Dave's Brain

vsftpd TLS setup that works

Date: 2007dec14 

Q.  How do I make TLS/SSL work with vsftpd?

A.  Here's what to do on a RedHat/Fedora box.

Create a self-signed certificate:

	cd /etc/pki/tls/certs
	make vsftpd.pem

Add this to your /etc/vsftpd/vsftpd.conf file:

	# Enable SSL/TLS
	ssl_enable=YES
	allow_anon_ssl=NO
	force_local_data_ssl=YES
	force_local_logins_ssl=YES

	ssl_tlsv1=YES
	ssl_sslv2=NO
	ssl_sslv3=NO

	rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

	# Doesn't have to be these exact port numbers, but it needs to be some range,
	# usually in the high end.
	pasv_min_port=40000
	pasv_max_port=40100

Restart vsftpd:

	service vsftpd restart

Then you need to tweak your firewall.  For non-encrypted FTP connections the
ip_conntrack_ftp module watches the control channel, keeps track of passive
connections and opens the needed data port on the fly, but now that the session
is encrypted it can't inspect the control channel any more.  So we'll need to
open the port range we specified above:

	iptables -A block -m state --state NEW -p TCP --dport 40000:40100 -j ACCEPT

Finally, test it with FileZilla or another modern FTP client.
This setup works for me.
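A small audit script, added here as an example and not part of the page or of vsftpd itself, that checks a vsftpd.conf for the settings above and derives the matching iptables rule from its passive port range (the helper names, the chain name and the sample config are assumptions):

```shell
#!/bin/sh
# Hypothetical helper: audit a vsftpd.conf for the TLS settings this page uses
# and build the firewall rule that matches its pasv_min_port/pasv_max_port.

# conf_get FILE KEY -> prints KEY's value (last definition wins, comments ignored)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_vsftpd_tls FILE -> prints each failing setting; returns 1 if any fail
check_vsftpd_tls() {
    conf="$1"; rc=0
    for want in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
                allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES; do
        key=${want%%=*}; val=${want#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $val"
            rc=1
        fi
    done
    cert=$(conf_get "$conf" rsa_cert_file)
    [ -n "$cert" ] || { echo "FAIL: rsa_cert_file not set"; rc=1; }
    return $rc
}

# pasv_iptables_rule FILE CHAIN -> prints the rule opening the passive range
pasv_iptables_rule() {
    lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "no usable pasv_min_port/pasv_max_port range in $1" >&2
        return 1
    fi
    echo "iptables -A $2 -m state --state NEW -p TCP --dport $lo:$hi -j ACCEPT"
}

# Demo on a constructed config (sample data, not a real host's file).
demo_conf=$(mktemp)
printf '%s\n' 'ssl_enable=YES' 'allow_anon_ssl=NO' 'force_local_data_ssl=YES' \
    'force_local_logins_ssl=YES' 'ssl_tlsv1=YES' 'ssl_sslv2=NO' 'ssl_sslv3=NO' \
    'rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem' \
    'pasv_min_port=40000' 'pasv_max_port=40100' > "$demo_conf"
check_vsftpd_tls "$demo_conf" && echo "TLS settings OK"
pasv_iptables_rule "$demo_conf" block
rm -f "$demo_conf"
```

Run it against the real file with `check_vsftpd_tls /etc/vsftpd/vsftpd.conf` before restarting the service, so a typo in one key doesn't silently leave logins unencrypted.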

Copyright © 2008, dave - Code on Dave's Brain is licensed under the Creative Commons Attribution 2.5 License.