Dalexan asked:

cannot connect to ubuntu/vsftpd via ftps call from Filezilla

I have vsftpd set up on a Linux server running ubuntu and can connect from a WinXP client with FileZilla v. 3.5.1 using ftp and sftp.  However, ftps will not work...all we can get is Connection attempt failed with "ECONNREFUSED - Connection refused by server".  I've been through several postings on the web to get things configured properly, but nothing works.  Client and server are on a local network, firewalls are turned off, conf file is:

listen=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_file=/var/log/vsftpd.log
ftpd_banner=Welcome to FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
setproctitle_enable=YES
session_support=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
Implicit_SSL=YES
listen_port=990

I'm at a loss as to what to try next...Can anyone please help?
Dave Baldwin

SFTP normally connects on port 22.  ??
I didn't see that you had already checked that.  I can not find anything in the Filezilla or VSFTP docs that says either one supports FTPS.
Dalexan (ASKER)

Yes, I've looked over the wiki site...there are other blogs, etc, that define the steps to configure vsftpd for ftps transfers, so I assume it does in fact support this, and FileZilla has the option in the list for a site if you go into the menu options to manage sites.  Given all this, it appears it should be supported and should work; however, I have yet to get it to cooperate.
Dalexan (ASKER)

iptables is empty (iptables -F).  Windows Firewall is disabled.  Server and Client are on the same local network.
What do the logs on the server show for this?

Does /etc/ssl/certs/vsftpd.pem contain the private key as well?

Try turning debug_ssl on as well.
debug_ssl=YES

Dalexan (ASKER)

vsftpd.log, user.log and messages are empty.  vsftpd.pem has private key and certificate.  setting debug_ssl=YES made no difference in logs after restart.
Are you sure the server is running and listening on 21?
/etc/init.d/vsftpd status
netstat -an|grep :21

Dalexan (ASKER)

hmmm...looks like something is amiss...

root@PE860:/etc# start vsftpd
vsftpd start/running, process 8744
root@PE860:/etc#
root@PE860:/etc# status vsftpd
vsftpd stop/waiting
root@PE860:/etc# netstat -an|grep :21
root@PE860:/etc# netstat -an|grep :990
root@PE860:/etc#

appears that even though it says it started, it didn't.  Since I have the listen_port=990, I tried both...neither is showing.  ps -ef|vsftpd doesn't show anything either...now, with the log files empty, how do I figure out why it is not starting???
Dalexan (ASKER)

but then, if that is the case, why would sftp work?
Dalexan (ASKER)

openssh/sftp-server is running...??
Oh woops yeah it would be running on 990.


but then, if that is the case, why would sftp work?
sftp uses SSH

Which distro are you running?
Try splitting up your key and cert and adding the rsa_private_key_file option.

If the server still does not stay running after that, disable SSL and comment out listen_port and restart/test.
Dalexan (ASKER)

split the file...no go.
comment out listen_port and disable SSL...still won't stay running.
ASKER CERTIFIED SOLUTION
Papertrip

This solution is only available to members.
Dalexan (ASKER)

I purged and reinstalled and have it running now with the default configuration.  I will work with the settings a few at a time to see if I can get it working tonight and let you know tomorrow.
Thanks for your help so far.
Dalexan (ASKER)

I am getting closer, I think, today.  After restarting from the generic install, I found that the implicit_ssl=YES was the cause for the restart failure.

Below are my current config settings, and the result showing a gnuTLS error:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=Welcome to NCTS FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd_cert.pem
rsa_private_key_file=/etc/ssl/private/vsftpd_key.pem
ssl_enable=YES
implicit_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
listen_port=990


I am now getting:
Status:      Connecting to 10.20.254.14:990...
Status:      Connection established, initializing TLS...
Status:      Verifying certificate...
Status:      TLS/SSL connection established, waiting for welcome message...
Response:      220 Welcome to NCTS FTP service.
Command:      USER ftpuser
Response:      331 Please specify the password.
Command:      PASS ********
Error:      GnuTLS error -8: A record packet with illegal version was received.
Error:      Could not connect to server
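
A static check over the TLS-related settings that appear in the configs posted in this thread, as an added example (not code from any poster or from the vsftpd project). The function names and the sample text are constructed here; the defaults and the option=value syntax rule are those documented in vsftpd.conf(5), and the checks cover only option-name case, SSLv2/SSLv3, the two force_local_* settings and the key location.

```python
import re

# Constructed sample: TLS-related lines of the first config posted in the thread.
SAMPLE_CONF = """\
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=NO
ssl_sslv2=YES
ssl_sslv3=YES
Implicit_SSL=YES
"""

def parse_conf(text):
    """Split vsftpd.conf text into {option: value} and a list of malformed lines."""
    settings, malformed = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"([^=\s]+)=(\S.*|)", line)  # no spaces allowed around '='
        if m:
            settings[m.group(1)] = m.group(2).rstrip()
        else:
            malformed.append((n, line))
    return settings, malformed

def audit(text):
    """Return (severity, message) findings; unset options take their documented defaults."""
    conf, malformed = parse_conf(text)
    out = [("error", f"line {n}: not in option=value form") for n, _ in malformed]
    on = lambda key, default: conf.get(key, default).upper() in ("YES", "TRUE", "1")
    for key in conf:
        if key != key.lower():
            out.append(("error", f"{key}: option names are lower-case, use {key.lower()}"))
    if not on("ssl_enable", "NO"):
        return out
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if on(proto, "NO"):
            out.append(("warn", f"{proto}=YES enables an obsolete protocol"))
    if not on("force_local_data_ssl", "YES"):
        out.append(("warn", "force_local_data_ssl=NO: data transfers may be cleartext"))
    if not on("force_local_logins_ssl", "YES"):
        out.append(("warn", "force_local_logins_ssl=NO: passwords may be cleartext"))
    cert = conf.get("rsa_cert_file", "")
    if "rsa_private_key_file" not in conf and cert.startswith("/etc/ssl/certs/"):
        out.append(("warn", "private key must be inside rsa_cert_file, which is in /etc/ssl/certs"))
    return out
```

Call audit() on the text of the server's vsftpd.conf; an empty list means none of these checks fired.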
Does the client know to use SSL for that connection?
Dalexan (ASKER)

Yes. We have figured out the issue. I will post our solution and award points tomorrow.
Dalexan (ASKER)

We have given up on FTPS and reverted to using SFTP, which works and is secure. Papertrip was helpful and this could possibly work with FTPS, but our time is limited.