LinuxQuestions.org

ichrispa 01-09-2009 04:11 PM

vsftpd very slow when using encryption
 
Hi everyone.

I downloaded, compiled and installed vsftpd 2.0.7 on my machine running a strongly modified FC8 (kernel version 2.6.28).

I am facing a rather strange problem. The server runs in passive mode only (I'm behind a firewall, port forwarding is enabled). Further on, I am using a forced-ssl login and forced-ssl-data policy for user logins.

vsftpd seems to be running ok and the encryption works as well (no errors in the log files). I am using fireFTP to test the server. However, the server is awfully slow - listings take up to 1 minute, file transfers can take hours for a couple of MB. On the other hand, data transfers, such as MOTD transmissions or commands are responded to almost immediately. Shutting down encryption solved the problem, but is not an option.

Before you go on to suggest that I test my network subsystems - they work. I ran the tests both over the net and over the loopback adapter, the server always showed the same symptoms.

Just to complete the picture, here's the config file:

Code:

#/etc/vsftpd/vsftpd.conf
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#

## USER OPTIONS ##
#User listed in the user list are permitted login unless
userlist_file=/etc/vsftpd/user_list
userlist_enable=YES
userlist_deny=NO
anonymous_enable=YES
no_anon_password=YES
local_enable=YES
chroot_local_user=YES

#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=NO
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_file=/var/log/vsftpd.log
xferlog_enable=YES
log_ftp_protocol=YES
no_log_lock=YES
syslog_enable=NO
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=NO
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=500
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to Providence FTP service
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
tcp_wrappers=NO

## SSL relevant options  ##
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/cert_rsa.pem
rsa_private_key_file=/etc/vsftpd/key_rsa
#dsa_private_key_file=/etc/vsftpd/key_dsa
#dsa_cert_file=/etc/vsftpd/cert_dsa.pem
force_anon_logins_ssl=NO
force_anon_data_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Thanks for any ideas of yours in advance :)
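An added example, not code from this thread or from vsftpd itself: a small Python audit of the TLS and passive-mode settings in a vsftpd.conf like the one posted, written from the defender's side. The embedded config is a constructed excerpt modelled on the posted file; the option names (ssl_sslv2, ssl_sslv3, ssl_tlsv1, pasv_min_port, pasv_max_port, force_anon_*_ssl) are vsftpd's documented ones.

```python
# Added example, not from the thread: audit the TLS and passive-mode settings
# of a vsftpd.conf. Option names are vsftpd's documented ones; the embedded
# config is a constructed excerpt modelled on the posted file.
SAMPLE_CONF = """\
anonymous_enable=YES
## SSL relevant options  ##
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
#ssl_tlsv1=YES
force_anon_logins_ssl=NO
force_anon_data_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
"""

def parse_vsftpd_conf(text):
    """Return the effective key -> value map; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def is_yes(settings, key, default="NO"):
    return settings.get(key, default).upper() == "YES"

def audit_ftps(settings):
    """Findings a defender would raise about this FTPS/passive setup."""
    findings = []
    if not is_yes(settings, "ssl_enable"):
        return findings  # the checks below only matter once TLS is on
    if is_yes(settings, "ssl_sslv2") or is_yes(settings, "ssl_sslv3"):
        findings.append("legacy SSLv2/SSLv3 enabled; set ssl_sslv2=NO, "
                        "ssl_sslv3=NO and ssl_tlsv1=YES")
    if is_yes(settings, "anonymous_enable") and not (
            is_yes(settings, "force_anon_logins_ssl")
            and is_yes(settings, "force_anon_data_ssl")):
        findings.append("anonymous logins and data may run in plaintext "
                        "while local users are forced onto TLS")
    if is_yes(settings, "pasv_enable", "YES") and not (
            "pasv_min_port" in settings and "pasv_max_port" in settings):
        findings.append("no pasv_min_port/pasv_max_port: behind NAT the "
                        "firewall cannot read the encrypted PASV reply, so "
                        "forward a fixed range or data channels stall")
    return findings
```

Run `audit_ftps(parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()))` against a real file; the last finding is the one to check first when FTPS data channels hang behind port forwarding, since the firewall's FTP helper cannot see PASV replies once the control channel is encrypted.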

Electro 01-09-2009 04:44 PM

You have something wrong with your system if it takes a minute to do a listing. When I set up one of my computers with vsftpd, listings are fast. Also downloading files over a megabyte in size takes an instant. I use Gentoo. I tested using SmartFTP and Internet Explorer in Vista. Yes, I created an SSL certificate for vsftpd.

FireFTP could be doing on the fly file hashing while it is doing file and directory listings. Also it could be doing file integrity checks while downloading or uploading. Try running Mozilla Firefox in debug mode while using FireFTP.

thasp 02-15-2009 04:33 AM

Hi,

You're not crazy, it's a vsftpd issue.

With 2.0.7-r1, if I have passive enabled and SSL disabled, listing is instant. FileZilla clients will be allowed to log in.

With 2.0.7-r1, if I have passive enabled and SSL enabled, listing takes a minute or two.

With 2.0.5, if I have passive enabled and SSL enabled, listing is still instant, but FileZilla clients are denied access.

It's like this for me on Debian etch, lenny, and Gentoo.

If you don't have a userbase highly populated with FileZilla clients, I recommend reverting to 2.0.5. If you do, do what I did, switch to proftpd. It's more work in the conf file to get it to do the same thing, but it is worth it because everything works.

ichrispa 02-15-2009 09:35 AM

hey, thx thasp. Didn't really expect anyone to reply to this anymore. Meanwhile, I am already running proftpd ;)

But again, thx for the good advice.

Electro 02-15-2009 01:04 PM

Again, if you have speed problems with vsftpd then you have configured something wrong. Switching to something else like proftpd is not a good fix and you do not learn anything. I suggest playing around with different encryption processes. You need to also think about the upload bandwidth of your connection because encryption provides a lot of overhead.

thasp 02-15-2009 01:56 PM

Quote:

Originally Posted by Electro (Post 3444451)
Again, if you have speed problems with vsftpd then you have configured something wrong. Switching to something else like proftpd is not a good fix and you do not learn anything. I suggest playing around with different encryption processes. You need to also think about the upload bandwidth of your connection because encryption provides a lot of overhead.

Why should I have to change encryption when going from 2.0.5 to 2.0.7? Does the encryption type suddenly become slower with an update? What would make things so fundamentally different?

I've upgraded proftpd for 3 years and never had to even change the conf file, much less my entire passive/ssl setup when a new version came out.

ichrispa 02-16-2009 06:42 AM

@Electro: In general terms, I agree with you. If I wanted to learn the internals of vsftpd, I should not give it a rest and keep trying. But there is a point with every piece of software at which the overhead of error seeking (be the error my own or the software's) overcomes the benefits. Consider the following:

Quote:

I ran the tests both over the net and over the loopback adapter, the server always showed the same symptoms.
So the network itself (noise ratios or bandwidths) is not a subject. This is, if anything, a machine-internal problem.

Quote:

(no errors in the log files)
The program itself denies me further information or does not detect an error.

Subsequently, I would have to start working with the code. Considering the fact that vsftpd is quite capable and popular, it is possible that the problem is located in the underlying dependencies. At some point, a FileZilla client reported that "challenge not properly formulated", so I suspect a problem in connection with OpenSSL. However, starting to dig into OpenSSL code for getting 2 or 3 files a week uploaded (this is not a production environment, just a private project) is not worth the effort. Apart from that, getting OpenSUSE's root partition encrypted seems a much more productive project for the time being.
But again: if I wanted to learn a lot about how OpenSSL and vsftpd implement encryption protocols, you are quite right - just switching software is not a solution.