#1 | 01-21-2009, 09:35 AM | Member | Registered: Dec 2006 | Posts: 42
vsftpd SSL problem (522 SSL connection failed)
Hey there,
I have a problem with vsftpd SSL (latest version available, 2.1.0pre3). I've configured it on a nonstandard port, 65440, disabled connect_from_port_20 and run it as a normal user from my home directory. I can't use the SSL feature: every time I connect, it only gets as far as the login. After logging in, I get the following error (when the data transfer would start for the LIST command):
522 SSL connection failed; session reuse required
My vsftpd.conf looks like this:
Code:
local_enable=NO
write_enable=YES
secure_email_list_enable=YES
email_password_file=/home/stringz/vsftpd/logins
# local_umask=022
dirmessage_enable=NO
vsftpd_log_file=/dev/null
xferlog_file=/dev/null
xferlog_enable=NO
connect_from_port_20=NO
idle_session_timeout=3600
data_connection_timeout=120
run_as_launching_user=YES
anonymous_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=NO
async_abor_enable=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome!
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# chroot_list_enable=YES
# (default follows)
# chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=NO
listen=YES
listen_address=<myipaddress>
listen_port=65440
listen_ipv6=NO
pasv_enable=YES
pasv_min_port=65441
pasv_max_port=65480
# chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/home/stringz/vsftpd/vsftpd.pem
The client side is Total Commander 7.02; there hasn't been any problem with its SSL so far, and this only occurs when connecting to my vsftpd.
What could be the problem?
Thanks
stringZ
Last edited by stringZ; 01-21-2009 at 09:37 AM.
#2 | 01-22-2009, 05:15 AM | Member | Registered: Jun 2005 | Location: England | Distribution: Ubuntu, SLES, AIX | Posts: 268
Hello,
I had exactly the same problem when setting up VSFTPD with SSL.
After a LOT of messing around I tracked it down to a problem with our firewall.
The firewall was running PIX, which was inspecting the FTP traffic. The login was fine (running over port 21), but when it tried to transfer data (over the PASV port range) the firewall couldn't read the encrypted data and therefore couldn't open the correct PASV port.
Try temporarily putting the FTP server in your DMZ and see if it fixes the problem... If it does, you know you're on the right track!
Hope this is useful.
#3 | 01-22-2009, 07:54 AM | Member (Original Poster) | Registered: Dec 2006 | Posts: 42
Quote:
Originally Posted by rizhun
Hello,
I had exactly the same problem when setting up VSFTPD with SSL.
After a LOT of messing around I tracked it down to a problem with our firewall.
The firewall was running PIX, which was inspecting the FTP traffic. The login was fine (running over port 21), but when it tried to transfer data (over the PASV port range) the firewall couldn't read the encrypted data and therefore couldn't open the correct PASV port.
Try temporarily putting the FTP server in your DMZ and see if it fixes the problem... If it does, you know you're on the right track!
Hope this is useful.
Hey, thanks for your answer. The client side had a firewall; I turned it off for testing, but no success. There's no firewall on the server side; iptables looks like this:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Is it possible that vsftpd tries to open a port below 1024 (e.g. 20 or something) for the secure data transfer, which it can't because of Unix socket permissions (non-root)?
#4 | 01-22-2009, 11:17 AM | Member | Registered: Jun 2005 | Location: England | Distribution: Ubuntu, SLES, AIX | Posts: 268
Hmmm...
Well, it's obviously not the problem I experienced.
Your iptables looks fine...
I found this on the web:
Quote:
Should the server not like the TLS negotiation then it will close the data port immediately and follow the 150 command with a 522 reply indicating that the TLS negotiation failed or was unacceptable.
Source -- http://tools.ietf.org/html/draft-murray-auth-ftp-ssl-04
Try using WinSCP to connect and crank up the logging, see if you can't find a more helpful error!
#5 | 01-23-2009, 04:13 AM | Member (Original Poster) | Registered: Dec 2006 | Posts: 42
Quote:
Originally Posted by rizhun
Try using WinSCP to connect and crank up the logging, see if you can't find a more helpful error!
Unfortunately I can't do it with WinSCP. This would be a password-secured anonymous FTP (take a look at the config) that is used by more than one person, without them knowing each other's passwords. In this case WinSCP would be insecure, because it'd grant them full SSH access to my account. That's why I must stick to this kind of FTP solution.
#6 | 01-27-2009, 03:53 AM | Member (Original Poster) | Registered: Dec 2006 | Posts: 42
Anyone here?
#7 | 02-25-2009, 06:00 AM | LQ Newbie | Registered: Feb 2009 | Posts: 1
I had the same issue with vsftpd 2.1.0.
When compiling vsftpd there is a parameter "tunable_require_ssl_reuse" in the tunables.c file; this should be set to '0' if you do not want to enable this option. In vsftpd.conf there is a parameter as well, "require_ssl_reuse", which is by default set to YES; this should also be set to NO to disable this.
Restart vsftpd and see.
I had another weird issue: I used the Glub Tech FTP client to test FTPS. Initially it would not let me log on via FTPS.
But when I logged in using FTP and then disconnected, I was able to log on via FTPS as well.
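The 522 reply the thread is about is vsftpd enforcing a property, not a bug: with require_ssl_reuse=YES (the default) the server accepts a PROT P data connection only if it resumes the TLS session of the control channel, which proves that the data connection was opened by the client that logged in rather than by a third party racing for the passive port. Setting require_ssl_reuse=NO, as described above, makes the server stop checking and therefore drops that proof; the better fix is a client that resumes the session. The client below is an added example, not code from the thread, from vsftpd or from any of the clients mentioned: it lets you switch session resumption on and off, so against an unchanged vsftpd config reuse_session=False reproduces the 522 and reuse_session=True should list the directory, and it reports whether the server actually resumed the session on the data channel (current versions of Python's ftplib.FTP_TLS already pass the control session when wrapping the data socket; the subclass only makes the choice explicit). It also checks the server's PASV reply against the pasv_min_port/pasv_max_port range from the first post, which is the check to run when a firewall in the path is suspected as in post #2. The host 192.0.2.10, the anonymous credentials and the sample 227 reply are assumptions or constructed test data; port 65440 and the passive range 65441-65480 are taken from the posted config. Requires Python 3.6 or later for the session= argument.

```python
# Added example (not from the thread, vsftpd or any client named above): an
# explicit-FTPS client that makes vsftpd's "522 SSL connection failed;
# session reuse required" behaviour visible and controllable.
import re
import ssl
from ftplib import FTP, FTP_TLS

# Matches the (h1,h2,h3,h4,p1,p2) part of a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def in_pasv_range(port, lo=65441, hi=65480):
    """True if the server-chosen data port lies within pasv_min_port..pasv_max_port
    (defaults are the values from the posted vsftpd.conf)."""
    return lo <= port <= hi


class ExplicitFTPS(FTP_TLS):
    """FTP_TLS that lets the caller decide whether PROT P data connections resume
    the control channel's TLS session, and that sanity-checks the PASV port.
    IPv4 PASV only, matching listen_ipv6=NO in the thread."""

    def __init__(self, *args, reuse_session=True, pasv_range=(65441, 65480), **kwargs):
        super().__init__(*args, **kwargs)
        self.reuse_session = reuse_session
        self.pasv_range = pasv_range
        self.last_data_reused = None  # filled in after each PROT P data connection

    def makepasv(self):
        host, port = parse_pasv(self.sendcmd("PASV"))
        if not in_pasv_range(port, *self.pasv_range):
            raise ValueError("server offered data port %d outside %s" % (port, self.pasv_range))
        # Ignore the address the server advertised and reuse the control
        # connection's peer address, so a bogus 227 cannot redirect the data
        # connection to another host.
        return self.sock.getpeername()[0], port

    def ntransfercmd(self, cmd, rest=None):
        # Open the data connection with the plain-FTP code, then wrap it ourselves.
        conn, size = FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:
            # session=<control session> is what require_ssl_reuse=YES demands.
            session = self.sock.session if self.reuse_session else None
            conn = self.context.wrap_socket(conn, server_hostname=self.host, session=session)
            self.last_data_reused = conn.session_reused
        return conn, size


def secure_list(host, port, user, password, reuse_session=True, cafile=None):
    """AUTH TLS, log in, PROT P and LIST. Returns (listing_lines, data_session_reused).

    With reuse_session=False against vsftpd's default require_ssl_reuse=YES the
    LIST fails, typically with ftplib.error_perm carrying the server's 522 reply
    (or ssl.SSLError if the server tears the data connection down mid-handshake)."""
    context = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # No CA to pin the self-signed vsftpd.pem against: disable verification
        # for this diagnostic only; do not run a real client configured this way.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    ftps = ExplicitFTPS(context=context, reuse_session=reuse_session, timeout=30)
    ftps.connect(host, port)
    lines = []
    try:
        ftps.login(user, password)  # FTP_TLS.login sends AUTH TLS before USER/PASS
        ftps.prot_p()               # PBSZ 0 + PROT P: encrypt the data channel
        ftps.retrlines("LIST", lines.append)
    finally:
        try:
            ftps.quit()
        except Exception:           # control channel already broken: just drop it
            ftps.close()
    return lines, ftps.last_data_reused


if __name__ == "__main__":
    # Assumed address and credentials, not the poster's real ones.
    listing, reused = secure_list("192.0.2.10", 65440, "anonymous", "secret")
    print("data channel resumed control session:", reused)
    print("\n".join(listing))
```

If reuse_session=True still yields a 522, the server never saw a resumed session, which is what the log line "No SSL session reuse on data channel." in post #8 records; that points at the client (or an inspecting middlebox) rather than at the passive port range, and is the case where require_ssl_reuse=NO is the only remaining workaround.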
#8 | 04-27-2009, 11:34 PM | LQ Newbie | Registered: Sep 2006 | Posts: 1
Quote:
Originally Posted by ash_sids
I had the same issue with vsftpd 2.1.0.
In vsftpd.conf there is a parameter as well, "require_ssl_reuse", which is by default set to YES; this should also be set to NO to disable this.
Hi, that solved my problem. Thanks a lot.
Before I set require_ssl_reuse=NO,
my client always said:
Error: Failed to retrieve directory listing
and the server always said:
No SSL session reuse on data channel.
#9 | 05-05-2009, 02:27 PM | Member (Original Poster) | Registered: Dec 2006 | Posts: 42
Thanks for the reply ash_sids, this helped me a lot.
All times are GMT -5.