd service.

    SysV init:
    # service vsftpd restart
    Systemd:
    # systemctl restart vsftpd
    

Configure using a self-signed certificate

  1. Generate a self-signed certificate in the /etc/vsftpd directory.

    To create a self-signed certificate on Red Hat Enterprise Linux 4:

    # cd /usr/share/ssl/certs
    # make /etc/vsftpd/vsftpd.pem
    

    To create a self-signed certificate on Red Hat Enterprise Linux 5 and 6:

    # cd /etc/pki/tls/certs/
    # make /etc/vsftpd/vsftpd.pem
    

    To create a self-signed certificate on Red Hat Enterprise Linux 7 and 8:

    # cd /etc/vsftpd/
    # openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.key -out vsftpd.pem
    
  2. Change the permissions so that root is the only user that can read this file:

    # chmod 600 /etc/vsftpd/vsftpd.pem
    
  3. Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and append or modify the options shown below.

    ssl_enable=YES
    
    # To allow anonymous users to use SSL
    allow_anon_ssl=YES
    
    # To force anonymous users to use SSL
    force_anon_data_ssl=YES
    force_anon_logins_ssl=YES
    
    # To force local users to use SSL
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    
    # Permit TLS v1 protocol connections. TLS v1 connections are preferred
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    
    rsa_cert_file=/etc/vsftpd/vsftpd.pem
    

    Note: For IBM's z/OS mainframe FTP client, the following options may need to be used. For further details refer to FTP client running on a mainframe fails when connecting via SSL.

    # Uncomment ssl_request_cert option if SSL/TLS connection is used by IBM's zOS ftp client
    # read man vsftpd.conf for further information
    # ssl_request_cert=no
    # require_ssl_reuse=no
    

    Note: The above directives enable SSL for local users but disable SSL for anonymous connections, and force SSL for data transfers and logins. For a more detailed description of the available directives, see the vsftpd.conf man page (man vsftpd.conf).

  4. Restart the vsftpd service.

    SysV init:
    # service vsftpd restart
    Systemd:
    # systemctl restart vsftpd
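
The two vsftpd.conf blocks above (CA-signed and self-signed) differ mainly in whether ssl_sslv2 and ssl_sslv3 are set to YES or NO, and a typo in any of the force_*_ssl directives silently reopens a plaintext path. Because vsftpd reads its configuration as plain option=value lines, checking a file for those conditions is easy to script. The audit below parses a vsftpd.conf, fills in the man-page default for every SSL directive that is not set explicitly, and reports settings that leave logins or data transfers unencrypted. This is an added example, not Red Hat's or the vsftpd project's own tooling; the two embedded configurations are constructed to mirror the blocks on this page, the default table is taken from the vsftpd.conf man page, and the function names and finding texts are my own.

```python
"""Audit the SSL/TLS directives of a vsftpd.conf (added example, not vsftpd's own code)."""
from typing import Dict, List

# Defaults for the SSL-related booleans as documented in the vsftpd.conf man page.
# A directive that is absent from the file takes its default value.
SSL_DEFAULTS: Dict[str, str] = {
    "ssl_enable": "NO",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "allow_anon_ssl": "NO",
    "force_anon_logins_ssl": "NO",
    "force_anon_data_ssl": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf text: one option=value per line, lines starting with '#'
    are comments, and a later assignment of an option overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def is_yes(value: str) -> bool:
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0 for booleans, case-insensitively."""
    return value.strip().upper() in ("YES", "TRUE", "1")


def audit_ssl_settings(text: str) -> List[str]:
    """Return a list of findings; an empty list means the SSL settings are sound."""
    conf = parse_vsftpd_conf(text)
    # Effective value: the explicit setting if present, otherwise the documented default.
    eff = {opt: conf.get(opt, default) for opt, default in SSL_DEFAULTS.items()}
    findings: List[str] = []

    if not is_yes(eff["ssl_enable"]):
        findings.append("ssl_enable is not YES: logins and data are transferred in plaintext")
        return findings  # nothing else matters until SSL is switched on

    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if is_yes(eff[proto]):
            findings.append(f"{proto}=YES: obsolete protocol enabled, set it to NO")

    for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not is_yes(eff[opt]):
            findings.append(f"{opt}=NO: local users may log in or move data unencrypted")

    if is_yes(eff["allow_anon_ssl"]):
        for opt in ("force_anon_logins_ssl", "force_anon_data_ssl"):
            if not is_yes(eff[opt]):
                findings.append(f"{opt}=NO: anonymous sessions may fall back to plaintext")

    if "rsa_cert_file" not in conf:
        findings.append("rsa_cert_file not set: vsftpd will use its built-in default certificate path")

    # A single-cipher 3DES list is the z/OS compatibility workaround, not a general setting.
    ciphers = conf.get("ssl_ciphers", "")
    if ciphers and ciphers.split(":") == ["DES-CBC3-SHA"]:
        findings.append("ssl_ciphers offers only DES-CBC3-SHA (3DES): keep this to the mainframe workaround")
    return findings


# Constructed sample: mirrors the CA-signed block on this page (SSLv2/SSLv3 left on).
WEAK_CONF = """\
ssl_enable=YES
allow_anon_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/pki/tls/certs/www.domain.com.pem
rsa_private_key_file=/etc/pki/tls/private/www.domain.com.key
"""

# Constructed sample: the same block with the obsolete protocols switched off.
HARDENED_CONF = WEAK_CONF.replace("ssl_sslv2=YES", "ssl_sslv2=NO").replace("ssl_sslv3=YES", "ssl_sslv3=NO")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ssl_settings(conf) or ['no findings']}")
```

Run it against a real file with `audit_ssl_settings(open("/etc/vsftpd/vsftpd.conf").read())`; the audit only reads the configuration, so it is safe to run before the restart step, and a non-empty result is the cue to fix the file first.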
    

Test

  • Use lftp from a client to verify that FTPS is configured correctly:

    # lftp -d -u <username> -e 'set ssl:verify-certificate no' <IP address of ftps server>

For example,

# lftp -d -u anonymous -e 'set ssl:verify-certificate no' 192.168.xxx.xx

lftp anonymous@192.168.xxx.xx:~> ls    
---- Connecting to 192.168.xxx.xx (192.168.xxx.xx) port 21
<--- 220 (vsFTPd 2.2.2)
---> FEAT
<--- 211-Features:
<---  AUTH SSL
<---  AUTH TLS
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  PBSZ
<---  PROT
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> AUTH TLS   <====This request should pass.
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
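
The lftp -d transcript is the evidence that the login really went over TLS: the server must advertise AUTH TLS in its FEAT reply, answer the client's AUTH TLS with 234, and only after that should USER and PASS appear on the wire. The helper below applies exactly those three checks to a saved transcript, so the verification can be scripted across many servers instead of read by eye. This is an added example and not part of the original article; the two transcripts embedded in it are constructed (one modelled on the successful session shown above, one showing a server that has ssl_enable off), and the function and result key names are my own.

```python
"""Check an `lftp -d` transcript for a correctly negotiated AUTH TLS login (added example)."""
from typing import Dict


def check_ftps_transcript(transcript: str) -> Dict[str, bool]:
    """Walk the client (--->) and server (<---) lines of an lftp debug transcript.

    Returns whether the server advertised AUTH TLS in its FEAT reply, whether the
    client's AUTH TLS was accepted with a 234 reply, and whether USER or PASS was
    sent before that acceptance (i.e. credentials crossed the wire in plaintext)."""
    result = {"auth_tls_advertised": False, "auth_tls_accepted": False, "plaintext_login": False}
    awaiting_auth_reply = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("<---"):
            reply = line[4:].strip()
            if reply.startswith("AUTH TLS"):          # feature line inside the 211- FEAT block
                result["auth_tls_advertised"] = True
            elif awaiting_auth_reply and reply[:3].isdigit():
                # The first numeric reply after AUTH TLS decides the outcome.
                result["auth_tls_accepted"] = reply.startswith("234")
                awaiting_auth_reply = False
        elif line.startswith("--->"):
            words = line[4:].split()
            if not words:
                continue
            cmd = words[0].upper()
            if cmd == "AUTH" and len(words) > 1 and words[1].upper() == "TLS":
                awaiting_auth_reply = True
            elif cmd in ("USER", "PASS") and not result["auth_tls_accepted"]:
                result["plaintext_login"] = True
    return result


# Constructed transcript modelled on the successful session above, continued to the login.
GOOD_TRANSCRIPT = """\
---- Connecting to 192.168.xxx.xx (192.168.xxx.xx) port 21
<--- 220 (vsFTPd 2.2.2)
---> FEAT
<--- 211-Features:
<---  AUTH SSL
<---  AUTH TLS
<---  PBSZ
<---  PROT
<--- 211 End
---> AUTH TLS   <====This request should pass.
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
---> USER anonymous
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.
"""

# Constructed transcript of a server with SSL disabled: AUTH is rejected and the
# client falls back to a plaintext login.
BAD_TRANSCRIPT = """\
---- Connecting to 192.168.xxx.xx (192.168.xxx.xx) port 21
<--- 220 (vsFTPd 2.2.2)
---> FEAT
<--- 211-Features:
<---  PASV
<---  SIZE
<--- 211 End
---> AUTH TLS
<--- 530 Please login with USER and PASS.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS XXXX
"""

if __name__ == "__main__":
    print("good:", check_ftps_transcript(GOOD_TRANSCRIPT))
    print("bad: ", check_ftps_transcript(BAD_TRANSCRIPT))
```

Capture a session with `lftp -d ... 2>&1 | tee session.log` and feed the file to `check_ftps_transcript`; a result with plaintext_login set to True means the server is still accepting unencrypted logins and the force_local_logins_ssl/force_anon_logins_ssl settings need another look.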

Comments

  • Use a client that supports the ftps protocol, for Linux, gftp does this quite well, however it initially rejects self-signed server certificates. This can be fixed by disabling the "Verify SSL Peer" setting in options. When making connections, be sure to select the FTPS protocol.

  • For Windows, the SmartFTP client is also capable of TLS/SSL connections. The FTP server first needs to be configured as a "Favourite Site", then the properties need to be adjusted to use the "FTP over SSL Explicit" protocol. Save the changes and connect.

  • To connect over FTP with TLS/SSL: install the FireFTP plugin in Firefox, restart Firefox, and try to connect to "ftps://IP".

  • To enable connections from FileZilla to a RHEL-6 server, adjust the ssl_ciphers option.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
