vsftpd with SSL: GnuTLS error -15: An unexpected TLS packet was received.

I am trying to enable SSL on my vsftpd server, but this error occurs on the client: GnuTLS error -15: An unexpected TLS packet was received. Below is my vsftpd.conf, which works perfectly in SLE 12 but does not work in Leap 15 :(
write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ftpd_banner=“FTP Secure Server - Systemar Informatica (by Eliel Silverio)”
local_enable=YES
local_umask=022
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
anonymous_enable=NO
anon_world_readable_only=NO
anon_mkdir_write_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=300
ascii_upload_enable=YES
pam_service_name=vsftpd
listen=YES
listen_ipv6=NO
pasv_min_port=30000
pasv_max_port=31000
max_clients=100
use_localtime=YES
anon_root=/srv/ftp
anon_upload_enable=NO
max_per_ip=15
pasv_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/letsencrypt/live/systemar.com.br/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/systemar.com.br/privkey.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
force_dot_files=YES
hide_ids=YES
debug_ssl=YES

Hi and welcome to the Forum :slight_smile:
You might need to tweak your SSL since 1.0 is gone…


ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES

Thanks

I put these parameters in my vsftpd.conf file and it gives this error:

vsftpd

500 OOPS: unrecognised variable in config file: ssl_tlsv1_1
500 OOPS: unrecognised variable in config file: ssl_tlsv1_2

rpm -qa | grep vsftpd

vsftpd-3.0.3-lp150.5.3.1.x86_64

On Tue 03 Jul 2018 06:16:03 PM CDT, elielsilverio wrote:

> I put these parameters in my vsftpd.conf file and it gives this
> error:
>
> vsftpd
>
> 500 OOPS: unrecognised variable in config file: ssl_tlsv1_1
> 500 OOPS: unrecognised variable in config file: ssl_tlsv1_2
>
> rpm -qa | grep vsftpd
>
> vsftpd-3.0.3-lp150.5.3.1.x86_64

Hi
OK, just use the first variable then… you might have to see what
options are available for version 3.0.3. I’m sure it will be related to
the changes on June 30th.


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

The same problem occurs.

I suspect you tried to simply re-use the vsftpd config from your SLES on your LEAP.
That might work, might not.

If you did that,
I recommend instead that you use the config file provided in a regular LEAP install, and then modify it line by line as necessary based on what is in your SLES file.

I'm thinking there is a small detail missing in there somewhere;
in particular, the error you're getting suggests that you're passing a setting in an unrecognized way.

HtH,
TSU

I reinstalled vsftpd, re-set all configuration in /etc/vsftpd.conf, and the error continues. Below is my vsftpd.conf:

grep -v '^#' /etc/vsftpd.conf

write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ftpd_banner=“FTP Secure Server - Systemar Informatica (by Eliel Silverio)”
local_enable=YES
local_umask=022
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
anonymous_enable=NO
anon_world_readable_only=NO
anon_mkdir_write_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=300
ascii_upload_enable=YES
pam_service_name=vsftpd
listen=YES
listen_ipv6=NO
pasv_min_port=30000
pasv_max_port=31000
max_clients=100
use_localtime=YES
anon_root=/srv/ftp
anon_upload_enable=NO
max_per_ip=15
pasv_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/letsencrypt/live/systemar.com.br/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/systemar.com.br/privkey.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
force_dot_files=YES
hide_ids=YES
debug_ssl=YES

Well,
I doubt that SSL/TLS can work if all versions are disabled in the config you just posted… :slight_smile:

Testing might also be helped if you know what your client(s) supports…
Personally, I always use command-line FTP for first testing, because documentation is usually better and more accurate than for GUI apps… Once it's working, then test the GUI clients.

Also,
Note that you’re setting up PASV.
Of course, make sure that everything related to PASV is configured properly (firewall, maybe even drop while setting up to simplify), client configuration. Unless you’re configuring an enormous FTP server (high hundreds of concurrent connections transferring very large files) PASV is probably unnecessary, Active is in most cases fine. Most clients will support Active by default, but YMMV… So again, know everything about both your clients and server when setting up. PASV can be an unnecessary complication when Active requires configuring only 2 ports on the Server.

TSU

I’ve tried all possible combinations of SSL / TLS enabled and it still does not work.
This server needs to be PASV, otherwise it will not work for me.
I already tested with GUI clients and with ftp command line and both happen the same thing. As I said before, I have this server in production in SLE 12 SP3 running perfectly, it just does not work in Leap 15.
Would anyone have an example of a vsftpd.conf file that works on Leap 15 with SSL / TLS to get me through?

I'm testing with FileZilla 3.34.0 (linking to wxWidgets 3.0.5, GnuTLS 3.5.18, SQLite 3.22.0) on Windows 10 64-bit, and also with WinSCP 5.13.3 Build 8565, and there is no way of getting it to work.

I changed the configuration and tested again.

Hi
Why not consider using ssh/sftp? It's available out of the box; for Windows clients use winscp/putty/reflection etc. Then just look at ACLs and the like for access?

Hi (again)
Perhaps you need to review the ciphers in use with respect to ssl_ciphers=HIGH, which I don't think is an option?

The vsftpd.conf man page says:


ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. Note that restricting ciphers can be a useful security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with.

Default: DES-CBC3-SHA

So on SLE 12 SP3 I see:


openssl ciphers -v | grep DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

On SLE 15 GMC2 (Leap 15.0 base) I see:


openssl ciphers -v | grep DES-CBC3-SHA

Zero output…

Maybe it’s a red herring, not sure…

  1. Fresh install of Leap 15 server
  2. Fully patched
  3. Installed vsftp server
  4. Modified the configuration as close as I could to yours.
  5. Ran this command for the certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

  6. Added the 2 certificate lines to the config file.

Tried local login with root: sftp localhost worked fine.

Tried connecting with FileZilla and received:


Status:    Connecting to 10.0.1.24:21...
Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Error:    GnuTLS error -15: An unexpected TLS packet was received.
Error:    Could not connect to server
Status:    Waiting to retry...
Status:    Connecting to 10.0.1.24:21...
Status:    Connection established, waiting for welcome message...
Response:    220 Welcome to blah FTP service.
Command:    AUTH TLS
Response:    234 Proceed with negotiation.
Status:    Initializing TLS...
Error:    GnuTLS error -15: An unexpected TLS packet was received.
Error:    Could not connect to server


My configuration file:
https://susepaste.org/61811727

I did a wireshark capture on the traffic. Uncomment:

seccomp_sandbox=NO

That will resolve your issue.

I had to comment out these as well:

#chroot_local_user=YES
#chroot_list_enable=YES

If I wanted to instead chroot my user I did:
chroot_local_user=YES
#chroot_list_enable=YES

And then did a chmod 555 on the users home directory.

allow_writeable_chroot=YES
Is not in the new configuration file, but it still seems to work instead of my chmod 555 hack.
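As an added example (not code from this thread or from the vsftpd project), here is a small Python lint that applies the thread's findings to a vsftpd.conf: it flags the ssl_tlsv1_1/ssl_tlsv1_2 keys that this build of vsftpd 3.0.3 rejects, legacy protocol switches set to YES, an ssl_ciphers value that depends on the DES-CBC3-SHA default, and seccomp_sandbox left at its default. The rejected-key set is an assumption built only from the "500 OOPS" output above, and the two sample snippets are constructed from the configurations posted in the thread.

```python
"""Static check of a vsftpd.conf for the TLS pitfalls discussed in this thread.

Added example; not code from the thread or from the vsftpd project.
Assumptions: the rejected-key set comes only from the thread's "500 OOPS"
output, and the advice strings summarise what the thread found.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, key or line, message)

# Keys the thread shows vsftpd-3.0.3-lp150 rejecting at startup (assumption:
# built from the thread only; extend for other builds).
UNRECOGNISED_ON_3_0_3 = {"ssl_tlsv1_1", "ssl_tlsv1_2"}

# Legacy protocol switches; anything other than NO is a weakness.
LEGACY_PROTOCOL_KEYS = ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1")

# vsftpd takes key=value with no surrounding whitespace.
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")


def parse_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse vsftpd-style key=value lines into (settings, malformed lines).
    Comment and blank lines are skipped; values are kept verbatim."""
    settings: Dict[str, str] = {}
    malformed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        settings[m.group(1)] = m.group(2)
    return settings, malformed


def lint_tls(text: str) -> List[Finding]:
    """Return TLS-related findings for a config, most severe first."""
    settings, malformed = parse_conf(text)
    findings: List[Finding] = []

    for line in malformed:
        findings.append(("error", line, "not a key=value line; vsftpd will refuse it"))

    for key in settings:
        if key in UNRECOGNISED_ON_3_0_3:
            findings.append(("error", key,
                             "rejected by vsftpd 3.0.3: '500 OOPS: unrecognised variable'"))

    if settings.get("ssl_enable", "NO").upper() != "YES":
        return findings  # the checks below only matter with TLS on

    for key in LEGACY_PROTOCOL_KEYS:
        if settings.get(key, "NO").upper() == "YES":
            findings.append(("warning", key, "legacy protocol enabled; set it to NO"))

    # seccomp_sandbox defaults to YES; the thread's handshake failed until it was NO.
    if settings.get("seccomp_sandbox", "YES").upper() != "NO":
        findings.append(("warning", "seccomp_sandbox",
                         "left at default; in this thread AUTH TLS failed with GnuTLS -15 "
                         "on Leap 15 until seccomp_sandbox=NO was set"))

    # Man page default is DES-CBC3-SHA, which the thread shows missing on Leap 15.
    ciphers = settings.get("ssl_ciphers")
    if ciphers is None or "DES-CBC3" in ciphers:
        findings.append(("warning", "ssl_ciphers",
                         "relies on DES-CBC3-SHA, absent from Leap 15's openssl cipher "
                         "list; use a current list such as HIGH"))

    # Curly quotes in a value usually mean the config was pasted from a web page.
    for key, value in settings.items():
        if any(ch in value for ch in "\u201c\u201d\u2018\u2019"):
            findings.append(("info", key, "value contains curly quotes; copy/paste artefact?"))

    order = {"error": 0, "warning": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample: the TLS lines from the thread's first post.
ORIGINAL_SNIPPET = "ssl_enable=YES\nssl_tlsv1=YES\nssl_sslv2=YES\nssl_sslv3=YES\nssl_ciphers=HIGH\n"

# Constructed sample: the same lines after the thread's final advice.
FIXED_SNIPPET = ("ssl_enable=YES\nssl_sslv2=NO\nssl_sslv3=NO\nssl_tlsv1=NO\n"
                 "ssl_ciphers=HIGH\nseccomp_sandbox=NO\n")

if __name__ == "__main__":
    for name, snippet in (("original", ORIGINAL_SNIPPET), ("fixed", FIXED_SNIPPET)):
        print(f"== {name} ==")
        for sev, key, msg in lint_tls(snippet) or [("ok", "-", "no findings")]:
            print(f"{sev:8} {key:18} {msg}")
```

Run it against a real file with `lint_tls(open("/etc/vsftpd.conf").read())`; the parser deliberately rejects `key = value` with spaces, because vsftpd does not accept that form either.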

I did what you said and now it works; the only thing I found strange was this debug log below:

Wed Jul 11 14:48:09 2018 [pid 260264] DEBUG: Client “192.168.0.11”, “SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, not reused, no cert”

You can generally see what ciphers are supported on a system using nmap. As an example, if your server IP is 192.168.1.50 then:


nmap --script ssl-enum-ciphers -p 21 192.168.1.50

I am pulling that command from memory, and hope it will work for you since I removed the virtual server running vsftp after looking at your issue.

It is probably always a good idea to make sure an encrypted connection is actually giving you encrypted communications. My apologies for not including that test in my original solution.
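To act on that last point, here is an added Python example (not from the thread, vsftpd or nmap) for checking what a session really negotiated. It parses the vsftpd DEBUG line posted above into protocol, cipher and reuse/cert flags, classifies the cipher suite, and includes an ftplib client that performs AUTH TLS against a live server and reports the negotiated protocol and cipher; the host, port and credentials in that function are placeholders, and only the offline parser runs stand-alone.

```python
"""Verify what an FTP-over-TLS session actually negotiated.

Added example; not from the thread, the vsftpd project or nmap.
parse_debug_line() works on the vsftpd DEBUG line quoted in the thread;
check_live() needs a reachable server (host and credentials are placeholders).
"""
import re
import ssl
from ftplib import FTP_TLS
from typing import Dict, Optional

# Taken from the debug line posted in the thread (quotes made straight).
SAMPLE_DEBUG_LINE = ('Wed Jul 11 14:48:09 2018 [pid 260264] DEBUG: Client "192.168.0.11", '
                     '"SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, '
                     'not reused, no cert"')

DEBUG_RE = re.compile(
    r"SSL version: (?P<version>[^,]+), SSL cipher: (?P<cipher>[^,]+),(?P<rest>.*)")


def assess(version: str, cipher: str) -> Dict[str, bool]:
    """Coarse security classification of a negotiated protocol/cipher pair.
    Name checks follow OpenSSL suite naming; TLS 1.3 suites always have PFS."""
    tls13 = version == "TLSv1.3"
    return {
        "modern_protocol": version in ("TLSv1.2", "TLSv1.3"),
        "forward_secrecy": tls13 or cipher.startswith(("ECDHE-", "DHE-", "EDH-")),
        "aead": any(t in cipher for t in ("GCM", "CHACHA20", "CCM")),
        "legacy_cipher": any(t in cipher for t in ("RC4", "DES", "NULL", "EXP", "MD5")),
    }


def parse_debug_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the TLS facts from a vsftpd 'DEBUG: Client ...' log line.
    Returns None for lines that do not describe an SSL session."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    version, cipher, rest = m.group("version"), m.group("cipher"), m.group("rest")
    facts: Dict[str, object] = {
        "version": version,
        "cipher": cipher,
        "reused": "not reused" not in rest,     # session resumption happened
        "client_cert": "no cert" not in rest,   # client presented a certificate
    }
    facts.update(assess(version, cipher))
    return facts


def check_live(host: str, port: int = 21, user: str = "anonymous",
               password: str = "") -> Dict[str, object]:
    """Explicit FTPS probe: AUTH TLS on the control channel, PROT P for data,
    then report what OpenSSL negotiated. If the server drops the handshake
    (the GnuTLS -15 symptom in this thread) this raises instead of returning."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    ftps = FTP_TLS(context=ctx, timeout=10)
    ftps.connect(host, port)
    ftps.auth()                                 # sends AUTH TLS; handshake happens here
    ftps.login(user, password)
    ftps.prot_p()                               # data connections encrypted too
    version = ftps.sock.version()
    cipher = ftps.sock.cipher()[0]
    ftps.quit()
    return {"version": version, "cipher": cipher, **assess(version, cipher)}


if __name__ == "__main__":
    print(parse_debug_line(SAMPLE_DEBUG_LINE))
    # check_live("ftp.example.invalid", 21, "user", "secret")  # placeholder target
```

Pointing `check_live` at a server with `debug_ssl=YES` lets you compare the client's view with the server's DEBUG line; both should agree on TLSv1.2 or later and a forward-secret AEAD suite such as the one in the thread.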

Now everything worked, thank you all, problem solved