I am trying to enable SSL on my vsftpd server, but this error is occurring on the client: GnuTLS error -15: An unexpected TLS packet was received. My vsftpd.conf follows; it works perfectly in SLE 12 but does not work in Leap 15 >:(.
I put these parameters in my vsftpd.conf and it gives this error:
vsftpd
500 OOPS: unrecognised variable in config file: ssl_tlsv1_1
500 OOPS: unrecognised variable in config file: ssl_tlsv1_2
rpm -qa | grep vsftpd
vsftpd-3.0.3-lp150.5.3.1.x86_64
Hi
OK, just use the first variable then… you might have to see what
options are available for version 3.0.3. I’m sure it will be related to
the changes on June 30th.
–
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default
I suspect you tried to simply re-use the vsftpd config from your SLES on your LEAP.
That might work, might not.
If you did that,
I recommend instead that you use the config file provided in a regular LEAP install, and then modify it line by line as necessary based on what is in your SLES file.
Am thinking there is a small detail missing in there somewhere; in particular, the error thrown suggests that you’re passing a setting in an unrecognized way.
Well,
I doubt that SSL/TLS can work if all versions are disabled in the config you just posted…
Testing might also be helped if you know what your client(s) supports…
Personally, I always use command-line FTP for first testing, because documentation is usually better and more accurate than using GUI apps… Once it’s working, then test the GUI clients.
Also,
Note that you’re setting up PASV.
Of course, make sure that everything related to PASV is configured properly (firewall, maybe even drop while setting up to simplify), client configuration. Unless you’re configuring an enormous FTP server (high hundreds of concurrent connections transferring very large files) PASV is probably unnecessary, Active is in most cases fine. Most clients will support Active by default, but YMMV… So again, know everything about both your clients and server when setting up. PASV can be an unnecessary complication when Active requires configuring only 2 ports on the Server.
I’ve tried all possible combinations of SSL / TLS enabled and it still does not work.
This server needs to be PASV, otherwise it will not work for me.
I already tested with GUI clients and with the ftp command line, and the same thing happens with both. As I said before, I have this server in production in SLE 12 SP3 running perfectly; it just does not work in Leap 15.
Would anyone have an example of a vsftpd.conf file that works on Leap 15 with SSL / TLS to get me through?
I’m testing with FileZilla 3.34.0 linking to wxWidgets 3.0.5, GnuTLS 3.5.18 and SQLite 3.22.0 on Windows 10 64-bit, and also with WinSCP 5.13.3 Build 8565, and there is no way to get it working.
I changed the configuration and tested again.
Hi
Why not consider using ssh/sftp? It’s available out of the box; for Windows clients use winscp/putty/reflection etc. Then just look at ACLs and the like for access?
Hi (again)
Perhaps you need to review the ciphers in use with respect to ssl_ciphers=HIGH, which I don’t think is an option?
The vsftpd.conf man page says:
ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will allow for encrypted SSL connections. See the ciphers man page for further details. Note that restricting ciphers can be a useful security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with.
Default: DES-CBC3-SHA
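The three problems raised so far (the unrecognised ssl_tlsv1_1/ssl_tlsv1_2 variables, a config with every protocol version set to NO, and the ssl_ciphers question) can all be caught before restarting the daemon. The following is an added example, not code from this thread or from the vsftpd project: a small Python checker that parses a vsftpd.conf and reports those conditions plus a missing passive port range. Option names and defaults are taken from vsftpd.conf(5) for upstream 3.0.3; the two sample configs at the bottom are constructed to mirror the symptoms described above, not the poster's actual file.

```python
"""Static check of a vsftpd.conf against the TLS and PASV pitfalls discussed in this thread.

Option names and defaults are those of vsftpd.conf(5) for upstream vsftpd 3.0.3.
"""

# TLS-related options documented for vsftpd 3.0.3. ssl_tlsv1_1 and ssl_tlsv1_2 are
# deliberately absent: 3.0.3 rejects them with "500 OOPS: unrecognised variable".
SSL_OPTIONS = {
    "ssl_enable", "ssl_sslv2", "ssl_sslv3", "ssl_tlsv1", "ssl_ciphers",
    "ssl_request_cert", "ssl_verify_cert", "require_ssl_reuse", "require_cert",
    "validate_cert", "ca_certs_file", "debug_ssl", "implicit_ssl",
    "strict_ssl_read_eof", "strict_ssl_write_shutdown",
    "rsa_cert_file", "rsa_private_key_file", "dsa_cert_file", "dsa_private_key_file",
    "force_local_data_ssl", "force_local_logins_ssl",
    "force_anon_data_ssl", "force_anon_logins_ssl",
}
PASV_OPTIONS = {"pasv_enable", "pasv_min_port", "pasv_max_port",
                "pasv_address", "pasv_addr_resolve", "pasv_promiscuous"}
# Man-page defaults for the switches checked below (0 for the ports means "any port").
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES",
            "ssl_ciphers": "DES-CBC3-SHA", "pasv_enable": "YES",
            "pasv_min_port": "0", "pasv_max_port": "0"}


def parse_vsftpd_conf(text):
    """vsftpd.conf is one 'option=value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"bad config line: {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key):
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def check_vsftpd_conf(conf):
    """Return a list of (severity, option, message); an empty list means nothing was flagged."""
    findings = []
    for key in conf:
        family = SSL_OPTIONS if key.startswith("ssl_") else PASV_OPTIONS if key.startswith("pasv_") else None
        if family is not None and key not in family:
            findings.append(("error", key, "unrecognised variable in vsftpd 3.0.3; the daemon "
                             "refuses to start (500 OOPS) instead of ignoring it"))
    if is_yes(conf, "ssl_enable"):
        if not any(is_yes(conf, k) for k in ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1")):
            findings.append(("error", "ssl_tlsv1", "ssl_sslv2, ssl_sslv3 and ssl_tlsv1 are all NO; "
                             "ssl_tlsv1 is the only protocol switch 3.0.3 documents, set it to YES"))
        for k in ("ssl_sslv2", "ssl_sslv3"):
            if is_yes(conf, k):
                findings.append(("warn", k, "obsolete protocol enabled; set it to NO"))
        if "DES-CBC3-SHA" in conf.get("ssl_ciphers", DEFAULTS["ssl_ciphers"]):
            findings.append(("warn", "ssl_ciphers", "3DES suite (the 3.0.3 default when unset); "
                             "set an explicit modern list, e.g. ssl_ciphers=HIGH"))
        if "rsa_cert_file" not in conf:
            findings.append(("info", "rsa_cert_file", "not set; the default /usr/share/ssl/certs/vsftpd.pem "
                             "must exist and hold the private key too unless rsa_private_key_file is set"))
    if is_yes(conf, "pasv_enable"):
        lo, hi = int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0:
            findings.append(("warn", "pasv_min_port", "no fixed passive port range; the firewall would "
                             "have to allow arbitrary high ports, set pasv_min_port/pasv_max_port"))
        elif lo > hi:
            findings.append(("error", "pasv_max_port", "pasv_max_port is below pasv_min_port"))
    return findings


# Constructed sample modelled on the symptoms in this thread (not the poster's real file).
SAMPLE_CONF = """\
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/vsftpd.pem
pasv_enable=YES
"""

# Constructed sample that passes every check above (paths are placeholders).
FIXED_CONF = """\
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for severity, option, message in check_vsftpd_conf(parse_vsftpd_conf(text)):
            print(f"{severity:5} {option}: {message}")
```

Run it as a script to print the findings, or import check_vsftpd_conf() into a deployment test. ssl_ciphers is handed straight to OpenSSL's cipher-list parser, so HIGH is a legitimate value; the checker only flags the 3DES default. A clean report means the file is consistent with the 3.0.3 option set; it does not prove the handshake works, so still test a connection afterwards.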
Tried local login with root: sftp localhost worked fine.
Tried connecting with FileZilla and received:
Status: Connecting to 10.0.1.24:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to 10.0.1.24:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to blah FTP service.
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server
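The FileZilla log above tells you where in the session the failure occurs, and that is the most useful fact for narrowing it down. As an added example (not from the thread or from FileZilla), the Python below replays a FileZilla log through the explicit-FTPS stages (connect, 220 banner, AUTH TLS, 234, TLS handshake, data connection) and reports the stage at which the first error of each attempt was logged, together with the server-side area to look at. The first sample is the log quoted in the post; the second is a constructed log of a different failure, a blocked passive data connection, to show how the two are told apart.

```python
"""Stage-based triage of a FileZilla session log for explicit FTPS (AUTH TLS) failures."""

# What a failure at each stage points to. Option names are those of vsftpd.conf(5).
STAGE_DIAGNOSIS = {
    "connecting": "no TCP connection to port 21: service not listening, firewall, or wrong address",
    "connected": "TCP connected but no 220 banner: the listener did not answer as an FTP server",
    "welcome": "banner received but the session failed before AUTH TLS was acknowledged",
    "auth_sent": "AUTH TLS was refused: check ssl_enable=YES and that the build has SSL support",
    "auth_accepted": "234 received but the client never started the TLS handshake",
    "tls_handshake": ("server accepted AUTH TLS, then what it sent was not a TLS handshake: look at the "
                      "server's TLS setup (certificate/key files, ssl_sslv*/ssl_tlsv1, ssl_ciphers; set "
                      "debug_ssl=YES and read the vsftpd log). PASV and the firewall are not involved yet "
                      "because no data connection has been opened"),
    "tls_ok": "control-channel TLS works; the failure is in login, before any data connection",
    "data_channel": ("control channel fine, data connection failing: check pasv_min_port/pasv_max_port, "
                     "pasv_address and the firewall rules for that range"),
}


def triage_filezilla_log(text):
    """Return one (stage, first_error, diagnosis) tuple per connection attempt in the log."""
    attempts = []
    stage, failed = None, False
    for raw in text.splitlines():
        kind, sep, msg = raw.partition(": ")
        if not sep:
            continue
        if kind == "Status" and msg.startswith("Connecting to"):
            if stage is not None and not failed:
                attempts.append((stage, None, "no error recorded in this attempt"))
            stage, failed = "connecting", False
        elif stage is None or failed:
            continue  # only the first error of an attempt is diagnosed
        elif kind == "Status" and msg.startswith("Connection established"):
            stage = "connected"
        elif kind == "Response" and msg.startswith("220"):
            stage = "welcome"
        elif kind == "Command" and msg.upper().startswith("AUTH"):
            stage = "auth_sent"
        elif kind == "Response" and msg.startswith("234"):
            stage = "auth_accepted"
        elif kind == "Status" and msg.startswith("Initializing TLS"):
            stage = "tls_handshake"
        elif kind == "Status" and msg.startswith("TLS connection established"):
            stage = "tls_ok"
        elif kind == "Command" and msg.upper().startswith(("PASV", "EPSV", "PORT", "EPRT")):
            stage = "data_channel"
        elif kind == "Error":
            attempts.append((stage, msg, STAGE_DIAGNOSIS[stage]))
            failed = True
    if stage is not None and not failed:
        attempts.append((stage, None, "no error recorded in this attempt"))
    return attempts


# The two attempts quoted in the post above.
LOG_FROM_THREAD = """\
Status: Connecting to 10.0.1.24:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to 10.0.1.24:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to blah FTP service.
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server
"""

# Constructed log of a different failure: TLS and login fine, passive data connection blocked.
LOG_PASV_BLOCKED = """\
Status: Connecting to 10.0.1.24:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to blah FTP service.
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Status: TLS connection established.
Command: USER alice
Response: 331 Please specify the password.
Command: PASS ****
Response: 230 Login successful.
Command: PASV
Response: 227 Entering Passive Mode (10,0,1,24,156,64).
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
"""

if __name__ == "__main__":
    for name, log in (("thread", LOG_FROM_THREAD), ("pasv", LOG_PASV_BLOCKED)):
        for stage, error, diagnosis in triage_filezilla_log(log):
            print(f"[{name}] stage={stage} error={error!r}\n    {diagnosis}")
```

For the thread's log both attempts fail in the tls_handshake stage: the server answered 234 and then sent something GnuTLS could not parse as a TLS record, so the PASV range and firewall are not yet in play and the place to look is the server's TLS setup, with debug_ssl=YES in vsftpd.conf to see the server's side of the handshake in the vsftpd log. The constructed second log fails only once a data connection is requested, which is the signature of a passive port range or firewall problem.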
You can generally see what ciphers are supported on a system using nmap. As an example, if your server IP is 192.168.1.50 then:
nmap --script ssl-enum-ciphers -p 21 192.168.1.50
I am pulling that command from memory, and hope it will work for you since I removed the virtual server running vsftp after looking at your issue.
It is probably always a good idea to make sure an encrypted connection is actually giving you encrypted communications. My apologies for not including that test in my original solution.