[CentOS] FTPS setup problem
John R Pierce
pierce at hogranch.com
Fri Dec 19 23:22:24 UTC 2008
Guy Boisvert wrote:
> Bob Hoffman wrote:
>>> When i try, i get this error message:
>>> SSL/TLS client handshake failed (Error = 0x80090308)
>>> Could anybody give me a pointer on this?
>> I really hope you post the end fulfillment of this problem as I want to do
>> ssl with my vsftp and have not gotten around to it.
>> Have you tried just restarting vsftp?
>> I also find that I had to play with the user list allow/deny to get mine to
>> work right.
>> Can you, if you take out the ssl stuff, access it via ftp normally?
> Hi Bob,
> Just to put all this in perspective, i'm not a "green" on CentOS and i
> restarted vsftpd each time i modified my test server (it's very ok that
> you asked!). I don't consider myself an expert but i'm pretty
> comfortable with CentOS.
> I can reach easily the server by regular FTP, check my previously
> posted config file and you'll see that i don't force local users to use
> SSL. For the remote users, i'll redirect port 990 on our firewall to
> port 21 on the server. I read that vsftpd can't use different ports for
> regular FTP and FTPS so i let it be on port 21, which we use internally.
I don't know if you can do that with FTPS... FTP uses a separate
dynamic port for the data socket, and the mode this port is assigned is
at the whim of the *client* software, it can either be PORT or PASSIVE
mode, this makes NAT address translation of FTP a real mess. AFAIK,
FTPS (ftp over ssl) does much the same.
I quote from Wikipedia...
The firewall problem
Because FTP <http://en.wikipedia.org/wiki/File_Transfer_Protocol> is a
port-hopping protocol (i.e. data channels use a random port chosen
during the communication), many firewalls
<http://en.wikipedia.org/wiki/Firewall_%28networking%29> are designed to
understand FTP protocol messages to determine what secondary data
connections they need to allow. However, if the control connection is
encrypted using TLS/SSL (or any other method for that matter), the
firewall is not able to get the port numbers of the data connections
from the control connection (since it is encrypted and the firewall
cannot decrypt it). Therefore, in many firewalled networks, clear FTP
connections will work while FTPS connections will either completely fail
or require the use of passive mode (assuming all ports >= 1024 to the
server are unfiltered).
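As an added illustration of the firewall problem quoted above (this is not code from the thread or from vsftpd), the following Python check parses a vsftpd.conf and flags the settings that leave a firewall unable to handle FTPS data connections: TLS on the control channel with no fixed passive port range (vsftpd's pasv_min_port/pasv_max_port, which default to 0, meaning any port) and no pasv_address for a server behind NAT. The sample configuration is constructed for the example.

```python
"""Check a vsftpd.conf for the FTPS-behind-a-firewall problem (added example)."""

# Constructed sample: TLS is enabled, but no passive port range is fixed, so a
# firewall that cannot read the encrypted PASV reply has no ports to open.
SAMPLE_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
listen_port=21
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
pasv_enable=YES
"""

# The same config with a fixed passive range and the public address to
# advertise, which is what the firewall rules can then be written against.
FIXED_CONF = SAMPLE_CONF + "pasv_min_port=40000\npasv_max_port=40100\npasv_address=192.0.2.10\n"


def parse_vsftpd_conf(text: str) -> dict:
    """Parse key=value lines; vsftpd ignores blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def ftps_firewall_findings(conf: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    if conf.get("ssl_enable", "NO").upper() != "YES":
        return findings  # plain FTP: the firewall can still read PORT/PASV itself
    if conf.get("pasv_enable", "YES").upper() != "YES":
        findings.append("pasv_enable=NO: active mode relies on the firewall seeing "
                        "the PORT command, which TLS hides")
    lo, hi = conf.get("pasv_min_port", "0"), conf.get("pasv_max_port", "0")
    if int(lo) == 0 or int(hi) == 0 or int(lo) > int(hi):
        findings.append("no usable pasv_min_port/pasv_max_port: the firewall cannot "
                        "know which passive data ports to allow")
    if "pasv_address" not in conf:
        findings.append("no pasv_address: behind NAT, the encrypted PASV reply "
                        "advertises the server's private address")
    return findings
```

Run `ftps_firewall_findings(parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()))` on a real server to list what the firewall still cannot cope with.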