VSFTPD and Implicit SSL

Implicit - Assumes that the server is expecting everything encrypted using SSL. This means that when the client first connects to the server it will immediately negotiate the SSL connection on the command connection. Normally implicit connections are also on a different port, such as port 990. So to run vsftpd in implicit mode, you need to set the options

implicit_ssl=YES
listen_port=990 

Or

implicit_ssl=YES
listen_port=21 

and configure your FTP client to use port 21 for the connection. (The FileZilla client, for example, uses port 990 by default when connecting to an implicit server type.)


Clearly you'll need to set implicit_ssl=YES in the config file to get anywhere.

But when you do, you can't start the server, of course. So the first thing to do is look at the server's logs, in /var/log/vsftpd.log (or, possibly, the messages went to /var/log/user.log or /var/log/messages, but that's unlikely).

Without seeing that, I can't possibly tell you what the problem actually is, but as a wild guess, I'd say there's a decent chance it's failing to find its server SSL certificate. Other possible contenders for the problem include permission problems, SELinux failures (if you have that enabled), or vsftpd just plain not liking the set of configuration options you gave it - it can be very picky that way, so as to keep you from accidentally leaving it configured in an insecure state. Or there's no lack of other possibilities - that's why you need the logs.


I had a similar issue, here is what your config should read:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
connect_from_port_20=YES
pam_service_name=vsftpd
ssl_enable=YES
#The following line enables implicit mode
implicit_ssl=YES
allow_anon_ssl=NO
#This will force secure data connections, not required, but recommended
force_local_data_ssl=YES
#This will force secure logins, not strictly required, but REALLY recommended
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
#The next line is the magic which I suspect will make this work for you.
#Some distros require explicit private key designation. You may need to regenerate your
#certificate / key pair. A lot of Debian based distros seem to need this step, and will not
#start the server without it.
rsa_private_key_file=<path to private key>.key

That did the trick for me. Also, as you're using TLS, not SSL, your server should actually serve on the usual FTP ports. Now most clients on the other hand will look to port 990 for an FTPS connection by default, but there's nothing you can really do about that, unless you actually want to serve on port 990. Not a dealbreaker, just a pain. You also might want to consider virtual users, chroot jailing, and passive mode for security, more security, and ease of client connections respectively. Cheers, -Matthias
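As an added example (not part of this thread and not vsftpd's own code), a small Python checker for the options the answers above discuss: it parses vsftpd.conf text and flags the settings that commonly keep implicit mode from starting or leave it weaker than intended. The sample config and its certificate/key paths are constructed, and the file-existence check is injectable so the script runs offline.

```python
import os

# Constructed sample based on the settings discussed above; paths are made up.
SAMPLE_CONF = """
listen=YES
ssl_enable=YES
implicit_ssl=YES
listen_port=990
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
"""

def parse_vsftpd_conf(text):
    """Return {option: value}; '#' comment lines and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def check_implicit_ssl(conf, file_exists=os.path.isfile):
    """Return a list of findings for an implicit-SSL vsftpd configuration."""
    yes = lambda k, default="NO": conf.get(k, default).upper() == "YES"
    findings = []
    if yes("implicit_ssl") and not yes("ssl_enable"):
        findings.append("implicit_ssl=YES has no effect without ssl_enable=YES")
    port = conf.get("listen_port", "21")          # vsftpd default is 21
    if yes("implicit_ssl") and port != "990":
        findings.append(f"implicit_ssl on listen_port={port}: clients default to 990")
    cert = conf.get("rsa_cert_file")
    if not cert:
        findings.append("rsa_cert_file not set")
    elif not file_exists(cert):
        findings.append(f"rsa_cert_file {cert} not found")
    key = conf.get("rsa_private_key_file")
    if key and ("<" in key or not file_exists(key)):  # '<' catches an unfilled placeholder
        findings.append(f"rsa_private_key_file {key} not found")
    for opt in ("ssl_sslv2", "ssl_sslv3"):
        if yes(opt):
            findings.append(f"{opt}=YES enables a broken protocol version")
    for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not yes(opt, "YES"):                    # vsftpd defaults both to YES
            findings.append(f"{opt}=NO allows plaintext where TLS is expected")
    return findings

if __name__ == "__main__":
    print(check_implicit_ssl(parse_vsftpd_conf(SAMPLE_CONF)) or "no findings")
```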