vsftpd and tls, problems uploading file
by camerabambai from LinuxQuestions.org on (#5EWVX)
I want to use TLS with anonymous users (and not) on vsftpd.
This is the configuration file:
allow_anon_ssl=YES
anonymous_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/ftp
anon_umask=022
anon_upload_enable=YES
ascii_download_enable=YES
ascii_upload_enable=YES
ca_certs_file=/etc/pki/tls/certs/giallo.priv.crt
chown_uploads=YES
chown_upload_mode=0644
chown_username=ftp
connect_from_port_20=YES
debug_ssl=YES
dirmessage_enable=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ftpd_banner=Welcome to blah FTP service.
listen=NO
listen_ipv6=YES
local_enable=YES
local_umask=022
log_ftp_protocol=YES
ls_recurse_enable=YES
nopriv_user=ftp
pam_service_name=vsftpd
require_ssl_reuse=YES
rsa_cert_file=/etc/pki/tls/certs/dhcp3.giallo.priv.crt
rsa_private_key_file=/etc/pki/tls/private/dhcp3.giallo.priv.key
ssl_ciphers=HIGH
ssl_enable=YES
ssl_request_cert=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
strict_ssl_read_eof=YES
strict_ssl_write_shutdown=YES
syslog_enable=YES
use_localtime=YES
validate_cert=NO
write_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
pasv_min_port=40000
pasv_max_port=50000
I try to upload a file as an authenticated user with lftp...
---- Connecting to dhcp3.giallo.priv (10.3.0.3) port 21
<--- 220 Welcome to blah FTP service.
---> FEAT
<--- 211-Features:
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- UTF8
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate depth: 1; subject: ....
WARNING: Certificate verification: self signed certificate in certificate chain (6B:66:B5:6E:40:34:B3:30:95:E0:01:FF:0C:10:BE:DA:D7:01:5A:E9)
Certificate depth: 0; subject: ....
initialized translation from UTF-8 to ANSI_X3.4-1968
initialized translation from ANSI_X3.4-1968 to UTF-8
Certificate verification: common name: 'dhcp3.giallo.priv' matched
<--- 200 Always in UTF8 mode.
initialized translation from ANSI_X3.4-1968 to UTF-8
initialized translation from UTF-8 to ANSI_X3.4-1968//TRANSLIT
---> USER myuser
<--- 331 Please specify the password.
---> PASS myuserpass
<--- 230 Login successful.
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> TYPE I
<--- 200 Switching to Binary mode.
---> PASV
<--- 227 Entering Passive Mode (10,3,0,3,167,196).
---- Connecting data socket to (10.3.0.3) port 42948
---- Data connection established
---> STOR Lucio Battisti-Nessun Dolore.mp3
<--- 150 Ok to send data.
initialized translation from UTF-8 to ANSI_X3.4-1968
initialized translation from ANSI_X3.4-1968 to UTF-8
Certificate verification: common name: 'dhcp3.giallo.priv' matched
---- Closing data socket
<--- 426 Failure reading network stream.
---> QUIT
<--- 221 Goodbye.
---- Closing control socket
`musica/Lucio Battisti-Nessun Dolore.mp3' at 10593174 (100%) 1.05M/s eta:0s [Delaying before reconnect: 6]....
This happens with authenticated users and also anonymous users: ls is ok, download is ok, but upload is not.
What can it be? On the firewall I use these rules (the ftp server is under NAT):
# FTP
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 40000:50000 -j ACCEPT
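As an added example (not from the original post), a small Python checker that decodes the 227 PASV reply in the lftp trace, verifies the advertised data port against the pasv_min_port/pasv_max_port range in vsftpd.conf and against the iptables --dport ranges, and reports at which phase the 4xx/5xx reply arrived. The inputs are constructed and abbreviated from the post; the note about pasv_address assumes that vsftpd directive, which the post does not set.

```python
import ipaddress
import re
# Constructed sample inputs, abbreviated from the config, firewall rules and lftp trace in the post.
VSFTPD_CONF = "ssl_enable=YES\nrequire_ssl_reuse=YES\npasv_min_port=40000\npasv_max_port=50000\n"
IPTABLES_RULES = """iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 40000:50000 -j ACCEPT"""
LFTP_TRACE = """---> PASV
<--- 227 Entering Passive Mode (10,3,0,3,167,196).
---> STOR Lucio Battisti-Nessun Dolore.mp3
<--- 150 Ok to send data.
<--- 426 Failure reading network stream."""

def parse_conf(text):
    """vsftpd.conf is plain key=value lines; skip blanks and comments."""
    return dict(l.strip().split("=", 1) for l in text.splitlines()
                if "=" in l and not l.lstrip().startswith("#"))

def pasv_endpoint(reply):
    """Decode a 227 reply: host h1.h2.h3.h4, port p1*256+p2 (RFC 959)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def accepted_dports(rules, chain):
    """(low, high) --dport ranges ACCEPTed by rules in the given iptables chain."""
    ranges = []
    for line in rules.splitlines():
        m = re.search(rf"-A {chain}\b.*--dport (\d+)(?::(\d+))?.*-j ACCEPT", line)
        if m:
            ranges.append((int(m.group(1)), int(m.group(2) or m.group(1))))
    return ranges

def diagnose(trace, conf, rules, chain="FORWARD"):
    host = port = None
    findings = []
    for line in trace.splitlines():
        if line.startswith("<--- 227"):
            host, port = pasv_endpoint(line)
            lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
            if not lo <= port <= hi:
                findings.append(f"PASV port {port} outside pasv_min_port..pasv_max_port {lo}-{hi}")
            if not any(a <= port <= b for a, b in accepted_dports(rules, chain)):
                findings.append(f"PASV port {port} not ACCEPTed in {chain} chain")
            if ipaddress.ip_address(host).is_private:
                findings.append(f"PASV advertises private address {host}; clients outside the NAT need pasv_address set")
        elif line[:6] in ("<--- 4", "<--- 5"):
            findings.append(f"{'data transfer' if port else 'control channel'} failure: {line[5:]}")
    return host, port, findings
```

For the post's trace the port range and firewall checks pass, so the checker narrows the 426 down to the data-transfer phase rather than the firewall rules.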