Old 01-21-2009, 10:35 AM   #1
stringZ
Member
 
Registered: Dec 2006
Posts: 42

Rep: Reputation: 15
vsftpd SSL problem (522 SSL connection failed)


Hey there,

I have a problem with vsftpd (latest version available, 2.1.0pre3) SSL. I've configured it to a nonstandard port, 65440, disabled connect_from_port_20 and run it as a normal user, from my home directory. I can't use the SSL feature: every time I connect, it only gets as far as the login process. After logging in, I get the following error (when the data transfer for the LIST command would start):

522 SSL connection failed; session reuse required

My vsftpd.conf looks like this
Code:
local_enable=NO
write_enable=YES
secure_email_list_enable=YES
email_password_file=/home/stringz/vsftpd/logins

# local_umask=022
dirmessage_enable=NO

vsftpd_log_file=/dev/null
xferlog_file=/dev/null
xferlog_enable=NO

connect_from_port_20=NO
idle_session_timeout=3600
data_connection_timeout=120
run_as_launching_user=YES

anonymous_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=NO

async_abor_enable=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome!

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# chroot_list_enable=YES
# (default follows)
# chroot_list_file=/etc/vsftpd.chroot_list

ls_recurse_enable=NO
listen=YES
listen_address=<myipaddress>
listen_port=65440
listen_ipv6=NO

pasv_enable=YES
pasv_min_port=65441
pasv_max_port=65480


# chroot_local_user=YES

ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/home/stringz/vsftpd/vsftpd.pem
The client is Total Commander 7.02; there hasn't been any problem with its SSL yet, and this only occurs when connecting to my vsftpd.
What could be the problem?

Thanks
stringZ

Last edited by stringZ; 01-21-2009 at 10:37 AM.
 
Old 01-22-2009, 06:15 AM   #2
rizhun
Member
 
Registered: Jun 2005
Location: England
Distribution: Ubuntu, SLES, AIX
Posts: 268

Rep: Reputation: 47
Hello,

I had exactly the same problem when setting up VSFTPD with SSL.

After a LOT of messing around I tracked it down to a problem with our firewall.

The firewall was running PIX which was inspecting the FTP traffic. The login was fine (running over port 21), but when it tried to transfer data (over the PASV port range) the firewall couldn't read the encrypted data and therefore couldn't open the correct PASV port.

Try temporarily putting the FTP server in your DMZ and see if it fixes the problem... If it does, you know you're on the right track!

Hope this is useful.
 
Old 01-22-2009, 08:54 AM   #3
stringZ
Member
 
Registered: Dec 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rizhun
Hello,

I had exactly the same problem when setting up VSFTPD with SSL.

After a LOT of messing around I tracked it down to a problem with our firewall.

The firewall was running PIX which was inspecting the FTP traffic. The login was fine (running over port 21), but when it tried to transfer data (over the PASV port range) the firewall couldn't read the encrypted data and therefore couldn't open the correct PASV port.

Try temporarily putting the FTP server in your DMZ and see if it fixes the problem... If it does, you know you're on the right track!

Hope this is useful.
Hey, thanks for your answer. The client side had a firewall; I turned it off now for testing, but no success. There's no firewall at the server side; iptables looks like this
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Is it possible that vsftpd tries to open a port for secure data transfer below 1024 (e.g. 20 or something) but can't because of Unix socket permissions (non-root)?
 
Old 01-22-2009, 12:17 PM   #4
rizhun
Member
 
Registered: Jun 2005
Location: England
Distribution: Ubuntu, SLES, AIX
Posts: 268

Rep: Reputation: 47
Hmmm...

Well it's obviously not the problem I experienced.

Your iptables look fine...

I found this on the web:

Quote:
Should the server not like the TLS negotiation then it will close the data port immediately and follow the 150 command with a 522 reply indicating that the TLS negotiation failed or was unacceptable.
Source -- http://tools.ietf.org/html/draft-murray-auth-ftp-ssl-04

Try using WinSCP to connect and crank up the logging, see if you can't find a more helpful error!
 
Old 01-23-2009, 05:13 AM   #5
stringZ
Member
 
Registered: Dec 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rizhun
Try using WinSCP to connect and crank up the logging, see if you can't find a more helpful error!
Unfortunately I can't do it with WinSCP. This would be a password-secured anonymous FTP (take a look at the config) that is used by more than one person without knowing each other's passwords. In this case WinSCP would be insecure, because it'd grant them full SSH access to my account. That's why I must stick to this kind of FTP solution.
 
Old 01-27-2009, 04:53 AM   #6
stringZ
Member
 
Registered: Dec 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Anyone here?
 
Old 02-25-2009, 07:00 AM   #7
ash_sids
LQ Newbie
 
Registered: Feb 2009
Posts: 1

Rep: Reputation: 0
I had the same issue with vsftpd 2.1.0

When compiling vsftpd there is a parameter "tunable_require_ssl_reuse" in the tunables.c file; this should be set to '0' if you do not want to enable this option. In vsftpd.conf there is a parameter as well, "require_ssl_reuse", which is set to YES by default; this should also be set to NO to disable this.

Restart vsftpd and see.

I had another weird issue: I used the Glub Tech ftp client to test ftps. Initially it would not let me log on via ftps.
But when I logged in using ftp and then disconnected, I was able to log on via ftps as well.
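The setting named above is the one behind the original poster's "522 SSL connection failed; session reuse required" (vsftpd.conf(5) documents require_ssl_reuse as defaulting to YES: every TLS data connection must resume the control channel's TLS session, which proves it belongs to the same authenticated client). Disabling it makes older clients work but removes that binding between control and data channels. The following is an added example, not code from this thread, its posters, or the vsftpd project: a small Python 3 audit script that parses a vsftpd.conf (the sample is constructed from the original poster's config, trimmed), applies the man-page defaults for keys that are not set, and reports what the effective settings mean. The key names and defaults come from the vsftpd 2.x man page; the helper names (parse_vsftpd_conf, effective, audit_ssl_settings) and the finding codes are this example's own.

```python
"""Audit a vsftpd.conf for the TLS session-reuse requirement and related
settings. Added example; not from the thread or the vsftpd project.
Defaults are taken from vsftpd.conf(5) for vsftpd 2.x."""

# Constructed sample, trimmed from the original poster's vsftpd.conf.
SAMPLE_CONF = """\
# password-protected anonymous FTPS on a high port, run as a normal user
local_enable=NO
write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_world_readable_only=NO
listen_port=65440
pasv_enable=YES
pasv_min_port=65441
pasv_max_port=65480
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/home/stringz/vsftpd/vsftpd.pem
"""

# Man-page defaults (vsftpd 2.x) for the keys this audit looks at.
DEFAULTS = {
    "ssl_enable": "NO",
    "require_ssl_reuse": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "allow_anon_ssl": "NO",
    "local_enable": "YES",
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")


def parse_vsftpd_conf(text):
    """Return {key: value} from key=value lines. vsftpd skips blank lines and
    lines beginning with '#'; it is stricter than this (no whitespace around
    '='), so stripping here only makes the audit more forgiving."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value in force for a boolean key: explicit setting, else the default."""
    value = settings.get(key, DEFAULTS.get(key, ""))
    return value.upper() if value.upper() in ("YES", "NO") else value


def audit_ssl_settings(settings):
    """Return a list of (code, message) findings for the effective config."""
    findings = []
    if effective(settings, "ssl_enable") != "YES":
        findings.append(("SSL_OFF", "ssl_enable is not YES; FTPS is disabled"))
        return findings
    if effective(settings, "require_ssl_reuse") == "YES":
        findings.append(("SSL_REUSE_REQUIRED",
                         "require_ssl_reuse is YES (the default): each data "
                         "connection must resume the control-channel TLS "
                         "session; a client that opens a fresh TLS session on "
                         "the data port gets '522 SSL connection failed; "
                         "session reuse required'"))
    else:
        findings.append(("SSL_REUSE_DISABLED",
                         "require_ssl_reuse is NO: data connections are no "
                         "longer proven to belong to the authenticated "
                         "control session"))
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if effective(settings, key) == "YES":
            findings.append(("LEGACY_SSL", f"{key}=YES enables an obsolete protocol"))
    if (effective(settings, "local_enable") == "YES"
            and effective(settings, "force_local_data_ssl") == "NO"):
        findings.append(("PLAINTEXT_DATA",
                         "local users may transfer data without TLS"))
    if effective(settings, "anonymous_enable") == "YES":
        writes = [k for k in ANON_WRITE_KEYS if effective(settings, k) == "YES"]
        if writes:
            findings.append(("ANON_WRITE",
                             "anonymous users can write: " + ", ".join(writes)))
        if effective(settings, "allow_anon_ssl") == "NO":
            findings.append(("ANON_NO_SSL",
                             "anonymous sessions cannot use TLS (allow_anon_ssl=NO)"))
    return findings


def codes(findings):
    """Just the finding codes, for quick checks."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for code, msg in audit_ssl_settings(parse_vsftpd_conf(SAMPLE_CONF)):
        print(f"[{code}] {msg}")
```

Run against the sample, the script reports SSL_REUSE_REQUIRED (the key is unset, so the default YES applies) and ANON_WRITE; appending require_ssl_reuse=NO flips the first finding to SSL_REUSE_DISABLED. The alternative to disabling the check is a client that resumes the control-channel session on the data connection, which is what current versions of Python's ftplib.FTP_TLS do.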
 
Old 04-28-2009, 12:34 AM   #8
mjjzr
LQ Newbie
 
Registered: Sep 2006
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by ash_sids
I had the same issue with vsftpd 2.1.0

In vsftpd.conf there is a parameter as well "require_ssl_reuse" which is by default set to YES, this should also be set to NO to disable this.

Hi, that's solved my problem. Thanks a lot.

Before I set require_ssl_reuse=NO,
my client always said:
Error: Failed to retrieve directory listing
and the server always said:
No SSL session reuse on data channel.
 
Old 05-05-2009, 03:27 PM   #9
stringZ
Member
 
Registered: Dec 2006
Posts: 42

Original Poster
Rep: Reputation: 15
Thanks for the reply ash_sids, this helped me a lot.
 