Thursday 22 November 2012

VSFTPD with SSL/TLS

## VSFTPD with SSL
FTPS (FTP over SSL/TLS) has two separate channels to protect, and each is negotiated on its own:
1. Control channel (commands, usernames and passwords)
2. Data channel (directory listings and file contents)

Implicit SSL >> TCP:990 (TLS handshake first, then FTP inside it)
Explicit SSL >> TCP:21 (plain FTP, the client upgrades with AUTH TLS)

## use the LFTP client to force an SSL connection
lftp -u user localhost        (or the server address, e.g. 192.168.10.1)
lftp :~> set -a | grep ssl    (show the current ssl-related settings)

'nano ~/.lftprc'
## add the lines below (debug shows the AUTH TLS / PROT P exchange, the two set lines make lftp refuse a plaintext fallback)
'debug'
'set ftp:ssl-force yes'
'set ftp:ssl-protect-data yes'

## set up VSFTPD SSL support in vsftpd.conf
'ssl_enable=yes'
'ssl_tlsv1=yes'   Default (ssl_sslv2 and ssl_sslv3 default to NO; leave them off)
'rsa_cert_file=/etc/pki/tls/certs/myftpssl.crt'

## if the private key is in a separate file (genkey puts it there) then also set
'rsa_private_key_file=/etc/pki/tls/private/myftpssl.key'


Optional, to keep accepting plaintext (non-SSL) logins as well:
force_local_logins_ssl=no
force_local_data_ssl=no
Both default to YES once ssl_enable is set. Turning them off sends local users' passwords and data in the clear, so leave them on unless a legacy client really needs it.

'genkey myftpssl'    (from crypto-utils; writes the certificate to /etc/pki/tls/certs/myftpssl.crt and the key to /etc/pki/tls/private/myftpssl.key; answer no when asked to encrypt the key, since vsftpd cannot prompt for a passphrase at startup)

NOTE: the certificate's common name must match the hostname clients connect to, otherwise the client reports a name mismatch.

service vsftpd stop

service vsftpd start

'openssl ciphers -v'    - to view all the cipher suites OpenSSL knows

'openssl ciphers -v | grep DES-CBC3-SHA'    - show the details of vsftpd's default suite

Default VSFTPD cipher (ssl_ciphers unset): DES-CBC3-SHA, i.e. 3DES. Override it with something like 'ssl_ciphers=HIGH' in vsftpd.conf.
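As an added example (my own script, not part of the original notes), here is a small POSIX shell audit that reads a vsftpd.conf and flags the weak settings covered above: SSL not enabled, force_local_logins_ssl or force_local_data_ssl turned back to NO, SSLv2/SSLv3 switched on, or ssl_ciphers left at (or set to) the 3DES default DES-CBC3-SHA. The two sample config files are constructed inline for the demonstration; the option names and defaults are vsftpd's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# SSL/TLS settings discussed above. Prints one finding per line and returns
# the number of findings, so 0 means the file passed every check.

# conf_value FILE KEY: print the effective value of KEY (vsftpd takes the
# last occurrence), ignoring comments, blank lines and surrounding spaces.
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# is_yes VALUE: vsftpd treats YES/TRUE/1 as true, case-insensitively.
is_yes() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_vsftpd_ssl FILE: return value is the number of findings.
audit_vsftpd_ssl() {
    conf="$1"
    findings=0

    if ! is_yes "$(conf_value "$conf" ssl_enable)"; then
        echo "ssl_enable is off: control and data channels are plaintext"
        return 1
    fi

    # Both default to YES once ssl_enable is set; NO re-allows plaintext.
    for key in force_local_logins_ssl force_local_data_ssl; do
        v=$(conf_value "$conf" "$key")
        if [ -n "$v" ] && ! is_yes "$v"; then
            echo "$key=$v: plaintext local sessions are still accepted"
            findings=$((findings + 1))
        fi
    done

    # SSLv2/SSLv3 default to NO; enabling either is a downgrade risk.
    for key in ssl_sslv2 ssl_sslv3; do
        if is_yes "$(conf_value "$conf" "$key")"; then
            echo "$key=YES: obsolete protocol enabled"
            findings=$((findings + 1))
        fi
    done

    # Unset ssl_ciphers means the 3DES default DES-CBC3-SHA. The list is
    # colon-separated, so match the exact suite name as one component.
    ciphers=$(conf_value "$conf" ssl_ciphers)
    case ":${ciphers:-DES-CBC3-SHA}:" in
        *:DES-CBC3-SHA:*)
            echo "ssl_ciphers=${ciphers:-<default>}: 3DES in use, set ssl_ciphers=HIGH"
            findings=$((findings + 1)) ;;
    esac

    return $findings
}

# Constructed sample configs for the demonstration (not from a real server).
TMP=$(mktemp -d)
cat > "$TMP/weak.conf" <<'EOF'
# SSL turned on, but plaintext logins left permitted and default ciphers
ssl_enable=YES
ssl_tlsv1=YES
rsa_cert_file=/etc/pki/tls/certs/myftpssl.crt
rsa_private_key_file=/etc/pki/tls/private/myftpssl.key
force_local_logins_ssl=NO
force_local_data_ssl=NO
EOF

cat > "$TMP/hardened.conf" <<'EOF'
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/pki/tls/certs/myftpssl.crt
rsa_private_key_file=/etc/pki/tls/private/myftpssl.key
EOF

echo "== weak.conf"; audit_vsftpd_ssl "$TMP/weak.conf" || echo "findings: $?"
echo "== hardened.conf"; audit_vsftpd_ssl "$TMP/hardened.conf" && echo "findings: 0"
```

Run it against the real file with `audit_vsftpd_ssl /etc/vsftpd/vsftpd.conf` after the edits above; the weak sample reports three findings (the two force_local_* options and the default cipher), the hardened one none.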
