LinuxQuestions.org
Linux - Server: VSFTPD with SSL - timeouts (http://www.linuxquestions.org/questions/linux-server-73/vsftpd-with-ssl-timeouts-4175440271/)

durst_fred 12-06-2012 08:35 AM

VSFTPD with SSL - timeouts
 
Hi,

Trying to set up an FTP server with virtual users and SSL (users will connect from outside the LAN) on CentOS. Everything else is working fine, but when I enable SSL (just TLS), my client starts experiencing difficulties with directory listing and general connectivity.

I can join the server without issue, but when I refresh or change directories, my client (FireFTP Firefox plugin) works and works and more often than not drops me from the server. It can reconnect in less than one second, but the same problem will occur when I try to do anything.

When I create/modify a file or directory, the client starts spinning, trying to do its work. It will almost always disconnect before it shows that the file/dir was created/modified successfully, but when I actually look at the ftp directory in CentOS, I can see the change was successful even before the client drops.

here's my vsftpd.conf: http://pastebin.com/cQTdwqAP


The purpose of the server is to allow remote users to upload large video files, so intermittent connectivity is not an option.

When I comment out ssl_enable, the problem disappears.

I'm normally connecting using my WAN IP since that's what the regular clients will use, but when I use localhost or the LAN IP the same problem happens.

Thanks in advance.

Wim Sturkenboom 12-07-2012 03:14 AM

Anything in the logs? I'm not a CentOS user so not sure which logs; but you can do a grep for your IP address or for vsftp in /var/log in an attempt to find the correct log.

durst_fred 12-07-2012 09:33 AM

This is the content of the /var/log/vsftpd.log file with ssl_debug enabled in vsftpd.conf

Code:

Fri Dec  7 10:33:16 2012 [pid 9441] [virtualuser] OK LOGIN: Client "xxx.xxx.xxx.xxx"
Fri Dec  7 10:49:49 2012 [pid 9769] CONNECT: Client "xxx.xxx.xxx.xxx"
Fri Dec  7 10:49:49 2012 [pid 9769] DEBUG: Client "xxx.xxx.xxx.xxx", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"

Where "xxx.xxx.xxx.xxx" is the WAN IP

I've deleted vsftpd.pem and regenerated it. Same problem

unSpawn 12-07-2012 09:52 AM

Did your vsftpd.conf work OK without SSL? Are you sure it's not a firewall / port issue wrt FTP vs FTPS (TCP 21 vs 990)? Is this a self-signed certificate? If client-side allows for debugging, what does its debug log say? If not try 'lftp' and check trace / debug settings.

durst_fred 12-07-2012 10:21 AM

Quote:

Originally Posted by unSpawn (Post 4844607)
Did your vsftpd.conf work OK without SSL? Are you sure it's not a firewall / port issue wrt FTP vs FTPS (TCP 21 vs 990)? Is this a self-signed certificate? If client-side allows for debugging, what does its debug log say? If not try 'lftp' and check trace / debug settings.

Everything works perfectly when I comment out ssl_enable, but having a plaintext password is not acceptable for my case.

I was thinking it might have been a port forwarding issue, since WAN FTP traffic gets forwarded from modem to router and router to server, but the same problem happens when I use localhost or the server internal IP instead of the WAN IP. I've also taken the router out of the equation, connected the server right to the modem, and forwarded FTP traffic directly from modem to server and nothing changes.

The cert is self-signed. I created it using this command:
Code:

[root@vps] openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
 -keyout /etc/vsftpd/vsftpd.pem \
 -out /etc/vsftpd/vsftpd.pem

Not familiar with FTP vs FTPS port usage, but I'll make sure both are accepted on the server firewall and port forwarding.

I don't think FireFTP has a debug tool. At least I can't find it. I'm very inexperienced with lftp but I'll read up and give it a shot.

Here is the FireFTP log from the time I open it to the time it keeps trying and failing to list the directory: http://pastebin.com/24QMdp2d

unSpawn 12-07-2012 11:41 AM

OK, so apparently you're not ready or done testing with lftp. Bummer.
Add these two lines to vsftpd.conf, restart, try again:
Code:

pasv_addr_resolve=no
listen_port=990

durst_fred 12-12-2012 09:00 AM

Update:

Tried the process with lftp. It's the same problem as any other client: with SSL enabled, I can connect to the server but can't issue any commands. Trying to get the directory listing usually just hangs up on "Making data connection" until it times out or I abort it.

The problem does not happen when I connect using localhost or the LAN IP even with SSL enabled. Only with the WAN IP, which leads me to believe it's a port forwarding issue with SSL, but I've forwarded and opened everything I can think of that might help.

Here's the vsftpd.log after trying to connect: http://pastebin.com/F8HWwqwf
Here's what LFTP outputs as it experiences the problem: http://pastebin.com/uVvusbS0
Here's what my vsftpd.conf looks like right now: http://pastebin.com/w1LNqtbV
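What the last two posts describe (the control connection logs in fine, but every listing hangs at "Making data connection", only when coming in via the WAN address and only with TLS on) is the classic FTPS-behind-NAT failure, and it also explains why unSpawn's advice above centres on passive-mode settings. In passive mode the server tells the client which address and port to open for the data channel inside the 227 reply on the control connection. Without TLS the modem/router's FTP helper reads that reply, rewrites the address and opens the port on the fly; once the control channel is encrypted it cannot see the reply, so the client tries an address or port that nothing forwards. vsftpd's knobs for this are pasv_address (the public address to advertise), pasv_min_port/pasv_max_port (a fixed range you can forward and open on the firewall) and pasv_addr_resolve. The script below is an added example, not code from the thread: it parses a 227 reply, checks the advertised address and port against the public address and forwarded range you expect, and can optionally run the same check against a live server over ftplib.FTP_TLS. The sample replies, the address 203.0.113.5, the port range 50000-50100 and the config values in the docstring are constructed for the example.

```python
"""FTPS passive-mode reachability check (added example, not from the thread).

The vsftpd.conf settings this check assumes (constructed values):

    ssl_enable=YES
    pasv_enable=YES
    pasv_address=203.0.113.5     # public (WAN) address to advertise in 227 replies
    pasv_addr_resolve=NO
    pasv_min_port=50000          # forward and open this range on the modem/router
    pasv_max_port=50100          # and on the server firewall, in addition to TCP 21
"""
import ipaddress
import re
import ssl
from ftplib import FTP_TLS

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  ->  host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Addresses a client on the internet can never reach. A server behind NAT
# advertises one of these when pasv_address is unset and it reports its own interface.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "0.0.0.0/8")]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 reply; raise ValueError for anything else."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError(f"zero data port in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", port


def check_pasv(reply: str, public_ip: str, port_range: tuple[int, int]) -> list[str]:
    """Explain why a remote client could not open the data connection.

    Returns an empty list when the advertised endpoint is the public address
    and lies inside the port range that is forwarded to the server.
    """
    ip, port = parse_pasv(reply)
    addr = ipaddress.IPv4Address(ip)
    problems = []
    if any(addr in net for net in NON_ROUTABLE):
        problems.append(f"advertised {ip}, which is not routable from the WAN; "
                        f"set pasv_address={public_ip}")
    elif ip != public_ip:
        problems.append(f"advertised {ip} but clients reach the server at {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}; "
                        f"set pasv_min_port={lo}/pasv_max_port={hi} and forward that range")
    return problems


def live_pasv_check(host, user, password, public_ip, port_range, cafile=None):
    """Log in over explicit FTPS (AUTH TLS on port 21), send PASV and check the real reply.

    cafile: path to the server's certificate (the cert half of vsftpd.pem) so the
    session is verified against exactly that self-signed cert. Without it ftplib's
    default context is used, which does not verify the server at all.
    """
    ctx = ssl.create_default_context(cafile=cafile) if cafile else None
    ftps = FTP_TLS(host, timeout=15, context=ctx)
    ftps.login(user, password)
    ftps.prot_p()                  # PROT P: encrypt the data channel too
    reply = ftps.sendcmd("PASV")   # only inspect the reply; do not open the data socket
    ftps.quit()
    return reply, check_pasv(reply, public_ip, port_range)


if __name__ == "__main__":
    # Constructed replies: a NAT'd vsftpd without pasv_address, with a port outside
    # the forwarded range, and a correctly configured one.
    for r in ("227 Entering Passive Mode (192,168,1,10,195,80).",
              "227 Entering Passive Mode (203,0,113,5,156,20).",
              "227 Entering Passive Mode (203,0,113,5,195,80)."):
        print(r, "->", check_pasv(r, "203.0.113.5", (50000, 50100)) or "OK")
```

Run it with no arguments to see the three constructed cases, or call live_pasv_check() against the real server from a host outside the LAN; whatever it flags is what the NAT's FTP helper used to patch up in the clear. Once the passive range is fixed, it has to be forwarded from the modem (and router) to the server and allowed through the server firewall alongside TCP 21; the kernel FTP connection-tracking helper cannot open those ports for an encrypted control channel either. Two unrelated observations from the posts above: the DES-CBC3-SHA cipher in the debug log and the 1024-bit key in the openssl command are not the cause of the hangs, but both are below current minimums (vsftpd's ssl_ciphers option controls the former).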

