
I am setting up my own FTP server on a Raspberry Pi (OS: Debian Wheezy). I have installed vsftpd, and I wanted to secure it with SSL/TLS (it worked well when SSL was disabled).

[following sections were edited]

I followed the tutorial here: http://crunchtools.com/vsftpd-ssl/. I tried a connection with FileZilla, but I had the error:

Status: Connecting to 192.168.1.17:21...
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 2.3.5)
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Error: Received TLS alert from the server: Handshake failed (40)
Error: Could not connect to server

My Raspberry Pi and my PC are on the same LAN. I typed ftpes://192.168.1.17 in the FTP field in FileZilla; this is the RaspPi local IP address.

A solution might be SFTP (it works), but I don't want to use the SSH port for that.

Edit: I tried WinSCP, and it worked. So the problem comes from FileZilla. I typed the following command to generate the cert file:
openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
and it seems to be secure. I am checking the encryption algorithms supported by FileZilla.

Thank you

Alfred Huang
PrStirling

1 Answer


Have a look at the description about the difference between FTPS and FTPES (this applies to servers and to clients). I do not know vsftpd, but it might be using implicit FTPS, so you should prefix the host with ftps:// when using FileZilla.

If in doubt, use netstat -a on your Raspberry Pi and check for the listening ports and for the interfaces they are bound to. You can give an explicit port in FileZilla as well, in case you have a non-standard setup.

If vsftpd is not listening on any port, have a look at /var/log/syslog on your Raspberry Pi. Error messages are usually logged there. In case vsftpd has its own log file, check that one as well.

The error Received TLS alert from the server: Handshake failed (40) means that FileZilla and the server cannot agree on an encryption (algorithm and/or strength). FileZilla refuses to use weak encryption, so the server has to be updated to use strong encryption. In FileZilla, you can enable debug output in the settings. You will then see the list of algorithms the server proposes.

The changelog of FileZilla contains some hints on this topic:

  • Disable insecure RC4 algorithm in FTP over TLS
  • Reject Diffie-Hellman Groups smaller than 1024 bits when using FTP over TLS to protect against the Logjam attack
Shi
  • According to the tutorial, it should be ftpes, but I tried ftps too. Interestingly, `netstat -tulpn` tells me that vsftpd is not listening on anything if SSL is enabled, even if I add "listen_port=21" to my conf file. – PrStirling Aug 02 '15 at 00:05
  • When SSL is enabled, vsftpd doesn't start. `syslog` contains nothing about vsftpd, and the vsftpd log files are about the connections to the server, not the program itself. These are empty, as expected. – PrStirling Aug 02 '15 at 04:56
  • After some research, I found this configuration: https://askubuntu.com/questions/412070/vsftpd-will-not-start-with-ssl-enabled. Now, vsftpd starts, but I have the error "handshake failed (40)" with FileZilla. – PrStirling Aug 02 '15 at 05:36
  • The handshake error is due to non-matching encryption. – Shi Aug 02 '15 at 21:59
  • OK, the problem was in the client (FileZilla). I used the command: – PrStirling Aug 02 '15 at 23:40
  • The default configuration of vsftpd is not working with FileZilla as client. All details are here: https://trac.filezilla-project.org/ticket/7873. The issue was adding `ssl_ciphers=HIGH` in `vsftpd.conf`. – PrStirling Aug 03 '15 at 13:41
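Added example, not code from the question, the answer or the vsftpd project: a small POSIX shell helper that checks a vsftpd.conf for the cipher mismatch the answer diagnoses and the last comment fixes (`ssl_ciphers=HIGH`), and probes a server's AUTH TLS handshake with openssl s_client the way FileZilla's ftpes:// does. The config key names are vsftpd's own; the file paths and the sample config are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or answer). Key names are vsftpd's;
# paths are assumptions.

# audit_vsftpd_tls CONF: print findings; return 0 if a modern client such as
# FileZilla should be able to negotiate TLS with this config, 1 otherwise.
audit_vsftpd_tls() {
    conf="$1"; rc=0
    # value of a key (last occurrence wins); '#' comment lines are ignored
    get() { sed -n "s/^[[:space:]]*$1=//p" "$conf" | tail -n 1; }

    if [ "$(get ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: AUTH TLS will be refused"; rc=1
    fi
    ciphers="$(get ssl_ciphers)"
    # drop excluded components such as !aNULL before looking for weak families
    positive="$(printf '%s' "$ciphers" | tr ':' '\n' | grep -v '^!' | tr '\n' ':')"
    if [ -z "$ciphers" ]; then
        # vsftpd's built-in default is DES-CBC3-SHA (3DES only), which FileZilla rejects
        echo "ssl_ciphers unset: vsftpd falls back to the weak default DES-CBC3-SHA"; rc=1
    else
        case "$positive" in  # heuristic match on OpenSSL cipher-string names
            *RC4*|*DES*|*EXP*|*LOW*|*MEDIUM*)
                echo "ssl_ciphers=$ciphers: contains suites FileZilla will not use"; rc=1 ;;
            *)
                echo "ssl_ciphers=$ciphers" ;;
        esac
    fi
    cert="$(get rsa_cert_file)"
    if [ -n "$cert" ] && [ ! -r "$cert" ]; then
        echo "rsa_cert_file=$cert is missing or unreadable: vsftpd will not start"; rc=1
    fi
    return "$rc"
}

# probe_ftps_handshake HOST [PORT]: explicit TLS on the control connection
# (AUTH TLS). Prints the negotiated protocol/cipher, or the TLS alert received.
probe_ftps_handshake() {
    openssl s_client -connect "$1:${2:-21}" -starttls ftp </dev/null 2>&1 |
        grep -E '^New, |alert'
}

# Stand-alone use: sh audit.sh /etc/vsftpd.conf
if [ "$#" -gt 0 ]; then
    audit_vsftpd_tls "$1"
fi
```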