Connection time out when logging on vsftp with SSL

jorgeraimundo · September 15, 2009, 5:34pm

Hello all,

I’ve got my vsftp server configured with SSL like this:

ssl_enable=YES

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

When I try to login I get:

Status: Connection established, initializing TLS...
Error:  Connection timed out

Any ideia why?
Without TLS everything worked fine.

user · September 15, 2009, 5:54pm

jorgeraimundo wrote:

> I’ve got my vsftp server configured with SSL like this:
>
> Code:
> --------------------
> ssl_enable=YES
>
> ssl_sslv2=NO
> ssl_sslv3=NO
> ssl_tlsv1=YES
> rsa_cert_file=/etc/vsftpd/vsftpd.pem
> rsa_private_key_file=/etc/vsftpd/vsftpd.pem
>
> allow_anon_ssl=NO
> force_local_data_ssl=YES
> force_local_logins_ssl=YES
> --------------------
>
>
> When I try to login I get:
>
> Code:
> --------------------
> Status: Connection established, initializing TLS…
> Error: Connection timed out
> --------------------
>
>
> Any ideia why?
> Without TLS everything worked fine.

Which client are you using to connect? As you disabled standard ftp logins
(clear passwords) only an ftp client configured with FTP/S sessions could
handle this.

Stop the firewall service and apparmor (rcSuSEfirewall2 stop; rcapparmor
stop) and try again.

And check the standard logs (messages and warn) and also vsftp logs.

Greetings,

–
Camaleón

jorgeraimundo · September 15, 2009, 6:06pm

Sorry again! My bad.

I’m using FileZilla.

I indicated the server type as “FTPS - FTP over implicit TLS/SSL” but it must be “FTPES - FTP over explicit TLS/SSL”.

Everything is working fine now… Finally…

Thank you very much for your patience.

Best regards,
Jorge

jorgeraimundo · September 15, 2009, 6:33pm

Just another thing I’ve discovered (thanks to this post):

Pay attention to the ports defined on pasv_min_port and pasv_max_port.

It is necessary to open/forward that port range on the firewall/router so that the client is able to do something, otherwise it’ll only be able to login.

Since the SSL usage forces the client to be passive, the client must use the pasv_*_ports, therefore we must make them available and properly routed.

Best regards,
Jorge