Support FTP Over TLS on CentOS

This section provides a tutorial example on how to turn on SSL/TLS support in the vsftpd server on CentOS systems. A private-public key pair and a self-signed certificate are generated with the OpenSSL tool.

If you allow users to upload and download files remotely over public networks, you need to enable SSL (Secure Sockets Layer) support in vsftpd so that it offers FTP over TLS (Transport Layer Security), also called explicit FTPS. This encrypts the information exchanged between FTP client programs and the vsftpd server, including the user's password and the uploaded and downloaded files. Plain FTP sends all of this in clear text.

Here is what I did to enable SSL support for vsftpd on my CentOS computer.

1. Make sure "openssl" is available:

herong$ sudo dnf info openssl

Available Packages
Name         : openssl
Epoch        : 1
Version      : 1.1.1c
Release      : 15.el8
Architecture : x86_64
Size         : 697 k
Source       : openssl-1.1.1c-15.el8.src.rpm
Repository   : BaseOS
Summary      : Utilities from the general purpose cryptography library with TLS
             : implementation
URL          : http://www.openssl.org/
License      : OpenSSL
Description  : The OpenSSL toolkit provides support for secure communications between
             : machines. OpenSSL includes a certificate management tool and shared
             : libraries which provide various cryptographic algorithms and
             : protocols.

herong$ sudo dnf install  openssl
Upgraded:
  openssl-1:1.1.1c-15.el8.x86_64
  openssl-libs-1:1.1.1c-15.el8.x86_64

2. Generate a private-public key pair and a self-signed certificate for the vsftpd server. "-nodes" leaves the private key unencrypted, which is required because vsftpd cannot prompt for a passphrase when it starts, so the key file must be readable by root only. Without a "-days" option, "openssl req -x509" issues a certificate that expires after 30 days; add "-days" with a longer validity for real use. The Common Name should be the hostname that clients use to reach the server:

herong$ cd /etc/vsftpd

herong$ sudo mkdir ssl
herong$ cd ssl

herong$ sudo openssl req -x509 -nodes -newkey rsa:2048 \
   -keyout vsftpd-private.pem -out vsftpd-cert.pem

Generating a RSA private key
............+++++
..+++++
writing new private key to 'vsftpd-private.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:NY
Organization Name (eg, company) [Default Company Ltd]:HY
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hy.centos
Email Address []:

herong$ sudo ls -l
total 8
-rw-r--r-- 1 root root 1294 Jul 11 13:50 vsftpd-cert.pem
-rw------- 1 root root 1704 Jul 11 13:49 vsftpd-private.pem

3. Update the vsftpd configuration to turn on SSL. vsftpd expects each option as "key=value" with no spaces around the "=":

herong$ cd /etc/vsftpd

herong$ sudo vi vsftpd.conf
...
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH

Notes on these settings: "force_local_logins_ssl" and "force_local_data_ssl" make vsftpd reject a local user's login or data transfer unless the client negotiated TLS first, so a misconfigured client fails instead of silently falling back to clear text. SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are turned off because those protocol versions are obsolete and have known weaknesses; only TLS 1.2 is left enabled. "require_ssl_reuse" defaults to YES, which requires each data connection to reuse the TLS session of the control connection (proof that it belongs to the same authenticated client); it is set to NO here because many FTP clients do not support session reuse, which is a small loss of protection in exchange for compatibility. Finally, because the control channel is now encrypted, a firewall can no longer read the PASV replies to open data ports on the fly, so restrict the passive port range with "pasv_min_port" and "pasv_max_port" and open that range in the firewall explicitly.

4. Restart the vsftpd server so the new configuration takes effect:

herong$ sudo systemctl restart vsftpd

5. Test FTP over TLS with the FileZilla client:

Define a new site with the following:
  Protocol: FTP - File Transfer Protocol
  Host: 192.168.1.3
  Port:
  Encryption: Require explicit FTP over TLS
  ...

Choose "Require explicit FTP over TLS" rather than "if available", so the client never falls back to clear text.

Click "Connect" and enter the user name and password.

FileZilla warns about the server's certificate, because it is self-signed
rather than issued by a certificate authority. Before accepting it, compare
the fingerprint FileZilla shows with the fingerprint of vsftpd-cert.pem on
the server; otherwise you cannot tell the real server from a
man-in-the-middle presenting its own certificate. Then click OK.

You see a successful connection in the log:
  Status:   Connecting to 192.168.1.10:21...
  Status:   Connection established, waiting for welcome message...
  Status:   Initializing TLS...
  Status:   Verifying certificate...
  Status:   TLS connection established.
  Status:   Logged in
  Status:   Retrieving directory listing...
  Status:   Directory listing of "/" successful

Nice! My FTP connections are secured now.
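The procedure above as a script, added here as an example and not part of the original tutorial: it generates the key pair and certificate non-interactively (step 2), audits a vsftpd.conf against the TLS settings from step 3, and probes the listening server with an explicit AUTH TLS handshake instead of FileZilla (step 5). The directory /etc/vsftpd/ssl and the DN values follow the tutorial; the hostname ftp.example.com, the 825-day validity and the "-addext" subjectAltName (OpenSSL 1.1.1 or later) are assumptions. The configs it audits at the end are constructed inline, so the audit part runs anywhere; the generate and probe functions are for the server itself.

```sh
#!/bin/sh
# Added example, not the tutorial's own code. Assumed: SSL_DIR, FTP_HOST, -days 825.
set -u

SSL_DIR=${SSL_DIR:-/etc/vsftpd/ssl}       # same directory as the tutorial
FTP_HOST=${FTP_HOST:-ftp.example.com}     # assumed name that clients connect to

# Step 2 without prompts. Runs in a subshell so umask does not leak out.
# -nodes: vsftpd cannot enter a passphrase; -days: avoid the 30-day default.
gen_vsftpd_cert() (
  mkdir -p "$SSL_DIR"
  umask 077
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 825 \
    -subj "/C=US/ST=NY/L=NY/O=HY/OU=IT/CN=$FTP_HOST" \
    -addext "subjectAltName=DNS:$FTP_HOST" \
    -keyout "$SSL_DIR/vsftpd-private.pem" -out "$SSL_DIR/vsftpd-cert.pem"
  chmod 0644 "$SSL_DIR/vsftpd-cert.pem"
  chmod 0600 "$SSL_DIR/vsftpd-private.pem"
  # Fingerprint to compare with the client's certificate warning (step 5).
  openssl x509 -in "$SSL_DIR/vsftpd-cert.pem" -noout -fingerprint -sha256
)

# Effective value of one vsftpd.conf option: last uncommented "key=value" wins;
# booleans are normalized so YES/yes/true/1 and NO/no/false/0 compare equal.
vsftpd_get() {
  awk -F= -v k="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == k { v = substr($0, index($0, "=") + 1) }
    END {
      u = toupper(v)
      if (u == "YES" || u == "TRUE" || u == "1") v = "YES"
      else if (u == "NO" || u == "FALSE" || u == "0") v = "NO"
      print v
    }' "$1"
}

# Step 3 check: does the file enforce the TLS baseline from the tutorial?
# Prints each deviation; returns 1 if any was found, 0 if the file is clean.
audit_vsftpd_tls() {
  conf=$1; bad=0
  for pair in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
              allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=NO \
              ssl_tlsv1_1=NO ssl_tlsv1_2=YES; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(vsftpd_get "$conf" "$key")
    [ "$got" = "$want" ] || { echo "FAIL $key=${got:-<unset>} (want $want)"; bad=1; }
  done
  for f in rsa_cert_file rsa_private_key_file; do
    [ -n "$(vsftpd_get "$conf" "$f")" ] || { echo "FAIL $f is not set"; bad=1; }
  done
  return $bad
}

# Step 5 without a GUI: AUTH TLS handshake on port 21, TLS 1.2 only, server
# certificate verified against the self-signed file instead of clicked through.
probe_ftp_tls() {
  openssl s_client -connect "$1:21" -starttls ftp -tls1_2 \
    -CAfile "${2:-$SSL_DIR/vsftpd-cert.pem}" -verify_return_error </dev/null
}

# Constructed sample input: the tutorial's fragment, plus a deliberately weak
# copy with TLS 1.0 re-enabled and clear-text logins allowed again.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
EOF
sed -e 's/^ssl_tlsv1=NO/ssl_tlsv1=YES/' \
    -e 's/^force_local_logins_ssl=YES/force_local_logins_ssl=no/' \
    "$GOOD_CONF" >"$BAD_CONF"

echo "== tutorial config";  audit_vsftpd_tls "$GOOD_CONF" && echo "OK"
echo "== weakened config";  audit_vsftpd_tls "$BAD_CONF" || echo "not hardened"
```

On the server, run `gen_vsftpd_cert` as root once, `audit_vsftpd_tls /etc/vsftpd/vsftpd.conf` before every restart, and `probe_ftp_tls 192.168.1.3` afterwards: a "Verify return code: 0 (ok)" line plus the 234 reply to AUTH TLS confirms that the handshake works and that the certificate presented is the one you generated.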
