Dave's Brain

Browse - Computer Tips - How do I make TLS/SSL work with vsftpd?

Date: 2007dec14 
OS: Linux

Q.  How do I make TLS/SSL work with vsftpd?

A.  Here's what to do on a RedHat/Fedora/CentOS box.

Create a self-signed certificate:

cd /etc/pki/tls/certs make vsftpd.pem
Add this to your /etc/vsftpd/vsftpd.conf file:
# Enable SSL/TLS ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES
ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
# Doesn't have to be these port number but needs to be some range. # Usually in the high end. pasv_min_port=40000 pasv_max_port=40100
Restart vsftpd:
systemctl restart vsftpd
Then you need to tweak your firewall. For non-encrypted ftp connections the ip_conntrack_ftp module keeps track of passive connections and options the needed port but now the session is encrypted it can't spy. So we'll need to open the port range we specified above:
iptables -A block -m state --state NEW -p TCP --dport 40000:40100 -j ACCEPT
Finally, test it with FileZilla or other modern ftp client. This setup works for me.

Add a comment

Sign in to add a comment
Copyright © 2008-2017, dave - Code samples on Dave's Brain is licensed under the Creative Commons Attribution 2.5 License. However other material, including English text has all rights reserved.