Setup TLS for vsftpd

Looking for the command set needed to set up TLS security for use with vsftpd-tls. Do I need to create a private key, public key, etc. for use with vsftpd? I've already successfully set up vsftpd (no TLS), uninstalled it, then replaced it with vsftpd-tls. My /etc/vsftpd.conf is below.

The service vsftpd is stopped since I keep getting an error whenever I restart the service.

root@OpenWrt:~# service vsftpd restart
500 OOPS: SSL: cannot load RSA certificate

My /etc/vsftpd.conf file; I noticed it includes an example key generation command, but I'm not sure what to do with it.

background=YES
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
chroot_local_user=YES
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
session_support=NO
#syslog_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
ssl_enable=YES
#allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem
pasv_enable=Yes
pasv_max_port=31000
pasv_min_port=30000

Oh wait, I issued the example command from the vsftpd.conf file, which appears to generate a key. I uncommented the locations of rsa_cert and rsa_private, and now I get no error when I start the vsftpd service. The service status says that vsftpd is stopped, though, instead of running when setup is OK.

Also opened firewall port 990 and closed port 21 (insecure FTP).

Edited this post: added a FileZilla pic of the response below.

[screenshot: Capture]
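The "500 OOPS: SSL: cannot load RSA certificate" error above comes up whenever vsftpd cannot read the files named by rsa_cert_file / rsa_private_key_file. As an added example (not code from the thread or from the vsftpd project), the script below runs the same openssl one-liner the config comment suggests, then checks the things that commonly go wrong before the service is restarted: that the certificate and key actually belong together, that the key is readable only by root, and what subject/expiry were generated. It also includes a probe for checking, from another box, that the listening port really answers with TLS. The /etc/vsftpd paths and the DE/Saxony/Leipzig/OpenWrt subject are taken from the thread; everything else is assumption.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of vsftpd itself.
# Generate the self-signed certificate suggested in vsftpd.conf and verify
# it before pointing rsa_cert_file / rsa_private_key_file at it.
# Paths below mirror the thread's config; override CERT_DIR to test elsewhere.

CERT_DIR="${CERT_DIR:-/etc/vsftpd}"
CERT="$CERT_DIR/vsftpd_cert.pem"
KEY="$CERT_DIR/vsftpd_privkey.pem"

# gen_selfsigned CERT KEY
# 2048-bit RSA key plus a self-signed certificate valid for one year.
# -nodes leaves the key unencrypted, which vsftpd needs to start unattended,
# so the key file must be readable by root only.
gen_selfsigned() {
    mkdir -p "$(dirname "$2")"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$2" -out "$1" \
        -subj "/C=DE/ST=Saxony/L=Leipzig/CN=OpenWrt" 2>/dev/null || return 1
    chmod 600 "$2" && chmod 644 "$1"
}

# keypair_matches CERT KEY
# Succeeds only if the public key inside the certificate is the one derived
# from the private key. A mismatched or unreadable pair is one of the ways
# vsftpd ends up with "cannot load RSA certificate".
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_perms_ok KEY
# Succeeds if the private key is not group- or world-readable.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# cert_summary CERT
# Prints subject and expiry so the operator can see what was generated.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# probe_tls HOST:PORT [explicit|implicit]
# From another machine, confirm the port really speaks TLS. "explicit" sends
# AUTH TLS on a plain FTP connection (port 21 style); "implicit" expects TLS
# immediately, which is the usual expectation for port 990.
# Prints the server certificate's subject; not exercised offline.
probe_tls() {
    mode="${2:-implicit}"
    if [ "$mode" = "explicit" ]; then
        openssl s_client -connect "$1" -starttls ftp </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1" </dev/null 2>/dev/null
    fi | openssl x509 -noout -subject
}

# Full procedure as root: generate, then refuse to proceed on a bad pair.
setup_vsftpd_cert() {
    gen_selfsigned "$CERT" "$KEY" || return 1
    keypair_matches "$CERT" "$KEY" || { echo "cert/key mismatch" >&2; return 1; }
    key_perms_ok "$KEY" || { echo "key is readable by others" >&2; return 1; }
    cert_summary "$CERT"
}
```

Source the file and run `setup_vsftpd_cert` as root, then uncomment the two rsa_* lines in /etc/vsftpd.conf and restart the service; if `keypair_matches` fails, regenerate both files together rather than reusing an old key with a new certificate.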

Wow, I uncommented the allow_anon_ssl line, and then I was able to log in using FileZilla, but it directs me into the root / folder. Successful login using WinSCP too, with the same result.

[screenshot: Capture]

When I used vsftpd without TLS, my login directed me to the path in the /etc/passwd file, for example "ftpuser:x:1000:65534:ftpuser:/mnt/Music:/bin/false". I would be directed into /mnt/Music when logged in, but with TLS I'm dumped into the root / folder. How do I fix this?

Here's my configuration file; I can connect with it, but login goes to the /root folder.

background=YES
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
chroot_local_user=YES
#dirmessage_enable=YES
ftpd_banner=Welcome to MyOwn FTP service.
session_support=NO
#syslog_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
listen_port=990
rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem
pasv_enable=Yes
pasv_max_port=31000
pasv_min_port=30000

Hooraaaay !!! My 3 HDDs were not mounted; I mounted them from the command line because LuCI/OpenWrt 22 does not mount them, and now I'm in the proper directory! Took me months to get this working...
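The resolution above is worth turning into a check, because with chroot_local_user=YES the home directory from /etc/passwd is exactly the "/" a client is shown: an unmounted /mnt/Music is still a directory (the empty mount point), so the login succeeds and the user sees an empty root. As an added example (not code from the thread or from vsftpd), the script below reads each user in vsftpd's userlist file, looks up the home directory in passwd, checks that it exists, and, for homes under the data directory, checks that the longest matching mount point in /proc/mounts is not "/" itself. The PASSWD_FILE, MOUNTS_FILE and DATA_ROOT variables default to the real system files and /mnt; they are assumptions, overridable so the check can run against constructed data.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of vsftpd itself.
# Verify that every vsftpd user has a home directory that exists and, when it
# lives under DATA_ROOT (the thread's /mnt), that a filesystem is mounted
# there. Defaults point at the live system; override for testing.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
DATA_ROOT="${DATA_ROOT:-/mnt}"

# home_of USER  -> prints the 6th passwd field, fails if the user is absent.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }' \
        "$PASSWD_FILE"
}

# mount_root_of PATH -> prints the longest mount point that is a prefix of
# PATH (the filesystem PATH actually lives on). "/" is matched specially
# because "//" is never a prefix of a normal path.
mount_root_of() {
    awk -v p="$1" '
        { m = $2
          if ((m == "/" || index(p "/", m "/") == 1) && length(m) > length(best))
              best = m }
        END { print best }' "$MOUNTS_FILE"
}

# check_user USER -> prints one of:
#   nouser      user not in passwd
#   missing     home directory does not exist
#   notmounted  home is under DATA_ROOT but still on the root filesystem,
#               i.e. the disk is not mounted and the user would see an empty
#               "/" after chroot
#   ok          home present (and mounted when under DATA_ROOT)
# Returns non-zero for anything other than ok.
check_user() {
    home=$(home_of "$1") || { echo nouser; return 1; }
    [ -d "$home" ] || { echo missing; return 1; }
    case "$home" in
        "$DATA_ROOT"/*)
            [ "$(mount_root_of "$home")" != "/" ] || { echo notmounted; return 1; } ;;
    esac
    echo ok
}

# check_userlist FILE -> runs check_user for each account listed in vsftpd's
# userlist_file, printing "user status" per line; non-zero if any is not ok.
check_userlist() {
    rc=0
    while IFS= read -r u; do
        [ -z "$u" ] && continue
        status=$(check_user "$u") || rc=1
        echo "$u $status"
    done < "$1"
    return $rc
}
```

On the router this is `. ./ftp-home-check.sh && check_userlist /etc/vsftpd/vsftpd.users`; a `notmounted` result means mount the disk (or fix the fstab/LuCI mount entry) rather than touching the TLS settings.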
