SSL/TLS

----------

Create the SSL Certificate

The first thing to do is to create the /etc/ssl/private/ folder on the server, which we’ll use to store the SSL/TLS key and certificate files:

mkdir /etc/ssl/private/

Once done, we can run the terminal command below to create the certificate and key for VSFTPD in a single file:

sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd-selfsigned.pem -out /etc/ssl/private/vsftpd-selfsigned.pem -days 365 -newkey rsa:2048

Here’s a useful explanation of the above switches:

req -x509: produce a self-signed certificate rather than a certificate signing request.
-nodes: leave the private key unencrypted, so VSFTPD can load it without a passphrase prompt.
-keyout: the file the private key is written to.
-out: the file the certificate is written to.
-days 365: the certificate stays valid for 365 days.
-newkey rsa:2048: generate a new 2048-bit RSA key along with the certificate.

Note that both the certificate and the key will be stored in the same file: /etc/ssl/private/vsftpd-selfsigned.pem.

Once submitted, the above command will ask you to answer the questions below:

Country Name (2 letter code)
State or Province Name (full name)
Locality Name (eg, city)
Organization Name (eg, company)
Organizational Unit Name (eg, section)
Common Name (eg, your name or your server's hostname)
Email Address

Fill out the prompts appropriately. The most important one is the Common Name: enter the domain name associated with our server, or the server’s public IP address.
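As an added example (not code from the original post), the certificate step above can be scripted and then checked: the subject is supplied with -subj instead of answering the prompts, and a second function confirms that the resulting PEM file holds both the private key and the certificate, that the Common Name is the one we expect, and that the key really belongs to the certificate. The C/ST/L/O subject values and the temporary directory are constructed for this example; on the server the file is /etc/ssl/private/vsftpd-selfsigned.pem as above.

```sh
#!/bin/sh
# Added example, not from the original post: script the self-signed
# certificate step and verify the resulting PEM file.
set -eu

# make_vsftpd_cert PEM_PATH COMMON_NAME [DAYS]
# Same openssl invocation as the post, with the prompts answered via -subj.
# The C/ST/L/O values are constructed placeholders; adjust them to your server.
make_vsftpd_cert() {
    pem="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$(dirname "$pem")"
    # the file holds a private key: create it owner-readable only
    ( umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/C=IT/ST=Rome/L=Rome/O=Example Org/CN=$cn" \
        -keyout "$pem" -out "$pem" 2>/dev/null )
}

# check_vsftpd_cert PEM_PATH COMMON_NAME
# Returns 0 when the file contains a private key and a certificate, the
# certificate's CN matches, and the key's public half matches the certificate.
check_vsftpd_cert() {
    pem="$1"; cn="$2"
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem"      || { echo "no private key in $pem"; return 1; }
    subj=$(openssl x509 -in "$pem" -noout -subject)
    case "$subj" in
        *"CN = $cn"*|*"CN=$cn"*) ;;   # OpenSSL 1.1+ and 1.0 print the DN differently
        *) echo "unexpected subject: $subj"; return 1 ;;
    esac
    # the certificate's public key must be the public half of the stored key
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
    echo "OK: $subj"
}

# Demonstration on a constructed path (the post uses /etc/ssl/private/).
DEMO_DIR=$(mktemp -d)
make_vsftpd_cert "$DEMO_DIR/vsftpd-selfsigned.pem" ftp.example.com
check_vsftpd_cert "$DEMO_DIR/vsftpd-selfsigned.pem" ftp.example.com
openssl x509 -in "$DEMO_DIR/vsftpd-selfsigned.pem" -noout -dates
```

The key-to-certificate comparison is the check worth keeping around: when the PEM is later replaced with a CA-issued certificate, it catches a certificate pasted next to the wrong key before VSFTPD is restarted against it.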

Configuring VSFTPD To Use SSL/TLS

Before touching the VSFTPD configuration, we need to open TCP port 990 on the firewall in order to allow TLS connections:

firewall-cmd --zone=public --add-port=990/tcp --permanent
firewall-cmd --reload

Needless to say, the above lines take for granted that the public zone is bound to the WAN interface: if that is not the case, be sure to open the port on the right zone.

Right after that, we can open the VSFTPD config file, /etc/vsftpd/vsftpd.conf, and specify the SSL details in the following way:

# SSL configuration (TLS v1.2)
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

It’s worth noting that, since TLS is more secure than SSL, we also took the chance to restrict VSFTPD to TLS, using the ssl_tlsv1_2 option and disabling SSLv2 and SSLv3: doing so shields your server from exploits that take advantage of known SSL vulnerabilities, such as POODLE.

The next options to set are those required to define the location of the SSL certificate and key file:

# configure the location of the SSL certificate and key file
rsa_cert_file=/etc/ssl/private/vsftpd-selfsigned.pem
rsa_private_key_file=/etc/ssl/private/vsftpd-selfsigned.pem

Now that SSL has been set, it’s highly advisable to force it whenever possible with the following directives:

# prevent anonymous users from using SSL
allow_anon_ssl=NO

# force all non-anonymous logins to use SSL for data transfer
force_local_data_ssl=YES

# force all non-anonymous logins to use SSL to send passwords
force_local_logins_ssl=YES

# Select the SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option.
ssl_ciphers=HIGH

# turn off SSL reuse
require_ssl_reuse=NO

The last two options specified above are meant to improve FTP server security. Setting ssl_ciphers to HIGH greatly limits the efforts of attackers who try to force a particular cipher in which they have found vulnerabilities; setting require_ssl_reuse to NO means SSL data connections are not forced to exhibit SSL session reuse, which would prove that they know the same master secret as the control channel – information we would rather not give away.

Enabling Passive Mode

The last thing to do is to set the range (minimum and maximum port) used for passive-mode data connections:

pasv_min_port=40001
pasv_max_port=40100

Remember to also open them within the firewall, as explained in this post.
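As an added example (not code from the original post), a small shell audit can be run over /etc/vsftpd/vsftpd.conf before restarting the service, to confirm that the TLS directives from the previous sections are present with the intended values and to extract the passive range that has to be opened on the firewall. The two configuration files below are constructed for the demonstration: one carrying the settings from this post, one with SSLv3 left enabled, password logins not forced and no certificate path.

```sh
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the
# TLS directives discussed in this section and derive the passive port range
# that must be opened on the firewall.
set -eu

# conf_value FILE KEY
# Prints the value of KEY as vsftpd would see it (comments and blank lines
# ignored, last assignment wins); prints nothing when KEY is not set.
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == key { val = $2 }
        END { if (val != "") print val }' "$1"
}

# check_vsftpd_tls FILE
# Compares the protocol, cipher and enforcement directives against the
# values set in this post; prints each deviation and returns 1 if any.
check_vsftpd_tls() {
    conf="$1"; rc=0
    for pair in ssl_enable=YES ssl_tlsv1_2=YES ssl_sslv2=NO ssl_sslv3=NO \
                allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_ciphers=HIGH; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(conf_value "$conf" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found ${got:-<unset>}"; rc=1
        fi
    done
    # the certificate and key locations must be named, whatever they are
    for key in rsa_cert_file rsa_private_key_file; do
        [ -n "$(conf_value "$conf" "$key")" ] || { echo "$key: not set"; rc=1; }
    done
    return "$rc"
}

# pasv_port_spec FILE
# Prints "MIN-MAX/tcp", ready for firewall-cmd --add-port.
pasv_port_spec() {
    echo "$(conf_value "$1" pasv_min_port)-$(conf_value "$1" pasv_max_port)/tcp"
}

# Constructed sample 1: the settings from this post.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# SSL configuration (TLS v1.2)
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd-selfsigned.pem
rsa_private_key_file=/etc/ssl/private/vsftpd-selfsigned.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH
pasv_min_port=40001
pasv_max_port=40100
EOF

# Constructed sample 2: SSLv3 left on, password logins not forced, no cert path.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ssl_enable=YES
ssl_sslv3=YES
force_local_data_ssl=YES
pasv_min_port=40001
pasv_max_port=40100
EOF

echo "== hardened =="; check_vsftpd_tls "$HARDENED_CONF" && echo "all TLS directives as expected"
echo "== weak ==";     check_vsftpd_tls "$WEAK_CONF" || echo "fix the lines above before restarting vsftpd"
echo "passive range to open: $(pasv_port_spec "$HARDENED_CONF")"
```

The value lookup deliberately mimics vsftpd's own reading of the file (comments skipped, the last assignment of a key is the effective one), so a hardened line followed by a stale `ssl_sslv3=YES` further down is reported rather than masked.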

Setting up SSL debug

If needed, we can enable SSL debugging, so that all OpenSSL connection diagnostic info is recorded in the VSFTPD log file:

debug_ssl=YES

Once done, save all the changes and close the file, then restart the VSFTPD service in the following way:

systemctl restart vsftpd

That’s about it. We can now test our new FTPS server from a remote client by typing the following line in its command-line terminal:

ftp <VSFTPD_ip_address>
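With debug_ssl=YES in place, each TLS session leaves a line in the VSFTPD log stating the protocol version and cipher the client negotiated, which is the quickest way to see whether the settings above are doing what we expect in practice. As an added example (not code from the original post), the shell below flags every session that settled on something lower than TLSv1.2 and counts sessions per protocol. The log lines are constructed; their layout follows vsftpd's "SSL version: ..., SSL cipher: ..." debug entries as this example assumes them to look.

```sh
#!/bin/sh
# Added example, not from the original post: review what clients actually
# negotiate once debug_ssl=YES is set. The log lines below are constructed;
# their layout follows vsftpd's "SSL version: ..., SSL cipher: ..." debug
# entries as this example assumes them to look.
set -eu

# weak_tls_sessions LOGFILE
# Prints "client protocol cipher" for each session that did not negotiate
# TLSv1.2; returns 1 when at least one such session exists, 0 otherwise.
weak_tls_sessions() {
    awk '
        /DEBUG: Client .* "SSL version: / {
            client = $0; sub(/.*Client "/, "", client); sub(/".*/, "", client)
            proto  = $0; sub(/.*SSL version: /, "", proto); sub(/,.*/, "", proto)
            cipher = $0; sub(/.*SSL cipher: /, "", cipher); sub(/,.*/, "", cipher)
            if (proto != "TLSv1.2") { print client, proto, cipher; found = 1 }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# count_tls_sessions LOGFILE PROTOCOL
# Number of sessions that negotiated the given protocol string (e.g. TLSv1.2).
count_tls_sessions() {
    grep -cF "\"SSL version: $2," "$1" || true   # grep -c exits 1 on zero matches
}

# Constructed sample log: two TLSv1.2 sessions and one legacy TLSv1 client.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mon Mar  4 10:15:02 2019 [pid 2231] CONNECT: Client "203.0.113.5"
Mon Mar  4 10:15:02 2019 [pid 2231] [alice] DEBUG: Client "203.0.113.5", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, not reused, no cert"
Mon Mar  4 10:15:03 2019 [pid 2231] [alice] OK LOGIN: Client "203.0.113.5"
Mon Mar  4 10:16:40 2019 [pid 2240] [bob] DEBUG: Client "203.0.113.7", "SSL version: TLSv1, SSL cipher: AES256-SHA, not reused, no cert"
Mon Mar  4 10:17:11 2019 [pid 2252] [carol] DEBUG: Client "198.51.100.9", "SSL version: TLSv1.2, SSL cipher: ECDHE-RSA-AES128-GCM-SHA256, reused, no cert"
EOF

echo "TLSv1.2 sessions: $(count_tls_sessions "$SAMPLE_LOG" TLSv1.2)"
echo "sessions below TLSv1.2 (client protocol cipher):"
weak_tls_sessions "$SAMPLE_LOG" || echo "-> these clients still use TLSv1; vsftpd keeps ssl_tlsv1 at its default of YES unless ssl_tlsv1=NO is set"
```

The configuration in this post turns TLS 1.2 on but does not touch ssl_tlsv1, which VSFTPD enables by default, so a TLSv1 session in the log is not a misconfiguration of the client: it is the server still offering the older protocol. Running this check for a while before adding ssl_tlsv1=NO tells you which clients would be cut off.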

------