LinuxQuestions.org
Old 12-06-2012, 08:35 AM   #1
durst_fred
LQ Newbie
 
Registered: Dec 2012
Posts: 4

VSFTPD with SSL - timeouts


Hi,

Trying to set up an FTP server with virtual users and SSL (users will connect from outside the LAN) on CentOS. Everything else is working fine, but when I enable SSL (just TLS), my client starts experiencing difficulties with directory listing and general connectivity.

I can join the server without issue, but when I refresh or change directories, my client (FireFTP Firefox plugin) works and works and more often than not drops me from the server. It can reconnect in less than one second, but the same problem will occur when I try to do anything.

When I create/modify a file or directory, the client starts spinning, trying to do its work. It will almost always disconnect before it shows that the file/dir was created/modified successfully, but when I actually look at the ftp directory in CentOS, I can see the change was successful even before the client drops.

Here's my vsftpd.conf: http://pastebin.com/cQTdwqAP


The purpose of the server is to allow remote users to upload large video files, so intermittent connectivity is not an option.

When I comment out ssl_enable, the problem disappears.

I'm normally connecting using my WAN IP since that's what the regular clients will use, but when I use localhost or the LAN IP the same problem happens.

Thanks in advance.

Last edited by durst_fred; 12-07-2012 at 09:36 AM.
 
Old 12-07-2012, 03:14 AM   #2
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Anything in the logs? I'm not a CentOS user, so I'm not sure which logs; but you can grep for your IP address or for vsftp in /var/log in an attempt to find the correct log.
 
Old 12-07-2012, 09:33 AM   #3
durst_fred
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Original Poster
This is the content of the /var/log/vsftpd.log file with ssl_debug enabled in vsftpd.conf.

Code:
Fri Dec  7 10:33:16 2012 [pid 9441] [virtualuser] OK LOGIN: Client "xxx.xxx.xxx.xxx"
Fri Dec  7 10:49:49 2012 [pid 9769] CONNECT: Client "xxx.xxx.xxx.xxx"
Fri Dec  7 10:49:49 2012 [pid 9769] DEBUG: Client "xxx.xxx.xxx.xxx", "SSL version: TLSv1/SSLv3, SSL cipher: DES-CBC3-SHA, not reused, no cert"
Where "xxx.xxx.xxx.xxx" is the WAN IP.

I've deleted vsftpd.pem and regenerated it. Same problem.
 
Old 12-07-2012, 09:52 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,305
Blog Entries: 54

Did your vsftpd.conf work OK without SSL? Are you sure it's not a firewall / port issue wrt FTP vs FTPS (TCP 21 vs 990)? Is this a self-signed certificate? If client-side allows for debugging, what does its debug log say? If not try 'lftp' and check trace / debug settings.
 
Old 12-07-2012, 10:21 AM   #5
durst_fred
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Original Poster
Quote:
Originally Posted by unSpawn
Did your vsftpd.conf work OK without SSL? Are you sure it's not a firewall / port issue wrt FTP vs FTPS (TCP 21 vs 990)? Is this a self-signed certificate? If client-side allows for debugging, what does its debug log say? If not try 'lftp' and check trace / debug settings.
Everything works perfectly when I comment out ssl_enable, but having a plaintext password is not acceptable for my case.

I was thinking it might have been a port forwarding issue, since WAN FTP traffic gets forwarded from modem to router and router to server, but the same problem happens when I use localhost or the server internal IP instead of the WAN IP. I've also taken the router out of the equation, connected the server right to the modem, and forwarded FTP traffic directly from modem to server and nothing changes.

The cert is self-signed. I created it using this command:
Code:
 [root@vps] openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
 -keyout /etc/vsftpd/vsftpd.pem \
 -out /etc/vsftpd/vsftpd.pem
Not familiar with FTP vs FTPS port usage, but I'll make sure both are accepted on the server firewall and in port forwarding.

I don't think FireFTP has a debug tool. At least I can't find it. I'm very inexperienced with lftp but I'll read up and give it a shot.

Here is the FireFTP log from the time I open it to the time it keeps trying and failing to list the directory: http://pastebin.com/24QMdp2d

Last edited by durst_fred; 12-07-2012 at 10:24 AM.
 
Old 12-07-2012, 11:41 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,305
Blog Entries: 54

OK, so apparently you're not ready or done testing with lftp. Bummer.
Add these two lines to vsftpd.conf, restart, try again:
pasv_addr_resolve=no
listen_port=990
 
Old 12-12-2012, 09:00 AM   #7
durst_fred
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Original Poster
Update:

Tried the process with lftp. It's the same problem as any other client: with SSL enabled, I can connect to the server but can't issue any commands. Trying to get the directory listing usually just hangs up on "Making data connection" until it times out or I abort it.

The problem does not happen when I connect using localhost or the LAN IP even with SSL enabled. Only with the WAN IP, which leads me to believe it's a port forwarding issue with SSL, but I've forwarded and opened everything I can think of that might help.

Here's the vsftpd.log after trying to connect: http://pastebin.com/F8HWwqwf
Here's what LFTP outputs as it experiences the problem: http://pastebin.com/uVvusbS0
Here's what my vsftpd.conf looks like right now: http://pastebin.com/w1LNqtbV

Last edited by durst_fred; 12-12-2012 at 09:06 AM.
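The symptom in the last post (listing hangs at "Making data connection" only when arriving via the WAN address, and only with SSL on) is the classic FTPS-behind-NAT pattern: once the control channel is encrypted, the router's FTP helper can no longer read the PASV reply and open the data port on the fly, so the passive range has to be pinned, forwarded and advertised with the public address. Below is a small checker for exactly those vsftpd.conf settings, written for this page as an added example (not code from the thread, from vsftpd, or from any poster). It assumes the server sits behind a NAT router; the two embedded configs are constructed, and 203.0.113.10 is a documentation-range placeholder, not a real address. pasv_min_port, pasv_max_port, pasv_address and listen_port are real vsftpd options.

```python
"""Added example, not from the thread: lint a vsftpd.conf for the settings FTPS
needs behind NAT. With the control channel encrypted, a NAT router cannot read
the PASV reply, so the passive range must be pinned, forwarded and advertised."""

# Constructed configs: the first resembles a default FTPS setup, the second pins
# the passive range; 203.0.113.10 is a documentation-range placeholder, not a real host.
BROKEN_CONF = """\
listen=YES
ssl_enable=YES
"""
FIXED_CONF = """\
listen=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60010
pasv_address=203.0.113.10
"""

def parse_vsftpd_conf(text):
    """vsftpd format: key=value per line; only whole-line '#' comments; last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def ftps_nat_findings(text):
    """Findings for FTPS behind NAT; an empty list means the passive setup is explicit."""
    c = parse_vsftpd_conf(text)
    if c.get("ssl_enable", "NO").upper() != "YES" or c.get("pasv_enable", "YES").upper() != "YES":
        return []  # plain FTP (NAT helper can still track PASV) or active-only: nothing to flag
    findings = []
    lo, hi = int(c.get("pasv_min_port", "0")), int(c.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:  # vsftpd default 0 means "pick any port", which NAT cannot forward
        findings.append("pasv_min_port/pasv_max_port unset: data ports are random, NAT cannot forward them")
    elif lo > hi:
        findings.append("pasv_min_port is greater than pasv_max_port")
    if "pasv_address" not in c:
        findings.append("pasv_address unset: PASV reply advertises the LAN address, unreachable from the WAN")
    return findings

def ports_to_forward(text):
    """TCP ports (control plus passive data range) the router must forward to the server."""
    c = parse_vsftpd_conf(text)
    lo, hi = int(c.get("pasv_min_port", "0")), int(c.get("pasv_max_port", "0"))
    return [int(c.get("listen_port", "21"))] + (list(range(lo, hi + 1)) if lo and hi else [])
```

Run it against the real vsftpd.conf to get the list of findings and the exact port range that the modem and router must forward; the range should also be opened in the server firewall.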
 