
I have an FTP server on a Raspberry Pi with Raspbian. I use vsftpd, port 990 and a GreenLock certificate.

When I try to connect from an Android device I get a message about the wrong version of the certificate.

Before GreenLock I used ssl-cert-snakeoil, but for some time I couldn't connect to FTP.

I have no idea where the problem is. On the Android device I tested the FTPS connection and got the same error. Notepad++ and GoodSync connect normally over FTPS.

Error message: (screenshot not reproduced here)

My vsftpd.conf:

listen=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES

allow_writeable_chroot=YES
chroot_local_user=YES

local_umask=0002
anon_upload_enable=NO
anon_mkdir_write_enable=NO
file_open_mode=0777
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log

#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
#This is a welcome message response from your server
ftpd_banner=Welcome to my FTP
#
# SSL
ssl_enable=YES
#this selects the cipher type
ssl_ciphers=HIGH

rsa_cert_file=/home/pi/.acme.sh/domain.com/domain.com.cer
rsa_private_key_file=/home/pi/.acme.sh/domain.com/domain.com.key


#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

implicit_ssl=YES
listen_port=990
#
#choose according to your preference
force_local_data_ssl=YES
#
#choose according to your preference
force_local_logins_ssl=YES
#
#enable this if you enable ssl.
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

#
#give the correct path to your currently generated *.pem file
#rsa_cert_file=/etc/ssl/private/vsftpd.pem
#rsa_private_key_file=/etc/ssl/private/vsftpd.pem 
#the *.pem file contains both the key and cert
#rsa_private_key_file=/etc/vsftpd/vsftpd.pem
#
pasv_enable=YES
pasv_min_port=3000
pasv_max_port=3009
pasv_addr_resolve=YES
pasv_address=domain.com
#
#Some mobile clients require this
require_ssl_reuse=NO

user_sub_token=$USER

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

EDIT:

Now I have this configuration (I redid it for better transparency):

listen=YES
listen_port=990

allow_anon_ssl=NO
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO

force_anon_data_ssl=NO
force_anon_logins_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

file_open_mode=0777
local_umask=0002

ssl_enable=YES
ssl_ciphers=HIGH
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO

rsa_cert_file=/home/pi/.acme.sh/domain.com/domain.com.cer
rsa_private_key_file=/home/pi/.acme.sh/domain.com/domain.com.key

pasv_enable=YES
pasv_min_port=3000
pasv_max_port=3009
pasv_addr_resolve=YES
pasv_address=domain.com

local_enable=YES
user_sub_token=$USER
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

write_enable=YES
allow_writeable_chroot=YES
chroot_local_user=YES
user_sub_token=$USER

xferlog_std_format=NO
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
log_ftp_protocol=YES
debug_ssl=YES

and after trying to connect to FTPS via FileZilla, the program shows these logs:

Status: Connecting to XX.XX.XX.170:990...
Status: Connection established, initializing TLS...
Error:  GnuTLS error -15: An unexpected TLS packet was received.
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Error:  Could not connect to server
Status: Waiting to retry...
Status: Resolving address of domain.com
Status: Connecting to XX.XX.XX.170:990...
Status: Connection established, initializing TLS...
Error:  GnuTLS error -15: An unexpected TLS packet was received.
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Error:  Could not connect to server

vsftpd log:

Fri Dec 20 11:19:15 2019 [pid 2051] CONNECT: Client "XX.XXX.XXX.10"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP response: Client "XX.XXX.XXX.10", "220 (vsFTPd 3.0.3)"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP command: Client "XX.XXX.XXX.10", "????????}??DM#M???):??????"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:15 2019 [pid 2051] FTP command: Client "XX.XXX.XXX.10", "+????????EC?}Z?<??:?????????,???"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:15 2019 [pid 2051] FTP command: Client "XX.XXX.XXX.10", "???+?????0?????/?????5?????/???????9?????3????????????????"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:15 2019 [pid 2051] FTP command: Client "XX.XXX.XXX.10", "??????????????????????????????? ?????"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:15 2019 [pid 2051] FTP command: Client "XX.XXX.XXX.10", "???????????????????????????????????#???3???????A???<4?.P?J?D?T???V???1?=/L9X^????????T???D?06                                         ????K???R??????????+>~???/???G???"
Fri Dec 20 11:19:15 2019 [pid 2051] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:20 2019 [pid 2056] CONNECT: Client "XX.XXX.XXX.10"
Fri Dec 20 11:19:20 2019 [pid 2056] FTP response: Client "XX.XXX.XXX.10", "220 (vsFTPd 3.0.3)"
Fri Dec 20 11:19:20 2019 [pid 2056] FTP command: Client "XX.XXX.XXX.10", "????????}???:??L??O??M%???8??Y/B[6????????L??:?????????,???"
Fri Dec 20 11:19:20 2019 [pid 2056] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:20 2019 [pid 2056] FTP command: Client "XX.XXX.XXX.10", "???+?????0?????/?????5?????/???????9?????3????????????????"
Fri Dec 20 11:19:20 2019 [pid 2056] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."
Fri Dec 20 11:19:20 2019 [pid 2056] FTP command: Client "XX.XXX.XXX.10", "??????????????????????????????? ?????"
Fri Dec 20 11:19:20 2019 [pid 2056] FTP response: Client "XX.XXX.XXX.10", "530 Please login with USER and PASS."

I think that this is a problem with implicit/explicit mode. I want to connect to the server without installing certificates on the devices. I understand that this would be explicit mode?

Peter
  • *"I get a message about the wrong version of the certificate."* - you don't. You get a message about a protocol problem and not about a certificate problem. This is usually an indicator that you are trying to connect with TLS to a port which does not support direct TLS. Check the error log of your FTP server for details which might help to debug the problem. *"Notepad++ and Goodsync normal connecting to FTPS."* - does this mean that these work and only ftps from Android does not? – Steffen Ullrich Dec 19 '19 at 13:15
  • @SteffenUllrich That means I have a problem in the tls protocol settings, not the ssl certificate itself? – Peter Dec 19 '19 at 14:07
  • The error message does not indicate any problems with the certificate. It can be problems in the TLS configuration or it can be problems on how you access the site. If other applications work (I still don't know this, see my last comment) then it is likely a misconfiguration in your client. If no applications work it is either a misconfiguration in the server or a mismatch between your configuration in all clients and what you've configured in the server. – Steffen Ullrich Dec 19 '19 at 17:30
  • @SteffenUllrich I updated the question with new information. I think that in explicit mode I must set port 21, but after setting port 21 I again have the problem with the SSL version on the Android device, and in the second app it is: ```FTP response: Client "XX.XXX.XXX.10", "530 Non-anonymous sessions must use encryption."``` On port 21 FileZilla and Notepad++ connect correctly, but Android does not. – Peter Dec 20 '19 at 10:53
  • With the current config you have no `implicit_ssl` but still port 990, which means that it expects explicit SSL on port 990 (i.e. plain connect, SSL after the `AUTH TLS` command) but the client will try implicit SSL (SSL directly after TCP connect). That's why you see these strange messages in the log file. As for port 21: you don't show any config for this, but assuming that you've just changed the port I suspect that your Android client either does not understand explicit SSL with FTPS or you did not configure it to use it. – Steffen Ullrich Dec 20 '19 at 11:14
  • Thread to close. The problem was on the file permissions side when mounting the disk. I changed the mount point to a different location and the problem resolved. I didn't change anything in the vsftpd configuration, I only changed the location of home directories in user settings. – Peter Dec 21 '19 at 23:06
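Steffen Ullrich's diagnosis in the comments (a server configured for explicit FTPS on port 990 while the client starts TLS immediately after connecting) can be checked from the outside before touching the config. The following Python is an added example, not code from the question or from vsftpd: it classifies the first bytes seen on a connection and probes which side speaks first. `start_mock_server` is a constructed loopback stand-in so the probe can be exercised without a real server, and the host/port values are assumptions.

```python
import re
import socket
import threading

BANNER_RE = re.compile(rb"^\d{3}[ -]")  # FTP reply line, e.g. "220 (vsFTPd 3.0.3)"

def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS ClientHello apart from plaintext FTP traffic."""
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X, then a
    # handshake message of type 0x01 (ClientHello). An explicit-mode server reads
    # these bytes as an FTP command: the unreadable "FTP command" log lines above.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if BANNER_RE.match(data):
        return "ftp-banner"
    try:
        data.decode("ascii")
        return "ftp-command"
    except UnicodeDecodeError:
        return "unknown-binary"

def probe_ftps_mode(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect WITHOUT TLS and see who speaks first."""
    # implicit_ssl=NO: the server greets with a 220 banner and TLS begins only
    # after AUTH TLS. implicit_ssl=YES: the server waits for the client's
    # ClientHello, so a plaintext read gets nothing and times out.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            return "implicit"
    return "explicit" if classify_first_bytes(data) == "ftp-banner" else "unknown"

def start_mock_server(banner):
    """Constructed loopback stand-in for vsftpd: banner = explicit, None = silent implicit."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                conn.recv(1024)  # waits for a ClientHello that never arrives
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # port the stand-in listens on
```

Against the configuration in the EDIT, `probe_ftps_mode("domain.com", 990)` would return "explicit", which is exactly the mismatch a client in implicit mode runs into.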

0 Answers