[CentOS] FTPS setup problem

Fri Dec 19 23:22:24 UTC 2008
John R Pierce <pierce at hogranch.com>

Guy Boisvert wrote:
> Bob Hoffman wrote:
>   
>>> When I try, I get this error message:
>>>
>>> SSL/TLS client handshake failed (Error = 0x80090308)
>>>
>>> Could anybody give me a pointer on this?
>>>
>> I really hope you post the end fulfillment of this problem as I want to do
>> ssl with my vsftp and have not gotten around to it.
>>
>> Have you tried just restarting vsftp?
>> I also find that I had to play with the user list allow/deny to get mine to
>> work right.
>>
>> Can you, if you take out the ssl stuff, access it via ftp normally?
>>
>
> Hi Bob,
>
> 	Just to put all this in perspective, I'm not a "green" on CentOS and I 
> restarted vsftpd each time I modified my test server (it's very OK that 
> you asked!).  I don't consider myself an expert but I'm pretty 
> comfortable with CentOS.
>
> 	I can easily reach the server by regular FTP; check my previously 
> posted config file and you'll see that I don't force local users to use 
> SSL.  For the remote users, I'll redirect port 990 on our firewall to 
> port 21 on the server.  I read that vsftpd can't use different ports for 
> regular FTP and FTPS, so I let it be on port 21, which we use internally.
>

I don't know if you can do that with FTPS...  FTP uses a separate 
dynamic port for the data socket, and the mode in which this port is 
assigned is at the whim of the *client* software: it can be either PORT 
or PASSIVE mode.  This makes NAT address translation of FTP a real mess.  
AFAIK, FTPS (FTP over SSL) does much the same.

I quote from Wikipedia...

    The firewall problem

Because FTP <http://en.wikipedia.org/wiki/File_Transfer_Protocol> is a 
port-hopping protocol (i.e. data channels use a random port chosen 
during the communication), many firewalls 
<http://en.wikipedia.org/wiki/Firewall_%28networking%29> are designed to 
understand FTP protocol messages to determine what secondary data 
connections they need to allow. However, if the control connection is 
encrypted using TLS/SSL (or any other method for that matter), the 
firewall is not able to get the port numbers of the data connections 
from the control connection (since it is encrypted and the firewall 
cannot decrypt it). Therefore, in many firewalled networks, clear FTP 
connections will work while FTPS connections will either completely fail 
or require the use of passive mode (assuming all ports >= 1024 to the 
server are unfiltered).
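As an added illustration of the firewall problem described above (this is example code written for this page, not something from John's message or from vsftpd): a small model of what a stateful firewall's FTP helper does when it reads the control channel. On a cleartext session it recovers the data-channel endpoint from the client's PORT command or the server's 227 PASV reply; on an FTPS session it sees "AUTH TLS" and then only ciphertext, so it learns nothing. The `in_pasv_range` check models the usual workaround, pinning vsftpd's passive ports with pasv_min_port/pasv_max_port and opening only that range. All session transcripts and port numbers below are constructed.

```python
"""Model of a firewall FTP helper reading the control channel (constructed example)."""
import re

# RFC 959 encodes host and port as six decimal octets: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(octets):
    """Turn the six RFC 959 octets into ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in octets)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoints(control_lines):
    """Return the (mode, host, port) tuples a firewall learns from the control
    channel.  Lines it cannot parse (including TLS ciphertext) yield nothing."""
    found = []
    for line in control_lines:
        m = PORT_RE.match(line)
        if m:
            found.append(("PORT",) + decode_endpoint(m.groups()))
            continue
        m = PASV_RE.match(line)
        if m:
            found.append(("PASV",) + decode_endpoint(m.groups()))
    return found


def in_pasv_range(port, pasv_min, pasv_max):
    """True when a passive data port lies in the range the firewall was opened
    for (the range an admin would pin with vsftpd's pasv_min_port/pasv_max_port)."""
    return pasv_min <= port <= pasv_max


# Constructed cleartext session: the helper can read the 227 reply.
CLEAR_SESSION = [
    "220 (vsFTPd 2.0.5)",
    "USER guy", "331 Please specify the password.",
    "PASS ****", "230 Login successful.",
    "PASV", "227 Entering Passive Mode (192,168,1,10,195,80).",
    "LIST",
]

# Constructed FTPS session: after AUTH TLS the helper sees only ciphertext.
TLS_SESSION = [
    "220 (vsFTPd 2.0.5)",
    "AUTH TLS", "234 Proceed with negotiation.",
    "\x16\x03\x01\x00\xa5...",  # TLS ClientHello and everything after it
]
```

Running `data_endpoints` over both sessions shows the asymmetry directly: the cleartext session yields the passive endpoint 192.168.1.10:50000, the FTPS session yields an empty list.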