Date: 2007dec14
OS: Linux
Q. How do I make TLS/SSL work with vsftpd?
A. Here's what to do on a RedHat/Fedora/CentOS box.
Create a self-signed certificate:
cd /etc/pki/tls/certs
make vsftpd.pem
Add this to your /etc/vsftpd/vsftpd.conf file:
# Enable SSL/TLS
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
# These don't have to be exactly these port numbers, but some range is needed
# (usually in the high end) so the firewall rule below can match it.
pasv_min_port=40000
pasv_max_port=40100
Restart vsftpd:
systemctl restart vsftpd
Then you need to tweak your firewall. For unencrypted FTP connections the
ip_conntrack_ftp module watches the control channel, tracks the passive data
connections and opens the needed port on the fly; now that the session is
encrypted it cannot see the PASV replies, so we need to open the port range
we specified above explicitly:
iptables -A block -m state --state NEW -p TCP --dport 40000:40100 -j ACCEPT
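As an added example that is not part of the original note, the following POSIX shell script audits a vsftpd.conf for the settings listed above (TLS enabled and enforced for logins and data, anonymous SSL off, SSLv2/SSLv3 off, a certificate set, a sane passive port range) and derives the iptables rule for the passive range from the file instead of retyping it. The two config files it checks are constructed samples written to temporary files; the chain name passed to pasv_iptables_rule is an assumption, since the note uses a custom chain named "block".

```shell
#!/bin/sh
# Added example, not from the original note: audit vsftpd.conf TLS settings
# and derive the passive-port firewall rule from the configured range.

# Print the value of KEY from a vsftpd.conf-style file (KEY=VALUE lines,
# '#' comments); prints the last occurrence, or nothing if the key is unset.
vsftpd_get() {
    sed -n -e 's/^[[:space:]]*'"$2"'=\(.*\)$/\1/p' "$1" | tail -n 1
}

# Check the TLS-related keys against the values the note recommends.
# One FAIL line per problem goes to stderr; the number of problems to stdout.
vsftpd_tls_audit() {
    cfg=$1
    fails=0
    for kv in ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
              force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(vsftpd_get "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key=${got:-<unset>} (expected $want)" >&2
            fails=$((fails + 1))
        fi
    done
    if [ -z "$(vsftpd_get "$cfg" rsa_cert_file)" ]; then
        echo "FAIL: rsa_cert_file not set" >&2
        fails=$((fails + 1))
    fi
    lo=$(vsftpd_get "$cfg" pasv_min_port)
    hi=$(vsftpd_get "$cfg" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "FAIL: pasv_min_port/pasv_max_port missing or inverted" >&2
        fails=$((fails + 1))
    fi
    echo "$fails"
}

# Build the iptables rule for the passive range in config $1 on chain $2
# (the note uses a custom chain called "block"; INPUT is the usual default).
pasv_iptables_rule() {
    lo=$(vsftpd_get "$1" pasv_min_port)
    hi=$(vsftpd_get "$1" pasv_max_port)
    echo "iptables -A $2 -m state --state NEW -p TCP --dport ${lo}:${hi} -j ACCEPT"
}

# Constructed sample: the configuration recommended in the note.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
# Enable SSL/TLS
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
pasv_min_port=40000
pasv_max_port=40100
EOF

# Constructed sample: TLS switched on but data channel not enforced,
# SSLv3 left enabled, and no passive range configured.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
EOF
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_WEAK"' EXIT

echo "good config: $(vsftpd_tls_audit "$SAMPLE_GOOD") problem(s)"
echo "weak config: $(vsftpd_tls_audit "$SAMPLE_WEAK") problem(s)"
echo "firewall rule: $(pasv_iptables_rule "$SAMPLE_GOOD" block)"
```

Run it against /etc/vsftpd/vsftpd.conf instead of the samples to check a live box; a non-zero count means the control or data channel can still fall back to plaintext, or the passive range and the firewall rule will not line up.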
Finally, test it with FileZilla or another modern FTP client that supports explicit FTPS (FTP over TLS).
This setup works for me.